From psilva at redhat.com Mon Apr 2 08:16:23 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 2 Apr 2018 09:16:23 -0300
Subject: [keycloak-user] Could not obtain configuration from server
In-Reply-To:
References:
Message-ID:

You can check if the token was issued with the roles you defined in web.xml/security-constraint.

On Thu, Mar 29, 2018 at 11:20 AM, Filip Kozjak wrote:
> Thank you Pedro,
>
> indeed it was a version issue, I was using the older version of Keycloak.
> However, after resolving this issue I've encountered a new one with always
> getting a 401 Unauthorized response from the service.
>
> The client code that is calling the service is this:
>
> String accessToken = AuthzClient.create().obtainAccessToken().getToken();
> WebTarget target = client.target("url");
> MyResponse res = target.request(MediaType.APPLICATION_JSON)
>         .header("Authorization", "Bearer " + accessToken)
>         .post(MyResponse.class);
>
> keycloak.json SERVICE
>
> {
>   "realm": "demo",
>   "bearer-only": true,
>   "auth-server-url": "http://127.0.0.1:8780/auth",
>   "ssl-required": "external",
>   "resource": "risk-assessment-service",
>   "confidential-port": 0
> }
>
> keycloak.json CLIENT
>
> {
>   "realm": "demo",
>   "auth-server-url": "http://127.0.0.1:8780/auth",
>   "ssl-required": "false",
>   "resource": "risk-assessment-client",
>   "credentials": {
>     "secret": "98f93f5e-e20a-433c-b29a-d3f9cab4bb44"
>   },
>   "confidential-port": 0
> }
>
> Could the problem be something with SSL? Because my service is not
> available on https:// endpoints? Or is the calling code not correct?
>
> On 29 March 2018 at 14:07, Pedro Igor Silva wrote:
>
>> What version of Keycloak are you using? Perhaps Keycloak v4?
>>
>> If so, you need to make sure your keycloak-authz dependency references
>> the same version.
>>
>> The uma-configuration discovery endpoint changed to uma2-configuration.
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Mar 29, 2018 at 4:21 AM, Filip Kozjak wrote:
>>
>>> Hi everyone,
>>>
>>> I am having troubles obtaining an access token for my Java EE REST service
>>> from Keycloak.
>>>
>>> I have started the Keycloak server at http://localhost,
>>> and I can access the admin console at
>>> http://localhost:8081/auth/admin/master/console/#/realms/demo.
>>>
>>> Next, I created a new realm "demo" and registered my REST service there.
>>> I've copied the generated keycloak.json to the WEB-INF of my service and
>>> added what was needed to web.xml. This successfully protected my endpoint.
>>> My REST service is up and running on http://localhost:8080/.
>>>
>>> However, now I want to set up a client that would be authorized to access
>>> the protected endpoint. The client is running at http://localhost:9080.
>>> Again, it's a Java EE REST service that talks to the protected service.
>>> I registered it as OAuth Client in the admin console and again copied the
>>> keycloak.json to the resources of my app. I am trying to obtain the access
>>> token like this:
>>>
>>> AuthzClient authzClient = AuthzClient.create();
>>> AccessTokenResponse tokenResponse = authzClient.obtainAccessToken();
>>>
>>> This results in the following error:
>>>
>>> java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8081/auth/realms/demo/.well-known/uma-configuration].
>>>     at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:92)
>>>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:60)
>>>     at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:53)
>>>     at hr.assecosee.three_ds_2.risk.services.ProxyServiceImpl.invokeRiskLevelApi(ProxyServiceImpl.java:28)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at com.ibm.ejs.container.EJSContainer.invokeProceed(EJSContainer.java:5316)
>>>     ... 16 more
>>>
>>> Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 404 / Not Found
>>>
>>> I posted a question about it on StackOverflow too:
>>> https://stackoverflow.com/questions/49534589/404-not-found-while-requesting-token-from-keycloak
>>>
>>> Is there something I am missing?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From j.keith at xsb.com Mon Apr 2 10:37:08 2018
From: j.keith at xsb.com (Jordan Keith)
Date: Mon, 2 Apr 2018 09:37:08 -0500 (CDT)
Subject: [keycloak-user] Documentation for what properties are available on template pages (login.ftl, etc)?
Message-ID: <474378279.4631740.1522679828592.JavaMail.zimbra@xsb.com>

I have looked over the keycloak documentation, but I can't find out what properties are available when customizing the various keycloak template pages. For modifying login.ftl, I have resorted to inspecting the source code of FreeMarkerLoginFormsProvider.java to find out what attributes are added to the attributes hash map. Is there any documentation for this?

Thanks,
Jordan Keith

From jvlcek at redhat.com Mon Apr 2 12:47:52 2018
From: jvlcek at redhat.com (Joe Vlcek)
Date: Mon, 2 Apr 2018 12:47:52 -0400
Subject: [keycloak-user] How to configure an haproxy load balancer in front of a single Keycloak server?
Message-ID:

Brief:

Are there any instructions for how to configure a load balancer in front of a single keycloak server?

Details:

There is a Cloudforms customer that has 2 Cloudforms instances, cf-1 and cf-2, each of which is configured correctly to use keycloak/SAML for authentication. If one points a browser to cf-1 it is correctly redirected to the keycloak server; once valid credentials are entered the browser correctly redirects back to cf-1. The same is true for cf-2.

The customer is attempting to set up an haproxy in front of cf-1 and cf-2, e.g.: cf-load-balancer.
If they point their browser to cf-load-balancer they are redirected to their keycloak server but the redirect back fails.

I have found the instructions for how to set up a load balancer in front of multiple keycloak servers, which is a different configuration.

Are there any instructions for how to configure a load balancer in front of a single keycloak server?

Thank you!
Joe Vlcek

From lahari.guntha at tcs.com Tue Apr 3 01:04:16 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Tue, 3 Apr 2018 05:04:16 +0000
Subject: [keycloak-user] "HTTPS Required"
In-Reply-To: <1522330467401.69975@tcs.com>
References: <1521815127939.49747@tcs.com>, , <1522303689399.46974@tcs.com>,<1522330467401.69975@tcs.com>
Message-ID: <1522731856226.67331@tcs.com>

Hi,

Did anyone face the same issue??

Thanks,
Lahari G

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 29 March 2018 19:04
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

Hi,

I am having my keycloak as a container in a VM....which is behind a proxy...Only in this case I am getting "HTTPS Required" when accessing it through the "HTTP" port. If the VM is not behind a proxy..then setting "ssl required" to none...works fine....

How to make extra configuration in this case when my keycloak is behind the proxy???
Thanks and Regards,
Lahari

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 29 March 2018 11:38
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

Hi Simon,

I have followed the below docs:
http://piotrnowicki.com/java/2017/01/09/keycloak-docker-with-ssl-proxy/

According to it I have executed the following commands:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect \
  "/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)"

and reloaded the server using the following command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

But still it is showing the same thing "HTTPS required"....

Could you please elaborate the steps to put keycloak behind an nginx proxy??

Thanks and Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:50
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] "HTTPS Required"

If I want https I put keycloak behind an nginx proxy.

On Fri, Mar 23, 2018 at 2:25 PM, Lahari Guntha wrote:

Hi All,

I am using Keycloak of version 3.3.0.CR2... I have launched keycloak as a container in a VM... Whenever I try to access the "http" port of keycloak...It is showing "HTTPS REQUIRED"... Even setting "Require SSL" to "none" under the Login tab of "Realm Settings" did not help....

Is there any other solution we have to get this problem solved??

Thanks & Regards,
Lahari G

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited.
If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From lahari.guntha at tcs.com Tue Apr 3 01:06:49 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Tue, 3 Apr 2018 05:06:49 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1522213483195.38672@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com>, , <1522213483195.38672@tcs.com>
Message-ID: <1522732009031.20269@tcs.com>

Hi All,

Could you please check the procedure I followed?? What are the further changes to be done for the groups to sync into keycloak??

Thanks & Regards,
Lahari G

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 28 March 2018 10:34
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Hi Simon,

We have our keycloak in standalone configuration. I have my keycloak running as a docker container. I logged into the container and manually changed the standalone.xml....and then restarted the server using the below command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

I have all my users synced to Keycloak. Now I have an entry of a user "User1" in keycloak.
This user is not present in any group in LDAP...Now I added the user "User1" to one of the groups in LDAP....now since I have set the "Eviction rate"......I should get the updated group that the user was recently added to in the Keycloak UI when I check the "Group Mappings" for that particular user....

Why am I not able to see the groups that the user was added to even after setting the eviction time??

Should I log in to any of the applications that are integrated with SSO so that I get the user with their proper groups???

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 27 March 2018 14:13
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if standalone-ha.xml is changed then a restart is necessary.

Simon.

On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:

Hi,

Do we need to reload the keycloak server after changing the standalone.xml???

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if you are referring to the standard entry, then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when the cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system.

So in my case i changed to the following: I simply added the expiration value to the existing local-cache entry for users, which will additionally expire entries after 20 minutes.

full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:

Hi,

Thanks Simon. Does setting "Cache Policy" to the "No Cache" option under "User Federation" make any sense in this case?? as shown below?
Could someone explain the "Eviction" policy for user cache?? What exactly will happen???

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

hi,

we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value. however, i found this to take no effect and eventually set a hard eviction rate to the configuration in the standalone-ha.xml for user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:

Hi All,

We are using keycloak of version 3.3.0.CR2. I have my Keycloak integrated with LDAP. I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.

eg:
Users in LDAP: "user1"
Groups in LDAP: "group1","group2"

When I log in to one of my applications that is configured to have SSO with keycloak with user "user1" that is present in group "group1"...that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.

Now I add the user "user1" into another group "group2"... But now the newly added group is not reflected when I click on User > Group Mapping.

Why is this happening?? What is the solution to continuously sync the users with the groups they are present in/newly added to, automatically????

Thanks,
Lahari

From daniel.hammarberg at capgemini.com Tue Apr 3 03:57:41 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Tue, 3 Apr 2018 07:57:41 +0000
Subject: [keycloak-user] Set up fine grained permissions
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com>

Hi all,

I am trying to set up fine grained permissions, following the instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

I don't manage to set permissions for a user to view one client. Could anyone help me to find what's missing?

My settings:

In the Users menu:
User cm_g123456 is a member of the group "Content Managers".
The group Content Managers is mapped to the realm role "Content Manager" and the client roles realm-management -> query-clients and view-users.
If I open the user cm_g123456 and check the Effective Roles under Role Mappings, I can see that Content Manager is active.
The user cm_g123456 also has the client role realm-management -> query-clients.

In the Clients menu:
I open my client, "foo.com". Permissions are enabled.
I have the following permission:
Name: manage.permission.client.manageSkfCom
Scopes: manage
Apply Policy: content-managers
Decision Strategy: Unanimous

I have the following policy:
Name: content-managers
Realm Roles:
  Name: Content Manager  Required: checked
Logic: Positive

When I log in to the admin console as the user cm_g123456, I cannot see any clients. Also, when opening a user I cannot see any client roles in the Available Roles list under Role Mappings.

Best regards
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825, S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From sebastien.vandamme at telemis.com Tue Apr 3 07:01:43 2018
From: sebastien.vandamme at telemis.com (Sébastien Vandamme)
Date: Tue, 3 Apr 2018 13:01:43 +0200
Subject: [keycloak-user] keycloak-cli.bat failed to connect to the controller with SaslException DIGEST-MD5: Server rejected authentication
Message-ID:

Hello,

I am in the process of installing Keycloak 3.4.3.Final and customizing it using scripts. I reuse scripts that I used on Keycloak 2.5.1 with success but, on the new version, I run into strange problems.

All the commands that I run that start with

keycloak-cli.bat --connect --controller=localhost:9990 --user=root --password=somePwd

don't work anymore and display the following error:

Failed to connect to the controller: Unable to authenticate against controller at localhost:9990: Authentication failed: all available authentication mechanisms failed: DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication

When I run the same command without the credentials

keycloak-cli.bat --connect --controller=localhost:9990

the connection works and I see

[standalone at localhost:9990 /]

When I connect directly via the browser on the url localhost:9990, it asks me for a login and a password, I enter the ones given in the first command and I can connect without any problem.

I read a lot of stuff on similar problems on the web but nothing solved my problem. For example, my remoting configuration, that was a problem in some cases, seems right.

In short, I'm stuck. Does someone have any idea to help me?
Thank you in advance for your help,

Seb

From jack at rightisleft.com Tue Apr 3 12:41:56 2018
From: jack at rightisleft.com (Jack Murphy)
Date: Tue, 3 Apr 2018 12:41:56 -0400
Subject: [keycloak-user] TypeScript Defs
Message-ID:

It looks like the TypeScript definitions have been removed for "keycloak-connect": "4.0.0-beta.1"

Is this a bug or a deprecated feature? How should I resolve this?

Thanks!

From jonathan.j.carrasco at jpl.nasa.gov Tue Apr 3 17:36:05 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Tue, 3 Apr 2018 21:36:05 +0000
Subject: [keycloak-user] Multiple Client Certificate Support?
Message-ID:

Hello Everyone,

General question: does Keycloak support multiple certificates with different expirations, to allow for rolling client cert updates?

For example, I have Keycloak with "cert1", and I registered Client1 with "cert1" and Client2 with "cert1". Now "cert1" expires. Am I able to support two certificates, where I add/update Keycloak with "cert2", so now there's an old "cert1" and new "cert2" on Keycloak, and Client1 will reach Keycloak with old "cert1" and determine it needs the new "cert2"? And have this not break Client2 which will reach Keycloak at a later date with old "cert1" again.

Or, do I have to update the Keycloak cert and re-federate all client applications or else they will break until they have the updated cert?

Thank you for your attention.

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory
California Institute of Technology

From pieter at thehyve.nl Wed Apr 4 04:40:03 2018
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Wed, 4 Apr 2018 10:40:03 +0200
Subject: [keycloak-user] Multiple clients, same realm, cross-client REST calls
Message-ID:

Hi,

I have a use case for the following scenario:

- 2 clients connected to the same Keycloak realm (via SAML)
- user logs in to 1st client and opens a webpage that makes REST API calls to both 1st and 2nd client apps

Currently the calls to the REST API of the 2nd client app fail with 401 error (not authorized). Any hints on how to get this working?

Except for this specific use case, SSO is working across both apps (i.e. when the user is logged in to client 1 and then browses to client 2, he does not need to fill in user name and password again).

Thanks,

Pieter Lukasse
E. pieter at thehyve.nl
T. +31(0)30 700 9713
W. www.thehyve.nl

We empower scientists by building on open source software

From marc.logemann at gmail.com Wed Apr 4 05:14:52 2018
From: marc.logemann at gmail.com (Marc Logemann)
Date: Wed, 4 Apr 2018 11:14:52 +0200
Subject: [keycloak-user] Spring Security Adapter working but no Principal
Message-ID:

Hi,

I have a weird thing going on. My keycloak Spring Security adapter works as expected. But I am unable to retrieve the principal. I am requesting a REST service with a valid Bearer Token. In the REST controller I want to see the principal via:

Principal userPrincipal = request.getUserPrincipal();

or

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
String currentPrincipalName = authentication.getName();

But everything is null. Funny thing is, the Keycloak Filter set the Authentication correctly but at the end, in my controller, it's not there anymore.
here is my filter list:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  KeycloakPreAuthActionsFilter
  LogoutFilter
  KeycloakAuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

Has anyone experienced something like this or has an idea?

Thanks
Marc

From sblanc at redhat.com Wed Apr 4 05:24:23 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 4 Apr 2018 11:24:23 +0200
Subject: [keycloak-user] Spring Security Adapter working but no Principal
In-Reply-To:
References:
Message-ID:

Do you have a sample project shared somewhere to reproduce this?

On Wed, Apr 4, 2018 at 11:14 AM, Marc Logemann wrote:
> Hi,
>
> i have a weird thing going on. My keycloak Spring Security adapter
> works as expected. But i am unable to retrieve the principal. I am
> requesting a REST service with a valid Bearer Token. In the REST
> controller i want to see the principal via:
>
> Principal userPrincipal = request.getUserPrincipal();
>
> or
>
> Authentication authentication =
> SecurityContextHolder.getContext().getAuthentication();
> String currentPrincipalName = authentication.getName();
>
> But everything is null. Funny thing is, the Keycloak Filter set the
> Authentication correctly but at the end, in my controller, it's not
> there anymore.
>
> here is my filter list:
>
> Security filter chain: [
>   WebAsyncManagerIntegrationFilter
>   SecurityContextPersistenceFilter
>   HeaderWriterFilter
>   KeycloakPreAuthActionsFilter
>   LogoutFilter
>   KeycloakAuthenticationProcessingFilter
>   RequestCacheAwareFilter
>   SecurityContextHolderAwareRequestFilter
>   AnonymousAuthenticationFilter
>   SessionManagementFilter
>   ExceptionTranslationFilter
>   FilterSecurityInterceptor
> ]
>
> Has anyone experienced something like this or has an idea?
>
> Thanks
> Marc

From sr.misc at gmail.com Wed Apr 4 06:28:08 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Wed, 4 Apr 2018 12:28:08 +0200
Subject: [keycloak-user] "Verify email" on custom User Federation failed
Message-ID:

Hi all,

We are using a custom User Federation for our user store, which is a database. Users are successfully able to authenticate against the custom User Federation. Everything is working fine as expected.

Now, we want to "Verify email" on the user's first login and also generate an initial magic link email to the user. After we enabled "Verify email" in the realm and under Required Actions of the Browser Authentication Flow, we are getting the following exception.

08:51:00,649 WARN [org.keycloak.services] (default task-36) KC-SERVICES0013: Failed authentication: org.keycloak.storage.ReadOnlyException: user is read only for this update
    at org.keycloak.storage.adapter.AbstractUserAdapter.addRequiredAction(AbstractUserAdapter.java:82)
    at org.keycloak.authentication.requiredactions.VerifyEmail.evaluateTriggers(VerifyEmail.java:53)
    at org.keycloak.services.managers.AuthenticationManager.evaluateRequiredActionTriggers(AuthenticationManager.java:1039)
    at org.keycloak.services.managers.AuthenticationManager.nextRequiredAction(AuthenticationManager.java:812)
    at org.keycloak.authentication.AuthenticationProcessor.nextRequiredAction(AuthenticationProcessor.java:956)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:944)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:821)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:284)
    at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:255)
    at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:251)
    at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:311)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Please advise how I can fix this.

Regards,

From moritz.becker at gmx.at Wed Apr 4 08:29:59 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Wed, 4 Apr 2018 14:29:59 +0200
Subject: [keycloak-user] How to use keycloak-admin-client in the browser
Message-ID: <04a301d3cc10$a67fc210$f37f4630$@gmx.at>

Hi,

I want to use keycloak-admin-client in a javascript client to allow the user to manage keycloak resources.

However, keycloak-admin-client depends on keycloak-request-token which uses ES6 arrow functions in its distribution.

So I wonder what the correct way is to use this in the browser?

Thanks

From subodhcjoshi82 at gmail.com Wed Apr 4 08:39:32 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 4 Apr 2018 18:09:32 +0530
Subject: [keycloak-user] How to use keycloak-admin-client in the browser
In-Reply-To: <04a301d3cc10$a67fc210$f37f4630$@gmx.at>
References: <04a301d3cc10$a67fc210$f37f4630$@gmx.at>
Message-ID:

Are you looking for this feature https://github.com/keycloak/keycloak-admin-client

On Wed, Apr 4, 2018 at 5:59 PM, wrote:
> Hi,
>
> I want to use keycloak-admin-client in javascript client to allow the user
> to manage keycloak resources.
>
> However, keycloak-admin-client depends on keycloak-request-token which uses
> ES6 arrow functions in its distribution.
>
> So I wonder what the correct way is to use this in the browser?
>
> Thanks

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From moritz.becker at gmx.at Wed Apr 4 10:06:36 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Wed, 4 Apr 2018 16:06:36 +0200
Subject: [keycloak-user] How to use keycloak-admin-client in the browser
In-Reply-To:
References: <04a301d3cc10$a67fc210$f37f4630$@gmx.at>
Message-ID: <04c401d3cc1e$25609c50$7021d4f0$@gmx.at>

Well, I am not looking for it, I am referring to it. As I said, it depends on keycloak-request-token which uses ES6 arrow functions in its distribution. This is problematic for use in clients that do not support these features.

From: Subodh Joshi
Sent: Wednesday, 4 April 2018 14:40
To: Moritz Becker
Cc: keycloak-user
Subject: Re: [keycloak-user] How to use keycloak-admin-client in the browser

Are you looking for this feature https://github.com/keycloak/keycloak-admin-client

On Wed, Apr 4, 2018 at 5:59 PM, wrote:

Hi,

I want to use keycloak-admin-client in a javascript client to allow the user to manage keycloak resources.

However, keycloak-admin-client depends on keycloak-request-token which uses ES6 arrow functions in its distribution.

So I wonder what the correct way is to use this in the browser?
Thanks

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From luke at code-house.org Wed Apr 4 11:07:05 2018
From: luke at code-house.org (luke at code-house.org)
Date: Wed, 4 Apr 2018 17:07:05 +0200
Subject: [keycloak-user] Limiting user registrations to closed set
In-Reply-To:
References:
Message-ID: <97D9B876-750C-4D12-B9CB-618FBC145A69@code-house.org>

Since there was no answer in this topic, I can leave an answer for other people who may look for something similar.

I created a new registration flow definition with an additional form action at the beginning of it. My custom form action contains validation rules working on top of the form data. Based on the received attributes, validation fails the registration attempt if the external system client does not contain a matching user record. Thanks to that no database write attempt is made and there is no need for implementing a user storage provider.

I attach pseudo code for reference. There are lots of missing pieces, but it should give a general idea how the problem can be approached.

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.ValidationContext;
import org.keycloak.authentication.forms.RegistrationPage;
import org.keycloak.events.Errors;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;

// Only validate() is shown; the remaining FormAction methods, the Constants class,
// ExternalSystemClient and the validateAndGet/fail helpers are the missing pieces.
public class InternalUserFormAction implements FormAction {

    public static final String PROVIDER_ID = "internal-user-form-action";

    @Override
    public void validate(ValidationContext context) {
        AuthenticatorConfigModel config = context.getAuthenticatorConfig();
        // The form action has one option, the external system URI, which is called
        // to check whether the user who is attempting to create an account exists.
        String externalSystemURI = Constants.DEFAULT_SYSTEM_URI;
        if (config != null && config.getConfig() != null) {
            externalSystemURI = config.getConfig().getOrDefault(Constants.SYSTEM_URI_OPTION_NAME, Constants.DEFAULT_SYSTEM_URI);
        }

        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        List<FormMessage> errors = new ArrayList<>();
        String eventError = Errors.INVALID_REGISTRATION;

        // validateAndGet records a FormMessage in errors when the field is missing
        // and returns the submitted value otherwise.
        Optional<String> firstName = validateAndGet(formData, errors, RegistrationPage.FIELD_FIRST_NAME, Messages.MISSING_FIRST_NAME);
        Optional<String> lastName = validateAndGet(formData, errors, RegistrationPage.FIELD_LAST_NAME, Messages.MISSING_LAST_NAME);
        Optional<String> email = validateAndGet(formData, errors, RegistrationPage.FIELD_EMAIL, Messages.MISSING_EMAIL);
        Optional<String> phone = validateAndGet(formData, errors, Constants.MOBILE_NUMBER_ATTRIBUTE, "missing_phone_number");

        if (!errors.isEmpty()) {
            // fail reports the errors back to the registration form and records the event error
            fail(context, formData, eventError, errors);
            return;
        }

        // Look the submitted attributes up in the external system; the account is only
        // allowed when a matching record exists there, so no user is ever written otherwise.
        ExternalSystemClient client = new ExternalSystemClient(externalSystemURI);
        Optional<?> internalUser = client.find(
            firstName.orElse(null), lastName.orElse(null), email.orElse(null), phone.orElse(null)
        );
        if (!internalUser.isPresent()) {
            errors.add(new FormMessage("generic", "unknown_member"));
            fail(context, formData, eventError, errors);
            return;
        }

        context.success();
    }
}

Cheers,
Łukasz

--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

> On 29 Mar 2018, at 00:44, Łukasz Dywicki wrote:
>
> Hi all,
> I have a case which is quite simple in terms of logic - I have an existing
> database of users with attributes such as first and last name, as well as
> email. I miss username and password or just password if I decide to use
> email as login. I would like to use attributes I know for validation of
> new user registrations.
> Any registration attempt with unknown email, first and last should be denied.
> Sadly, due to the necessity to host user self-registration in a mobile app, I
> had to move it outside of Keycloak. This means I use a small utility to
> create accounts using the admin API.
>
> I've tried to use UserStorageProvider, but this SPI is not permitted to
> "deny" user registration. When I try to add a new user, it goes in even if
> there is no matching combination of attributes. Which SPI is valid for
> my use case?
>
> Kind regards,
> Lukasz

From marc.logemann at gmail.com Wed Apr 4 11:24:51 2018
From: marc.logemann at gmail.com (Marc Logemann)
Date: Wed, 4 Apr 2018 17:24:51 +0200
Subject: [keycloak-user] Spring Security Adapter working but no Principal

Hi,

can't provide that, but after extensive debugging we know the problem. It had nothing to do with the Keycloak Spring Adapter but with a Hystrix annotation on the Spring controller. Hystrix dispatches to a whole new thread and this breaks the SecurityContextHolder, which is of course ThreadLocal based.

We removed the Hystrix stuff for now and will investigate that later on.

marc

2018-04-04 11:24 GMT+02:00 Sebastien Blanc:
> Do you have a sample project shared somewhere to reproduce this?
>
> On Wed, Apr 4, 2018 at 11:14 AM, Marc Logemann wrote:
>>
>> Hi,
>>
>> I have a weird thing going on. My Keycloak Spring Security adapter
>> works as expected. But I am unable to retrieve the principal. I am
>> requesting a REST service with a valid Bearer Token. In the REST
>> controller I want to see the principal via:
>>
>>     Principal userPrincipal = request.getUserPrincipal();
>>
>> or
>>
>>     Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
>>     String currentPrincipalName = authentication.getName();
>>
>> But everything is null. Funny thing is, the Keycloak filter set the
>> Authentication correctly but at the end, in my controller, it's not
>> there anymore.
>>
>> Here is my filter list:
>>
>>     Security filter chain: [
>>       WebAsyncManagerIntegrationFilter
>>       SecurityContextPersistenceFilter
>>       HeaderWriterFilter
>>       KeycloakPreAuthActionsFilter
>>       LogoutFilter
>>       KeycloakAuthenticationProcessingFilter
>>       RequestCacheAwareFilter
>>       SecurityContextHolderAwareRequestFilter
>>       AnonymousAuthenticationFilter
>>       SessionManagementFilter
>>       ExceptionTranslationFilter
>>       FilterSecurityInterceptor
>>     ]
>>
>> Has anyone experienced something like this or has an idea?
>>
>> Thanks
>> Marc

From pinguwien at gmail.com Wed Apr 4 13:38:58 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 4 Apr 2018 19:38:58 +0200
Subject: [keycloak-user] Spring Security Adapter working but no Principal

Hi Marc,

first of all: I've not used kc together with Hystrix yet (but I'm just building a docker env with Spring Cloud, kc and ELK, which may be part of future blog entries) - so, just guessing here.

That said: it may do the trick to use the InheritableThreadLocal strategy for your SecurityConfig (which also gives you the ability to use @Async), as stated here at line 35:

https://github.com/Pinguwien/guestbook-backend/blob/master/src/main/java/de/codecentric/demo/guestbook/infrastructure/environment/spring/config/SecurityConfig.java

or in my blog entries (German, you know where).

Best regards,
Dominik

On 04.04.18 at 17:24, Marc Logemann wrote:
> [...]
From mbelivea at redhat.com Wed Apr 4 15:40:38 2018
From: mbelivea at redhat.com (Matthew Beliveau)
Date: Wed, 4 Apr 2018 15:40:38 -0400 (EDT)
Subject: [keycloak-user] SSSD plugin to write to freeIPA
In-Reply-To: <1362705638.12542729.1522870718888.JavaMail.zimbra@redhat.com>
Message-ID: <1751070457.12542842.1522870838183.JavaMail.zimbra@redhat.com>

Hello,

I need to write a plug-in to write to a freeIPA server when logging in through Keycloak. I was looking through the SSSD code on the Keycloak GitHub to try and find a place where I could place a plug-in. However, I am not quite sure where to begin or how to implement it. It would be great if you could point me in the right direction and give me a couple of tips to help me begin this process. The goal of the whole effort is to do automatic provisioning of the users into IPA when Keycloak is used for federation.

My current environment:
Keycloak-A connected to IPA-A with an Apache app connected to the Keycloak server, and Keycloak-B connected to IPA-B. I have Keycloak-A connected to Keycloak-B and I want to write a user from IPA-B to IPA-A when I try to log into my app with a user from IPA-B.
Where I have already looked:
https://github.com/keycloak/keycloak/pull/3761/files
https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main/java/org/keycloak/federation/sssd/ReadonlySSSDUserModelDelegate.java
https://github.com/keycloak/keycloak/blob/master/federation/sssd/src/main/java/org/keycloak/federation/sssd/SSSDFederationProvider.java

Any help would be gratefully appreciated.

Thank you,
Matthew Beliveau

From bruno at abstractj.org Wed Apr 4 16:42:21 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 4 Apr 2018 17:42:21 -0300
Subject: [keycloak-user] SSSD plugin to write to freeIPA
In-Reply-To: <1751070457.12542842.1522870838183.JavaMail.zimbra@redhat.com>
References: <1362705638.12542729.1522870718888.JavaMail.zimbra@redhat.com> <1751070457.12542842.1522870838183.JavaMail.zimbra@redhat.com>
Message-ID: <20180404204221.GA11590@abstractj.org>

Hi Matthew,

The SSSD federation provider on Keycloak is read-only; this is because the SSSD D-Bus interface is read-only. In order to do the automatic provisioning of users from Keycloak to IPA I see two alternatives:

1. Provide a writeable SSSD interface
2. Provide RESTful endpoints on the IPA server for it

I'd guess that option 2 would be the easiest path to pursue, but honestly, I have no clue if there are endpoints for it. I would suggest first checking if there's any way to provision users on the IPA server through RESTful endpoints, and later taking a look at our documentation about how to implement a custom provider[1]. We also have some examples here[2].

Does it help?

[1] - http://www.keycloak.org/docs/latest/server_development/index.html#provider-interfaces
[2] - https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-simple

On 2018-04-04, Matthew Beliveau wrote:
> [...]
--
abstractj

From marc.logemann at gmail.com Wed Apr 4 17:41:55 2018
From: marc.logemann at gmail.com (Marc Logemann)
Date: Wed, 4 Apr 2018 23:41:55 +0200
Subject: [keycloak-user] Spring Security Adapter working but no Principal

Hi,

it's even simpler. Hystrix has a config setting for sharing the Spring Security "SecurityContext". So it seems someone already had the problem before us and submitted something to the Hystrix project. In the end we can leave it as it is and just put the right config into place. As always, the tough part was debugging the whole mess and pinpointing the problem.
The solution is most of the time easier than the research before. But this is a little bit off topic at this point because it has nothing to do with Keycloak's Spring Adapter. But to make this post interesting for people debugging problems in the space of Spring and the Keycloak Spring Adapter, I highly recommend this:

    @EnableWebSecurity(debug = true)

This little debug flag helped us along the way... it really gives some nice output.

marc

2018-04-04 19:38 GMT+02:00 Dominik Guhr:
> [...]
From mwaki011 at gmail.com Wed Apr 4 19:09:57 2018
From: mwaki011 at gmail.com (Mike Wakim)
Date: Wed, 4 Apr 2018 19:09:57 -0400
Subject: [keycloak-user] Linking pre-existing Keycloak user with LDAP user (without import)
Message-ID: <1BD08DED-DE13-456D-B179-6E94DDA02EC4@gmail.com>

Hello,

I have a small question regarding a specific use case with user federation that I am hoping someone can help with.
I set up a small LDAP server using the example given in the Keycloak Git repo. I imported the LDAP realm into Keycloak and did the following:

1. Turn the "enabled" setting off in user federation (temporarily).
2. Turn the "import" setting off in user federation.
3. Turn the "sync registrations" setting off in user federation.

My use case is the following: I would like to create a user (e.g. bwilson) manually in Keycloak, and I would like to assign custom roles to that user as needed. However, this user (e.g. bwilson) is a user that already exists in my LDAP server. If I enable user federation and try to log in using this user, Keycloak by default will only check the Keycloak DB, and will not try to authenticate this username through user federation.

Is there any way for me to link the manually created "bwilson" user with the "bwilson" user that already exists in LDAP? I'm mainly interested in linking the roles that appear in the Keycloak DB; I would like the user to log in using his LDAP credentials.

I am aware that if I "import" users from LDAP into Keycloak, I can go to a user's settings and add roles to that user as needed. However, if I have a pre-existing user in the Keycloak DB, can I link this user to the user with the same username in LDAP (without importing)?

Any assistance would be much appreciated!

Thanks,
Mike

From eferron at outlook.fr Thu Apr 5 04:37:36 2018
From: eferron at outlook.fr (Elie Ferron)
Date: Thu, 5 Apr 2018 08:37:36 +0000
Subject: [keycloak-user] Keycloak X GLPI

Hello all,

I wanted to know if anyone had already linked Keycloak with GLPI for the SSO part.

Regards,

From federico at info.nl Thu Apr 5 05:31:43 2018
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Thu, 5 Apr 2018 09:31:43 +0000
Subject: [keycloak-user] Keycloak 4.0.0.Beta1 is out

Hello Stian,

Are there any examples in the documentation about adding theme resources or using the theme selector SPI?
In our case, we used to install the theme as a module, which was the recommended way, so it's not entirely clear what advantages the new implementation brings.

Regards,
Federico

On 23/03/18 12:00, "keycloak-user-bounces at lists.jboss.org on behalf of Stian Thorgersen" wrote:

I missed one cool new feature. We also now have support for UMA 2.0 including allowing users to manage resource permissions in the account management console.

On Thu, 22 Mar 2018, 21:04 Stian Thorgersen, wrote:

> I'm very pleased to announce the first release of Keycloak 4!
>
> To download the release go to the Keycloak homepage.
>
> Highlights
>
> Brand new login pages
>
> The login pages have received a brand new look. They now look much more
> modern and clean!
>
> Themes and Theme Resources
>
> It's now possible to hot-deploy themes to Keycloak through a regular
> provider deployment. We've also added support for theme resources. Theme
> resources allow adding additional templates and resources without creating
> a theme. Perfect for custom authenticators that require additional pages
> added to the authentication flow.
>
> We've also added support to override the theme for specific clients. If
> that doesn't cover your needs, then there's a new Theme Selector SPI that
> allows you to implement custom logic to select the theme.
>
> Native promise support in keycloak.js
>
> The JavaScript adapter now supports native promises. Of course it still
> has support for the old style promises as well. Both can be used
> interchangeably.
>
> Edit links in documentation
>
> To make it easier to contribute changes to the documentation we have added
> links to all sections of the documentation. This brings you straight to the
> GitHub editor for the relevant AsciiDoctor file. There's also a quick link
> to report an issue on a specific page that will include the relevant page
> in the description.
>
> HTTPS support on keycloak.org
>
> Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on
> keycloak.org.
> About time!
>
> Loads more..
>
> The full list of resolved issues is available in JIRA.
>
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade
> guide for anything that may have changed.

From sthorger at redhat.com Thu Apr 5 06:04:44 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 5 Apr 2018 12:04:44 +0200
Subject: [keycloak-user] Keycloak 4.0.0.Beta1 is out

http://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource

The benefits are that you can simply hot deploy by either using "mvn wildfly:deploy" or copying the jar to standalone/deployments. No need to create the module structure, restart the server, edit standalone.xml to register the module, etc. You can also package a custom theme alongside any custom providers if you have any.

On 5 April 2018 at 11:31, Federico Navarro Polo - Info.nl wrote:
> [...]
From Emanuele.Gesuato at finantix.com Thu Apr 5 09:44:12 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Thu, 5 Apr 2018 13:44:12 +0000
Subject: [keycloak-user] SSO in web and desktop application
Message-ID: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com>

From Emanuele.Gesuato at finantix.com Thu Apr 5 09:57:04 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Thu, 5 Apr 2018 13:57:04 +0000
Subject: [keycloak-user] SSO in web and desktop application
In-Reply-To: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com>
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com>
Message-ID: <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com>

From Emanuele.Gesuato at finantix.com Thu Apr 5 10:07:57 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Thu, 5 Apr 2018 16:07:57 +0200
Subject: [keycloak-user] SSO in web and desktop application
In-Reply-To: <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com>
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Sorry for the previous messages, not sure what happened
******

Hi everyone,

we are using the Tomcat 7 adapter of Keycloak 3.4.3 (SAML). We also managed to install the server side part and to integrate Keycloak with our web application. Now when a user accesses siteA he is correctly redirected to the Keycloak login page and after login he is redirected to the application itself. It is working fine.

Problem is the following. We are now trying to integrate SSO in the following way:
1. User opens browser and goes to our siteA
2. User correctly logs in
3.
In the user's desktop there is a client-server application of ours, developed in Java, and our goal is to have the user logged in automatically because we are sharing the same set of users. Moreover, siteA and the server side application are different clients in the same realm.

The client-server application is basically a web application, where the client part is a "custom" browser that restricts the user to only some operations. The browser widget is a custom one but we can change it if required.

Is it possible to do such a thing? How?

I think we need to "share" something between the request of siteA and the application itself.
I tried to share the JSESSIONID but it was not working; after investigation I found that JSESSIONID is not useful for my purpose.

I hope to have explained my issue clearly,
thanks for any help

From: "Emanuele Gesuato"
To: keycloak-user at lists.jboss.org
Date: 05/04/2018 15:58
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces at lists.jboss.org

From subodhcjoshi82 at gmail.com Thu Apr 5 11:32:03 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 05 Apr 2018 15:32:03 +0000
Subject: [keycloak-user] SSO in web and desktop application
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com>

I don't know if I can understand it clearly, but is this not possible through the Keycloak REST API?

On Thu, 5 Apr 2018, 19:38 Emanuele Gesuato, wrote:
> [...]
From sr.misc at gmail.com Thu Apr 5 12:18:23 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Thu, 5 Apr 2018 18:18:23 +0200
Subject: [keycloak-user] IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK during Custom User Federation

Hi all,

We are using Keycloak 3.4.3 and loading users via Custom User Federation from the database.
We are using Postgres 9.4.12.

When we are loading users from the database during CustomUserStorageProviderFactory.create(..), we are getting the following exception. It is thrown during con.createStatement():

    13:46:43,385 ERROR [stderr] (default task-8) java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK
    13:46:43,385 ERROR [stderr] (default task-8)     at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
    13:46:43,386 ERROR [stderr] (default task-8)     at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
    13:46:43,386 ERROR [stderr] (default task-8)     at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
    13:46:43,386 ERROR [stderr] (default task-8)     at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
    13:46:43,387 ERROR [stderr] (default task-8)     at org.jboss.jca.adapters.jdbc.WrappedConnection.createStatement(WrappedConnection.java:340)
    13:46:43,387 ERROR [stderr] (default task-8)     at com.test.service.UserServiceImpl.loadExistingUsers(UserServiceImpl.java:98)
    13:46:43,387 ERROR [stderr] (default task-8)     at com.test.CustomUserStorageProviderFactory.create(CustomUserStorageProviderFactory.java:43)

But if we call loadExistingUsers in the init method of CustomUserStorageProviderFactory, it works fine.

Please advise, what are we doing wrong? What is the ideal way of loading existing users in Custom User Federation?
Regards,
SR

From Emanuele.Gesuato at finantix.com Thu Apr 5 13:14:03 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Thu, 5 Apr 2018 19:14:03 +0200
Subject: [keycloak-user] SSO in web and desktop application
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Hi Subodh,

it is what I thought, but it looks like the REST APIs are available only for OpenID, not for the SAML protocol. To retrieve an access token I need to enable access-type as "public" or "confidential", but it is an option available only for OpenID clients.

When I try to run

    curl -d "client_id=admin_client" -d "username=admin" -d "password=password" -d "grant_type=password" "http://:/auth/realms/master/protocol/openid-connect/token"

I get this error ("admin_client" is a SAML client):

    {"error":"unauthorized_client","error_description":"Client secret not provided in request"}

but:
1. access type can be changed to "public" or "confidential" only for OpenID clients.
2. a client secret cannot be generated for SAML clients.

Am I missing something?

Many thanks for any help,
Emanuele

From: Subodh Joshi
To: Emanuele Gesuato
Cc: keycloak-user
Date: 05/04/2018 17:35
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces at lists.jboss.org

I don't know if I can understand it clearly, but is this not possible through the Keycloak REST API?

On Thu, 5 Apr 2018, 19:38 Emanuele Gesuato, wrote:
> [...]
> We are now trying to integrate SSO in the following way:
> 1. User opens a browser and goes to our siteA
> 2. User logs in correctly
> 3. On the user's desktop there is a client-server application of ours developed in Java, and our goal is to have the user logged in automatically because we are sharing the same set of users. Moreover, siteA and the server-side application are different clients in the same realm.
>
> The client-server application is basically a web application, where the client part is a "custom" browser that restricts the user to only some operations. The browser widget is a custom one but we can change it if required.
>
> Is it possible to do such a thing? How?
>
> I think we need to "share" something between the request of siteA and the application itself.
> I tried to share the JSESSIONID but it was not working; after investigation I found that JSESSIONID is not useful for my purpose.
>
> I hope to have explained my issue clearly,
> thanks for any help
>
> From: "Emanuele Gesuato" To: keycloak-user at lists.jboss.org Date: 05/04/2018 15:58 Subject: Re: [keycloak-user] SSO in web and desktop application Sent by: keycloak-user-bounces at lists.jboss.org

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Oscar.Cadena at legis.com.co Thu Apr 5 13:17:23 2018 From: Oscar.Cadena at legis.com.co (Oscar Cadena) Date: Thu, 5 Apr 2018 17:17:23 +0000 Subject: [keycloak-user] reset password not working Message-ID: <391358cc19a34e22bb0762bb707c59f4@AGLAYA.legis.com>

Hi.
At the moment I'm trying Keycloak, but I'm unable to make the update-password function work through the REST API. What I'm doing is the following.

PUT http://localhost:8080/auth/admin/realms/demo/users/94e2a91a-17bd-4133-b0ff-503c742d1f53/execute-actions-email

HEADERS
Content-Type: application/json
Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkSU5nOVBFam9LMHNOd0dqMTY0Z0pzMDU4ZV9mZUliSzZGZE43NUEtb1AwIn0.[...].MZB8eNYQBueITmlFHWhZxg6sp9hx91DMbDuTJFB_KTcMINbMMqBAnbOaETUWhZ2nZ-005amOpdvZzQAqGFi-chs_Ylk-HrZtsmZKgH59Wf04UEXmTiJgNWnteE2Tb8gZbgJG3qXjeq_PynUMMTOdIXN-xJuYdp_lrsieU7pNxA7Y-k6v4j8OXuQI7hR7bslg82wbNeR8JEWBYYljSE9YT4O4kWOmngmkTYHzDAZQSo0rTIeMi70wVEvp6nDxpGN4qhuqgNVtMIoSJsQ-XBbjrdrnsZvmoiu7zdOSa1hdFFnbgexw8RDMCmOcoMN_KxedvgDJsd10CSmLacW7UD7baA
(I'm using the access token here.)

And the body: ["UPDATE_PASSWORD"]

But I'm always getting a 403 Forbidden response. I don't know why. Any related help would be appreciated.

Best regards.
Oscar.

LEGAL NOTICE: This e-mail transmission contains confidential information of LEGIS. If you are not the intended recipient, you should not use, hold, print, copy, distribute or make public its content; on the contrary it could have legal. If you have received this e-mail transmission in error, please inform us at seguridad at legis.com.co and erase it.
If you are the intended recipient, we ask you not to make public the content, the data or contact information of the sender and in general the information of this document or attached file, unless a written authorization exists.

From daniel.hammarberg at capgemini.com Fri Apr 6 02:33:21 2018 From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel) Date: Fri, 6 Apr 2018 06:33:21 +0000 Subject: [keycloak-user] Set up fine grained permissions In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com> References: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com> Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC684011864A1@DE-CM-MBX26.corp.capgemini.com>

Hi all,

Does anyone have any input on this? We are really stuck on this one...

Regards
/Daniel

-----Original Message-----
From: Hammarberg, Daniel Sent: 3 April 2018 09:58 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Set up fine grained permissions

Hi all,

I am trying to set up fine-grained permissions, following the instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

I don't manage to set permissions for a user to view one client. Could anyone help me find what's missing?

My settings:

In the Users menu:
User cm_g123456 is a member of the group "Content Managers".
The group Content Managers is mapped to the realm role "Content Manager" and the client roles realm-management -> query-clients and view-users.
If I open the user cm_g123456 and check the Effective Roles under Role Mappings, I can see that Content Manager is active.
The user cm_g123456 also has the client role realm-management -> query-clients.

In the Clients menu:
I open my client, "foo.com". Permissions are enabled.
I have the following permission:
Name: manage.permission.client.manageSkfCom
Scopes: manage
Apply Policy: content-managers
Decision Strategy: Unanimous

I have the following policy:
Name: content-managers
Realm Roles:
  Name: Content Manager
  Required: checked
Logic: Positive

When I log in to the admin console as the user cm_g123456, I cannot see any clients. Also, when opening a user I cannot see any client roles in the Available Roles list under Role Mappings.

Best regards
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden | Göteborg
________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131, Box 825, S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From uo67113 at gmail.com Fri Apr 6 03:28:59 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Fri, 6 Apr 2018 09:28:59 +0200 Subject: [keycloak-user] SSO in web and desktop application In-Reply-To: References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com> Message-ID:

Hello Emanuele,

If the client-server app is a browser it should be able to make the SAML authentication request to your IdP and consume the SAMLResponse from your IdP [1].
For this you can use the SAML Java Servlet Filter Adapter [2].

Perhaps I am missing something, sorry...

Hope it helps,
Luis

[1] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings|outline
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter

2018-04-05 19:14 GMT+02:00 Emanuele Gesuato:
> Hi Subodh,
> it is what I thought, but it looks like the REST API is available only for OpenID, not for the SAML protocol. [...]

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From Marcel.Nemet at gmail.com Fri Apr 6 05:16:26 2018 From: Marcel.Nemet at gmail.com (Marcel Német) Date: Fri, 6 Apr 2018 11:16:26 +0200 Subject: [keycloak-user] Poor/buggy TypeScript adapter implementation Message-ID:

At the moment, there are multiple projects on GitHub which try to bring advanced Keycloak functionality into Angular 2+ projects.
There are projects which are based on the official Keycloak JavaScript adapter (these projects copy files from or import the official JavaScript adapter), for example:
https://github.com/ssilvert/keycloak-schematic (works with Angular 2+)
and
https://github.com/mauriciovigolo/keycloak-angular (works with Angular 4.3+ and provides the implementation for the great HttpInterceptor (Angular 4.3+) in order to add bearer tokens to HTTP requests)

Both of these projects are missing the implementation of the Authorization flow, and it is not easy to implement this when one tries to use the official Keycloak JavaScript adapter with TypeScript. For example, KeycloakAuthorization returns undefined when constructed and does not return an observable after executing the async HTTP request to /.well-known/uma-configuration.

There is another project: https://github.com/ebondu/angular2-keycloak which is not using the official Keycloak JavaScript adapter. Instead, the authors have rewritten the code from the official JS adapter into TypeScript. It seems to address issues which I was not able to solve with the official JavaScript adapter. For example, it notifies the initialization of the Authorization object (see https://github.com/ebondu/angular2-keycloak/blob/b8dd423fefc98305ac2f2f9efd1178020a8a2966/src/services/keycloak.auth.service.ts#L154).

But this project is not updated as often as the official JavaScript adapter. For example, it does not support UMA 2, which is coming with 4.0.0.

I believe it would be good to invest some effort into making the basic Keycloak JavaScript adapter work well with Angular/TypeScript. There is clearly interest in building good libraries, but these have to be based on a working, official and updated basic adapter. One option would be to pull the code from https://github.com/ebondu/angular2-keycloak. Or endorse some working implementation for TypeScript.
issue: https://issues.jboss.org/browse/KEYCLOAK-7021

Best regards
--
Marcel Német
marcel.nemet at gmail.com

From Emanuele.Gesuato at finantix.com Fri Apr 6 05:51:28 2018 From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato) Date: Fri, 6 Apr 2018 09:51:28 +0000 Subject: [keycloak-user] SSO in web and desktop application In-Reply-To: References: , <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com><201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com> Message-ID: <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com>

From subodhcjoshi82 at gmail.com Fri Apr 6 06:04:59 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 6 Apr 2018 15:34:59 +0530 Subject: [keycloak-user] SSO in web and desktop application In-Reply-To: <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com> References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com> Message-ID:

Emanuele Gesuato, looks like some issue with your email client/server.

On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato at finantix.com> wrote:
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From Emanuele.Gesuato at finantix.com Fri Apr 6 06:38:35 2018 From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato) Date: Fri, 6 Apr 2018 12:38:35 +0200 Subject: [keycloak-user] SSO in web and desktop application In-Reply-To: References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com><201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com><201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com> Message-ID:

sorry for my email issue
*****************
Hi there,

the client-server app is a browser application where we are using the keycloak-saml Tomcat 7 adapter. Your link refers to a Java servlet application that doesn't have an adapter for that servlet platform. Am I missing something in your answer?

thanks,
Emanuele Gesuato
Software specialist
Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype: emanuelegesuato_work

CONFIDENTIALITY NOTICE - The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system.
Finantix is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

From: Subodh Joshi To: Emanuele Gesuato Cc: keycloak-user Date: 06/04/2018 12:11 Subject: Re: [keycloak-user] SSO in web and desktop application Sent by: keycloak-user-bounces at lists.jboss.org
> Emanuele Gesuato, looks like some issue with your email client/server. [...]

From sthorger at redhat.com Fri Apr 6 07:04:14 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 6 Apr 2018 13:04:14 +0200 Subject: [keycloak-user] Poor/buggy TypeScript adapter implementation In-Reply-To: References: Message-ID:

As I mentioned on the JIRA, there are official TypeScript definitions in the official keycloak.js package - https://www.npmjs.com/package/keycloak-js. Have you tried these? If there are issues in those, fixes would be welcome.

On 6 April 2018 at 11:16, Marcel Német wrote:
> At the moment, there are multiple projects on GitHub which try to bring advanced Keycloak functionality into Angular 2+ projects. [...]
> issue: https://issues.jboss.org/browse/KEYCLOAK-7021

From psilva at redhat.com Fri Apr 6 07:59:04 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 6 Apr 2018 08:59:04 -0300 Subject: [keycloak-user] Set up fine grained permissions In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC684011864A1@DE-CM-MBX26.corp.capgemini.com> References: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com> <31225E3A2F1E0E43BA9272CBEBDCC684011864A1@DE-CM-MBX26.corp.capgemini.com> Message-ID:

Hi Daniel,

Did you try to configure the "view" permission for your client? Try to define the same policy for the "view" permission just like you did for the "manage" permission. It may look strange as you already have the "manage" permission granting you access, but that is how it works.

Let me know if it works and we'll create a JIRA to discuss the problem in more detail.

On Fri, Apr 6, 2018 at 3:33 AM, Hammarberg, Daniel <daniel.hammarberg at capgemini.com> wrote:
> Hi all,
> Does anyone have any input on this? We are really stuck on this one... [...]

From ssilvert at redhat.com Fri Apr 6 08:30:42 2018 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 6 Apr 2018 08:30:42 -0400 Subject: [keycloak-user] Poor/buggy TypeScript adapter implementation In-Reply-To: References: Message-ID: <32614c2e-4001-cb6f-f731-f745c35acc52@redhat.com>

I totally agree that we need to coalesce around one project for this. I've intended that keycloak-schematic would become that project and that it would be moved in under the official Keycloak umbrella. I still think that is what should happen. And we should also take the best ideas (and even code) from these other projects as we go.

I don't agree with the idea of having a separate TypeScript adapter. As we all know, TypeScript is just transpiled to JavaScript. So it makes more sense to enhance the JavaScript adapter than to have two adapters that go in different directions. That way, core functionality always has just one code base.

The TypeScript/Angular project should focus on making that JavaScript adapter easier to use and better integrated into an Angular environment. So the TypeScript/Angular project becomes all about type defs, wrappers, and services built on top of the JavaScript adapter.

Stan

On 4/6/2018 5:16 AM, Marcel Német wrote:
> At the moment, there are multiple projects on GitHub which try to bring advanced Keycloak functionality into Angular 2+ projects. [...]
> issue: https://issues.jboss.org/browse/KEYCLOAK-7021

From tdockendorf at osc.edu Fri Apr 6 08:38:09 2018 From: tdockendorf at osc.edu (Dockendorf, Trey) Date: Fri, 6 Apr 2018 12:38:09 +0000 Subject: [keycloak-user] Handling disabled users from LDAP Message-ID:

Currently we use Keycloak as an IdP tied to our LDAP environment. We are curious how we would go about having Keycloak reject logins from accounts we deem disabled in LDAP. Disabled could be for many reasons, one of which is password expiration. I see I could add a filter to our User Federation for LDAP, but the user would likely just show up as not found and get no kind of "Your account is disabled" message, I presume.

Thanks,
- Trey
--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

From Athulya.Pillai at cybertech.com Fri Apr 6 08:44:07 2018 From: Athulya.Pillai at cybertech.com (Athulya Pillai) Date: Fri, 6 Apr 2018 12:44:07 +0000 Subject: [keycloak-user] Keycloak with nginx proxy Message-ID: <5D7282EF8AC38B41BA812672DABBF6B6D0C6B8B7@CSSLEX1.Cybertech.Com>

Keycloak redirect URL with nginx is going to http rather than https.

I have deployed the Keycloak Docker image in Ubuntu along with the parameter proxy-address-forwarding=true. Now Keycloak is working perfectly with the nginx configuration in SSL (https). Now I have deployed another .NET Core application in Ubuntu. This application is on http and is able to communicate with Keycloak on https for login. However, when the application is hosted on https using nginx, Keycloak shows an invalid redirect URL. The redirect URL is https in the Keycloak configuration; however Keycloak is taking http for the redirect URL.
Please help to resolve.

From khirschmann at huebinet.de Fri Apr 6 11:13:36 2018 From: khirschmann at huebinet.de (Kevin Hirschmann) Date: Fri, 6 Apr 2018 15:13:36 +0000 Subject: [keycloak-user] how to identify groups from userfederation Message-ID: <653518c3a8f34411a45ff7b64b29617a@huebinet.de>

Hello,

is there a way to distinguish the groups which have been imported by a group mapper from the groups created via the Keycloak UI? Users have a federationLink, which is not set when they haven't been imported. The reason is that I do not want users to edit imported groups, but I want to allow it for groups they have created in Keycloak.

Thanks and have a nice weekend

Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
Telephone: +49 (0) 261 / 5 00 86 - 17
Fax: +49 (0) 261 / 5 00 86 - 29
E-Mail: kevin.hirschmann at huebinet.de
Internet: www.huebinet.de
HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
Personally liable partner of the KG: HUEBINET GmbH; registered office and court of registration: Koblenz HRB 6857
Management: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.
From Emanuele.Gesuato at finantix.com Fri Apr 6 12:38:02 2018 From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato) Date: Fri, 6 Apr 2018 18:38:02 +0200 Subject: [keycloak-user] SSO in web and desktop application In-Reply-To: References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com> Message-ID: Hi Luis, thanks for your feedback. Is there any way to use some access token in order to identify the current user ? let me recap. I have a web application and a "desktop" application they are both different but they share the same set of users and they are both in the same keycloak realm. When user is logged to web application I would like to trigger some authentication mechanism in order to let user automatically logged when he opens the desktop application. I am using keycloak 3.4.3 with tomcat7 adapter. Both the web application and the server side application of the "desktop" one uses tomcat7 as servlet container (but they are different instances). Of course keycloak server is the same for both. I am not sure how a servlet filter can help me solve this issue ... as I am using the standard tomcat7 keycloak adapter. Thanks for any help, Emanuele From: Luis Rodr?guez Fern?ndez To: Emanuele Gesuato Date: 06/04/2018 17:28 Subject: Re: [keycloak-user] SSO in web and desktop application Hello Emanuele, OK, I see. So if I understand correctly you have "converted" your webapp in a desktop application using something like this https://applicationize.me/ in a dedicated browser with some restrictions. The problem here is that you are requesting the application from a completely different client, it would be the same if you open an incognito window in your browser after login in the siteA. I have done a quick test with one of our SAML applications and I am redirected to the login page of our SSO. 
After authentication the app works perfectly fine. Perhaps you could try to configure that dedicated browser to automatically use the Windows/Kerberos credentials of the logged-in user...

Cheers,
Luis

ps: the servlet filter can work in any servlet container. I am successfully using it in tomcat 9 :)

2018-04-06 12:38 GMT+02:00 Emanuele Gesuato :

sorry for my email issue

*****************

Hi there,

the client-server app is a browser application where we are using the keycloak-saml tomcat7 adapter. Your link refers to a Java servlet application that doesn't have an adapter for that servlet platform. Am I missing something in your answer?

thanks,

Emanuele Gesuato
Software specialist
Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype: emanuelegesuato_work

CONFIDENTIALITY NOTICE - The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Finantix is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

From: Subodh Joshi
To: Emanuele Gesuato
Cc: keycloak-user
Date: 06/04/2018 12:11
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces at lists.jboss.org

Emanuele Gesuato

Looks like some issue with your email client/server.
On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato at finantix.com> wrote:
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From Scotthezzell at benefex.co.uk Fri Apr 6 12:59:40 2018
From: Scotthezzell at benefex.co.uk (Scott Hezzell)
Date: Fri, 6 Apr 2018 16:59:40 +0000
Subject: [keycloak-user] Spring Boot Adapter - change Cache-Control : private header

Hi

Spring Boot Version: 1.5.10.RELEASE
Keycloak Spring Boot Adapter Version: 3.4.3.Final

Is there any way to update the Cache-Control header set to private? Any Cache-Control headers set in my controller are always overridden by the settings set by the Keycloak adapter.

Thanks
Scott

Scott Hezzell
Senior Developer
hellobenefex.com

Benefex Ltd, Mountbatten House, Grosvenor Square, Southampton, SO15 2JU. Registered Number: 04768546

As the sender of this email, we hope that you are the intended addressee and that you are having a nice day. Please take a moment to note that this message may contain information that is confidential or privileged and exempt from disclosure under applicable law. If this wasn't meant for your eyes, please do take the time to let us know and delete this message from all data storage systems.
You should also note that the disclosure or copying of this email, or the use of its contents, is prohibited. Thank you!

This message has been scanned for malware by Websense. www.websense.com

From chris.savory at edlogics.com Fri Apr 6 15:05:00 2018
From: chris.savory at edlogics.com (Chris Savory)
Date: Fri, 6 Apr 2018 19:05:00 +0000
Subject: [keycloak-user] Spring Boot Adapter - change Cache-Control : private header
Message-ID: <854C733D-ABA0-41BF-B6C6-F0EC23560337@edlogics.com>

Have you disabled cache control headers via Spring Security?

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .cors().and()
            .headers()
                .cacheControl().disable();
    }

Then enabled them via your controller?

    return ResponseEntity.ok()
            .cacheControl(CacheControl.maxAge(600, TimeUnit.SECONDS))
            .body(response);

--
Christopher Savory
Software Engineer | EdLogics
From Rens.Verhage at topicus.nl Sat Apr 7 09:52:43 2018
From: Rens.Verhage at topicus.nl (Rens Verhage)
Date: Sat, 7 Apr 2018 13:52:43 +0000
Subject: [keycloak-user] Is it possible to map 'sub' claim of external identity provider to attribute

I have configured an external OIDC identity provider and now want to add a mapper that maps the OIDC sub (subject) claim to a user attribute:

Mapper type: Attribute Importer
Claim: sub
User Attribute Name: test

On my client I have added a mapper that takes this attribute and inserts it into a claim:

Mapper type: User Attribute
User Attribute: test
Token Claim Name: test
Claim JSON Type: String

On login, I expect to see the claim "test" in the other claims collection, but the collection remains empty. Am I doing something wrong or is mapping of sub not supported?

Rens

From Scotthezzell at benefex.co.uk Sat Apr 7 10:06:01 2018
From: Scotthezzell at benefex.co.uk (Scott Hezzell)
Date: Sat, 7 Apr 2018 14:06:01 +0000
Subject: [keycloak-user] Spring Boot Adapter - change Cache-Control : private header
In-Reply-To: <854C733D-ABA0-41BF-B6C6-F0EC23560337@edlogics.com>
References: , <854C733D-ABA0-41BF-B6C6-F0EC23560337@edlogics.com>

Thanks Chris. I wasn't using Spring Security, but I have included it and added the configuration below to disable the cache control headers, and this makes no difference. I also tried a similar configuration with the KeycloakWebSecurityConfigurerAdapter and still the same result. I still get the Cache-Control header set to private. I am using the Spring Boot Keycloak adapter to secure a REST API using Keycloak JWT tokens.
If I make the controller action unsecured I get the ResponseEntity CacheControl configuration as expected.

Cheers
Scott
From orivat at janua.fr Sat Apr 7 13:21:23 2018
From: orivat at janua.fr (orivat)
Date: Sat, 07 Apr 2018 19:21:23 +0200
Subject: [keycloak-user] Is it possible to map 'sub' claim of external identity provider to attribute
Message-ID: <5ac8fe18.04b3df0a.eae43.c7ed@mx.google.com>

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Rens Verhage
Date: 07/04/2018 15:52 (GMT+01:00)
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Is it possible to map 'sub' claim of external identity provider to attribute

From daniel.hammarberg at capgemini.com Mon Apr 9 04:32:04 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Mon, 9 Apr 2018 08:32:04 +0000
Subject: [keycloak-user] Set up fine grained permissions
References: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com> <31225E3A2F1E0E43BA9272CBEBDCC684011864A1@DE-CM-MBX26.corp.capgemini.com>
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401187014@DE-CM-MBX26.corp.capgemini.com>

Hi,

Thanks for the input.
I added the View permission. Still no luck. :-/

Regards
/Daniel

-----Original Message-----
From: Pedro Igor Silva
Sent: 6 April 2018 13:59
To: Hammarberg, Daniel
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Set up fine grained permissions

Hi Daniel,

Did you try to configure the "view" permission for your client? Try to define the same policy for the "view" permission just like you did for the "manage" permission. It may look strange as you already have the "manage" permission granting you access, but it is how it works.

Let me know if it works and we'll create a JIRA to discuss the problem in more detail.

On Fri, Apr 6, 2018 at 3:33 AM, Hammarberg, Daniel <daniel.hammarberg at capgemini.com> wrote:

> Hi all,
>
> Does anyone have any input on this? We are really stuck on this one...
>
> Regards
> /Daniel
>
> -----Original Message-----
> From: Hammarberg, Daniel
> Sent: 3 April 2018 09:58
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Set up fine grained permissions
>
> Hi all,
>
> I am trying to set up fine grained permissions, following the instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
>
> I don't manage to set permissions for a user to view one client. Could anyone help me to find what's missing?
>
> My settings:
>
> In the Users menu:
>
> User cm_g123456 is a member of the group "Content Managers".
> The group Content Managers is mapped to the realm role "Content Manager" and the client roles realm-management -> query-clients and view-users.
> If I open the user cm_g123456 and check the Effective Roles under Role Mappings, I can see that Content Manager is active.
> The user cm_g123456 also has the client role realm-management -> query-clients.
>
> In the Clients menu:
>
> I open my client, "foo.com".
>
> Permissions are enabled.
> I have the following permission:
>
> Name: manage.permission.client.manageSkfCom
> Scopes: manage
> Apply Policy: content-managers
> Decision Strategy: Unanimous
>
> I have the following policy:
>
> Name: content-managers
> Realm Roles:
>   Name: Content Manager
>   Required: checked
> Logic: Positive
>
> When I log in to the admin console as the user cm_g123456, I cannot see any clients. Also, when opening a user I cannot see any client roles in the Available Roles list under Role Mappings.
>
> Best regards
> /Daniel

________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825, S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From pieter at thehyve.nl Mon Apr 9 07:03:16 2018
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Mon, 9 Apr 2018 13:03:16 +0200
Subject: [keycloak-user] Multiple clients, same realm, cross-client REST calls

Basically I need a single session to be valid at 2 different client applications that are connected to the same realm. Not possible?

Pieter Lukasse
E. pieter at thehyve.nl
T. +31(0)30 700 9713
W.
www.thehyve.nl

We empower scientists by building on open source software

2018-04-04 10:40 GMT+02:00 Pieter Lukasse :

> Hi,
>
> I have a use case for the following scenario:
>
> - 2 clients connected to the same Keycloak realm (via SAML)
> - user logs in to the 1st client and opens a webpage that makes REST API calls to both the 1st and 2nd client apps
>
> Currently the calls to the REST API of the 2nd client app fail with a 401 error (not authorized). Any hints on how to get this working? Except for this specific use case, SSO is working across both apps (i.e. when the user is logged in to client 1 and then browses to client 2, he does not need to fill in user name and password again).
>
> Thanks,
>
> Pieter Lukasse
> E. pieter at thehyve.nl
> T. +31(0)30 700 9713
> W. www.thehyve.nl
>
> We empower scientists by building on open source software

From K.Buler at adbglobal.com Mon Apr 9 07:16:02 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Mon, 9 Apr 2018 13:16:02 +0200
Subject: [keycloak-user] Multiple clients, same realm, cross-client REST calls
Message-ID: <6e3369b9-4a32-0809-f928-f94976dceac8@adbglobal.com>

Hi Pieter,

I had a similar problem... check which roles you use on both clients. I recommend using "Realm roles" instead of "Client roles" in this case :)

Karol
adbglobal.com

From simonpayne58 at gmail.com Mon Apr 9 11:20:54 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Mon, 9 Apr 2018 16:20:54 +0100
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1522732009031.20269@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com>

Have you checked that the 'user groups retrieve strategy' on the mapper's config is correct for your needs? Otherwise it might only sync the first time and not when LDAP attributes etc. change.

On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha wrote:

> Hi All,
>
> Could you please check the procedure I followed? What are the further changes to be done for the groups to sync into Keycloak?
> Thanks & Regards,
> Lahari G
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
> Sent: 28 March 2018 10:34
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> Hi Simon,
>
> We have our Keycloak in standalone configuration. I have my Keycloak running as a docker container. I logged into the container and manually changed the standalone.xml, and then restarted the server using the below command:
>
>     docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"
>
> I have all my users synced to Keycloak. Now I have an entry of a user "User1" in Keycloak. This user is not present in any group in LDAP. Now I added the user "User1" to one of the groups in LDAP. Now, since I have set the "Eviction rate", I should get the updated group that the user was recently added to in the Keycloak UI when I check the "GroupMappings" for that particular user.
>
> Why am I not able to see the groups that the user was added to even after setting the eviction time?
>
> Should I log in to any of the applications that are integrated with SSO so that I get the user with their proper groups?
>
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 27 March 2018 14:13
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> If standalone-ha.xml is changed then a restart is necessary.
>
> Simon.
>
> On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:
>
> Hi,
>
> Do we need to reload the Keycloak server after changing the standalone.xml?
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 23 March 2018 20:40
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> If you are referring to the standard entry
>
> I simply added the expiration value to the existing local-cache entry for users
>
> then LRU means least recently used. So it will cache 10,000 users and evict the least recently used when the cache limit is reached. Obviously this will only evict users if you have greater than 10,000 in your system. So in my case I changed to the following
>
> I simply added the expiration value to the existing local-cache entry for users
>
> which will additionally expire entries after 20 minutes.
>
> A full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem
>
> On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha <lahari.guntha at tcs.com> wrote:
>
> Hi,
>
> Thanks Simon.
>
> Does setting "Cache Policy" to the "No Cache" option under "User Federation" make any sense in this case? As shown below?
>
> [inline image]
>
> Could someone explain the "Eviction" policy for the user cache?
>
> What exactly will happen?
>
> Thanks & Regards,
> Lahari G
>
> ________________________________
> From: Simon Payne
> Sent: 16 March 2018 19:06
> To: Lahari Guntha
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Group-Mapping
>
> Hi, we recently experienced similar and found it to be the user cache. There is a setting in the LDAP config which allows you to specify the cache value. However, I found this to take no effect and eventually set a hard eviction rate in the configuration in the standalone-ha.xml for the user cache.
> On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha <lahari.guntha at tcs.com> wrote:
>
> Hi All,
>
> We are using Keycloak version 3.3.0.CR2.
>
> I have my Keycloak integrated with LDAP.
>
> I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured group mappers so that groups from LDAP are also synced to LDAP.
>
> eg:
>
> Users in LDAP: "user1"
> Groups in LDAP: "group1", "group2"
>
> When I log in to one of my applications that is configured to have SSO with Keycloak with user "user1" that is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.
>
> Now I add the user "user1" into another group "group2"...
>
> But now the newly added group is not reflected when I click on User > Group Mapping.
>
> Why is this happening?
>
> What is the solution to continuously and automatically sync the users with the groups they are present in/newly added to?
>
> Thanks,
>
> Lahari
>
> =====-----=====-----=====
> Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments.
> Thank you

From simonpayne58 at gmail.com Mon Apr 9 11:30:55 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Mon, 9 Apr 2018 16:30:55 +0100
Subject: [keycloak-user] mssql deadlock

Hi,

I have been looking at using MSSQL with Keycloak and have done some local performance testing to recreate the deadlocks. I have found that if we create and delete clients whilst simultaneously deleting users, deadlock occurs.

I have also found that changing the transaction isolation level to TRANSACTION_READ_UNCOMMITTED removes the occurrence of the deadlocks.

Is there any reason why I shouldn't use this isolation level? I understand that this level comes with dirty reads, but is there a side effect to this when Keycloak is clustered?

Thanks
Simon.
From mposolda at redhat.com Mon Apr 9 15:17:20 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Apr 2018 21:17:20 +0200
Subject: [keycloak-user] Handling disabled users from LDAP
Message-ID: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com>

What is your Keycloak version? And what is your LDAP vendor? Is it MSAD?

For MSAD, we have builtin support with the MSAD mapper as long as you use the "userAccountControl" attribute to track if a user is enabled/disabled (which is standard for MSAD environments AFAIK).

Marek

On 6.4.2018 at 14:38, Dockendorf, Trey wrote:
> Currently we use Keycloak as an IdP tied to our LDAP environment. We are curious how we would go about having Keycloak reject logins from accounts we deem disabled in LDAP. Disabled could be for many reasons, one of which is password expiration. I see I could add a filter to our User Federation for LDAP, but the user would likely just show up as not found and get no kind of "Your account is disabled" message, I presume.
>
> Thanks,
> - Trey
>
> --
> Trey Dockendorf
> HPC Systems Engineer
> Ohio Supercomputer Center

From mposolda at redhat.com Mon Apr 9 15:19:28 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Apr 2018 21:19:28 +0200
Subject: [keycloak-user] how to identify groups from userfederation
In-Reply-To: <653518c3a8f34411a45ff7b64b29617a@huebinet.de>
References: <653518c3a8f34411a45ff7b64b29617a@huebinet.de>
Message-ID: <8296ac0c-e545-dcc4-f180-ea55411acc04@redhat.com>

There is no straightforward way ATM. We don't have real federation for groups; it's just an import from LDAP.

Marek

On 6.4.2018 at 17:13, Kevin Hirschmann wrote:
> Hello,
>
> Is there a way to distinguish the groups which have been imported by a group mapper from the groups created via the Keycloak UI?
> Users have a federationLink, which is not set when they haven't been imported. The reason is that I do not want users to edit imported groups, but want to allow it for groups they have created in Keycloak.
>
> Thanks and have a nice weekend
>
> Kevin Hirschmann
> HUEBINET Informationsmanagement GmbH & Co. KG
From mposolda at redhat.com Mon Apr 9 15:20:43 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Apr 2018 21:20:43 +0200
Subject: [keycloak-user] IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK during Custom User Federation
Message-ID: <6c694e15-8435-abd5-8d11-635b1219d3a5@redhat.com>

We have an example for a JPA user provider and also a quickstart. I suggest taking a look at the quickstart or example and comparing why it works and yours doesn't.

Marek

On 5.4.2018 at 18:18, Sachin Rastogi wrote:
> Hi all,
>
> We are using Keycloak 3.4.3 and loading users via Custom User Federation from the database. We are using Postgres 9.4.12.
>
> When we are loading users from the database during CustomUserStorageProviderFactory.create(..), we are getting the following exception. It is thrown during con.createStatement():
>
>     13:46:43,385 ERROR [stderr] (default task-8) java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK
>     13:46:43,385 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
>     13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
>     13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
>     13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
>     13:46:43,387 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.createStatement(WrappedConnection.java:340)
>     13:46:43,387 ERROR [stderr] (default task-8) at
>     com.test.service.UserServiceImpl.loadExistingUsers(UserServiceImpl.java:98)
>     13:46:43,387 ERROR [stderr] (default task-8) at com.test.CustomUserStorageProviderFactory.create(CustomUserStorageProviderFactory.java:43)
>
> But if we call loadExistingUsers in the init method of CustomUserStorageProviderFactory, it works fine. Please advise: what are we doing wrong? What is the ideal way of loading existing users in Custom User Federation?
>
> Regards,
> SR

From mposolda at redhat.com Mon Apr 9 15:25:40 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 9 Apr 2018 21:25:40 +0200
Subject: [keycloak-user] Linking pre-existing Keycloak user with LDAP user (without import)
In-Reply-To: <1BD08DED-DE13-456D-B179-6E94DDA02EC4@gmail.com>
References: <1BD08DED-DE13-456D-B179-6E94DDA02EC4@gmail.com>
Message-ID: <39c0fcdd-fd3e-834a-7be8-14f7d70191b5@redhat.com>

This is not supported OOTB. You can do it manually. You may need to create your own REST endpoint implementation, which will somehow allow linking existing users to LDAP users. KC users linked to LDAP should have a "Federation Link" and also some attributes (you can double-check them by looking at some LDAP user and his tab "Attributes" in the Keycloak admin console).

Marek

On 5.4.2018 at 01:09, Mike Wakim wrote:
> Hello,
>
> I have a small question regarding a specific use case with user federation that I am hoping someone can help with. I set up a small LDAP server using the example given in the Keycloak Git repo. I imported the LDAP realm into Keycloak and did the following:
>
> 1. Turn the "enabled" setting off in user federation (temporarily).
> 2. Turn the "import" setting off in user federation.
> 3. Turn the "sync registrations" setting off in user federation.
>
> My use case is the following:
>
> I would like to create a user (e.g.
> bwilson) manually in Keycloak, and I would like to assign to that user custom roles as needed. However, this user (e.g. bwilson) is a user that already exists in my LDAP server. If I enable user federation and try to log in using this user, Keycloak by default will only check the Keycloak DB, and will not try to authenticate this username through user federation. Is there any way for me to link the manually created "bwilson" user with the "bwilson" user that already exists in LDAP? I'm mainly interested in linking the roles that appear in the Keycloak DB; I would like the user to log in using his LDAP credentials.
>
> I am aware that if I "import" users from LDAP into Keycloak, I can go to a user's settings and add roles to that user as needed. However, if I have a pre-existing user in the Keycloak DB, can I link this user to the user with the same username in LDAP (without importing)? Any assistance would be much appreciated!
>
> Thanks,
>
> Mike

From lahari.guntha at tcs.com Tue Apr 10 01:42:42 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Tue, 10 Apr 2018 05:42:42 +0000
Subject: [keycloak-user] Group-Mapping
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com>
Message-ID: <1523338962307.3970@tcs.com>

Hi Simon,

I have selected "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" for my 'user groups retrieve strategy'. Using this, the User-Group mapping is done only for the first time, i.e. if the user is added to or removed from any group it is not getting reflected in Keycloak.

I cannot select "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" because it is only suitable for "Active Directory" and we are using OpenLDAP.

Should I change the configuration??
Thanks & Regards,
Lahari

________________________________
From: Simon Payne
Sent: 09 April 2018 20:50
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

have you checked the 'user groups retrieve strategy' on the mappers config is correct for your need?

otherwise it might only sync on first time and not when LDAP attributes etc change.

On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha wrote:

Hi All,

Could you please check the procedure I followed?? What are the further changes to be done for the groups to sync into Keycloak??

Thanks & Regards,
Lahari G
________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 28 March 2018 10:34
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Hi Simon,

We have our Keycloak in standalone configuration. I have my Keycloak running as a docker container. I logged into the container and manually changed the standalone.xml, and then restarted the server using the below command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

I have all my users synced to Keycloak. Now I have an entry of a user "User1" in Keycloak. This user is not present in any group in LDAP. Now I added the user "User1" to one of the groups in LDAP. Now, since I have set the "Eviction rate", I should get the updated group that the user was recently added to in the Keycloak UI when I check the "Group Mappings" for that particular user.

Why am I not able to see the groups that the user was added to even after setting the eviction time??

Should I log in to any of the applications that are integrated with SSO so that I get the user with their proper groups???

Thanks & Regards,
Lahari G
________________________________
From: Simon Payne
Sent: 27 March 2018 14:13
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if standalone-ha.xml is changed then a restart is necessary.

Simon.

On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:

Hi,

Do we need to reload the Keycloak server after changing the standalone.xml???

Thanks & Regards,
Lahari G
________________________________
From: Simon Payne
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

if you are referring to the standard entry

I simply added the expiration value to the existing local-cache entry for users

then LRU means least recently used. so it will cache 10,000 users and evict the least recently used when the cache limit is reached. obviously this will only evict users if you have greater than 10,000 in your system. So in my case i changed to the following

I simply added the expiration value to the existing local-cache entry for users

which will additionally expire entries after 20 minutes.

full explanation can be found here https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:

Hi,

Thanks Simon.

Does setting "Cache Policy" to the "No Cache" option under "User Federation" make any sense in this case?? as shown below?

[inline image omitted]

Could someone explain the "Eviction" policy for user cache?? What exactly will happen???

Thanks & Regards,
Lahari G
________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

hi, we recently experienced similar and found it to be user cache. there is a setting in the ldap config which allows you to specify the cache value.
however, i found this to take no effect and eventually set a hard eviction rate in the configuration in the standalone-ha.xml for user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:

Hi All,

We are using Keycloak version 3.3.0.CR2.

I have my Keycloak integrated with LDAP.

I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak. I have also configured Group mappers so that groups from LDAP are also synced to LDAP.

eg:

Users in LDAP: "user1"
Groups in LDAP: "group1", "group2"

When I log in to one of my applications that is configured to have SSO with Keycloak with user "user1" that is present in group "group1", that user entry gets shown in the Keycloak UI page and we can also see the groups mapped to it.

Now I add the user "user1" into another group "group2"...

But now the newly added group is not reflected when I click on User > Group Mapping.

Why is this happening??

What is the solution to continuously and automatically sync the users with the groups they are present in or newly added to????

Thanks,
Lahari
From simonpayne58 at gmail.com Tue Apr 10 02:37:28 2018
From: simonpayne58 at gmail.com (Simon Payne)
Date: Tue, 10 Apr 2018 07:37:28 +0100
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1523338962307.3970@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com>

It's hard to tell you whether to change or not without knowing what your LDAP setup looks like. The next thing I would check is where the relationship between the user and the group is stored. Group and User will both have a membership attribute. Make sure you are selecting the correct membership LDAP attribute for the chosen DN.

On Tue, Apr 10, 2018 at 6:42 AM, Lahari Guntha wrote:
> Hi Simon,
>
> I have selected "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" for my 'user
> groups retrieve strategy'. Using this, the User-Group mapping is done only
> for the first time, i.e. if the user is added to or removed from any group it
> is not getting reflected in Keycloak.
>
> I cannot select "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" because it
> is only suitable for "Active Directory" and we are using OpenLDAP.
>
> Should I change the configuration??
>
> Thanks & Regards,
>
> Lahari
From erlend at hamnaberg.net Tue Apr 10 03:43:33 2018
From: erlend at hamnaberg.net (Erlend Hamnaberg)
Date: Tue, 10 Apr 2018 09:43:33 +0200
Subject: [keycloak-user] Reset Password flow

Hello list.

We would like to be able to have a different screen than the login screen with a message after reset-password. We would like a separate page with something like:

//Start page
*Check your email*
You have been sent an email with a link to reset your password; this link expires in one minute.
button[Go to login]
//end page

Then a javascript timeout will bring you back to the login page after 30 secs or so.

Is this possible to get to work without modifying org.keycloak.authentication.authenticators.resetcred.ResetCredentialEmail to display a success message instead of resetting the authentication flow?

We don't want to make it possible to guess usernames or emails, so we will display that screen every time instead of immediately being thrown back to the login screen.

Are there any security implications with doing it this way?

/Erlend

From pinguwien at gmail.com Tue Apr 10 04:03:43 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 10 Apr 2018 10:03:43 +0200
Subject: [keycloak-user] How to get rid of the basic auth window appearing when logging in on windows machines with SPNEGO / Kerberos login?

Hi,

I have a very weird behaviour here. I am using an ldap federation provider and SPNEGO with its respective WWW-Authenticate: Negotiate header to enable auto-login.

Now everything worked fine in our staging environments, but in production (damn! there's no place like...), there's suddenly a Basic Auth window appearing in Chrome (win7) and Edge/Chrome (win10). When pressing "cancel", the auth call is returning a 401 and falling back to the login page.

But: After this, when I re-open the page which should automatically log me in, in another tab or in the same tab, it suddenly works.
Does anyone have some info about that? I am out of ideas, sadly.

Best regards,
Dominik

From eferron at outlook.fr Tue Apr 10 05:26:13 2018
From: eferron at outlook.fr (Elie Ferron)
Date: Tue, 10 Apr 2018 09:26:13 +0000
Subject: [keycloak-user] Listen on specific ip address

Hello,

Currently, my Keycloak server listens on localhost:8443 but I wish it to listen on ServerIp:8443. Where can this be configured?

Thank you in advance,

From blackbellamy at posteo.de Tue Apr 10 06:32:56 2018
From: blackbellamy at posteo.de (BlackBellamy)
Date: Tue, 10 Apr 2018 12:32:56 +0200
Subject: [keycloak-user] Listen on specific ip address

I think running standalone.sh/bat with the argument -b=ServerIp should do it.

On 04/10/2018 11:26 AM, Elie Ferron wrote:
> Currently, my Keycloak server listens on localhost:8443 but I wish it to listen on ServerIp:8443. Where can this be configured?

From corentin.dupont at gmail.com Tue Apr 10 07:09:21 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 10 Apr 2018 13:09:21 +0200
Subject: [keycloak-user] Entitlement request with additional parameters

Hi guys,
I use the entitlement API to check access control on my resources. Here I check if a user can update a sensor:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [
        "sensors:update"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

But I would like to make complex policies that check additional parameters, such as sensor status etc.
How can I pass along the additional parameters to the request, and use them in my policies? I use javascript policies mainly.
Thanks
Corentin

From eivind at jotta.no Tue Apr 10 07:17:03 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Tue, 10 Apr 2018 07:17:03 -0400
Subject: [keycloak-user] Mapping identity provider ID (sub) to user attribute

Hi.

I have set up a realm using another Keycloak as OIDC identity provider. So we have a setup:

client -> keycloak A -> keycloak B

Where we control A but not B.

Since we have a custom integration with this provider from before, I need to get the id of the provided identity (B.sub) into the access token produced by A to remain backward compatible with our data.

To accomplish this, I followed the outline from:
https://lists.jboss.org/pipermail/keycloak-user/2017-October/012132.html

where a mapper ("Attribute importer") is added to the identity provider, which should import claim "sub" as a user attribute. We would then import claim "sub" into user attribute "sub", then for the client, map user attribute "sub" to claim "provider_id" in the access token.

However, no value is imported from the identity no matter which claims or attribute I map to/from. Only the hardcoded values seem to show up when I list the attributes of the user in the admin console.

Can anyone confirm if this should work, and what I should try next? I have tried importing claim sub from the provided identity into many different custom user attributes to no avail.

From psilva at redhat.com Tue Apr 10 08:20:24 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 10 Apr 2018 09:20:24 -0300
Subject: [keycloak-user] Entitlement request with additional parameters

Hi Corentin,

We are adding support for "pushed claims". That is the main task I'm working on right now. If you want to track the changes being made and provide any feedback, please watch https://issues.jboss.org/browse/KEYCLOAK-4903.

So far, I have enabled pushing claims when using UMA and permission tickets.
As you might know, with the introduction of UMA 2.0 there is no specific endpoint for entitlements anymore. Now permissions are evaluated using the token endpoint.

The next step is to enable "pushed claims" for non-UMA requests (without permission tickets, just like the old entitlement API).

On Tue, Apr 10, 2018 at 8:09 AM, Corentin Dupont wrote:
> Hi guys,
> I use the entitlement API to check access control on my resources. Here I
> check if a user can update a sensor:
>
> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{ "permissions" : [ { "resource_set_name" : "Sensors", "scopes" : [ "sensors:update" ] } ] }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>
> But I would like to make complex policies that check additional parameters,
> such as sensor status etc.
> How can I pass along the additional parameters to the request, and use them
> in my policies? I use javascript policies mainly.
>
> Thanks
> Corentin

From tdockendorf at osc.edu Tue Apr 10 09:30:46 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Tue, 10 Apr 2018 13:30:46 +0000
Subject: [keycloak-user] Handling disabled users from LDAP
In-Reply-To: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com>
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com>

We are on Keycloak 3.4.2 using OpenLDAP 2.4.40. We have implemented the ppolicy overlay on the server side to deny authenticated binds when someone's password has expired, but we have custom attributes like loginDisabled that also dictate if someone should be granted access.

Thanks,
- Trey

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

On 4/9/18, 3:17 PM, "Marek Posolda" wrote:
> What is your Keycloak version? And what is your LDAP vendor? Is it MSAD?
> For MSAD, we have builtin support with the MSAD mapper as long as you use the "userAccountControl" attribute to track if a user is enabled/disabled (which is standard for MSAD environments AFAIK).
>
> Marek
>
> On 6.4.2018 at 14:38, Dockendorf, Trey wrote:
> > Currently we use Keycloak as an IdP tied to our LDAP environment. We are curious how we would go about having Keycloak reject logins from accounts we deem disabled in LDAP. Disabled could be for many reasons, one of which is password expiration. I see I could add a filter to our User Federation for LDAP, but the user would likely just show up as not found and get no kind of "Your account is disabled" message I presume.
> >
> > Thanks,
> > - Trey
> >
> > --
> > Trey Dockendorf
> > HPC Systems Engineer
> > Ohio Supercomputer Center

From kitowskikamil at gmail.com Tue Apr 10 10:18:49 2018
From: kitowskikamil at gmail.com (Kamil Kitowski)
Date: Tue, 10 Apr 2018 14:18:49 +0000
Subject: [keycloak-user] SpringBoot 2 Support and best practices

Hello everyone!
I'm completely new around here and I'm sorry if I did anything wrong.

Is there any information about possible SpringBoot 2 support via adapters? It's been over a month since its release and Keycloak released 4.0.0.Beta1, which should contain merged changes from several pull requests about spring-boot 2 support; however, there is no keycloak-spring-boot-2-starter (or adapter) artifact available on public maven repos. Am I missing something (like an additional repository) or are there some issues with said adapter?

It works quite fine running on my local build, but I don't want to add *.jar to my git repo.

Also a minor question about best practices. Is it bad that I combine keycloak-spring-boot-2-adapter and keycloak-spring-security-adapter?
I like defining the Keycloak connection configuration via spring properties, but I'd rather configure security using spring-security-like configuration.

Best regards.
--
Kitowski Kamil

From mposolda at redhat.com Tue Apr 10 10:42:13 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 10 Apr 2018 16:42:13 +0200
Subject: [keycloak-user] Handling disabled users from LDAP
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com>
Message-ID: <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com>

I think you would either need to use the User Attribute LDAP Mapper, but I'm not sure if it's possible. I am not 100% sure about your LDAP structure. Or you need to implement a custom LDAP Storage mapper then.

Marek

On 10.4.2018 at 15:30, Dockendorf, Trey wrote:
> We are on Keycloak 3.4.2 using OpenLDAP 2.4.40. We have implemented the ppolicy overlay on the server side to deny authenticated binds when someone's password has expired, but we have custom attributes like loginDisabled that also dictate if someone should be granted access.
>
> Thanks,
> - Trey

From sblanc at redhat.com Tue Apr 10 10:43:42 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 10 Apr 2018 16:43:42 +0200
Subject: [keycloak-user] SpringBoot 2 Support and best practices

Hi Kamil,

The Spring Boot 2 work has been merged into master just after Beta1, so it missed the release but it will be included in the next release.

Regarding SB2 and Spring Security, both will still work together and what you are doing is not considered a bad practice.

Sebi

On Tue, Apr 10, 2018 at 4:18 PM, Kamil Kitowski wrote:
> Hello everyone!
> I'm completely new around here and I'm sorry if I did anything wrong.
>
> Is there any information about possible SpringBoot 2 support via adapters?
From tdockendorf at osc.edu Tue Apr 10 12:06:19 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Tue, 10 Apr 2018 16:06:19 +0000
Subject: [keycloak-user] Handling disabled users from LDAP
In-Reply-To: <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com>
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com> <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com>
Message-ID: <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>

With either approach it sounds like what you're describing is getting the loginDisabled attribute into Keycloak. Once that attribute is stored, how would I go about telling Keycloak to disallow access based on the attribute's value? Below is an example of an LDAP record where login should be disabled.
Thanks,
- Trey

dn: cn=,ou=People,
displayName: first last
employeeType: REGULAR
gecos: first last
ou: OSC Operations
cn:
employeeStatus: ACTIVE
gidNumber: 103
company: Ohio Supercomputer Center
uid:
mail:
homeDirectory: /users/
title: Employee
uidNumber: 20821
sn: lastname
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: oscUser
objectClass: shadowAccount
givenName: firstname
jobCode: FALSE
loginDisabled: TRUE
loginShell: /bin/bash

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

On 4/10/18, 10:42 AM, "Marek Posolda" wrote:
> I think you would either need to use the User Attribute LDAP Mapper, but I'm not sure if it's possible. I am not 100% sure about your LDAP structure. Or you need to implement a custom LDAP Storage mapper then.
>
> Marek

From kitowskikamil at gmail.com Tue Apr 10 13:08:03 2018
From: kitowskikamil at gmail.com (Kamil Kitowski)
Date: Tue, 10 Apr 2018 17:08:03 +0000
Subject: [keycloak-user] SpringBoot 2 Support and best practices

Hi Sebastian,

Thanks for clearing some things up. Now it makes sense.

On Tue, 10.04.2018, 16:43, Sebastien Blanc wrote:
> Hi Kamil,
>
> The Spring Boot 2 work has been merged into master just after Beta1, so it
> missed the release but it will be included in the next release.
>
> Regarding SB2 and Spring Security, both will still work together and what
> you are doing is not considered a bad practice.
>
> Sebi
--
Kitowski Kamil

From daniel.hammarberg at capgemini.com Tue Apr 10 15:27:50 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Tue, 10 Apr 2018 19:27:50 +0000
Subject: [keycloak-user] Set up fine grained permissions
References: <31225E3A2F1E0E43BA9272CBEBDCC684011843CD@DE-CM-MBX26.corp.capgemini.com> <31225E3A2F1E0E43BA9272CBEBDCC684011864A1@DE-CM-MBX26.corp.capgemini.com>
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68401187899@DE-CM-MBX26.corp.capgemini.com>

Hi all,

Thanks to the kind help from Pedro, I found that my problem was that I renamed the permission after creating it. The naming is obviously important -- is there a reason why the name is editable, when editing it breaks the functionality?
Best regards
/Daniel

-----Original Message-----
From: Pedro Igor Silva
Sent: 6 April 2018 13:59
To: Hammarberg, Daniel
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Set up fine grained permissions

Hi Daniel,

Did you try to configure the "view" permission for your client? Try to define the same policy for the "view" permission just like you did for the "manage" permission. It may look strange as you already have the "manage" permission granting you access, but it is how it works.

Let me know if it works and we'll create a JIRA to discuss the problem in more detail.

On Fri, Apr 6, 2018 at 3:33 AM, Hammarberg, Daniel <daniel.hammarberg at capgemini.com> wrote:
> Hi all,
>
> Does anyone have any input on this? We are really stuck on this one...
>
> Regards
> /Daniel
>
>
> -----Original Message-----
> From: Hammarberg, Daniel
> Sent: 3 April 2018 09:58
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Set up fine grained permissions
>
> Hi all,
>
> I am trying to set up fine grained permissions, following the
> instructions at http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
>
> I don't manage to set permissions for a user to view one client. Could
> anyone help me to find what's missing?
>
> My settings:
>
> In the Users menu:
>
> User cm_g123456 is a member of the group "Content Managers".
> The group Content Managers is mapped to the realm role "Content Manager"
> and the client roles realm-management -> query-clients and view-users.
> If I open the user cm_g123456 and check the Effective Roles under Role
> Mappings, I can see that Content Manager is active.
> The user cm_g123456 also has the client role realm-management ->
> query-clients
>
> In the Clients menu:
>
> I open my client, "foo.com".
>
> Permissions are enabled.
> I have the following permission:
>
> Name: manage.permission.client.manageSkfCom
> Scopes: manage
> Apply Policy: content-managers
> Decision Strategy: Unanimous
>
> I have the following policy:
>
> Name: content-managers
> Realm Roles:
>   Name: Content Manager
>   Required: checked
> Logic: Positive
>
> When I log in to the admin console as the user cm_g123456, I cannot
> see any clients. Also, when opening a user I cannot see any client
> roles in the Available Roles list under Role Mappings.
>
> Best regards
> /Daniel

From ebenzacar at gmail.com Tue Apr 10 17:58:57 2018
From: ebenzacar at gmail.com (Eric B)
Date: Tue, 10 Apr 2018 17:58:57 -0400
Subject: [keycloak-user] Is there an Event I can trap in KeyCloak when an account status is changed? (ie: temporary locks)

Hi,

I'm using KeyCloak 3.4.3.FINAL and looking to see if there is any way I can capture when an account is temporarily locked/unlocked. I was hoping to write an EventListener that would trigger based on an event type, but I can't seem to find anything that fires when the account is locked or unlocked.
Is there such an Event in Keycloak? If not, is there a way I can add my own custom events? I'd be okay with trapping an AccountModified event and working with that, but the only event I see fired is the LOGIN_ERROR, which doesn't tell me if the account is being temporarily disabled. Furthermore, I can't see any events being fired when the account is re-enabled.

Thanks,

Eric

From michael at stroeder.com Wed Apr 11 03:47:21 2018
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 11 Apr 2018 09:47:21 +0200
Subject: [keycloak-user] Handling disabled users from LDAP
In-Reply-To: <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com> <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com> <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>

Dockendorf, Trey wrote:
> With either approach it sounds like what you're describing is getting
> the loginDisabled attribute into Keycloak. Once that attribute is
> stored, how would I go about telling Keycloak to disallow access
> based on the attribute's value?

With OpenLDAP's ACLs you should grant auth access to 'userPassword' for anonymous based on the value of your custom loginDisabled attribute. With such an ACL keycloak does not have to know about that attribute at all. And all LDAP-enabled applications will behave the same without reconfiguration.

OpenLDAP details are off-topic here. You could ask for ACL details on the openldap-technical mailing list.

Ciao, Michael.

From mposolda at redhat.com Wed Apr 11 05:14:09 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 11 Apr 2018 11:14:09 +0200
Subject: [keycloak-user] Handling disabled users from LDAP
In-Reply-To: <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com> <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com> <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>

I think you will need to implement your own LDAP mapper for this.
You can take a look at some existing mappers for inspiration (for example MSADUserAccountControlStorageMapper).

Marek

On 10.4.2018 at 18:06, Dockendorf, Trey wrote:
> With either approach it sounds like what you're describing is getting the loginDisabled attribute into Keycloak. Once that attribute is stored, how would I go about telling Keycloak to disallow access based on the attribute's value?
>
> Below is an example of an LDAP record where login should be disabled.

From vrinda.nayak at j4care.com Wed Apr 11 05:44:58 2018
From: vrinda.nayak at j4care.com (vrinda nayak)
Date: Wed, 11 Apr 2018 11:44:58 +0200
Subject: [keycloak-user] Keycloak JWT modification and logging

Hello All,

We use Keycloak standalone system as authentication server. On our client/server side we have just installed the Keycloak Adapter.
For certain tests, we need to change the values of the 'aud', 'sub', 'nbf', 'exp' parameters in the Json Web Token.
Also for one test, we need to send back an unsigned token to the client.
Can someone please advise how this can be achieved? Also, which logger would I need to set to DEBUG/TRACE in standalone.xml, to be able to see the JWT parameters and their values in the response sent back to the client?

Thanks in advance.
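Taking up Marek's pointer above (a custom LDAP mapper modelled on MSADUserAccountControlStorageMapper) for Trey's loginDisabled attribute, here is an added example of such a mapper; it is not code from the thread or from the Keycloak project. The package, class and provider-id names are hypothetical, and the SPI signatures (AbstractLDAPStorageMapper, LDAPObject, LDAPQuery, UserModelDelegate) are assumed to be those of the Keycloak 3.4 keycloak-ldap-federation module.

```java
// Added example, not code from the thread or the Keycloak project: a custom LDAP
// storage mapper that turns "loginDisabled: TRUE" (the attribute in Trey's record)
// into a disabled Keycloak user. Package, class and provider-id names are hypothetical;
// the SPI types are assumed to match Keycloak 3.4's keycloak-ldap-federation module.
package org.example.keycloak.ldap;

import java.util.Collections;
import java.util.List;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapperFactory;

public class LoginDisabledLDAPStorageMapper extends AbstractLDAPStorageMapper {

    /** Custom attribute from the thread's LDAP record; an explicit TRUE denies login. */
    public static final String LOGIN_DISABLED_ATTR = "loginDisabled";

    public LoginDisabledLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider) {
        super(mapperModel, ldapProvider);
    }

    /**
     * Only an explicit TRUE disables the account; a missing attribute leaves it
     * enabled. Invert that choice if the directory guarantees the attribute is always set.
     */
    static boolean isLoginDisabled(LDAPObject ldapUser) {
        return "TRUE".equalsIgnoreCase(ldapUser.getAttributeAsString(LOGIN_DISABLED_ATTR));
    }

    /** Ask for the attribute explicitly; otherwise the LDAP query does not return it. */
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        query.addReturningLdapAttribute(LOGIN_DISABLED_ATTR);
    }

    /** Import and periodic sync: persist the enabled flag on the local Keycloak user. */
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        user.setEnabled(!isLoginDisabled(ldapUser));
    }

    /** Read-only mapping: nothing is written back to LDAP when a user registers. */
    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel localUser, RealmModel realm) {
        // intentionally empty
    }

    /**
     * Lookups that reach LDAP go through this proxy, so a flag changed in the
     * directory after import is honoured without waiting for the next sync.
     */
    @Override
    public UserModel proxy(final LDAPObject ldapUser, UserModel delegate, RealmModel realm) {
        return new UserModelDelegate(delegate) {
            @Override
            public boolean isEnabled() {
                return super.isEnabled() && !isLoginDisabled(ldapUser);
            }
        };
    }
}

// --- LoginDisabledLDAPStorageMapperFactory.java (second file of the same module) ---
// Register the factory in META-INF/services/org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory;
// it then shows up under User Federation > LDAP > Mappers as mapper type "login-disabled-ldap-mapper".
public class LoginDisabledLDAPStorageMapperFactory extends AbstractLDAPStorageMapperFactory {

    public static final String PROVIDER_ID = "login-disabled-ldap-mapper";

    @Override
    protected AbstractLDAPStorageMapper createMapper(ComponentModel mapperModel, LDAPStorageProvider federationProvider) {
        return new LoginDisabledLDAPStorageMapper(mapperModel, federationProvider);
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getHelpText() {
        return "Disables the Keycloak user when the LDAP attribute loginDisabled is TRUE";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList();
    }
}
```

After adding the mapper to the LDAP provider, a full sync or a fresh login of the user shown in the record above should leave the account disabled in the admin console; a user whose record lacks the attribute stays enabled.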
Vrinda

From subodhcjoshi82 at gmail.com Wed Apr 11 06:15:18 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 11 Apr 2018 15:45:18 +0530
Subject: [keycloak-user] Keycloak JWT modification and logging

For the logger I'm thinking you have to change

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From slelardoux at hotmail.com Wed Apr 11 09:58:01 2018
From: slelardoux at hotmail.com (Simon Lelardoux)
Date: Wed, 11 Apr 2018 13:58:01 +0000
Subject: [keycloak-user] Kerberos auth

Hi everybody!

I am implementing kerberos authentication for my keycloak users, but a problem is blocking me. When I get the page "401 unauthorized", a warning appears: "JavaScript is disabled. We strongly recommend to enable it. You were unable to login via Kerberos. Click the button below to login via an alternative method", and I'm redirected automatically.

Do you know what it is?
Cordially

From bruno at abstractj.org Wed Apr 11 10:22:09 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 11 Apr 2018 11:22:09 -0300
Subject: [keycloak-user] Kerberos auth
Message-ID: <20180411142209.GA8521@abstractj.org>

Maybe you have JavaScript disabled for your browser?

--
abstractj

From suleyman.yildirim at accenture.com Wed Apr 11 11:17:32 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Wed, 11 Apr 2018 15:17:32 +0000
Subject: [keycloak-user] Keycloak IDP Brokering + Spring Boot/Angular

Hi all,

As a novice in security and Keycloak, I have set up Keycloak Identity Provider to interact with ADFS using the link http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html. I wonder how we test this setting using Angular and Spring Boot. Some details are below:

We are using Angular 1.x and Spring Boot for the project. I have implemented SSO with OpenID Connect, but the implementation part of SAML is still confusing. There are tutorials for OpenID Connect but not for SAML. How do we send a SAML request to the external ADFS through the IDP broker using Spring Boot/Angular? Do I need to use Java adapters for that?
Best Regards,
Suleyman

From corentin.dupont at gmail.com Wed Apr 11 11:22:03 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 11 Apr 2018 17:22:03 +0200
Subject: [keycloak-user] Entitlement request with additional parameters

Thanks for the info.
So if I understand, I need to upgrade to the UMA endpoint when it is available.
Cheers

On Tue, Apr 10, 2018 at 2:20 PM, Pedro Igor Silva wrote:
> Hi Corentin,
>
> We are adding support for "pushed claims". That is the main task I'm
> working on right now.
>
> If you want to track the changes being made and provide any feedback,
> please watch https://issues.jboss.org/browse/KEYCLOAK-4903. So far, I
> have enabled pushing claims when using UMA and permission tickets. As you
> might know, with the introduction of UMA 2.0 there is no specific endpoint
> for entitlements anymore. Now permissions are evaluated using the token
> endpoint.
> The next step is to enable "pushed claims" for non-UMA requests (without
> permission tickets, just like the old entitlement api).
>
> On Tue, Apr 10, 2018 at 8:09 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> I use the entitlement API to check access control on my resources. Here I
>> check if a user can update a sensor:
>>
>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>   "permissions" : [
>>     {
>>       "resource_set_name" : "Sensors",
>>       "scopes" : [
>>         "sensors:update"
>>       ]
>>     }
>>   ]
>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>
>> But I would like to make complex policies that check additional parameters,
>> such as sensor status etc.
>> How can I pass along the additional parameters to the request, and use them
>> in my policies? I use javascript policies mainly.
>>
>> Thanks
>> Corentin

From ntle at castortech.com Wed Apr 11 11:39:20 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 11 Apr 2018 11:39:20 -0400
Subject: [keycloak-user] How can user change his password after login?

Hello,

We are using Keycloak 3.4.3Final for authentication only, and we want to create a link from the application so that users can change their password after login. I looked at the forgot password flow and see that the page http://localhost:8180/auth/realms/testRealm/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=TI2aayKftXY is what we need. Is there any way to generate this link without the time constraint?
Thank you
Thai

From Rens.Verhage at topicus.nl Wed Apr 11 11:54:45 2018
From: Rens.Verhage at topicus.nl (Rens Verhage)
Date: Wed, 11 Apr 2018 15:54:45 +0000
Subject: [keycloak-user] Passing session information
Message-ID: <40018605-6103-475A-8844-115B3CFAF71D@topicus.nl>

Hi,

I'm using GitHub as an identity provider. For all users that log in through GitHub, I'd like to hardcode a session attribute which will be passed through to my application. In the identity provider settings, I have the option to add a "hard coded session attribute" mapper. In the client settings, I can add a "user session note" mapper. I configured both these mappers on identity provider and client using the same name for the attribute and note. This however doesn't work, and it shouldn't, as from what I understand, session attributes != session notes.

Now I'm stuck: the identity provider only supports mapping session attributes, the client only supports mapping session notes. How can I pass information in the session from provider to client?

Rens

From uo67113 at gmail.com Wed Apr 11 12:58:47 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 11 Apr 2018 18:58:47 +0200
Subject: [keycloak-user] SSO in web and desktop application
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804051357.w35Dv7cT029606@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Hello Emanuele,

Please, forget about the servlet filter; at the beginning I thought that the "client-server application developed in java" was not using any keycloak adaptor, sorry for the confusion.

No, SAML does not provide a token that you can share between different clients. You could think about sharing the cookies between the browser and the "client-server" app, but this is a horrible hack.
I would warn you to avoid this way :)

Me, personally, I would explore these two options:

a) Dedicated browser to automatically use the windows/kerberos credentials of the logged user.
b) Let the dedicated browser redirect the user to the IdP login page. Yes, users have to authenticate, but it will save you a lot of headache...

If you are using chrome there are extensions that apparently let you share sessions between devices (https://chrome.google.com/webstore/detail/sessionbox-free-multi-log/megbklhjamjbcafknkgmokldgolkdfig). You can give it a try, but honestly, I do not like that option very much...

Cheers,

Luis

2018-04-06 18:38 GMT+02:00 Emanuele Gesuato:
> Hi Luis,
>
> thanks for your feedback.
>
> Is there any way to use some access token in order to identify the current
> user?
>
> let me recap.
> I have a web application and a "desktop" application; they are both
> different, but they share the same set of users and they are both in the
> same keycloak realm.
> When the user is logged in to the web application I would like to trigger some
> authentication mechanism in order to let the user be automatically logged in when he
> opens the desktop application.
>
> I am using keycloak 3.4.3 with the tomcat7 adapter. Both the web application
> and the server side application of the "desktop" one use tomcat7 as
> servlet container (but they are different instances). Of course the keycloak
> server is the same for both.
>
> I am not sure how a servlet filter can help me solve this issue ... as I
> am using the standard tomcat7 keycloak adapter.
>
> Thanks for any help,
> Emanuele
>
> From: Luis Rodríguez Fernández
> To: Emanuele Gesuato
> Date: 06/04/2018 17:28
> Subject: Re: [keycloak-user] SSO in web and desktop application
>
> Hello Emanuele,
>
> OK, I see. So if I understand correctly you have "converted" your webapp
> into a desktop application using something like this
> https://applicationize.me/ in a dedicated browser with some restrictions.
>
> The problem here is that you are requesting the application from a
> completely different client; it would be the same if you open an incognito
> window in your browser after logging in to siteA.
>
> I have done a quick test with one of our SAML applications and I am
> redirected to the login page of our SSO. After authentication the app
> works perfectly fine.
>
> Perhaps you could try to configure that dedicated browser to automatically
> use the windows/kerberos credentials of the logged user...
>
> Cheers,
>
> Luis
>
> ps: the servlet filter can work in any servlet container. I am
> successfully using it in tomcat 9 :)
>
> 2018-04-06 12:38 GMT+02:00 Emanuele Gesuato:
>> sorry for my email issue
>> *****************
>>
>> Hi there,
>>
>> client-server app is a browser application where we are using the
>> keycloak-saml tomcat7 adapter.
>>
>> Your link refers to a java servlet application that doesn't have an
>> adapter for that servlet platform.
>>
>> Am I missing something in your answer?
>>
>> thanks,
>>
>> Emanuele Gesuato
>> Software specialist
>>
>> Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype: emanuelegesuato_work
>>
>> From: Subodh Joshi
>> To: Emanuele Gesuato
>> Cc: keycloak-user
>> Date: 06/04/2018 12:11
>> Subject: Re: [keycloak-user] SSO in web and desktop application
>> Sent by: keycloak-user-bounces at lists.jboss.org
>>
>> Emanuele Gesuato Looks like some issue with your email client/server.
>>
>> On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato at finantix.com> wrote:
>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82 at yahoo.co.in
>> http://www.trendsinnews.com
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From john.lewis at geodis.com Wed Apr 11 13:55:55 2018
From: john.lewis at geodis.com (Lewis, John)
Date: Wed, 11 Apr 2018 17:55:55 +0000
Subject: [keycloak-user] (no subject)

Hello,

I'm looking to get some feedback regarding the following:

https://issues.jboss.org/browse/KEYCLOAK-6818
https://stackoverflow.com/questions/49035587/keycloak-creates-an-extra-auth-session-id-cookie-with-a-path-of-auth-when-log

We are getting what appears to be an extra AUTH_SESSION_ID cookie back from the Keycloak server.
The main question is: Is Keycloak supposed to create two AUTH_SESSION_ID cookies for a single session? If not, why are we getting them?

Thanks,
John

From john.lewis at geodis.com Wed Apr 11 17:42:46 2018
From: john.lewis at geodis.com (Lewis, John)
Date: Wed, 11 Apr 2018 21:42:46 +0000
Subject: [keycloak-user] Extra AUTH_SESSION_ID Cookie Returned by Keycloak Server

I neglected to add the Subject in the previous post - sorry about that.

I'm looking to get some feedback regarding the following:

https://issues.jboss.org/browse/KEYCLOAK-6818
https://stackoverflow.com/questions/49035587/keycloak-creates-an-extra-auth-session-id-cookie-with-a-path-of-auth-when-log

We are getting what appears to be an extra AUTH_SESSION_ID cookie back from the Keycloak server.

The main question is: Is Keycloak supposed to create two AUTH_SESSION_ID cookies for a single session? If not, why are we getting them?

Thanks,
John

From gkinkladze at bog.ge Wed Apr 11 21:59:08 2018
From: gkinkladze at bog.ge (Giorgi Kinkladze)
Date: Thu, 12 Apr 2018 01:59:08 +0000
Subject: [keycloak-user] custom registration flow
Message-ID: <3713A928926F9F4DAAF98578FBB3319521C96258@Ex-Mailbox-03.bog.ge>

Hello,

I want to create a new registration flow with multiple pages. I wasn't able to find any documentation about this. (The only documentation I found so far is about extending the existing registration flow; it also says that if I want to write my own registration flow I should implement Authenticator. I have already done that.)

I've read the default registration flow implementation; there are 3 FormAction/FormActionFactory implementations: one for user creation, one for profile info validation and one for password validation. Now I implemented my own validator which extends FormAction and FormActionFactory, but I wasn't able to add this validation in my custom registration flow. How can I do this? If I can't, what is the alternative way to implement my custom registration with multiple pages?
For example, I want the first page of the registration flow to ask for the user's card id (it is a registration flow for a bank user, so he/she must have our bank debit/credit card to register), then I want to check if the card info is valid and display the next page of the registration flow... Should I create a new Authenticator per page or use the same one?

From emeline.chevalier at astre-digital.com Thu Apr 12 02:59:33 2018
From: emeline.chevalier at astre-digital.com (Emeline CHEVALIER)
Date: Thu, 12 Apr 2018 06:59:33 +0000
Subject: [keycloak-user] Restrict access to a client with role

Hi,

I have a realm with many clients. I want to restrict access to one client for users that do not have a role.

Example: MyRealm with Client A to access a server A and Client B to access a server B (SAML configuration). I have many users, but I want only users with the role "AccessB" to be able to access my server B. How to do that?
I tried to create roles, policies... but I'm lost in these configurations.

Keycloak version: 3.4

Regards
Emeline

From hasebullah.ansari at syntlogo.de Thu Apr 12 05:05:48 2018
From: hasebullah.ansari at syntlogo.de (ansarihaseb)
Date: Thu, 12 Apr 2018 02:05:48 -0700 (MST)
Subject: [keycloak-user] How to directly map attributes of a token received from an external IdP to the token generated by Keycloak when sending it to the end-user application, without persisting data in the Keycloak DB?
Message-ID: <1523523948105-0.post@n6.nabble.com>

Hello users,

I have a requirement in Keycloak that I want to send token attributes to the end application through the Keycloak token, but I don't want to store the user or its attributes in the keycloak database. So it means that when a user authenticates through an external broker provider, a token is received by keycloak and then, instead of saving it, Keycloak should generate a token for the end-user application by just reading the token from the external IdP and mapping the attributes.

Cheers!!!

Regards,
Haseb Ansari

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From Emanuele.Gesuato at finantix.com Thu Apr 12 09:49:19 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Thu, 12 Apr 2018 15:49:19 +0200
Subject: [keycloak-user] SSO in web and desktop application
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Hi Luis,

thank you very much for your support, I really appreciate it.

Do you think it would be possible if we use OpenID instead of SAML? Can we share some token in order to "share" authentication among different clients?
Thanks,
Emanuele
> Of course keycloak
> server is the same for both.
>
> I am not sure how a servlet filter can help me solve this issue ... as I
> am using the standard tomcat7 keycloak adapter.
>
> Thanks for any help,
> Emanuele
>
> From: Luis Rodríguez Fernández
> To: Emanuele Gesuato
> Date: 06/04/2018 17:28
> Subject: Re: [keycloak-user] SSO in web and desktop application
>
> Hello Emanuele,
>
> OK, I see. So if I understand correctly you have "converted" your webapp
> in a desktop application using something like this
> https://applicationize.me/ in a dedicated browser with some restrictions.
>
> The problem here is that you are requesting the application from a
> completely different client, it would be the same if you open an incognito
> window in your browser after login in the siteA.
>
> I have done a quick test with one of our SAML applications and I am
> redirected to the login page of our SSO. After authentication the app
> works perfectly fine.
>
> Perhaps you could try to configure that dedicated browser to automatically
> use the windows/kerberos credentials of the logged user...
>
> Cheers,
>
> Luis
>
> ps: the servlet filter can work in any servlet container. I am
> successfully using it in tomcat 9 :)
>
> 2018-04-06 12:38 GMT+02:00 Emanuele Gesuato:
> sorry for my email issue
> *****************
>
> Hi there,
>
> client-server app is a browser application where we are using the
> keycloak-saml tomcat7 adapter.
>
> Your link refers to a java servlet application that doesn't have an
> adapter for that servlet platform.
>
> Am I missing something in your answer ?
>
> thanks,
>
> Emanuele Gesuato
> Software specialist
>
> Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype:
> emanuelegesuato_work
>
> CONFIDENTIALITY NOTICE - The information contained in this communication
> is intended solely for the use of the individual or entity to whom it is
> addressed and others authorized to receive it.
> It may contain confidential
> or legally privileged information. If you are not the intended recipient
> you are hereby notified that any disclosure, copying, distribution or
> taking any action in reliance on the contents of this information is
> strictly prohibited and may be unlawful. If you have received this
> communication in error, please notify us immediately by responding to this
> email and then delete it from your system. Finantix is neither liable for
> the proper and complete transmission of the information contained in this
> communication nor for any delay in its receipt.
>
> From: Subodh Joshi
> To: Emanuele Gesuato
> Cc: keycloak-user
> Date: 06/04/2018 12:11
> Subject: Re: [keycloak-user] SSO in web and desktop application
> Sent by: keycloak-user-bounces at lists.jboss.org
>
> Emanuele Gesuato Looks like some issue with your email client/server.
>
> On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <
> Emanuele.Gesuato at finantix.com> wrote:
>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From slelardoux at hotmail.com Thu Apr 12 10:43:28 2018
From: slelardoux at hotmail.com (Simon Lelardoux)
Date: Thu, 12 Apr 2018 14:43:28 +0000
Subject: [keycloak-user] Problem with kerberos

Hello everyone!

I am new here and I have a Kerberos authentication problem: when it is required in the authentication flow, I remain stuck on a page displaying "Kerberos not configured". Yet the configuration was made on LDAP in user federation. Is the problem on the client or server side?

Thank you for your answers

From aliok at redhat.com Thu Apr 12 10:51:29 2018
From: aliok at redhat.com (Ali Ok)
Date: Thu, 12 Apr 2018 17:51:29 +0300
Subject: [keycloak-user] Keycloak Express middleware VS self signed cert

Resending, after subscribing to Keycloak user list

----------------------------------

(also adding Keycloak ML)

Hi,
I am trying to integrate a Node application with a Keycloak instance running on my local OpenShift cluster.

Node app uses the Keycloak client in this Gist: [1]
Here is the keycloak.json file used in Node app: [2]

When I pass a valid token to the Node app, the Keycloak middleware on the Node app side is trying to get the public key from Keycloak, and I see there is a "self signed certificate in certificate chain" error when the Keycloak lib tries to do this:
"
    // retrieve public KEY and use it to validate token
    this.rotation.getJWK(token.header.kid).then(key => {
"
here: https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L359

2 questions:
- How can I configure the client and the Node app to have the public key already, so that it doesn't go and fetch the public key?
- If the question above doesn't make sense (I can be considered a beginner in this area), how can I make the middleware work with a self-signed cert Keycloak instance?

I prefer the first approach.

Thanks,
Ali

[1]: https://gist.github.com/aliok/8ae2c9d240d09367b59e491677400a96
[2]: https://gist.github.com/aliok/23e93794847ef3493893627ca68e9650

From weil at redhat.com Thu Apr 12 11:07:46 2018
From: weil at redhat.com (Wei Li)
Date: Thu, 12 Apr 2018 16:07:46 +0100
Subject: [keycloak-user] Keycloak Express middleware VS self signed cert

Hi Ali,

I think by default the http module in nodejs doesn't support self-signed certificates. Can you try adding this in the nodejs code:

    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

Thanks.

On Thu, Apr 12, 2018 at 3:51 PM, Ali Ok wrote:
> Resending, after subscribing to Keycloak user list
>
> ----------------------------------
>
> (also adding Keycloak ML)
>
> Hi,
> I am trying to integrate a Node application with a Keycloak instance
> running on my local OpenShift cluster.
>
> Node app uses the Keycloak client in this Gist: [1]
> Here is the keycloak.json file used in Node app: [2]
>
> When I pass a valid token to the Node app, Keycloak middleware on the Node
> app side is trying to get the public key from Keycloak, I see there is
> "self signed certificate in certificate chain" error when Keycloak lib
> tries to do this:
> "
>
> // retrieve public KEY and use it to validate token
> this.rotation.getJWK(token.header.kid).then(key => {
>
> "
> here: https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L359
>
> 2 questions:
> - How can I configure client and the Node app to have the public key
> already, so that it doesn't go and fetch the public key?
> - If question above doesn't make sense (I can be considered a beginner in
> this area), how can I make middleware to work with a self signed cert
> Keycloak instance?
>
> I prefer the first approach.
>
> Thanks,
> Ali
>
> [1]: https://gist.github.com/aliok/8ae2c9d240d09367b59e491677400a96
> [2]: https://gist.github.com/aliok/23e93794847ef3493893627ca68e9650
>

--
WEI LI
Principal SOFTWARE ENGINEER
Red Hat Mobile
weil at redhat.com M: +353862393272

From onlineuser21k at gmail.com Thu Apr 12 20:09:06 2018
From: onlineuser21k at gmail.com (Online User)
Date: Thu, 12 Apr 2018 20:09:06 -0400
Subject: [keycloak-user] Fwd: Access Token Timeout behaviour - Changes between Keycloak 2.5.5 and Keycloak 3.4.1

> How do I know what changed between these versions in subject?
>
> An internal client of mine reports that there is a change in the behaviour
> between these versions.
>
> He is observing in 3.4.1 that keycloak redirects the user to the service
> after access token expiry and before the session timeout, wherein he
> expected to be redirected to the login page.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image-2018-03-29-11-53-44-768.png
Type: image/png
Size: 40193 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180412/6ea60f34/attachment-0001.png

From aliok at redhat.com Fri Apr 13 02:35:25 2018
From: aliok at redhat.com (Ali Ok)
Date: Fri, 13 Apr 2018 09:35:25 +0300
Subject: [keycloak-user] Keycloak Express middleware VS self signed cert

Hi Wei,

Got it, thanks.

On Thu, Apr 12, 2018 at 6:07 PM, Wei Li wrote:
> Hi Ali,
>
> I think by default the http module in nodejs doesn't support self-signed
> certificates. Can you try adding this in the nodejs code:
>
> process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
>
> Thanks.
>
> On Thu, Apr 12, 2018 at 3:51 PM, Ali Ok wrote:
>
>> Resending, after subscribing to Keycloak user list
>>
>> ----------------------------------
>>
>> (also adding Keycloak ML)
>>
>> Hi,
>> I am trying to integrate a Node application with a Keycloak instance
>> running on my local OpenShift cluster.
>>
>> Node app uses the Keycloak client in this Gist: [1]
>> Here is the keycloak.json file used in Node app: [2]
>>
>> When I pass a valid token to the Node app, Keycloak middleware on the
>> Node app side is trying to get the public key from Keycloak, I see there is
>> "self signed certificate in certificate chain" error when Keycloak lib
>> tries to do this:
>> "
>>
>> // retrieve public KEY and use it to validate token
>> this.rotation.getJWK(token.header.kid).then(key => {
>>
>> "
>> here: https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L359
>>
>> 2 questions:
>> - How can I configure client and the Node app to have the public key
>> already, so that it doesn't go and fetch the public key?
>> - If question above doesn't make sense (I can be considered a beginner in
>> this area), how can I make middleware to work with a self signed cert
>> Keycloak instance?
>>
>> I prefer the first approach.
>>
>> Thanks,
>> Ali
>>
>> [1]: https://gist.github.com/aliok/8ae2c9d240d09367b59e491677400a96
>> [2]: https://gist.github.com/aliok/23e93794847ef3493893627ca68e9650
>>
>
> --
> WEI LI
> Principal SOFTWARE ENGINEER
> Red Hat Mobile
> weil at redhat.com M: +353862393272
>

From frederik.schmitt1 at gmx.de Fri Apr 13 05:21:50 2018
From: frederik.schmitt1 at gmx.de (Frederik Schmitt)
Date: Fri, 13 Apr 2018 11:21:50 +0200
Subject: [keycloak-user] Access redirect_uri within Freemarker Template

Is it possible to somehow access the redirect_uri within the login Freemarker template like accessing the current locale?
We want to provide a link using this redirect_uri giving the user the ability to go back to where he came from.

Thanks in advance.

From sthorger at redhat.com Fri Apr 13 05:32:56 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 13 Apr 2018 11:32:56 +0200
Subject: [keycloak-user] Access redirect_uri within Freemarker Template

There's the client base URL for that exact reason. It will allow linking back to the app. It's not really a good idea to use the redirect URI as that is not always the application page, but can rather be a special OAuth callback URL.

On 13 April 2018 at 11:21, Frederik Schmitt wrote:
> Is it possible to somehow access the redirect_uri within the login
> Freemarker template like accessing the current locale?
>
> We want to provide a link using this redirect_uri giving the user the
> ability to go back to where he came from.
>
> Thanks in advance.

From vrinda.nayak at j4care.com Fri Apr 13 06:06:23 2018
From: vrinda.nayak at j4care.com (vrinda nayak)
Date: Fri, 13 Apr 2018 12:06:23 +0200
Subject: [keycloak-user] Keycloak JWT modification and logging

Hello All,

Please, is there any way to change the value of the 'aud' parameter in the JWT token? The token that I get back using curl shows that the value of this parameter is always the 'client_id'.
Just for background: the test case is:

-> Auth_Client logs in with 'BadUser' and requests a token (Auth_Client is configured as a Client in Keycloak and is of type 'public')
-> Keycloak sends back a token with the 'aud' parameter containing the URI of an unknown resource
-> Auth_Client incorporates the 'BadUser' token received into a transaction to Resource_Server (Resource_Server is also configured as a Client in Keycloak and is of type 'bearer-only')
-> Resource_Server checks the token and *should* deny access to the requested resource (which is unknown to Resource_Server) with 401-Unauthorized

Also, I have tried enabling 'Authorization Flow Enabled' and added Resource/Permission/Policy, and Policy Enforcement Mode is the default (Enforcing), referring to https://www.keycloak.org/docs/3.0/authorization_services/topics/resource-server/enable-authorization.html
- This information does not seem to be sent in the token from Keycloak (when checked with curl).
- When used with our application I get 'Forbidden' for all users, even when the User Policy was created only for 'BadUser'.
- The Auth_Client (which was 'public' type) gets automatically changed to 'confidential' type. Is this intended?

Thanks in advance.

Vrinda

On Wed, Apr 11, 2018 at 11:44 AM, vrinda nayak wrote:
> Hello All,
>
> We use Keycloak standalone system as authentication server. On our
> client/server side we have just installed the Keycloak Adapter.
> For certain tests, we need to change the values of *'aud', 'sub', 'nbf',
> 'exp'* parameters in Json Web Token.
> Also for one test, we need to send back an unsigned token to the client.
> Can someone please advise how this can be achieved? Also which logger would
> I need to set to DEBUG/TRACE in standalone.xml, to be able to see the JWT
> parameters and their values in the response sent back to client?
>
> Thanks in advance.
>
> Vrinda
>

From sagar.bijlwan at gmail.com Fri Apr 13 08:25:17 2018
From: sagar.bijlwan at gmail.com (sagar bijlwan)
Date: Fri, 13 Apr 2018 13:25:17 +0100
Subject: [keycloak-user] Can there be multiple keycloak.auth-server-url in keycloak adapter

Hi,

I am using nginx as a reverse proxy facing the external world, and my Spring Boot app and Keycloak are deployed internally. In the Spring Boot application.properties I am providing the proxy address and redirecting to the real instance from the proxy.

    keycloak.auth-server-url=https://proxyadress/auth

nginx.conf snippet:

    location /auth {
        proxy_pass http://internalbox:9000/auth;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Scenario: when an unauthenticated user tries to access the app, the app redirects to https://proxyadress/auth. The proxy in turn redirects to the real instance and the user logs in. The issue is after the login: the Keycloak adapter tries to turn the access code into an access token and generates a POST. For that it uses the address given in auth-server-url, i.e. the proxy address. Clearly there is no Keycloak sitting at the proxy at port 443, and there are errors and the auth outcome is FAILED.

How can I tell the keycloak-adapter to use an internal URL for this POST request? Any other workaround?

Thanks
Sagar

--
S A M

From luke at code-house.org Fri Apr 13 08:33:58 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Fri, 13 Apr 2018 14:33:58 +0200
Subject: [keycloak-user] custom registration flow
In-Reply-To: <3713A928926F9F4DAAF98578FBB3319521C96258@Ex-Mailbox-03.bog.ge>
References: <3713A928926F9F4DAAF98578FBB3319521C96258@Ex-Mailbox-03.bog.ge>

Hey Gorgi,

I was doing a similar thing (still completing some aspects). In order to customize registration you have to copy the default registration flow. Then you can edit the steps in the process.
The last switch which is needed is binding your flow in the authentication settings instead of the default one.

Hope that helps.

Cheers,
Łukasz Dywicki
--
Code-House
http://code-house.org

> On 12 Apr 2018, at 03:59, Giorgi Kinkladze wrote:
>
> Hello, I want to create a new registration flow with multiple pages. I wasn't able to find any documentation about this. (The only documentation I found so far is about extending the existing registration flow; it also says if I want to write my own registration flow I should implement Authenticator. I have already done that). I've read the default registration flow implementation: there are 3 FormAction, FormActionFactory implementations, one for user creation, one for profile info validation and one for password validation. Now I implemented my own validator which extends FormAction and FormActionFactory but I wasn't able to add this validation in my custom registration flow. How can I do this? If I can't, what is the alternative way to implement my custom registration with multiple pages? For example I want the first page of the registration flow to ask for the user card id (it is a registration flow for a bank user so he/she must have our bank debit/credit card to register), then
> I want to check if the card info is valid and display the next page of the registration flow... Should I create a new Authenticator per page or use the same one?
>
> ________________________________
>
> Find out the latest about the Bank of Georgia Group products, services and recent developments from the Bank of Georgia monthly e-newsletter. If you wish to subscribe please simply send a request to enewsletter at bog.ge and write "subscribe" in the subject line.
>
> This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited.
> Please note that e-mails are susceptible to change. JSC Bank of Georgia shall not be responsible nor liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. JSC Bank of Georgia does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.

From sr.misc at gmail.com Fri Apr 13 09:22:33 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 13 Apr 2018 15:22:33 +0200
Subject: [keycloak-user] lock user after being inactive for certain period

Hi all,

We need to disable / lock a user if the user doesn't log into the system for a certain period (such as after 10 days or so). I couldn't find an option to enable this. Please guide me.

Regards,
SR

From sr.misc at gmail.com Fri Apr 13 09:35:51 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 13 Apr 2018 15:35:51 +0200
Subject: [keycloak-user] IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK during Custom User Federation
In-Reply-To: <6c694e15-8435-abd5-8d11-635b1219d3a5@redhat.com>
References: <6c694e15-8435-abd5-8d11-635b1219d3a5@redhat.com>

Thanks Marek for your pointer. I found that I have to use an xa-data-source.

Also, it would be helpful if we could have a pure JPA example (without EJB). I'm struggling to populate the EntityManager in the UserStorageProvider impl.
It says,

    Caused by: javax.persistence.PersistenceException: No Persistence provider for EntityManager named user-storage-jpa-example1
        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:61)
        at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:39)
        at org.keycloak.examples.storage.user.EjbExampleUserStorageProvider.<init>(EjbExampleUserStorageProvider.java:67)
        at org.keycloak.examples.storage.user.EjbExampleUserStorageProviderFactory.create(EjbExampleUserStorageProviderFactory.java:23)

We do have META-INF/persistence.xml and

    <persistence-unit name="user-storage-jpa-example1" transaction-type="JTA">
        <provider>org.hibernate.jpa.HibernatePersistenceProvider</provider>
        <jta-data-source>java:jboss/datasources/ExampleXADS</jta-data-source>
        <class>org.keycloak.examples.storage.user.UserEntity</class>
    </persistence-unit>

We are looking for the EntityManagerFactory using Persistence.createEntityManagerFactory("user-storage-jpa-example1");

Please advise.

Best regards,
Sachin

On Mon, Apr 9, 2018 at 9:20 PM, Marek Posolda wrote:
> We have an example for JPA user Provider and also quickstart. I suggest to
> take a look at quickstart or example and compare why it works and yours
> doesn't.
>
> Marek
>
> On 5.4.2018 at 18:18, Sachin Rastogi wrote:
>
>> Hi all,
>>
>> We are using Keycloak 3.4.3 and loading users via Custom User Federation
>> from the database.
>> We are using Postgres 9.4.12
>>
>> When we are loading users from the database during
>> CustomUserStorageProviderFactory.create(..),
>> we are getting the following exception:-
>>
>> It is throwing the following exception during con.createStatement();
>>
>> 13:46:43,385 ERROR [stderr] (default task-8) java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_MARKED_ROLLBACK
>> 13:46:43,385 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
>> 13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
>> 13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
>> 13:46:43,386 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
>> 13:46:43,387 ERROR [stderr] (default task-8) at org.jboss.jca.adapters.jdbc.WrappedConnection.createStatement(WrappedConnection.java:340)
>> 13:46:43,387 ERROR [stderr] (default task-8) at com.test.service.UserServiceImpl.loadExistingUsers(UserServiceImpl.java:98)
>> 13:46:43,387 ERROR [stderr] (default task-8) at com.test.CustomUserStorageProviderFactory.create(CustomUserStorageProviderFactory.java:43)
>>
>> But if we call loadExistingUsers in the init method of
>> CustomUserStorageProviderFactory,
>> it works fine. Please advise, what are we doing wrong? What is the ideal
>> way of loading existing users in Custom User Federation?
>>
>> Regards,
>> SR
>>
>

From sr.misc at gmail.com Fri Apr 13 09:48:00 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 13 Apr 2018 15:48:00 +0200
Subject: [keycloak-user] How can user change his password after login?

Hi,

Have you tried to enable "Update Password" under Authentication in "Required Actions"? Please ensure that the user also has "Update Password" in Required User Actions under the respective User.

Regards,
SR

On Wed, Apr 11, 2018 at 5:39 PM, Nhut Thai Le wrote:
> Hello,
>
> We are using Keycloak 3.4.3Final for authentication only and we want to
> create a link from the application so that the user can change their password
> after login.
> I looked at the forgot password flow and see the page
> http://localhost:8180/auth/realms/testRealm/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=TI2aayKftXY
> is what we need. Is there any way to generate this link without the time
> constraint?
>
> Thank you
>
> Thai

From sjefhoeks at hotmail.com Fri Apr 13 10:56:05 2018
From: sjefhoeks at hotmail.com (Sjef Hoeks)
Date: Fri, 13 Apr 2018 14:56:05 +0000
Subject: [keycloak-user] Authentication with both Keycloak and client-cert

Hi,

Is it possible to protect an application consisting of a single WAR with both Keycloak (for the user interface) and CLIENT_CERT (for web services)? E.g.:

endpoint /ui must be protected with Keycloak, so users must log in to access these pages.
endpoint /ws must be protected with mutual authentication with certificates.
Kind regards,
Sjef

From uo67113 at gmail.com Fri Apr 13 11:19:43 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 13 Apr 2018 17:19:43 +0200
Subject: [keycloak-user] SSO in web and desktop application
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com>

Hello Emanuele,

You are welcome, sorry for not being more helpful. I must admit that I did not try OpenID for any of my services. I do believe that you could drop that question on the OpenID support forum: https://getsatisfaction.com/openid

Hope it helps,

Luis

2018-04-12 15:49 GMT+02:00 Emanuele Gesuato:
> Hi Luis,
>
> thank you very much for your support, I really appreciate it.
>
> Do you think it would be possible if we used OpenID instead of SAML?
> Can we share some token in order to "share" authentication among different
> clients ?
>
> Thanks,
> Emanuele
>
> From: Luis Rodríguez Fernández
> To: keycloak-user at lists.jboss.org
> Date: 11/04/2018 18:59
> Subject: Re: [keycloak-user] SSO in web and desktop application
> Sent by: keycloak-user-bounces at lists.jboss.org
>
> Hello Emanuele,
>
> Please, forget about the servlet filter, at the beginning I thought that
> the "client-server application developed in java" was not using any
> keycloak adaptor, sorry for the confusion.
>
> No, SAML does not provide a token that you can share between different
> clients.
>
> You could think about sharing the cookies between the browser and the
> "client-server" app, but this is a horrible hack. I would warn you to avoid
> this way :)
>
> Me, personally I would explore these two options:
>
> a) Dedicated browser to automatically use the windows/kerberos credentials
> of the logged user.
> b) Let the dedicated browser redirect the user to the IdP login page. Yes,
> users have to authenticate, but it will save you a lot of headache...
>
> If you are using chrome there are extensions that apparently let you share
> sessions between devices (
> https://chrome.google.com/webstore/detail/sessionbox-free-multi-log/megbklhjamjbcafknkgmokldgolkdfig
> ).
> You can give it a try, but honestly, I do not like that option very
> much...
>
> Cheers,
>
> Luis
>
> 2018-04-06 18:38 GMT+02:00 Emanuele Gesuato:
>
> > Hi Luis,
> >
> > thanks for your feedback.
> >
> > Is there any way to use some access token in order to identify the current
> > user ?
> >
> > let me recap.
> > I have a web application and a "desktop" application they are both
> > different but they share the same set of users and they are both in the
> > same keycloak realm.
> > When the user is logged in to the web application I would like to trigger some
> > authentication mechanism in order to let the user be logged in automatically when he
> > opens the desktop application.
> >
> > I am using keycloak 3.4.3 with tomcat7 adapter. Both the web application
> > and the server side application of the "desktop" one use tomcat7 as
> > servlet container (but they are different instances). Of course keycloak
> > server is the same for both.
> >
> > I am not sure how a servlet filter can help me solve this issue ... as I
> > am using the standard tomcat7 keycloak adapter.
> >
> > Thanks for any help,
> > Emanuele
> >
> > From: Luis Rodríguez Fernández
> > To: Emanuele Gesuato
> > Date: 06/04/2018 17:28
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> >
> > Hello Emanuele,
> >
> > OK, I see. So if I understand correctly you have "converted" your webapp
> > in a desktop application using something like this
> > https://applicationize.me/ in a dedicated browser with some restrictions.
> >
> > The problem here is that you are requesting the application from a
> > completely different client, it would be the same if you open an incognito
> > window in your browser after login in the siteA.
> >
> > I have done a quick test with one of our SAML applications and I am
> > redirected to the login page of our SSO. After authentication the app
> > works perfectly fine.
> >
> > Perhaps you could try to configure that dedicated browser to automatically
> > use the windows/kerberos credentials of the logged user...
> >
> > Cheers,
> >
> > Luis
> >
> > ps: the servlet filter can work in any servlet container. I am
> > successfully using it in tomcat 9 :)
> >
> > 2018-04-06 12:38 GMT+02:00 Emanuele Gesuato:
> > sorry for my email issue
> > *****************
> >
> > Hi there,
> >
> > client-server app is a browser application where we are using the
> > keycloak-saml tomcat7 adapter.
> >
> > Your link refers to a java servlet application that doesn't have an
> > adapter for that servlet platform.
> >
> > Am I missing something in your answer ?
> >
> > thanks,
> >
> > Emanuele Gesuato
> > Software specialist
> >
> > Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype:
> > emanuelegesuato_work
> >
> > CONFIDENTIALITY NOTICE - The information contained in this communication
> > is intended solely for the use of the individual or entity to whom it is
> > addressed and others authorized to receive it. It may contain confidential
> > or legally privileged information. If you are not the intended recipient
> > you are hereby notified that any disclosure, copying, distribution or
> > taking any action in reliance on the contents of this information is
> > strictly prohibited and may be unlawful. If you have received this
> > communication in error, please notify us immediately by responding to this
> > email and then delete it from your system. Finantix is neither liable for
> > the proper and complete transmission of the information contained in this
> > communication nor for any delay in its receipt.
> >
> > From: Subodh Joshi
> > To: Emanuele Gesuato
> > Cc: keycloak-user
> > Date: 06/04/2018 12:11
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> > Sent by: keycloak-user-bounces at lists.jboss.org
> >
> > Emanuele Gesuato Looks like some issue with your email client/server.
> >
> > On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <
> > Emanuele.Gesuato at finantix.com> wrote:
> >
> > --
> > Subodh Chandra Joshi
> > subodh1_joshi82 at yahoo.co.in
> > http://www.trendsinnews.com
> >
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> > - Samuel Beckett
> >
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> > - Samuel Beckett
>
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From uo67113 at gmail.com Fri Apr 13 12:19:51 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 13 Apr 2018 18:19:51 +0200
Subject: [keycloak-user] Keycloak IDP Brokering + Spring Boot/Angular
In-Reply-To:
References:
Message-ID:

Hello Suleyman,

The sample [1] application of the spring-security-saml [2] worked like a charm for me for the. I just needed to specify the metadata URL of my idp in the org.opensaml.saml2.metadata.provider.HTTPMetadataProvider bean of sample/src/main/webapp/WEB-INF/securityContext.xml [3]

In my setup I was using openAM as IdP.

In your case I imagine that you have to register ADFS as IdP [4], get the SP metadata [5] and use it in your app? Or perhaps you have to register your app as a saml client [6]

Hope it helps,

[1] https://github.com/spring-projects/spring-security-saml/tree/develop/sample
[2] https://github.com/spring-projects/spring-security-saml
[3] https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/chapter-quick-start.html
[4] https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers
[5] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_saml_sp_descriptor
[6] https://www.keycloak.org/docs/latest/server_admin/index.html#saml-clients

2018-04-11 17:17 GMT+02:00 Yildirim, Suleyman <suleyman.yildirim at accenture.com>:
> Hi all,
>
> As a novice person in security and Keycloak, I have setup Keycloak
> Identity Provider to interact with ADFS using link
> http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html.
> I wonder how we test this setting using Angular and Spring Boot. Some
> details are below:
>
> We are using Angular 1.x and Spring Boot for the project. I have
> implemented SSO with open id connect but implementation part of SAML is
> still confusing. There are tutorials for OpenID connect but not with SAML.
> How do we send SAML request to external ADFS using IDP broker using Spring
> Boot/Angular? Do I need to use Java adapters for that?
>
> Best Regards,
> Suleyman
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security and assessment of
> internal compliance with Accenture policy. Your privacy is important to us.
> Accenture uses your personal data only in compliance with data protection
> laws. For further information on how Accenture processes your personal
> data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________________________
>
> www.accenture.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From ntle at castortech.com Fri Apr 13 15:52:30 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Fri, 13 Apr 2018 15:52:30 -0400
Subject: [keycloak-user] How can user change his password after login?
In-Reply-To:
References:
Message-ID:

The "Required Actions" are used by the admin to force the user to take some actions at the next login. What I am asking for is how the user can change his password after a successful login. Maybe the user realizes his password has been compromised and wants to update it.
I don't want to use the "Forgot Password" link on the login page because
- the user did not forget his password, he just wants to change it
- maybe the user's email is also compromised and cannot access email
- the link in the password reset email has an expiring time

Thai

On Fri, Apr 13, 2018 at 9:48 AM, Sachin Rastogi wrote:
> Hi,
>
> Have you tried to enable "Update Password" under Authentication in
> "Required Actions". Please ensure that user also have "Update Password" in
> Required User Actions under respective User.
>
> Regards,
> SR
>
> On Wed, Apr 11, 2018 at 5:39 PM, Nhut Thai Le wrote:
>
>> Hello,
>>
>> We are using Keycloak 3.4.3Final for authentication only and we want to
>> create a link from the application so that user can change their password
>> after login.
>> I looked at the forgot password flow and see the page
>> http://localhost:8180/auth/realms/testRealm/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=TI2aayKftXY
>> is what we need. Is there any way to generate this link without the time
>> constraint?
>>
>> Thank you
>>
>> Thai
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited.
If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that they are strictly prohibited from disseminating, distributing or reproducing this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From ssilvert at redhat.com Fri Apr 13 19:21:41 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 13 Apr 2018 19:21:41 -0400
Subject: [keycloak-user] How can user change his password after login?
In-Reply-To:
References:
Message-ID:

On 4/13/2018 3:52 PM, Nhut Thai Le wrote:
> The "Required Actions" are used by the admin to force the user to take some actions at
> the next login. What I am asking for is how the user can change his
> password after a successful login. Maybe the user realizes his password has
> been compromised and wants to update it.
> I don't want to use the "Forgot Password" link on the login page because
>
> - the user did not forget his password, he just wants to change it
> - maybe the user's email is also compromised and cannot access email
> - the link in the password reset email has an expiring time
>
> Thai
See User Account Service: https://www.keycloak.org/docs/3.2/server_admin/topics/account.html
>
> On Fri, Apr 13, 2018 at 9:48 AM, Sachin Rastogi wrote:
>
>> Hi,
>>
>> Have you tried to enable "Update Password" under Authentication in
>> "Required Actions". Please ensure that user also have "Update Password" in
>> Required User Actions under respective User.
>>
>> Regards,
>> SR
>>
>> On Wed, Apr 11, 2018 at 5:39 PM, Nhut Thai Le wrote:
>>
>>> Hello,
>>>
>>> We are using Keycloak 3.4.3Final for authentication only and we want to
>>> create a link from the application so that user can change their password
>>> after login.
>>> I looked at the forgot password flow and see the page
>>> http://localhost:8180/auth/realms/testRealm/login-actions/required-action?execution=UPDATE_PASSWORD&client_id=account&tab_id=TI2aayKftXY
>>> is what we need. Is there any way to generate this link without the time
>>> constraint?
>>>
>>> Thank you
>>>
>>> Thai
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From frederik.schmitt1 at gmx.de Mon Apr 16 04:55:05 2018
From: frederik.schmitt1 at gmx.de (Frederik Schmitt)
Date: Mon, 16 Apr 2018 10:55:05 +0200
Subject: [keycloak-user] Access redirect_uri within Freemarker Template
In-Reply-To:
References:
Message-ID:

Thanks for your reply!

I guess this is what we were actually looking for and what we will definitely be doing. Thanks for clarifying things here.

It would be quite helpful to have a complete list of all available variables (that can be used in the FTL files) somewhere in the documentation. Or did we just miss it?

> On 13. Apr 2018, at 11:32, Stian Thorgersen wrote:
>
> There's the client base URL for that exact reason. It will allow linking back to the app. It's not really a good idea to use the redirect URI as that is not always the application page, but can rather be a special OAuth callback URL.
>
> On 13 April 2018 at 11:21, Frederik Schmitt wrote:
> Is it possible to somehow access the redirect_uri within the login Freemarker template like accessing the current locale?
>
> We want to provide a link using this redirect_uri giving the user the ability to go back to where he came from.
>
> Thanks in advance.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Emanuele.Gesuato at finantix.com Mon Apr 16 05:26:48 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Mon, 16 Apr 2018 11:26:48 +0200
Subject: [keycloak-user] SSO in web and desktop application
In-Reply-To:
References: <201804051344.w35DiFtu025158@lists01.dmz-a.mwc.hst.phx2.redhat.com> <201804060951.w369pUWT018680@lists01.dmz-a.mwc.hst.phx2.redhat.com>
Message-ID:

Hi,

just a quick update in case any of you have some hints to share.

I am trying to use the "impersonate" rest api in order to get a fresh token for the user I want to use in my application. By using the following CURL I am able to get this new token for my "target" user:

curl --verbose -X POST "http:///auth/realms/master/protocol/openid-connect/token" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "requested_subject=${USER_ID}" \
  -d "audience=${TARGET_CLIENT}" \
  -d "client_id=${SOURCE_CLIENT}" \
  -d "subject_token=${TKN}"

but it is not enough, because to fully impersonate the user in my web application I need a fresh JSESSIONID. By getting the JSESSIONID I can store it as a cookie and in this way I can skip the keycloak login page.

Is the token meant to be used only in rest api ? Am I missing something ?

thanks for any help,
Emanuele

From: Luis Rodríguez Fernández
To: keycloak-user at lists.jboss.org
Date: 13/04/2018 17:26
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces at lists.jboss.org

Hello Emanuele,

You are welcome, sorry for not being more helpful. I must admit that I did not try openid for any of my services.
I do believe that you could drop that question on the openId support forum: https://getsatisfaction.com/openid

Hope it helps,

Luis

2018-04-12 15:49 GMT+02:00 Emanuele Gesuato:
> Hi Luis,
>
> thank you very much for your support, I really appreciate.
>
> Do you think it would be possible if we use openId instead of saml ?
> Can we share some token in order to "share" authentication among different
> clients ?
>
> Thanks,
> Emanuele
>
> From: Luis Rodríguez Fernández
> To: keycloak-user at lists.jboss.org
> Date: 11/04/2018 18:59
> Subject: Re: [keycloak-user] SSO in web and desktop application
> Sent by: keycloak-user-bounces at lists.jboss.org
>
> Hello Emanuele,
>
> Please, forget about the servlet filter, at the beginning I thought that
> the "client-server application developed in java" was not using any
> keycloak adaptor, sorry for the confusion.
>
> No, SAML does not provide a token that you can share between different
> clients.
>
> You could think about share the cookies between the browser and the
> "client-server" app, but this is a horrible hack. I would warn you to avoid
> this way :)
>
> Me, personally I would explore these two options:
>
> a) Dedicated browser to automatically use the windows/kerberos credentials
> of the logged user.
> b) Let the dedicated browser redirect the user to the IdP login page. Yes,
> users has to authenticate, but it will save you a lot of headache...
>
> If you are using chrome there are extensions that apparently let you share
> sessions between devices (
> https://chrome.google.com/webstore/detail/sessionbox-free-multi-log/megbklhjamjbcafknkgmokldgolkdfig
> ).
> You can give it a try, but me honestly, I do not like that option very
> much...
>
> Cheers,
>
> Luis
>
> 2018-04-06 18:38 GMT+02:00 Emanuele Gesuato:
>
> > Hi Luis,
> >
> > thanks for your feedback.
> >
> > Is there any way to use some access token in order to identify the current
> > user ?
> >
> > let me recap.
> > I have a web application and a "desktop" application they are both
> > different but they share the same set of users and they are both in the
> > same keycloak realm.
> > When user is logged to web application I would like to trigger some
> > authentication mechanism in order to let user automatically logged when he
> > opens the desktop application.
> >
> > I am using keycloak 3.4.3 with tomcat7 adapter. Both the web application
> > and the server side application of the "desktop" one uses tomcat7 as
> > servlet container (but they are different instances). Of course keycloak
> > server is the same for both.
> >
> > I am not sure how a servlet filter can help me solve this issue ... as I
> > am using the standard tomcat7 keycloak adapter.
> >
> > Thanks for any help,
> > Emanuele
> >
> > From: Luis Rodríguez Fernández
> > To: Emanuele Gesuato
> > Date: 06/04/2018 17:28
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> >
> > Hello Emanuele,
> >
> > OK, I see. So if I understand correctly you have "converted" your webapp
> > in a desktop application using something like this
> > https://applicationize.me/ in a dedicated browser with some restrictions.
> >
> > The problem here is that you are requesting the application from a
> > completely different client, it would be the same if you open an incognito
> > window in your browser after login in the siteA.
> >
> > I have done a quick test with one of our SAML applications and I am
> > redirected to the login page of our SSO. After authentication the app
> > works perfectly fine.
> >
> > Perhaps you could try to configure that dedicated browser to automatically
> > use the windows/kerberos credentials of the logged user...
> >
> > Cheers,
> >
> > Luis
> >
> > ps: the servlet filter can work in any servlet container.
> > I am successfully using it in tomcat 9 :)
> >
> > 2018-04-06 12:38 GMT+02:00 Emanuele Gesuato:
> > sorry for my email issue
> > *****************
> >
> > Hi there,
> >
> > client-server app is a browser application where we are using the
> > keycloak-saml tomcat7 adapter.
> >
> > Your link refers to a java servlet application that doesn't have an
> > adapter for that servlet platform.
> >
> > Am I missing something in your answer ?
> >
> > thanks,
> >
> > Emanuele Gesuato
> > Software specialist
> >
> > Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | skype: emanuelegesuato_work
> >
> > CONFIDENTIALITY NOTICE - The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this email and then delete it from your system. Finantix is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
> >
> > From: Subodh Joshi
> > To: Emanuele Gesuato
> > Cc: keycloak-user
> > Date: 06/04/2018 12:11
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> > Sent by: keycloak-user-bounces at lists.jboss.org
> >
> > Emanuele Gesuato Looks like some issue with your email client/server.
> >
> > On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato at finantix.com> wrote:
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Subodh Chandra Joshi
> > subodh1_joshi82 at yahoo.co.in
> > http://www.trendsinnews.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> > - Samuel Beckett
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> > - Samuel Beckett
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kitowskikamil at gmail.com Mon Apr 16 07:38:55 2018
From: kitowskikamil at gmail.com (Kamil Kitowski)
Date: Mon, 16 Apr 2018 11:38:55 +0000
Subject: [keycloak-user] Keys error with Authorization Code Flow
Message-ID:

Hi everyone.

I have a weird problem while using Authorization Code Flow when I'm trying to get a token with Postman and/or my web app (Angular). In both cases I get to see a Keycloak login page and after I provide valid credentials, Keycloak presents me an error: "Unexpected error when handling authentication request to identity provider.", and an exception is thrown (logs):

"13:19:52,345 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-36) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported.
13:19:52,348 WARN [org.keycloak.services] (default task-36) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: org.keycloak.jose.jwe.JWEException: java.security.InvalidKeyException: Illegal key size
 at org.keycloak.services.managers.CodeGenerateUtil$AuthenticatedClientSessionModelParser.retrieveCode(CodeGenerateUtil.java:221)
 at org.keycloak.services.managers.CodeGenerateUtil$AuthenticatedClientSessionModelParser.retrieveCode(CodeGenerateUtil.java:162)
 at org.keycloak.services.managers.ClientSessionCode.getOrGenerateCode(ClientSessionCode.java:246)
 at org.keycloak.protocol.oidc.OIDCLoginProtocol.authenticated(OIDCLoginProtocol.java:200)
 at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:727)
 at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:681)
 at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:807)
 at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:993)
 at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:863)
 at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:290)
 at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:261)
 at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:257)
 at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:318)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
 at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
 at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
 at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
 at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
 at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
 at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
 at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
 at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
 at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
 at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
 at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
 at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
 at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
 at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
 at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
 at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
 at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
 at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
 at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
 at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
 at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
 at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
 at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
 at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
 at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
 at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
 at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.jose.jwe.JWEException: java.security.InvalidKeyException: Illegal key size
 at org.keycloak.jose.jwe.JWE.encodeJwe(JWE.java:142)
 at org.keycloak.util.TokenUtil.jweDirectEncode(TokenUtil.java:151)
 at org.keycloak.services.managers.CodeGenerateUtil$AuthenticatedClientSessionModelParser.retrieveCode(CodeGenerateUtil.java:219)
 ... 70 more
Caused by: java.security.InvalidKeyException: Illegal key size
 at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039)
 at javax.crypto.Cipher.init(Cipher.java:1393)
 at javax.crypto.Cipher.init(Cipher.java:1327)
 at org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.encryptBytes(AesCbcHmacShaEncryptionProvider.java:120)
 at org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.encodeJwe(AesCbcHmacShaEncryptionProvider.java:68)
 at org.keycloak.jose.jwe.JWE.encodeJwe(JWE.java:138)
 ... 72 more"

The mentioned error does not happen when I use a Direct Access Grant (using the same user and his credentials) and I'm able to get a proper access token. Definitely there is no problem with LDAP connection. Is this a configuration error and is there a workaround?
If it's a key problem or LDAP connection why does it pop up only with Authorization Code Flow? I tested it on versions 3.4.3 and 4.0.0.Beta1 and it happens on both of them.

Best regards,
--
Kitowski Kamil

From sthorger at redhat.com Mon Apr 16 08:53:30 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 16 Apr 2018 14:53:30 +0200
Subject: [keycloak-user] Access redirect_uri within Freemarker Template
In-Reply-To:
References:
Message-ID:

On 16 April 2018 at 10:55, Frederik Schmitt wrote:
> Thanks for your reply!
>
> I guess this is what we were actually looking for and what we will
> definitely be doing. Thanks for clarifying things here.
>
> It would be quite helpful to have a complete list of all available
> variables (that can be used in the FTL files) somewhere in the
> documentation. Or did we just miss it?
>
+1 That would be nice, but we don't currently have any plans to do it due to other priorities. Feel free to create a JIRA though.

>
> On 13. Apr 2018, at 11:32, Stian Thorgersen wrote:
>
> There's the client base URL for that exact reason. It will allow linking
> back to the app. It's not really a good idea to use the redirect URI as
> that is not always the application page, but can rather be a special OAuth
> callback URL.
>
> On 13 April 2018 at 11:21, Frederik Schmitt wrote:
>
>> Is it possible to somehow access the redirect_uri within the login
>> Freemarker template like accessing the current locale?
>>
>> We want to provide a link using this redirect_uri giving the user the
>> ability to go back to where he came from.
>>
>> Thanks in advance.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From tdockendorf at osc.edu Mon Apr 16 09:04:40 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Mon, 16 Apr 2018 13:04:40 +0000
Subject: [keycloak-user] Handling disabled users from LDAP
In-Reply-To:
References: <3366030f-92ac-aa60-53e7-b1ae6d799463@redhat.com> <75f57a1a-7d5a-149f-429d-5c82f15d7e0f@redhat.com> <6EB49797-ACEB-475A-81BB-5535E5E80026@osc.edu>
Message-ID: <701626DD-DDDE-475B-95A3-98B24F9D4791@osc.edu>

We've taken the approach of using OpenLDAP ACLs. If anyone comes across this thread and wonders how we did this:

ldapmodify -Y EXTERNAL -H ldapi:/// <

wrote:
Dockendorf, Trey wrote:
> With either approach it sounds like what you're describing is getting
> the loginDisabled attribute into Keycloak. Once that attribute is
> stored, how would I go about telling Keycloak to disallow access
> based on the attribute's value?

With OpenLDAP's ACLs you should grant auth access to 'userPassword' for anonymous based on value of your custom loginDisabled attribute. With such an ACL keycloak does not have to know about that attribute at all. And all LDAP-enabled applications will behave the same without reconfiguration.

OpenLDAP details are off-topic here. You could ask for ACL details on the openldap-technical mailing list.

Ciao, Michael.

From Enrique.Canocarballar at ge.com Mon Apr 16 10:21:03 2018
From: Enrique.Canocarballar at ge.com (Cano Carballar, Enrique (GE Power))
Date: Mon, 16 Apr 2018 14:21:03 +0000
Subject: [keycloak-user] Using Keycloak for authorisation only
Message-ID: <71A27CB2-9394-4B45-91B1-D108F75B7B6C@ge.com>

Hi

I was wondering if anyone has got any experience using Keycloak as an authorization engine only, without the authentication part? The authentication would be done by an external OAuth2 product (CloudFoundry UAA).

Thanks.
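For the "Handling disabled users from LDAP" thread above (Trey's own LDIF did not survive the archive, and Michael only describes the idea), here is an added example of the access directive he means, written for OpenLDAP's cn=config backend. It is editor-supplied illustration, not Trey's configuration and not Keycloak's or OpenLDAP's own code. It assumes the custom attribute is named loginDisabled and holds TRUE for locked accounts, that the suffix is dc=example,dc=com, that the directory manager is cn=admin,dc=example,dc=com and that the database entry is olcDatabase={1}mdb; all four are assumptions to adjust. The first directive removes auth access to userPassword on entries whose loginDisabled is TRUE, so a simple bind as such a user fails inside slapd before Keycloak, or any other LDAP-enabled application, gets a say; the second directive is the usual rule for everyone else. Order matters: slapd uses the first "to" clause whose target matches, so the filtered rule must come before the general one.

```ldif
# Added example, not from the thread. Assumed names: attribute loginDisabled,
# suffix dc=example,dc=com, manager cn=admin,dc=example,dc=com, olcDatabase={1}mdb.
# "replace: olcAccess" overwrites the whole ACL list of this database, so merge
# these rules into your existing ones rather than applying the file blindly.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Locked accounts: nobody but the manager may even authenticate against the
# password, so a simple bind returns invalidCredentials (49) for them.
olcAccess: {0}to filter=(loginDisabled=TRUE) attrs=userPassword
  by dn.exact="cn=admin,dc=example,dc=com" write
  by * none
# Everyone else: the user may change their own password, anonymous may bind
# with it, nobody may read it.
olcAccess: {1}to attrs=userPassword
  by dn.exact="cn=admin,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# Remaining attributes stay readable, which is what Keycloak's LDAP user
# federation needs for its import and for looking the user up before binding.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=example,dc=com" write
  by * read
```

Dump the current rules first with ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config olcAccess, fold your existing rules into the file, then apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f disabled-users.ldif as in Trey's command. Check the result from an unprivileged client: ldapwhoami -x -D "uid=alice,ou=people,dc=example,dc=com" -W (names assumed) must succeed for an enabled user and fail with "Invalid credentials (49)" once loginDisabled is set to TRUE on that entry. Keycloak's LDAP provider will then report the same invalid-credentials result for the user's login, exactly as Michael describes, with no Keycloak-side mapper or attribute needed. Note that the filtered rule affects bind only; if the disabled user's entry must also disappear from searches, add a matching "to filter=(loginDisabled=TRUE) by * none" rule for all attributes before the catch-all.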
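For the "Keys error with Authorization Code Flow" thread above: the innermost cause in Kamil's stack trace, java.security.InvalidKeyException: Illegal key size thrown from javax.crypto.Cipher.checkCryptoPerm, is the JVM's cryptographic jurisdiction policy refusing a key longer than it permits, not an LDAP or user problem. The same trace shows why only the code flow is affected: the authorization code is produced through TokenUtil.jweDirectEncode and AesCbcHmacShaEncryptionProvider, that is, it is encrypted with the realm's AES key, while a direct access grant never issues a code and so never touches that path. The first log line also says the realm has no active AES key and is falling back to the failsafe provider. The diagnostic below is an added example (editor's code, not Keycloak's) that performs the same check the server failed on: it reports the largest AES key the policy allows and tries to initialise AES/CBC with 128, 192 and 256-bit keys. Run it with the exact JVM that runs Keycloak. On Java 8u161 and later and on Java 9 and later the unlimited policy is the default; on an older Java 8 either install the JCE Unlimited Strength Jurisdiction Policy Files into $JAVA_HOME/jre/lib/security or, from 8u151, set crypto.policy=unlimited in $JAVA_HOME/jre/lib/security/java.security.

```java
// Added diagnostic, not Keycloak code. Compile and run with the JVM that runs Keycloak:
//   javac JcePolicyCheck.java && java JcePolicyCheck
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    /** Largest AES key size (bits) the active jurisdiction policy permits; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /**
     * Mirrors the step where Keycloak's AesCbcHmacShaEncryptionProvider failed:
     * initialising an AES/CBC cipher with a key of the given size.
     * Returns true if the policy allows it, false when the JVM throws
     * InvalidKeyException ("Illegal key size"), the exception from the log.
     */
    static boolean canInitAesCbc(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8];   // all-zero test key; only its length matters here
        byte[] iv = new byte[16];             // AES block size
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version     = " + System.getProperty("java.version"));
        // Security property exists from 8u151 / Java 9; prints null on older runtimes.
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + maxAesKeyBits());
        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + " CBC init: " + (canInitAesCbc(bits) ? "ok" : "Illegal key size"));
        }
        if (maxAesKeyBits() < 256) {
            System.out.println("Limited policy in effect: install the unlimited JCE policy files"
                    + " or set crypto.policy=unlimited in java.security, then restart Keycloak.");
        }
    }
}
```

If the program reports 128 as the maximum, the fix is on the JVM, not in Keycloak. Separately, act on the first log line: add an AES key provider for the realm in the admin console (Realm Settings, Keys) so the server stops using the failsafe provider, which the log itself warns does not work across a cluster.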
From eivind at jotta.no Mon Apr 16 10:32:07 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Mon, 16 Apr 2018 10:32:07 -0400
Subject: [keycloak-user] Offline client gone after redeploy
Message-ID:

Hey Keycloak users!

We are running Keycloak 3.4.3.Final in HA mode on Kubernetes. We have 3 nodes, named keycloak-0 keycloak-1 keycloak-2.

After a redeploy or killing of one or several nodes, some offline clients are refused to refresh their tokens, and get this response on refresh_token grant:

Status: 401
Body: {"error":"invalid_grant","error_description":"Session doesn't have required client"}

In standalone-ha.xml we have set:

[standalone-ha.xml fragment; the element tags are not in the archive, only these values survive]
java:jboss/datasources/KeycloakDS
true
true
CREATE TABLE JGROUPSPING (own_addr varchar(200) NOT NULL, creation_timestamp timestamp NOT NULL, cluster_name varchar(200) NOT NULL, ping_data varbinary(5000) DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name))
INSERT INTO JGROUPSPING (own_addr, creation_timestamp, cluster_name, ping_data) values (?, NOW(), ?, ?)
5

But this error still occurs. I do believe JGroups is working correctly as well. Here is an excerpt from a node keycloak-1 while killing keycloak-2.
12:19:54,876 WARN  [org.infinispan.CLUSTER] (remote-thread--p9-t16) [Context=offlineClientSessions]ISPN000312: Lost data because of graceful leaver keycloak-2
12:19:54,888 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t17) ISPN000310: Starting cluster-wide rebalance for cache authenticationSessions, topology CacheTopology{id=2299, rebalanceId=1056, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+33, keycloak-0: 122+53]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0]}
12:19:54,889 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t17) [Context=authenticationSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:19:54,959 WARN  [org.infinispan.CLUSTER] (remote-thread--p9-t19) [Context=clientSessions]ISPN000312: Lost data because of graceful leaver keycloak-2
12:19:54,966 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t20) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=2296, rebalanceId=1053, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+33, keycloak-0: 122+53]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0]}
12:19:54,967 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t20) [Context=offlineSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:19:54,969 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t17) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=2298, rebalanceId=1055, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+33, keycloak-0: 122+53]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0]}
12:19:54,969 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t17) [Context=sessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:19:54,966 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t23) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=2295, rebalanceId=1052, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+33, keycloak-0: 122+53]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0]}
12:19:55,016 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t23) [Context=loginFailures][Scope=keycloak-1]ISPN100002: Started local rebalance
12:19:55,017 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t22) ISPN000310: Starting cluster-wide rebalance for cache actionTokens, topology CacheTopology{id=2296, rebalanceId=1053, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 134+33, keycloak-0: 122+53]}, pendingCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0]}
12:19:55,017 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t22) [Context=actionTokens][Scope=keycloak-1]ISPN100002: Started local rebalance
12:19:55,019 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t21) [Context=authenticationSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:19:55,030 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t21) [Context=sessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:19:55,031 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t14) [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:19:55,031 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t14) ISPN000336: Finished cluster-wide rebalance for cache authenticationSessions, topology id = 2299
12:19:55,033 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t23) [Context=offlineSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:19:55,033 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t21) [Context=actionTokens][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:19:55,035 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t16) [Context=loginFailures][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:19:55,036 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t10) [Context=sessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:19:55,036 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t10) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 2298
12:19:55,115 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t22) [Context=loginFailures][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:19:55,115 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t22) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 2295
12:19:55,117 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t23) [Context=actionTokens][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:19:55,117 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t23) ISPN000336: Finished cluster-wide rebalance for cache actionTokens, topology id = 2296
12:19:55,121 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t25) [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:19:55,121 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t25) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 2296
12:19:56,029 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|831] (2) [keycloak-1, keycloak-0]
12:19:56,030 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|831] (2) [keycloak-1, keycloak-0]
12:19:56,037 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|831] (2) [keycloak-1, keycloak-0]
12:19:56,037 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|831] (2) [keycloak-1, keycloak-0]
12:19:56,038 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|831] (2) [keycloak-1, keycloak-0]
12:19:56,718 ERROR [org.jgroups.protocols.TCP] (TransferQueueBundler,ejb,keycloak-1) JGRP000029: keycloak-1: failed sending message to keycloak-2 (61 bytes): java.net.SocketTimeoutException: connect timed out, headers: UNICAST3: ACK, seqno=1486, ts=1332, TP: [cluster_name=ejb]

.... wait node comes up again:

12:21:00,042 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|832] (3) [keycloak-1, keycloak-0, keycloak-2]
12:21:00,043 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|832] (3) [keycloak-1, keycloak-0, keycloak-2]
12:21:00,043 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|832] (3) [keycloak-1, keycloak-0, keycloak-2]
12:21:00,044 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|832] (3) [keycloak-1, keycloak-0, keycloak-2]
12:21:00,047 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|832] (3) [keycloak-1, keycloak-0, keycloak-2]
12:21:03,458 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) ISPN000310: Starting cluster-wide rebalance for cache offlineClientSessions, topology CacheTopology{id=1649, rebalanceId=719, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+0, keycloak-0: 124+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+0, keycloak-0: 86+0, keycloak-2: 83+0]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,459 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=offlineClientSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,458 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=2297, rebalanceId=1053, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+82, keycloak-0: 86+75, keycloak-2: 83+99]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,459 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=loginFailures][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,460 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t3) [Context=offlineClientSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,460 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t18) [Context=loginFailures][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,462 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t25) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=1646, rebalanceId=716, currentCH=ReplicatedConsistentHash{ns = 256, owners = (2)[keycloak-1: 132, keycloak-0: 124]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = (3)[keycloak-1: 87, keycloak-0: 86, keycloak-2: 83]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,463 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t25) [Context=work][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,463 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t17) [Context=work][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,476 INFO  [org.infinispan.CLUSTER] (remote-thread--p6-t2) ISPN000310: Starting cluster-wide rebalance for cache client-mappings, topology CacheTopology{id=1657, rebalanceId=727, currentCH=ReplicatedConsistentHash{ns = 256, owners = (2)[keycloak-1: 132, keycloak-0: 124]}, pendingCH=ReplicatedConsistentHash{ns = 256, owners = (3)[keycloak-1: 87, keycloak-0: 86, keycloak-2: 83]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,476 INFO  [org.infinispan.CLUSTER] (remote-thread--p6-t2) [Context=client-mappings][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,515 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=offlineClientSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,463 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t26) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=2300, rebalanceId=1056, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+82, keycloak-0: 86+75, keycloak-2: 83+99]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,516 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t26) [Context=sessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,517 INFO  [org.infinispan.CLUSTER] (transport-thread--p19-t15) [Context=client-mappings][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,519 INFO  [org.infinispan.CLUSTER] (remote-thread--p6-t2) [Context=client-mappings][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,522 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t12) [Context=sessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,522 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t30) [Context=loginFailures][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,522 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t26) [Context=work][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,523 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t30) [Context=sessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,522 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=2298, rebalanceId=1054, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+82, keycloak-0: 86+75, keycloak-2: 83+99]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,522 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t28) ISPN000310: Starting cluster-wide rebalance for cache clientSessions, topology CacheTopology{id=1648, rebalanceId=718, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+0, keycloak-0: 124+0]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+0, keycloak-0: 86+0, keycloak-2: 83+0]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,523 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t28) [Context=clientSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,523 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=offlineSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,523 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000310: Starting cluster-wide rebalance for cache actionTokens, topology CacheTopology{id=2298, rebalanceId=1054, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+82, keycloak-0: 86+75, keycloak-2: 83+99]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,524 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t13) [Context=offlineSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,524 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=actionTokens][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,523 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) ISPN000310: Starting cluster-wide rebalance for cache authenticationSessions, topology CacheTopology{id=2301, rebalanceId=1057, currentCH=DefaultConsistentHash{ns=256, owners = (2)[keycloak-1: 132+124, keycloak-0: 124+132]}, pendingCH=DefaultConsistentHash{ns=256, owners = (3)[keycloak-1: 87+82, keycloak-0: 86+75, keycloak-2: 83+99]}, unionCH=null, actualMembers=[keycloak-1, keycloak-0, keycloak-2]}
12:21:03,524 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t8) [Context=clientSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,524 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) [Context=authenticationSessions][Scope=keycloak-1]ISPN100002: Started local rebalance
12:21:03,525 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t8) [Context=actionTokens][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,525 INFO  [org.infinispan.CLUSTER] (transport-thread--p20-t8) [Context=authenticationSessions][Scope=keycloak-1]ISPN100003: Finished local rebalance
12:21:03,526 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) [Context=clientSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,528 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) [Context=actionTokens][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,528 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) [Context=offlineSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,529 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=authenticationSessions][Scope=keycloak-0]ISPN100003: Finished local rebalance
12:21:03,683 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=sessions][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:03,683 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 2300
12:21:03,750 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=loginFailures][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:03,750 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 2297
12:21:03,765 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) [Context=actionTokens][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:03,765 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t24) ISPN000336: Finished cluster-wide rebalance for cache actionTokens, topology id = 2298
12:21:04,058 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=offlineClientSessions][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,059 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000336: Finished cluster-wide rebalance for cache offlineClientSessions, topology id = 1649
12:21:04,069 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=clientSessions][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,069 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000336: Finished cluster-wide rebalance for cache clientSessions, topology id = 1648
12:21:04,351 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=work][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,351 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 1646
12:21:04,374 INFO  [org.infinispan.CLUSTER] (remote-thread--p6-t2) [Context=client-mappings][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,374 INFO  [org.infinispan.CLUSTER] (remote-thread--p6-t2) ISPN000336: Finished cluster-wide rebalance for cache client-mappings, topology id = 1657
12:21:04,460 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) [Context=offlineSessions][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,460 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t18) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 2298
12:21:04,460 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) [Context=authenticationSessions][Scope=keycloak-2]ISPN100003: Finished local rebalance
12:21:04,460 INFO  [org.infinispan.CLUSTER] (remote-thread--p9-t27) ISPN000336: Finished cluster-wide rebalance for cache authenticationSessions, topology id = 2301

Is this working as intended?

- Eivind

From Manfred.Schenk at iosb.fraunhofer.de Mon Apr 16 10:32:34 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Mon, 16 Apr 2018 14:32:34 +0000
Subject: [keycloak-user] In which cases will the return value of org.keycloak.representations.idm.GroupRepresentation.getAttributes() NOT empty?
Message-ID:

At the moment I'm trying to read/view all users/groups from a certain realm using the REST interface with the help of the class "org.keycloak.admin.client.Keycloak".

I can get the list of available groups and their subgroups and also the ids and names of the groups. But I haven't figured out how I can achieve non-empty return values for the getAttributes() method of the org.keycloak.representations.idm.GroupRepresentation instances.

Do I need some special configuration or request parameter for the desired result?
Thanks in advance,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From jasonspittel at yahoo.com Mon Apr 16 12:24:06 2018
From: jasonspittel at yahoo.com (Jason Spittel)
Date: Mon, 16 Apr 2018 16:24:06 +0000 (UTC)
Subject: [keycloak-user] Is KeyCloak SAML vulnerable to the c14n exploit?
References: <1438435178.965590.1523895846981.ref@mail.yahoo.com>
Message-ID: <1438435178.965590.1523895846981@mail.yahoo.com>

Hello,

I was alerted to this exploit, and was wondering if Keycloak, acting as an SP in a SAML authentication workflow, is vulnerable to it.
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Briefly, if a comment is put into an XML value, some parsers seem to stop parsing during canonicalization so that these two values are equivalent and equally valid for the same dsig:
user@domain.com
user@domain.com.hackers.net

Would it basically come down to if the parsers that Keycloak is using for SAML are vulnerable? Which look to be the javax.xml.stream parsers. Is that correct?

Thanks,
Jason

From jstrathern at gmail.com Mon Apr 16 13:20:34 2018
From: jstrathern at gmail.com (Joe Strathern)
Date: Mon, 16 Apr 2018 11:20:34 -0600
Subject: [keycloak-user] Teiid JDBC Access with DirectAccessGrantLoginModule leads to clear text password in log
Message-ID:

Hello Keycloak Community,

I've encountered a logging issue using the DirectAccessGrantLoginModule that can lead to clear-text passwords exposed in the logs. In my application, I am leveraging Teiid for Database Virtualization, and have secured its JDBC access using the DirectAccessGrantLoginModule in a custom security domain.
This is to allow users to access the data from JDBC clients by providing username/password instead of a token.

However, using this approach, when the login occurs, the LoginModule at DEBUG level will use the apache wire library and log the following line:

2017-12-12 09:23:18,263 DEBUG [org.apache.http.wire] (NIO8) >> "grant_type=password&username=MyUser&password=MyPassword&client_id=MyClient"

In the log line above, *MyPassword* will be in clear text, and visible to anyone reviewing the logs.

Is there any way to leverage this Login Module (or make improvements) to ensure the user's clear-text password is not shown in the log for security reasons? Perhaps an option or property that could encrypt/redact that password for that log message?

I can add custom Wildfly loggers to not display messages from this package at DEBUG, but it would be great if there was another option available to avoid missing out on other messages from this package.

Thanks,
Joe

From psilva at redhat.com Mon Apr 16 13:58:12 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 16 Apr 2018 14:58:12 -0300
Subject: [keycloak-user] Using Keycloak for authorisation only
In-Reply-To: <71A27CB2-9394-4B45-91B1-D108F75B7B6C@ge.com>
References: <71A27CB2-9394-4B45-91B1-D108F75B7B6C@ge.com>
Message-ID:

If you are asking about using only authorization services, it is not possible. It relies on keycloak authentication bits.

Regards.
Pedro Igor

On Mon, Apr 16, 2018 at 11:21 AM, Cano Carballar, Enrique (GE Power) <Enrique.Canocarballar at ge.com> wrote:
> Hi
>
> I was wondering if anyone has got any experience using Keycloak as an authorization engine only, without the authentication part? The authentication would be done by an external OAuth2 product (CloudFoundry UAA).
>
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ntle at castortech.com Mon Apr 16 16:17:46 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 16 Apr 2018 16:17:46 -0400
Subject: [keycloak-user] In which cases will the return value of org.keycloak.representations.idm.GroupRepresentation.getAttributes() NOT empty?
In-Reply-To:
References:
Message-ID:

I had a similar problem and I think in most cases loading a *Representation from its ID returns more detail than a search or list method:

List<GroupRepresentation> groups = realm.groups().groups("sales", 0, 10); // search; returned items don't have attrs
GroupRepresentation g = groups.get(0);
Map<String, List<String>> attrs = new HashMap<>(); // just add my attr
attrs.put("_peaka", Collections.singletonList("boo"));
g.setAttributes(attrs);
realm.groups().group(g.getId()).update(g);
GroupRepresentation g1 = realm.groups().group(g.getId()).toRepresentation(); // loading the group from its ID somehow loads attrs

Thai

On Mon, Apr 16, 2018 at 10:32 AM, Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de> wrote:
> At the moment I'm trying to read/view all users/groups from a certain realm using the REST interface with the help of the class "org.keycloak.admin.client.Keycloak".
>
> I can get the list of available groups and their subgroups and also the ids and names of the groups.
> But I haven't figured out how I can achieve non-empty return values for the getAttributes() method of the org.keycloak.representations.idm.GroupRepresentation instances.
>
> Do I need some special configuration or request parameter for the desired result?
>
> Thanks in advance,
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Telefon +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

AVIS DE CONFIDENTIALITE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From ntle at castortech.com Mon Apr 16 16:38:21 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 16 Apr 2018 16:38:21 -0400
Subject: [keycloak-user] How to warn user when his/her password is about to expire?
Message-ID:

Hello,

Is there any option to warn a user when he logs in that his/her password is about to expire, or to allow the user to change the password within X days from the expiry date?

Thai

From polochepu at gmail.com Mon Apr 16 18:59:42 2018
From: polochepu at gmail.com (paolo lizarazu)
Date: Mon, 16 Apr 2018 22:59:42 +0000
Subject: [keycloak-user] Authorization Code Grant
Message-ID:

Hi All,

I have a keycloak running with a test realm and someone client; this has an admin/admin user. I want to use Authorization Code Grant (seems direct access grant in keycloak) but I am not sure if I am misunderstanding something. My application is a desktop one that has its own login window; inside this I am sending a request to get a token like

POST http://localhost:9080/auth/realms/test/protocol/openid-connect/token
with body
grant_type=password&clientid=someone&username=admin&password=admin

This is returning the json with access_token, expires_in, refresh_token, etc. Seems all good.

From here, if I want to get user info
http://localhost:9080/auth/realms/test/protocol/openid-connect/userinfo
setting header authorization=Bearer code_token, I am getting 401 unauthorized with

{
  "error": "invalid_token",
  "error_description": "Token invalid: Token is not active"
}

Should I do a new request with grant_type=authorization_code&code=access_token to interchange the current one for a long one? And handle the refresh token later?

Sorry if this is a common or simple issue I am not getting working.

From sthorger at redhat.com Tue Apr 17 00:25:30 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 17 Apr 2018 06:25:30 +0200
Subject: [keycloak-user] How to warn user when his/her password is about to expire?
In-Reply-To:
References:
Message-ID:

There isn't. However, the password doesn't expire, rather it requires the user to update the password on the next login, so it shouldn't be necessary to email/notify the user.
On 16 April 2018 at 22:38, Nhut Thai Le wrote:
> Hello,
>
> Is there any option to warn a user when he logs in that his/her password is about to expire, or to allow the user to change the password within X days from the expiry date?
>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Manfred.Schenk at iosb.fraunhofer.de Tue Apr 17 03:27:12 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Tue, 17 Apr 2018 07:27:12 +0000
Subject: [keycloak-user] In which cases will the return value of org.keycloak.representations.idm.GroupRepresentation.getAttributes() NOT empty?
In-Reply-To:
References:
Message-ID:

Thanks for your answer. I wonder how one can implement such a logic without mentioning it in the documentation? But with your hint I can get the desired attributes now.

Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From: Nhut Thai Le
Sent: Monday, 16 April 2018 22:18
To: Schenk, Manfred
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] In which cases will the return value of org.keycloak.representations.idm.GroupRepresentation.getAttributes() NOT empty?
I had a similar problem and I think in most cases loading a *Representation from its ID returns more detail than a search or list method:

List<GroupRepresentation> groups = realm.groups().groups("sales", 0, 10); // search; returned items don't have attrs
GroupRepresentation g = groups.get(0);
Map<String, List<String>> attrs = new HashMap<>(); // just add my attr
attrs.put("_peaka", Collections.singletonList("boo"));
g.setAttributes(attrs);
realm.groups().group(g.getId()).update(g);
GroupRepresentation g1 = realm.groups().group(g.getId()).toRepresentation(); // loading the group from its ID somehow loads attrs

Thai

On Mon, Apr 16, 2018 at 10:32 AM, Schenk, Manfred wrote:

At the moment I'm trying to read/view all users/groups from a certain realm using the REST interface with the help of the class "org.keycloak.admin.client.Keycloak".

I can get the list of available groups and their subgroups and also the ids and names of the groups. But I haven't figured out how I can achieve non-empty return values for the getAttributes() method of the org.keycloak.representations.idm.GroupRepresentation instances.

Do I need some special configuration or request parameter for the desired result?

Thanks in advance,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed.
If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE (French version): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From keycloak-list at vergien.net Tue Apr 17 04:34:33 2018
From: keycloak-list at vergien.net (keycloak-list at vergien.net)
Date: Tue, 17 Apr 2018 10:34:33 +0200
Subject: [keycloak-user] Provisioning keycloak in a docker image for testing
Message-ID: <39aaf9b9-5682-28fc-686e-4fd4f236328b@vergien.net>

Hi list,

I'm working on getting a keycloak in a docker container with a defined dataset for integration testing. I'm using a json realm export and a json file with the users.

My problem is that the imported users only have a userId and password, but not other attributes like firstName, etc. If I add the users into the realm export it works fine, but I would like to use two different files, since the users tend to change more often than the realm definition.

Is this behavior a bug or a design decision?
Here is a link to my Dockerfile: https://git.loe.auf.uni-rostock.de/werbeo/docker/keycloak-werbeo Thanks in advance Daniel From sthorger at redhat.com Tue Apr 17 06:35:27 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 17 Apr 2018 12:35:27 +0200 Subject: [keycloak-user] Fwd: Reference users In-Reply-To: References: Message-ID: We would like to gather some information on what companies are currently using or are planning to use Keycloak in production. We are also looking for public references. If you are able to share your story please contact me off list. From Marko.Pascan at bosch-si.com Tue Apr 17 07:33:35 2018 From: Marko.Pascan at bosch-si.com (Pascan Marko (INST/ECS4)) Date: Tue, 17 Apr 2018 11:33:35 +0000 Subject: [keycloak-user] Defining a state of a Keycloak configuration: groups, users, roles, etc Message-ID: <5039c4e65818439b9791c8043cc8a2d1@bosch-si.com> Hi, I was wondering if there is a recommended way to define a Keycloak setup/configuration state (users, groups, user groups memberships, roles, clients, etc) in some format (json, yaml...) and use this to re-configure/update Keycloak setup to bring it to the desired state (updates and deletions of elements including)? What I am looking for is to track the Keycloak resources in some format in a revision control system and use these artifacts (json, yaml) to update, delete and create Keycloak artifacts. Best regards, Marko Pasan From dirk.franssen at gmail.com Tue Apr 17 08:00:02 2018 From: dirk.franssen at gmail.com (Dirk Franssen) Date: Tue, 17 Apr 2018 14:00:02 +0200 Subject: [keycloak-user] Available: Event Listener to InfluxDB Message-ID: Hi, not sure if this is the right channel, which seems quiet lately, but I want to FYI that I created an event listener to write events to InfluxDB, a timeseries database. The listener and some Grafana dashboards are available at https://github.com/dfranssen/influxdb-keycloak-event-listener if someone is interested. 
Kind regards,
Dirk

From lists at merit.unu.edu Tue Apr 17 08:55:34 2018
From: lists at merit.unu.edu (lists)
Date: Tue, 17 Apr 2018 14:55:34 +0200
Subject: [keycloak-user] enable CORS
Message-ID: <58793918-c4dd-9574-e3c0-7495aa456af9@merit.unu.edu>

Hi,

We are using keycloak as a SAML2 IdP for a web application (SOGo). Logging on works fine, however, after a while SOGo stops working.

I asked SOGo support to take a look at this, and they told me: "You'll need to enable CORS headers on our IdP keycloak.ourcompany.com so I can continue the debugging. The redirect is currently blocked for this reason."

I cannot find any keycloak toggle that would enable CORS headers. Could anyone tell me how to do this..?

MJ

From ntle at castortech.com Tue Apr 17 09:27:22 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 17 Apr 2018 09:27:22 -0400
Subject: [keycloak-user] custom password policies
Message-ID:

Hello,

We have some special needs regarding the password policies:

1. the user must use the password within X days
2. the user can not change the password within Y days
3. lock out the user after the password has been expired for N days

I don't know if these are supported in Keycloak since I don't see them in the password policy. Is it possible to add my own password policies and if yes, can I have some guidelines?

Thai

From kamal.softeng at gmail.com Tue Apr 17 10:27:46 2018
From: kamal.softeng at gmail.com (Kamal)
Date: Tue, 17 Apr 2018 10:27:46 -0400
Subject: [keycloak-user] Map domains to realms in keycloak
Message-ID:

Hi everyone,

Is there a way to associate each realm in KeyCloak with a domain (or subdomain)? I am hoping to be able to host multiple clients on the same server, for example

https://client1.sso.mycompany.com/auth
https://client2.sso.mycompany.com/auth

and have keycloak associate client1 with a realm, say client1, and so forth. I want to avoid having clients specify the realm in the URL; at least not when they come to the site initially.

Any advice is appreciated.
Thanks,
Kamal

From eferron at outlook.fr Tue Apr 17 10:55:03 2018
From: eferron at outlook.fr (Elie Ferron)
Date: Tue, 17 Apr 2018 14:55:03 +0000
Subject: [keycloak-user] Error io.undertow with HTTPS
Message-ID:

Hello all

Since I access my keycloak server over https, I have this kind of error. I don't understand where it comes from. Any ideas?

Error :

ERROR [io.undertow] (default task-6) UT005085: Connection io.undertow.server.protocol.http2.Http2ServerConnection at 772a5b27 for exchange HttpServerExchange{ GET /auth/resources/3.4.3.final/admin/keycloak/templates/kc-menu.html request {accept=[application/json, text/plain, */*], accept-language=[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0], referer=["host":/auth/admin/master/console/], Host=[host]} response {Cache-Control=[max-age=2592000], X-Powered-By=[Undertow/1], Server=[WildFly/11], Content-Type=[text/html;charset=UTF-8], Content-Length=[5670], Date=[Tue, 17 Apr 2018 14:48:25 GMT], :status=[200]}} was not closed cleanly, forcibly closing connection

Thanks

From lists at merit.unu.edu Tue Apr 17 11:28:18 2018
From: lists at merit.unu.edu (lists)
Date: Tue, 17 Apr 2018 17:28:18 +0200
Subject: [keycloak-user] enable CORS
In-Reply-To: <58793918-c4dd-9574-e3c0-7495aa456af9@merit.unu.edu>
References: <58793918-c4dd-9574-e3c0-7495aa456af9@merit.unu.edu>
Message-ID: <2bf9718a-5233-d864-1b2f-184f15f77fc9@merit.unu.edu>

Hi,

I have read some more, but would still like some feedback from the experts here.
:-)

Here's what I think I learned:

We are using apache as a proxy in front of keycloak, configured like this:

> ProxyPreserveHost On
> ProxyVia Off
> ProxyRequests Off
> ProxyPass / "http://localhost:8080/"
> ProxyPassReverse / "http://localhost:8080/"
>
> RequestHeader set X-Forwarded-Proto "https"
> RequestHeader set X-Forwarded-Port "443"

After reading https://awesometoast.com/cors/ and http://enable-cors.org/server_apache.html it seems I have to add CORS headers in apache config, so I added:

> Header always set Access-Control-Allow-Origin "*"

The "*" in this line feels like opening a large security hole...

But any comments on the above?

MJ

On 17-4-2018 14:55, lists wrote:
> Hi,
>
> We are using keycloak as a SAML2 IdP for a web application (SOGo).
> Logging on works fine, however, after a while SOGo stops working.
>
> I asked SOGo support to take a look at this, and they told me: "You'll
> need to enable CORS headers on our IdP keycloak.ourcompany.com so I can
> continue the debugging. The redirect is currently blocked for this reason."
>
> I cannot find any keycloak toggle that would enable CORS headers. Could
> anyone tell me how to do this..?
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ntle at castortech.com Tue Apr 17 11:50:54 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 17 Apr 2018 11:50:54 -0400
Subject: [keycloak-user] Brute force detection kick in but login screen does not tell user
Message-ID:

Hello,

I set up brute force detection to lock out the user after a few attempts and I can see the user is temporarily disabled from the log:

11:39:16,217 WARN [org.keycloak.events] (default task-13) type=LOGIN_ERROR, realmId=398525c4-fc1d-4d8c-905e-c5c116acfc9d, clientId=blah, userId=575c7e61-5c16-437f-aca9-e20425804fc4, ipAddress=127.0.0.1, error=user_temporarily_disabled, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/blah/, code_id=44355bdc-4a9f-4960-96f8-06157bfea2d0, username=ntle at castortech.com

However, the login screen still displays the generic error "Invalid username or password.". Is there any way to customize this to tell the user that he exceeded the number of trials and needs to wait X minutes before retrying?

Thai

From bruno at abstractj.org Tue Apr 17 12:22:48 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 17 Apr 2018 16:22:48 +0000
Subject: [keycloak-user] Error io.undertow with HTTPS
In-Reply-To:
References:
Message-ID:

It would be very helpful if you provide the full logs. Do you have them? If yes, please send them to the mailing list.

On Tue, Apr 17, 2018 at 11:59 AM Elie Ferron wrote:

> Hello all
>
>
> Since I access my keycloak server over https, I have this kind of error.
> I don't understand where it comes from. Any ideas?
>
>
> Error :
>
> ERROR [io.undertow] (default task-6) UT005085: Connection
> io.undertow.server.protocol.http2.Http2ServerConnection at 772a5b27 for
> exchange HttpServerExchange{ GET
> /auth/resources/3.4.3.final/admin/keycloak/templates/kc-menu.html request
> {accept=[application/json, text/plain, */*],
> accept-language=[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3],
> accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Windows NT
> 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0],
> referer=["host":/auth/admin/master/console/], Host=[host]} response
> {Cache-Control=[max-age=2592000], X-Powered-By=[Undertow/1],
> Server=[WildFly/11], Content-Type=[text/html;charset=UTF-8],
> Content-Length=[5670], Date=[Tue, 17 Apr 2018 14:48:25 GMT],
> :status=[200]}} was not closed cleanly, forcibly closing connection
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From gkinkladze at bog.ge Tue Apr 17 13:36:32 2018
From: gkinkladze at bog.ge (Giorgi Kinkladze)
Date: Tue, 17 Apr 2018 17:36:32 +0000
Subject: [keycloak-user] keycloak local database
Message-ID: <3713A928926F9F4DAAF98578FBB3319521C96CD8@Ex-Mailbox-03.bog.ge>

Hello,

Is there a way I can configure Keycloak to make it not use its local database, I mean the H2 database? I don't want to replace it with MySQL (I have already read that tutorial). We have already added our user database as an external user federation and it works fine, but we don't need the keycloak local database. Is it even possible? If so, how can I do that?

________________________________

Find out the latest about the Bank of Georgia Group products, services and recent developments from the Bank of Georgia monthly e-newsletter. If you wish to subscribe please simply send a request to enewsletter at bog.ge and write "subscribe" in the subject line.
This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. JSC Bank of Georgia shall not be responsible nor liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. JSC Bank of Georgia does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.

From cedric.thiebault at sensefly.com Tue Apr 17 15:14:07 2018
From: cedric.thiebault at sensefly.com (Cedric Thiebault)
Date: Tue, 17 Apr 2018 19:14:07 +0000
Subject: [keycloak-user] Keycloak 4 release date?
Message-ID:

Hello,

Do you have an idea of the release date for Keycloak 4.0? I'm waiting for Spring Boot 2 support :-)

Cedric

From ntle at castortech.com Tue Apr 17 15:28:13 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 17 Apr 2018 15:28:13 -0400
Subject: [keycloak-user] admin-client hang
Message-ID:

Hello,

I'm writing a script to automate our realm setup using the keycloak admin-client. I use the same client for multiple calls and at some point, my script hangs. Is there any issue with using the same client for multiple calls? Is each public method of the admin-client asynchronous? If yes, how do I chain calls like: create realm -> create client -> create resource -> create permissions -> create policy, ...
Thai

From fachhoch at gmail.com Tue Apr 17 15:49:04 2018
From: fachhoch at gmail.com (fachhoch m)
Date: Tue, 17 Apr 2018 15:49:04 -0400
Subject: [keycloak-user] logout implementation with KeycloakOIDCFilter
Message-ID:

I am getting started with securing my webapp using KeycloakOIDCFilter. For logout my application redirects to the url http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri; this clears the session in keycloak, but the application continues to show secured pages, and this filter pulls the security information (SerializableKeycloakAccount) from cache. By removing the KeycloakAccount.class.getName() attribute from the session and redirecting to the auth-server, it redirects to the login page and prevents access to secured pages after logout. Is this how logout should be implemented? This filter also has PreAuthActionsHandler, which has handleLogout; should the application use this?

From mposolda at redhat.com Wed Apr 18 03:21:57 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 18 Apr 2018 09:21:57 +0200
Subject: [keycloak-user] admin-client hang
In-Reply-To:
References:
Message-ID: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com>

On 17/04/18 21:28, Nhut Thai Le wrote:
> Hello,
>
> I'm writing a script to automate our realm setup using the keycloak
> admin-client. I use the same client for multiple calls and at some point,
> my script hangs. Is there any issue with using the same client for multiple
> calls?

It's not an issue, but make sure that:

- You use connection pooling. By default, it's 10 connections. See the source of the classes Keycloak and KeycloakBuilder
- Make sure you close responses. Especially for the "create" methods, which return Response objects, you need to explicitly close them. For the methods which return void or JSON objects, you don't need to do anything

If needed, see our testsuite for more inspiration. It's using adminClient in almost all the tests.
> Is each public method of the admin-client asynchronous? If yes, how
> do I chain calls like: create realm -> create client -> create resource ->
> create permissions -> create policy, ...

No, calls are synchronous and chaining shouldn't be an issue.

Marek

>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From eferron at outlook.fr Wed Apr 18 03:27:13 2018
From: eferron at outlook.fr (Elie Ferron)
Date: Wed, 18 Apr 2018 07:27:13 +0000
Subject: [keycloak-user] Error io.undertow with HTTPS
In-Reply-To:
References: ,
Message-ID:

Hi, this is the full log

________________________________

From: Bruno Oliveira
Sent: Tuesday, 17 April 2018 16:22:48
To: Elie Ferron
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Error io.undertow with HTTPS

It would be very helpful if you provide the full logs. Do you have them? If yes, please send them to the mailing list.

On Tue, Apr 17, 2018 at 11:59 AM Elie Ferron wrote:

Hello all

Since I access my keycloak server over https, I have this kind of error. I don't understand where it comes from. Any ideas?
Error :

ERROR [io.undertow] (default task-6) UT005085: Connection io.undertow.server.protocol.http2.Http2ServerConnection at 772a5b27 for exchange HttpServerExchange{ GET /auth/resources/3.4.3.final/admin/keycloak/templates/kc-menu.html request {accept=[application/json, text/plain, */*], accept-language=[fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0], referer=["host":/auth/admin/master/console/], Host=[host]} response {Cache-Control=[max-age=2592000], X-Powered-By=[Undertow/1], Server=[WildFly/11], Content-Type=[text/html;charset=UTF-8], Content-Length=[5670], Date=[Tue, 17 Apr 2018 14:48:25 GMT], :status=[200]}} was not closed cleanly, forcibly closing connection

Thanks

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From suleyman.yildirim at accenture.com Wed Apr 18 04:49:11 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Wed, 18 Apr 2018 08:49:11 +0000
Subject: [keycloak-user] [External] Re: Keycloak IDP Brokering + Spring Boot/Angular
In-Reply-To:
References:
Message-ID:

Hello Rodriguez,

Thanks a lot. I will try the links. Our application will act as SP and we will use the client's Microsoft ADFS as IDP. Once the user browses the front-end (e.g.: http://localhost:5005), the SP will send the metadata to the IDP etc. The problem is how to initiate this.

Thanks,
Suleyman

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Luis Rodríguez Fernández
Sent: 13 April 2018 17:20
To: keycloak-user at lists.jboss.org
Subject: [External] Re: [keycloak-user] Keycloak IDP Brokering + Spring Boot/Angular

Hello Suleyman,

The sample [1] application of the spring-security-saml [2] worked like a charm for me for the.
I just needed to specify the metadata URL of my idp in the org.opensaml.saml2.metadata.provider.HTTPMetadataProvider bean of sample/src/main/webapp/WEB-INF/securityContext.xml [3]. In my setup I was using openAM as IdP.

In your case I imagine that you have to register ADFS as IdP [4], get the SP metadata [5] and use it in your app? Or perhaps you have to register your app as a saml client [6].

Hope it helps,

[1] https://github.com/spring-projects/spring-security-saml/tree/develop/sample
[2] https://github.com/spring-projects/spring-security-saml
[3] https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/chapter-quick-start.html
[4] https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers
[5]
https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_saml_sp_descriptor
[6] https://www.keycloak.org/docs/latest/server_admin/index.html#saml-clients

2018-04-11 17:17 GMT+02:00 Yildirim, Suleyman <suleyman.yildirim at accenture.com>:

> Hi all,
>
> As a novice person in security and Keycloak, I have setup Keycloak
> Identity Provider to interact with ADFS using link
> http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html.
> I wonder how we test this setting using Angular and Spring Boot. Some
> details are below:
>
> We are using Angular 1.x and Spring Boot for the project. I have
> implemented SSO with open id connect but implementation part of SAML
> is still confusing. There are tutorials for OpenID connect but not with SAML.
> How do we send SAML request to external ADFS using IDP broker using
> Spring Boot/Angular? Do I need to use Java adapters for that?
>
> Best Regards,
> Suleyman
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you
> have received it in error, please notify the sender immediately and
> delete the original.
> Any other use of the e-mail by you is prohibited.
> Where allowed by local law, electronic communications with Accenture
> and its affiliates, including e-mail and instant messaging (including
> content), may be scanned by our systems for the purposes of
> information security and assessment of internal compliance with Accenture policy. Your privacy is important to us.
> Accenture uses your personal data only in compliance with data
> protection laws. For further information on how Accenture processes
> your personal data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________________________
>
> www.accenture.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From ntle at castortech.com Wed Apr 18 09:35:15 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 18 Apr 2018 09:35:15 -0400
Subject: [keycloak-user] admin-client hang
In-Reply-To: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com>
References: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com>
Message-ID:

Thank you for the hint. I use the builder with an 80 connections pool and I still have the hang problem. I didn't know that I have to close the response. I thought the whole point of using a pool is that I don't have to worry about the life cycle of the connection anymore. Anyway, will try what you suggested.

Thai

On Wed, Apr 18, 2018 at 3:21 AM, Marek Posolda wrote:

> On 17/04/18 21:28, Nhut Thai Le wrote:
>
>> Hello,
>>
>> I'm writing a script to automate our realm setup using the keycloak
>> admin-client. I use the same client for multiple calls and at some point,
>> my script hangs. Is there any issue with using the same client for multiple
>> calls?
>>
> It's not an issue, but make sure that:
> - You use connection pooling. By default, it's 10 connections. See the source
> of the classes Keycloak and KeycloakBuilder
> - Make sure you close responses. Especially for the "create" methods,
> which return Response objects, you need to explicitly close them.
> For the
> methods which return void or JSON objects, you don't need to do anything
>
> If needed, see our testsuite for more inspiration. It's using adminClient
> in almost all the tests.
>
> Is each public method of the admin-client asynchronous? If yes, how
>> do I chain calls like: create realm -> create client -> create resource ->
>> create permissions -> create policy, ...
>>
> No, calls are synchronous and chaining shouldn't be an issue.
>
> Marek
>
>>
>> Thai
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com
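Marek's two rules above (size the connection pool explicitly, and close every Response that a "create" method returns) and Thai's follow-up question later in the thread (does a create() whose Response is never touched close itself?) come together in the following setup script. This is an added example written for this archive, not code from the thread or from Keycloak's own code base. It assumes the admin-client API of Keycloak 3.4/4.0 as described in the thread (KeycloakBuilder.resteasyClient, RealmsResource.create returning void, ClientsResource.create and UsersResource.create returning a JAX-RS Response whose Location header ends in the new object's id); the server URL, admin credentials, realm name and client id are placeholders.

```java
import java.net.URI;
import java.util.Collections;
import java.util.function.Supplier;

import javax.ws.rs.core.Response;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Realm-setup script that follows the two rules from the thread: an explicit
 * connection pool size, and a close() on every Response the admin-client returns.
 * Server URL, credentials, realm and client id below are placeholders.
 */
public class RealmSetup {

    public static void main(String[] args) {
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")               // placeholder
                .realm("master")
                .clientId("admin-cli")
                .username("admin")                                     // placeholder
                .password(System.getenv("KEYCLOAK_ADMIN_PASSWORD"))    // placeholder, read from the environment
                // The default pool is 10 connections (see KeycloakBuilder); make the size explicit.
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(20).build())
                .build();
        try {
            // Methods returning void (or a JSON object) need no cleanup.
            RealmRepresentation realmRep = new RealmRepresentation();
            realmRep.setRealm("test");                                 // placeholder realm name
            realmRep.setEnabled(true);
            keycloak.realms().create(realmRep);

            RealmResource realm = keycloak.realm("test");

            // Methods returning javax.ws.rs.core.Response keep a pooled connection leased
            // until close() is called, so every one of them goes through created().
            ClientRepresentation clientRep = new ClientRepresentation();
            clientRep.setClientId("my-app");                           // placeholder client id
            clientRep.setPublicClient(true);
            clientRep.setRedirectUris(Collections.singletonList("http://localhost:9080/*"));
            String clientUuid = created("client my-app", () -> realm.clients().create(clientRep));

            UserRepresentation userRep = new UserRepresentation();
            userRep.setUsername("alice");                              // constructed sample user
            userRep.setEnabled(true);
            String userId = created("user alice", () -> realm.users().create(userRep));

            System.out.println("client uuid=" + clientUuid + " user id=" + userId);

            // Not like this: the Response is discarded unread and never closed, so its
            // connection stays leased. Done pool-size times, the script hangs on the next call.
            // realm.clients().create(clientRep);
        } finally {
            keycloak.close();
        }
    }

    /**
     * Runs one create call, checks the status, closes the Response on every path and
     * returns the id of the created object parsed from the Location header
     * (.../admin/realms/test/clients/{uuid}), or null when nothing new was created.
     */
    static String created(String what, Supplier<Response> call) {
        Response response = call.get();
        try {
            int status = response.getStatus();
            if (status == Response.Status.CONFLICT.getStatusCode()) {
                return null;                      // already exists: the script can be re-run
            }
            if (status != Response.Status.CREATED.getStatusCode()) {
                String body = response.hasEntity() ? response.readEntity(String.class) : "";
                throw new IllegalStateException("create " + what + " failed: HTTP " + status + " " + body);
            }
            URI location = response.getLocation();
            if (location == null) {
                return null;
            }
            String path = location.getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            response.close();                     // hands the connection back to the pool
        }
    }
}
```

The try/finally rather than try-with-resources is deliberate: Response only became AutoCloseable in JAX-RS 2.1, and the RESTEasy version bundled with the adapters of that time may still be on 2.0, so the explicit close() is the portable form. Treating HTTP 409 as "already there" keeps the script idempotent, which matters for a setup script that is re-run after a partial failure.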
From kitowskikamil at gmail.com Wed Apr 18 11:02:16 2018
From: kitowskikamil at gmail.com (Kamil Kitowski)
Date: Wed, 18 Apr 2018 15:02:16 +0000
Subject: [keycloak-user] Read access token values with Spring-Boot-2-Adapter or Spring-Security-Adapter
Message-ID:

Hello everyone,

in my Keycloak configuration I mapped some additional information into my access token and I'd like to read them in my backend services. Is it achievable with just these adapters or do I need additional libraries to parse the incoming JWT token?

Best regards,
--
Kitowski Kamil

From ranjan.pakira at capgemini.com Wed Apr 18 11:29:58 2018
From: ranjan.pakira at capgemini.com (Pakira, Ranjan)
Date: Wed, 18 Apr 2018 15:29:58 +0000
Subject: [keycloak-user] Fetch user with administration REST API
In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com>
References: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com>
Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com>

Hi,

We are facing one issue getting users with the administration REST API: GET /{realm}/users

The default value of the "max" parameter for this REST API is 100. In our database there are millions of users. But using the REST API we are unable to fetch all users; even if we set the value of the "max" parameter to 10000, it is throwing the following error:

Exception in thread "main" java.lang.Exception: http://keycloak.skf.com/auth/admin/realms/SKF/users?max=10000 returns status code: 404

Please let us know how to traverse all the users.
Is there any way to fetch all the usernames or user ids other than fetching UserRepresentation?

Thanks & Regards,
Ranjan

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed.
If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From subodhcjoshi82 at gmail.com Wed Apr 18 11:53:38 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 18 Apr 2018 15:53:38 +0000
Subject: [keycloak-user] Fetch user with administration REST API
In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com>
References: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com>
Message-ID:

Millions of records you want to fetch in one go? Where will you store all those users? Won't it impact the performance of your app as well as keycloak? Why are you not using server-side pagination to achieve this?

On Wed, 18 Apr 2018, 21:01 Pakira, Ranjan, wrote:

> Hi,
> We are facing one issue getting users with the administration REST API: GET
> /{realm}/users
> The default value of the "max" parameter for this REST API is 100. In our database
> there are millions of users. But using the REST API we are unable to fetch
> all users; even if we set the value of the "max" parameter to 10000, it is
> throwing the following error:
>
> Exception in thread "main" java.lang.Exception:
> http://keycloak.skf.com/auth/admin/realms/SKF/users?max=10000 returns
> status code: 404
>
> Please let us know how to traverse all the users.
> Is there any way to fetch all the usernames or user ids other than
> fetching UserRepresentation?
>
> Thanks & Regards,
> Ranjan
> This message contains information that may be privileged or confidential
> and is the property of the Capgemini Group. It is intended only for the
> person to whom it is addressed.
If you are not the intended recipient, you > are not authorized to read, print, retain, copy, disseminate, distribute, > or use this message or any part thereof. If you receive this message in > error, please notify the sender immediately and delete all copies of this > message. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ntle at castortech.com Wed Apr 18 12:19:18 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Wed, 18 Apr 2018 12:19:18 -0400 Subject: [keycloak-user] admin-client hang In-Reply-To: References: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com> Message-ID: I changed my code to close the response and I don't get the hang anymore. At the moment, I always get the response status code and close the response like this: Response resp = admin.realm("test").clients().get("clientUuid").authorization().policies().client().create(policyRep); int code = resp.getStatus(); resp.close(); However, if I use a method that returns a response but don't use it, would it automatically close? For example: admin.realm("test").clients().get("clientUuid").authorization().policies().client().create(policyRep); Thai On Wed, Apr 18, 2018 at 9:35 AM, Nhut Thai Le wrote: > Thank you for the hint. I use the builder with an 80-connection pool and I > still have the hang problem. I didn't know that I had to close the > response. I thought the whole point of using a pool is that I don't have to > worry about the life cycle of the connection anymore. Anyway, I will try what > you suggested. > > Thai > > > > On Wed, Apr 18, 2018 at 3:21 AM, Marek Posolda > wrote: > >> On 17/04/18 21:28, Nhut Thai Le wrote: >> >>> Hello, >>> >>> I'm writing a script to automate our realm setup using the keycloak >>> admin-client. I use the same client for multiple calls and at some point, >>> my script hangs.
Is there any issue with using the same client for >>> multiple >>> calls? >>> >> It's not an issue, but make sure that: >> - You use connection pooling. By default, it's 10 connections. See the source >> of the classes Keycloak and KeycloakBuilder >> - Make sure you close responses. Especially for the "create" methods, >> which return Response objects, you need to explicitly close them. For the >> methods which return void or JSON objects, you don't need to do anything >> >> If needed, see our testsuite for more inspiration. It's using the >> adminClient in almost all the tests. >> >> Is each public method of the admin-client asynchronous? If yes, how >>> do I chain calls like: create realm-> create client -> create resource -> >>> create permissions -> create policy,... >>> >> No, calls are synchronous and chaining shouldn't be an issue. >> >> Marek >> >>> >>> Thai >>> >> >> >> > > > -- > Castor Technologies Inc > 460 rue St-Catherine St Ouest, Suite 613 > Montréal, Québec H3B-1A7 > (514) 360-7208 o > (514) 798-2044 f > ntle at castortech.com > www.castortech.com > > CONFIDENTIALITY NOTICE: The information contained in this e-mail is > confidential and may be proprietary information intended only for the use > of the individual or entity to whom it is addressed. If the reader of this > message is not the intended recipient, you are hereby notified that any > viewing, dissemination, distribution, disclosure, copy or use of the > information contained in this e-mail message is strictly prohibited. If you > have received and/or are viewing this e-mail in error, please immediately > notify the sender by reply e-mail, and delete it from your system without > reading, forwarding, copying or saving in any manner. Thank you.
> AVIS DE CONFIDENTIALITÉ (French notice, translated): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby advised that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you. > -- Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com From sr.misc at gmail.com Wed Apr 18 13:24:37 2018 From: sr.misc at gmail.com (Sachin Rastogi) Date: Wed, 18 Apr 2018 19:24:37 +0200 Subject: [keycloak-user] custom password policies In-Reply-To: References: Message-ID: Hi all, We also have the same requirements. Please advise, how can we achieve this?
Regards, SR On Tue, Apr 17, 2018 at 3:27 PM, Nhut Thai Le wrote: > Hello, > > We have some special needs regarding the password policies: > > 1. user must use the password within X days > 2. user can not change password within Y days > 3. lock out user after password has been expired for N days > > I don't know if these are supported in Keycloak since I don't see them in > the password policy. Is it possible to add my own password policies and if > yes, can I have some guidelines? > > Thai > From mposolda at redhat.com Wed Apr 18 14:03:18 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 18 Apr 2018 20:03:18 +0200 Subject: [keycloak-user] admin-client hang In-Reply-To: References: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com> Message-ID: <98dc119c-115a-412a-5136-245171cd8026@redhat.com> On 18/04/18 18:19, Nhut Thai Le wrote: > I changed my code to close the response and I don't get the hang > anymore. At the moment, I always get the response status code and > close the response like this: > > Response resp = > admin.realm("test").clients().get("clientUuid").authorization().policies().client().create(policyRep); > int code = resp.getStatus(); > resp.close(); > > However, if I use a method that returns a response but don't use it, > would it automatically close? For example: > > admin.realm("test").clients().get("clientUuid").authorization().policies().client().create(policyRep); No, it won't close automatically. Which is quite error-prone and dangerous. IMO our admin client should never have been done in a way that returns those Response objects. My personal opinion would be to never return those responses, but rather return the created object including its ID as the result of the "create" methods.
That has the advantages that: - the caller will know the ID easily (currently the ID is available as the last part of the "Location" header of the response and it's not so trivial to retrieve it). - Responses will be closed automatically - Better API - In case of error, an exception will be thrown instead of the caller being required to parse the Response body, status etc. Which I personally like much more. The disadvantages are: - The create method will automatically return the created objects, so responses might be a bit bigger. But that's a very minor disadvantage - It needs to be done :) . And backwards compatibility Marek > > Thai > > > > On Wed, Apr 18, 2018 at 9:35 AM, Nhut Thai Le > wrote: > > Thank you for the hint. I use the builder with an 80-connection pool > and I still have the hang problem. I didn't know that I had to > close the response. I thought the whole point of using a pool is that > I don't have to worry about the life cycle of the connection > anymore. Anyway, I will try what you suggested. > > Thai > > > > On Wed, Apr 18, 2018 at 3:21 AM, Marek Posolda > > wrote: > > On 17/04/18 21:28, Nhut Thai Le wrote: > > Hello, > > I'm writing a script to automate our realm setup using the > keycloak > admin-client. I use the same client for multiple calls and > at some point, > my script hangs. Is there any issue with using the same > client for multiple > calls? > > It's not an issue, but make sure that: > - You use connection pooling. By default, it's 10 connections. > See the source of the classes Keycloak and KeycloakBuilder > - Make sure you close responses. Especially for the "create" > methods, which return Response objects, you need to > explicitly close them. For the methods which return void or > JSON objects, you don't need to do anything > > If needed, see our testsuite for more inspiration. It's using the > adminClient in almost all the tests. > > Is each public method of the admin-client asynchronous?
If > yes, how > do I chain calls like: create realm-> create client -> > create resource -> > create permissions -> create policy,... > > No, calls are synchronous and chaining shouldn't be an issue. > > Marek > > > Thai > > > > > > > > > -- > Castor Technologies Inc > 460 rue St-Catherine St Ouest, Suite 613 > Montréal, Québec H3B-1A7 > (514) 360-7208 o > (514) 798-2044 f > ntle at castortech.com > www.castortech.com
> > > > > -- > Castor Technologies Inc > 460 rue St-Catherine St Ouest, Suite 613 > Montréal, Québec H3B-1A7 > (514) 360-7208 o > (514) 798-2044 f > ntle at castortech.com > www.castortech.com From ntle at castortech.com Wed Apr 18 14:19:43 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Wed, 18 Apr 2018 14:19:43 -0400 Subject: [keycloak-user] admin-client hang In-Reply-To: <98dc119c-115a-412a-5136-245171cd8026@redhat.com> References: <0b144b3d-b884-d2c2-1dac-cd8ddb0a65d4@redhat.com> <98dc119c-115a-412a-5136-245171cd8026@redhat.com> Message-ID: I have the same thought too. Actually, I'm making an adaptor for my app to manipulate security. The adaptor wraps the admin client and returns only the UUID on those create methods.
I also notice that some create methods return a response with status 201 but no Location, but when reading the response into the *Representation I can getId, which is a bit strange to me. Anyway, it sucks that I have to remember to catch and close the response even if I don't care or the response doesn't have any interesting value. Thank you Thai On Wed, Apr 18, 2018 at 2:03 PM, Marek Posolda wrote: > On 18/04/18 18:19, Nhut Thai Le wrote: > > I changed my code to close the response and I don't get the hang anymore. > At the moment, I always get the response status code and close the response > like this: > > Response resp = admin.realm("test").clients().get("clientUuid"). > authorization().policies().client().create(policyRep); > int code = resp.getStatus(); > resp.close(); > > However, if I use a method that returns a response but don't use it, would > it automatically close? For example: > > admin.realm("test").clients().get("clientUuid"). > authorization().policies().client().create(policyRep); > > No, it won't close automatically. Which is quite error-prone and dangerous. > IMO our admin client should never have been done in a way that returns those Response > objects. > > My personal opinion would be to never return those responses, but rather > return the created object including its ID as the result of the "create" > methods. That has the advantages that: > - the caller will know the ID easily (currently the ID is available as the last part of > the "Location" header of the response and it's not so trivial to retrieve > it). > - Responses will be closed automatically > - Better API - In case of error, an exception will be thrown instead of > the caller being required to parse the Response body, status etc. Which I personally > like much more. > > The disadvantages are: > - The create method will automatically return the created objects, so > responses might be a bit bigger. But that's a very minor disadvantage > - It needs to be done :) .
And backwards compatibility > > Marek > > > > Thai > > > > On Wed, Apr 18, 2018 at 9:35 AM, Nhut Thai Le wrote: > >> Thank you for the hint. I use the builder with an 80-connection pool and I >> still have the hang problem. I didn't know that I had to close the >> response. I thought the whole point of using a pool is that I don't have to >> worry about the life cycle of the connection anymore. Anyway, I will try what >> you suggested. >> >> Thai >> >> >> >> On Wed, Apr 18, 2018 at 3:21 AM, Marek Posolda >> wrote: >> >>> On 17/04/18 21:28, Nhut Thai Le wrote: >>> >>>> Hello, >>>> >>>> I'm writing a script to automate our realm setup using the keycloak >>>> admin-client. I use the same client for multiple calls and at some >>>> point, >>>> my script hangs. Is there any issue with using the same client for >>>> multiple >>>> calls? >>>> >>> It's not an issue, but make sure that: >>> - You use connection pooling. By default, it's 10 connections. See the >>> source of the classes Keycloak and KeycloakBuilder >>> - Make sure you close responses. Especially for the "create" methods, >>> which return Response objects, you need to explicitly close them. For the >>> methods which return void or JSON objects, you don't need to do anything >>> >>> If needed, see our testsuite for more inspiration. It's using the >>> adminClient in almost all the tests. >>> >>> Is each public method of the admin-client asynchronous? If yes, how >>>> do I chain calls like: create realm-> create client -> create resource >>>> -> >>>> create permissions -> create policy,... >>>> >>> No, calls are synchronous and chaining shouldn't be an issue.
>>> >>> Marek >>> >>>> >>>> Thai >>>> >>> >>> >>> >> >> >> -- >> Castor Technologies Inc >> 460 rue St-Catherine St Ouest, Suite 613 >> Montréal, Québec H3B-1A7 >> (514) 360-7208 o >> (514) 798-2044 f >> ntle at castortech.com >> www.castortech.com >> > > > > -- > Castor Technologies Inc > 460 rue St-Catherine St Ouest, Suite 613 > Montréal, Québec H3B-1A7 > (514) 360-7208 o > (514) 798-2044 f > ntle at castortech.com > www.castortech.com > > CONFIDENTIALITY NOTICE: The information contained in this e-mail is > confidential and may be proprietary information intended only for the use > of the individual or entity to whom it is addressed.
If the reader of this > message is not the intended recipient, you are hereby notified that any > viewing, dissemination, distribution, disclosure, copy or use of the > information contained in this e-mail message is strictly prohibited. If you > have received and/or are viewing this e-mail in error, please immediately > notify the sender by reply e-mail, and delete it from your system without > reading, forwarding, copying or saving in any manner. Thank you. > > > -- Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com AVIS DE CONFIDENTIALITÉ (French notice, translated): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee.
Any other person is hereby advised that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you. From ranjan.pakira at capgemini.com Wed Apr 18 15:04:50 2018 From: ranjan.pakira at capgemini.com (Pakira, Ranjan) Date: Wed, 18 Apr 2018 19:04:50 +0000 Subject: [keycloak-user] Fetch user with administration REST API In-Reply-To: References: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com> Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3F7E@IN-BLR-DAGND3.corp.capgemini.com> No, it's for a nightly job. Yes, there is a way to manually calculate the offset and get the results. But I want to know if there is any way to get a proxy of all users or to get all user ids/usernames. From: Subodh Joshi [mailto:subodhcjoshi82 at gmail.com] Sent: Wednesday, April 18, 2018 9:24 PM To: Pakira, Ranjan Cc: keycloak-user; BISWAS, AYAN; Erdal, Jonatan; Hammarberg, Daniel Subject: Re: [keycloak-user] Fetch user with administration REST API Millions of records you want to fetch in one go? Where will you store all those users? Won't it impact the performance of your app as well as Keycloak? Why are you not using server-side pagination to achieve this? On Wed, 18 Apr 2018, 21:01 Pakira, Ranjan, > wrote: Hi, We are facing one issue getting users with the administration REST API: GET /{realm}/users The default value of the "max" parameter for this REST API is 100. In our database there are millions of users. But using the REST API we are unable to fetch all users; even if we set the value of the "max" parameter to 10000, it throws the following error: Exception in thread "main" java.lang.Exception: http://keycloak.skf.com/auth/admin/realms/SKF/users?max=10000 returns status code: 404 Please let us know how to traverse all the users.
Is there any way to fetch all the usernames or user ids other than fetching UserRepresentation? Thanks & Regards, Ranjan This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. From ranjan.pakira at capgemini.com Wed Apr 18 15:10:53 2018 From: ranjan.pakira at capgemini.com (Pakira, Ranjan) Date: Wed, 18 Apr 2018 19:10:53 +0000 Subject: [keycloak-user] Fetch user with administration REST API In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3F7E@IN-BLR-DAGND3.corp.capgemini.com> References: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3F7E@IN-BLR-DAGND3.corp.capgemini.com> Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3FA8@IN-BLR-DAGND3.corp.capgemini.com> The problem is that fetching users with the "max" parameter value 10000 does not work. It means that if any search criteria return around 10000 users it will fail. From: Pakira, Ranjan Sent: Thursday, April 19, 2018 12:35 AM To: Subodh Joshi Cc: keycloak-user; BISWAS, AYAN; Erdal, Jonatan; Hammarberg, Daniel Subject: RE: [keycloak-user] Fetch user with administration REST API No, it's for a nightly job. Yes, there is a way to manually calculate the offset and get the results. But I want to know if there is any way to get a proxy of all users or to get all user ids/usernames.
From: Subodh Joshi [mailto:subodhcjoshi82 at gmail.com] Sent: Wednesday, April 18, 2018 9:24 PM To: Pakira, Ranjan Cc: keycloak-user; BISWAS, AYAN; Erdal, Jonatan; Hammarberg, Daniel Subject: Re: [keycloak-user] Fetch user with administration REST API Millions of records you want to fetch in one go? Where will you store all those users? Won't it impact the performance of your app as well as Keycloak? Why are you not using server-side pagination to achieve this? On Wed, 18 Apr 2018, 21:01 Pakira, Ranjan, > wrote: Hi, We are facing one issue getting users with the administration REST API: GET /{realm}/users The default value of the "max" parameter for this REST API is 100. In our database there are millions of users. But using the REST API we are unable to fetch all users; even if we set the value of the "max" parameter to 10000, it throws the following error: Exception in thread "main" java.lang.Exception: http://keycloak.skf.com/auth/admin/realms/SKF/users?max=10000 returns status code: 404 Please let us know how to traverse all the users. Is there any way to fetch all the usernames or user ids other than fetching UserRepresentation? Thanks & Regards, Ranjan This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
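Two threads above meet in the same client code: Marek's advice to close every Response that the admin client's create methods return and to take the new object's ID from the Location header, and Subodh's suggestion to page through GET /{realm}/users with first/max rather than asking for everything in one request. The following is an added example, not code from the mailing list or from the Keycloak project; it is written against the Keycloak admin client (org.keycloak:keycloak-admin-client) and RESTEasy as they ship with the 3.x/4.x releases discussed here. The server URL, realm names, admin credentials, the pool size of 20 and the page size of 200 are assumptions for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.function.Consumer;

import javax.ws.rs.core.Response;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.UserRepresentation;

public class AdminClientExample {

    /**
     * One admin client, reused for every call. The default pool is 10 connections;
     * a bigger pool only postpones the hang if Responses are never closed.
     */
    static Keycloak connect() {
        return KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")   // assumed server URL
                .realm("master")
                .clientId("admin-cli")
                .grantType(OAuth2Constants.PASSWORD)
                .username("admin")                        // assumed admin credentials
                .password("admin")
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(20).build())
                .build();
    }

    /**
     * Checks the Response of a create() call, extracts the new object's ID from the
     * Location header and closes the Response on every path, so the pooled
     * connection is always released. Fails loudly instead of leaving the caller
     * to inspect status codes.
     */
    static String createdId(Response resp) {
        try {
            if (resp.getStatus() != Response.Status.CREATED.getStatusCode()) {
                String body = resp.hasEntity() ? resp.readEntity(String.class) : "";
                throw new IllegalStateException("create failed: HTTP " + resp.getStatus() + " " + body);
            }
            URI location = resp.getLocation();
            if (location == null) {
                // Some endpoints answer 201 with the representation in the body instead
                // (as reported in the thread); read the body here, before close(), if so.
                throw new IllegalStateException("201 Created without a Location header");
            }
            String path = location.getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            resp.close();
        }
    }

    /**
     * Visits every user of a realm in pages of pageSize using first/max, instead of
     * one request with a huge max. Returns how many users were visited.
     */
    static int forEachUser(RealmResource realm, int pageSize, Consumer<UserRepresentation> action) {
        UsersResource users = realm.users();
        int first = 0;
        int visited = 0;
        while (true) {
            List<UserRepresentation> page = users.list(first, pageSize);
            if (page.isEmpty()) {
                break;
            }
            page.forEach(action);
            visited += page.size();
            if (page.size() < pageSize) {
                break;                       // short page: that was the last one
            }
            first += page.size();
        }
        return visited;
    }

    public static void main(String[] args) {
        Keycloak admin = connect();
        RealmResource realm = admin.realm("demo");         // assumed realm name

        UserRepresentation user = new UserRepresentation(); // constructed sample user
        user.setUsername("nightly-job-test");
        user.setEnabled(true);
        String userId = createdId(realm.users().create(user));
        System.out.println("created user " + userId);

        // Nightly job: handle one page at a time, keep only the IDs/usernames you need.
        int total = forEachUser(realm, 200,
                u -> System.out.println(u.getId() + " " + u.getUsername()));
        System.out.println("visited " + total + " users, server count " + realm.users().count());

        admin.close();
    }
}
```

The same `createdId` wrapper fits the call from the thread, `clients().get(uuid).authorization().policies().client().create(policyRep)`, and any other create method that returns a `Response`. Two caveats for the nightly job: first/max paging is offset based, so users created or deleted while the job runs can shift the window and cause a user to be skipped or seen twice (run it in a quiet window or deduplicate on ID), and every page still carries full `UserRepresentation` objects, so keep the page size modest rather than reaching for a `max` of 10000.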
From soumya.mishra at aktana.com Wed Apr 18 15:26:16 2018 From: soumya.mishra at aktana.com (Soumya Mishra) Date: Wed, 18 Apr 2018 12:26:16 -0700 Subject: [keycloak-user] Screenshots in token_exchange documentation not accessible. Giving 404 error. Message-ID: Hello, The documentation for the token-exchange feature is missing the screenshots. https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc All the screenshots under the "Granting Permission for the Exchange" section are not available. If anyone knows any other links for this documentation please let me know. Regards, Soumya From daya.gnanasekaran at gmail.com Wed Apr 18 17:47:31 2018 From: daya.gnanasekaran at gmail.com (Daya Gnanasekaran) Date: Wed, 18 Apr 2018 21:47:31 +0000 Subject: [keycloak-user] LDAP Group mapping Message-ID: I'm trying to assign a Keycloak group to a user based on their LDAP group. For example, I have groups in Keycloak that are specific to my application, say app-admin and app-user (I just use these groups to aggregate roles). In LDAP the users are part of groups like developers and managers. Now I'm trying to support a mapping between these groups, like if the user is part of the developers group then automatically add app-admin. Any pointers to begin with? Thanks. From subodhcjoshi82 at gmail.com Wed Apr 18 21:57:18 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Thu, 19 Apr 2018 01:57:18 +0000 Subject: [keycloak-user] Screenshots in token_exchange documentation not accessible. Giving 404 error. In-Reply-To: References: Message-ID: Is this missing in the Keycloak documentation website as well? On Thu, 19 Apr 2018, 01:08 Soumya Mishra, wrote: > Hello, > > The documentation for the token-exchange feature is missing the screenshots.
> > > https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc > > All the screenshots under the "Granting Permission for the Exchange" section > are not available. > > If anyone knows any other links for this documentation please let me know. > > Regards, > Soumya > From mposolda at redhat.com Thu Apr 19 02:22:37 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 19 Apr 2018 08:22:37 +0200 Subject: [keycloak-user] Screenshots in token_exchange documentation not accessible. Giving 404 error. In-Reply-To: References: Message-ID: Nope, the official docs are here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange . These are the docs which are linked from the Keycloak homepage when you click the "Docs" link. What you pointed to above are the GitHub sources. That is useful just if you want to update the documentation and send us a pull request (in case you found a bug in the docs). Marek On 19/04/18 03:57, Subodh Joshi wrote: > Is this missing in the Keycloak documentation website as well? > > On Thu, 19 Apr 2018, 01:08 Soumya Mishra, > wrote: > > Hello, > > The documentation for the token-exchange feature is missing the > screenshots. > > https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc > > All the screenshots under the "Granting Permission for the Exchange" > section > are not available. > > If anyone knows any other links for this documentation please let > me know.
> > Regards, > Soumya > From sthorger at redhat.com Thu Apr 19 05:50:30 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 19 Apr 2018 11:50:30 +0200 Subject: [keycloak-user] Keycloak Questionnaire Message-ID: We would love to gather some information on who is using Keycloak and how it is being used. With that intent we have created a form here https://goo.gl/forms/TRSmCCU6eX25prhH2 I would greatly appreciate it if as many as possible can fill this in. Thanks, Stian Thorgersen Keycloak Project Lead From alpilin at gmail.com Thu Apr 19 07:36:35 2018 From: alpilin at gmail.com (Alexandr Pilin) Date: Thu, 19 Apr 2018 14:36:35 +0300 Subject: [keycloak-user] Dockerized Keycloak unreachable from host after migration Message-ID: Hi all, I was trying to use the import functionality with the Keycloak docker image, and it seems that the import makes Keycloak unreachable from the host. Here is the command I've used to start the docker image: docker run --name keycloak-demo -p 8180:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -v :/opt/jboss/compose-conf jboss/keycloak:3.4.3.Final -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/jboss/compose-conf/keycloak-exported.json -Dkeycloak.migration.strategy=IGNORE_EXISTING The container starts without errors in the logs and imports all the data, but I cannot access it at http://localhost:8180 (I get an empty reply from the server), although it is reachable from within the container itself. After removing the migration command arguments from the "docker run" command everything works. I've compared the logs and didn't find any explanation why this may happen. The only difference seems to be the import, which completes without errors. I've tried with Keycloak 3.4.3.Final and 4.0.0.beta on Windows and MacOS.
Docker version is 18.03.0-ce-win59 (16762). Am I doing something wrong, or maybe the migration functionality is not intended to work with the Docker image? Thank you, Best regards, Aleksandr Pilin From ndekefa at gmail.com Thu Apr 19 07:43:56 2018 From: ndekefa at gmail.com (Anselme Ndeke) Date: Thu, 19 Apr 2018 13:43:56 +0200 Subject: [keycloak-user] Can't logout using Jetty93 adapter Message-ID: Hi, Steps to reproduce: - set up the jetty93 adapter on jetty 9.3.10.v20160621 - download keycloak server 4.0.0.Beta1 - follow the keycloak-quickstarts/app-profile-jee-vanilla tutorial - try to access the restricted page and log in with user/password - logout - try to log in again = you're still logged in (the session is alive on the keycloak server) Expected: the keycloak server should ask for user/password again I attached a project based on the vanilla sample. The same generated war works well on wildfly10. What am I doing wrong? Thanks in advance. -- Regards, Anselme NDEKE -------------- next part -------------- A non-text attachment was scrubbed... Name: app-profile-jee-vanilla.tar Type: application/x-tar Size: 69632 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180419/f6f2288d/attachment-0001.tar From ntle at castortech.com Thu Apr 19 09:32:13 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Thu, 19 Apr 2018 09:32:13 -0400 Subject: [keycloak-user] Adding information to session Message-ID: Hello, Is there any way to add some custom data to the user session? I only use Keycloak for authentication, and after the user logs in (redirected to the app) I want to store some value in the user session. I can do this in my servlet: session.setAttribute("customAttr", value); But this would set it on the app server, not on KC. Thai
From ntle at castortech.com Thu Apr 19 12:12:45 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 19 Apr 2018 12:12:45 -0400
Subject: [keycloak-user] Cannot remove default resource when enable admin events log
Message-ID:

Hello,

Does anyone experience issues when deleting the Default Resource while the admin events log is enabled?

Thai

From RLewis at carbonite.com Thu Apr 19 12:40:31 2018
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 19 Apr 2018 16:40:31 +0000
Subject: [keycloak-user] Setting the Domain name used for outgoing password reset emails, etc.
Message-ID:

All,

I have Keycloak running in a Kubernetes Container and it works well. We are creating users using the admin API, which also works well. The issue is that when we call the Admin API using the inside Kubernetes route (a 10.x.x.x address), the email sent out has a link for the user to click that has that same 10.x.x.x address.

I have one solution, which is to put an entry into the hosts file on the calling machine which translates to the internal IP address, so the address would be correct for the customer-delivered email.

But is there a simpler way to do this? Is there a setting in Keycloak which represents the FQDN it is running on and that is used for everything?

Thanks,

Reed Lewis
Principal Software Engineer

This message is the property of CARBONITE, INC. and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail.

From abhi.raghav007 at gmail.com Thu Apr 19 13:24:14 2018
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Thu, 19 Apr 2018 22:54:14 +0530
Subject: [keycloak-user] Built in Service account
Message-ID: <00ff9ec7-888a-4ac0-a0a1-81f4e07cb3cf@gmail.com>

Hi

I found the Keycloak service account feature very effective for providing some external vendor process access to your secured REST endpoints.
https://www.keycloak.org/docs/3.1/server_admin/topics/clients/oidc/service-accounts.html

I just got stuck at one point: how to assign any group to a service account user (built in). I see role assignments are possible. Is there a workaround to achieve this if there is no direct support? Because I have some policies on the basis of which my app shares certain resources.

I appreciate any help on this.

Cheers
Abhishek

via Newton Mail

From john.lewis at geodis.com Thu Apr 19 14:03:20 2018
From: john.lewis at geodis.com (Lewis, John)
Date: Thu, 19 Apr 2018 18:03:20 +0000
Subject: [keycloak-user] Using both proxy address forwarding and an ip-access-control filter
Message-ID:

Hello Everyone,

When using both proxy address forwarding (https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses) and also request filtering (http://lists.jboss.org/pipermail/keycloak-user/2016-September/007855.html), does the filter get applied before or after the IP address is harvested from the X-Forwarded-For header?

It seems like the filter is getting applied before the IP address is pulled from the header, which makes using both kind of pointless.

Thanks for your help,
John

From sthorger at redhat.com Thu Apr 19 15:23:09 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 19 Apr 2018 21:23:09 +0200
Subject: [keycloak-user] custom password policies
In-Reply-To:
References:
Message-ID:

These are not available out of the box, but you can achieve 1 and 3 with a custom required action and 2 with a custom password policy.

On 18 April 2018 at 19:24, Sachin Rastogi wrote:

> Hi all,
>
> We also have the same requirements. Please advise, how can we achieve this?
>
> Regards,
> SR
>
> On Tue, Apr 17, 2018 at 3:27 PM, Nhut Thai Le wrote:
>
> > Hello,
> >
> > We have some special needs regarding the password policies:
> >
> > 1. user must use the password within X days
> > 2. user can not change password within Y days
> > 3. lock out user after password has been expired for N days
> >
> > I don't know if these are supported in Keycloak since I don't see them in the password policy. Is it possible to add my own password policies and if yes, can I have some guideline?
> >
> > Thai
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From aechols at bfcsaz.com Thu Apr 19 20:13:11 2018
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 19 Apr 2018 17:13:11 -0700
Subject: [keycloak-user] Keycloak Standalone HA Cluster Behind Zenloadbalancer
Message-ID:

Hello,

I'm working on setting up a standalone HA cluster behind an LB cluster. I'm using ZenLoadBalancer in this instance. I'm trying to track down some issues; I've enabled DEBUG logging as well. If I access either of the 2 hosts in the cluster through the UI on their individual IP addresses, I'm able to change and modify any configuration options, and everything is synced instantly between the hosts. I'm using a MariaDB Galera cluster for the database server. When I go through the LB, I can access and use the GUI just fine; however, when I need to modify anything I just get the following error:

    *Error!* An unexpected server error has occurred

Nothing shows up in the server.log, even though DEBUG is enabled. Again, this doesn't happen when going to the individual hosts' webui, just through the VIP on the LB cluster.
I'm looking for other ideas on how to debug the issue, or whether anyone else has run into something similar. Thank you. :)

-- 

From mohashi at redhat.com Thu Apr 19 23:00:21 2018
From: mohashi at redhat.com (Marcelo Ohashi)
Date: Fri, 20 Apr 2018 03:00:21 +0000
Subject: [keycloak-user] Image Customization to add Oracle RAC Datasource
Message-ID:

Hi all,

I have been analysing the redhat-sso72-openshift Dockerfile and the image's internal scripts to customize the standalone.xml with the XML elements necessary to add new data sources. We need some guidance here to make this image customization and add this entry along with the driver's module.

I've found that inside the image's /opt/eap/bin/launch folder there's a datasource.sh, which is part of the configuration step and is responsible for adding the data source entries to the standalone-openshift.xml file. So, although this script has a third option that seems to be capable of creating a new data source entry for other types of databases (besides MySQL and PostgreSQL), I am not sure if this is recommended. We didn't find any guidance in the docs on how to use it and we don't know if this will be backward compatible in future RH-SSO releases.

Do you think this is the right approach, or is it better to create new scripts to do the necessary customizations, without using the datasources.sh script, and call them from the openshift-launch.sh script after the configuration has been finished?

Best regards,

-- 
Marcelo Ohashi
Middleware Architect | Red Hat Brasil
M: +55 11 9 7338-6338
Av. Brigadeiro Faria Lima 3900, 8º Andar. São Paulo, Brasil.
RED HAT | TRIED. TESTED. TRUSTED.
Find out why at redhat.com

From eduard.matuszak at worldline.com Fri Apr 20 01:36:42 2018
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Fri, 20 Apr 2018 05:36:42 +0000
Subject: [keycloak-user] management of refresh token lifetime
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D72AA3D1C8@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

Is there a way to get information about the lifetime settings for refresh tokens of a realm, or even to customize the lifetime?

Best regards, Eduard Matuszak

From subodhcjoshi82 at gmail.com Fri Apr 20 01:49:44 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 20 Apr 2018 11:19:44 +0530
Subject: [keycloak-user] Fetch user with administration REST API
In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3FA8@IN-BLR-DAGND3.corp.capgemini.com>
References: <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3CF7@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3D38@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3F7E@IN-BLR-DAGND3.corp.capgemini.com> <0CCF50CABB0BC0438C7672FC2C769FB4BFBC3FA8@IN-BLR-DAGND3.corp.capgemini.com>
Message-ID:

Hi

In our application we have pagination, so I have to give a query like this:

    http://:8080//tenants/T0/users?max=500&page=1

It worked perfectly. I have to give page because that is mandatory in my case. It may be possible that getting 10k records created the issue and the Keycloak DB or Keycloak somehow hung due to that. Exactly what exception did you get?

On Thu, Apr 19, 2018 at 12:40 AM, Pakira, Ranjan <ranjan.pakira at capgemini.com> wrote:

> The problem is that fetching users with the "max" parameter value 10000 does not work. It means that if any search criteria returns around 10000 users it will fail.
>
>
>
> *From:* Pakira, Ranjan
> *Sent:* Thursday, April 19, 2018 12:35 AM
> *To:* Subodh Joshi
> *Cc:* keycloak-user; BISWAS, AYAN; Erdal, Jonatan; Hammarberg, Daniel
> *Subject:* RE: [keycloak-user] Fetch user with administration REST API
>
>
>
> No.
> It's for a nightly job.
>
> Yes, there is a way to manually calculate the offset and get the results.
>
> But I want to know if there is any way to get a proxy of all users or to get all user ids/usernames.
>
>
>
> *From:* Subodh Joshi [mailto:subodhcjoshi82 at gmail.com]
> *Sent:* Wednesday, April 18, 2018 9:24 PM
> *To:* Pakira, Ranjan
> *Cc:* keycloak-user; BISWAS, AYAN; Erdal, Jonatan; Hammarberg, Daniel
> *Subject:* Re: [keycloak-user] Fetch user with administration REST API
>
>
>
> Millions of records you want to fetch in one go?
>
> Where will you store all those users?
>
> Won't it impact the performance of your app as well as keycloak?
>
> Why are you not using server side pagination to achieve this?
>
>
>
> On Wed, 18 Apr 2018, 21:01 Pakira, Ranjan, wrote:
>
> Hi,
> We are facing one issue getting users with the administration REST API: GET /{realm}/users
> The default value of the "max" parameter for this REST API is 100. In our database there are millions of users. But using the REST API we are unable to fetch all users; even if we set the value of the "max" parameter to 10000, it is throwing the following error:
>
> Exception in thread "main" java.lang.Exception: http://keycloak.skf.com/auth/admin/realms/SKF/users?max=10000 returns status code: 404
>
> Please let us know how to traverse all the users.
> Is there any way to fetch all the usernames or user ids other than fetching UserRepresentation?
>
> Thanks & Regards,
> Ranjan
>
> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From yuriy.yunikov at verygood.systems Fri Apr 20 09:00:10 2018
From: yuriy.yunikov at verygood.systems (Yuriy Yunikov)
Date: Fri, 20 Apr 2018 13:00:10 +0000
Subject: [keycloak-user] Search by user id on admin console
Message-ID:

Hi everyone!

Is there any way to find a user by id on the admin console? I'm aware of the API method, but can't find any possibility to do it on the console. I've created a feature request for this, https://issues.jboss.org/browse/KEYCLOAK-7206, as it would be very useful. Please correct me if I'm wrong.

Regards,
Yuriy

From onlineuser21k at gmail.com Fri Apr 20 12:09:58 2018
From: onlineuser21k at gmail.com (Online User)
Date: Fri, 20 Apr 2018 12:09:58 -0400
Subject: [keycloak-user] How do I run a test from keycloak testsuite on a server outside IDE?
Message-ID:

Hi,

I need to debug something on a server. I found good test cases in the keycloak testsuite, but they run only on the bootstrapped keycloak server started by arquillian. Is it possible for me to point the test case to run on a specific server?

thanks in advance,
Pradeep

From ebenzacar at gmail.com Fri Apr 20 13:53:41 2018
From: ebenzacar at gmail.com (Eric B)
Date: Fri, 20 Apr 2018 13:53:41 -0400
Subject: [keycloak-user] User Attributes security and organization
Message-ID:

I just started working with KeyCloak (3.4.3) and have been looking at the user attributes, trying to determine how I can leverage some custom attributes for my different clients.
Two things in particular stand out when I look at the user attributes:

1) there is no mapping/assignment of attributes per client
2) there is no security assignment on the attributes (ex: what can be self-administered, what is read-only, what is visible to the client, etc.)

This becomes an issue when a user logs into the admin panel. Once he is logged in, he can essentially post a form with any attributes defined and these will automatically be persisted in the KeyCloak DB. While I'm not concerned about CSRF, I am concerned about a malicious user trying to explode my DB by submitting an extraneous number of attributes that KC will persist. Additionally, if I want to use a user attribute to specify some read-only information about a user, if the user knows the attribute name, he can override it via a form post. So essentially, I have no way to secure the attributes.

In a similar vein, I am a bit taken aback that all attributes are associated to the user only and cannot be assigned to a client. I would like to be able to specify some client-specific attributes, and have KC automatically filter the attributes available to a client token accordingly. Is this not feasible?

Are either of these functionalities implementable through some form of customization, or are they on the roadmap for a future version?

Thanks,
Eric

From kamal.softeng at gmail.com Fri Apr 20 15:05:49 2018
From: kamal.softeng at gmail.com (Kamal)
Date: Fri, 20 Apr 2018 15:05:49 -0400
Subject: [keycloak-user] Setting the Domain name used for outgoing password reset emails, etc.
In-Reply-To:
References:
Message-ID:

I have the same issue and I am already thinking of using a custom email sender that replaces the host part of the link with a DNS name; my current mapping is a simple properties file in JBOSS_HOME. I wish KeyCloak had a notion of associating a realm with an FQDN.
Hope this helps, and I will be curious what others think.

On Thu, Apr 19, 2018 at 12:40 PM, Reed Lewis wrote:

> All,
> I have Keycloak running in a Kubernetes Container and it works well. We are creating users using the admin API, which also works well. The issue is that when we call the Admin API using the inside Kubernetes route (a 10.x.x.x address), the email sent out has a link for the user to click that has that same 10.x.x.x address.
>
> I have one solution, which is to put an entry into the hosts file on the calling machine which translates to the internal IP address, so the address would be correct for the customer-delivered email.
>
> But is there a simpler way to do this? Is there a setting in Keycloak which represents the FQDN it is running on and that is used for everything?
>
> Thanks,
>
> Reed Lewis
> Principal Software Engineer
> This message is the property of CARBONITE, INC. and may contain confidential or privileged information.
> If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mwaki011 at gmail.com Sat Apr 21 09:53:10 2018
From: mwaki011 at gmail.com (Mike Wakim)
Date: Sat, 21 Apr 2018 09:53:10 -0400
Subject: [keycloak-user] Role Delegation by Users
Message-ID:

Hello,

If a user has been assigned a certain role by an admin, is there any way to allow this user to delegate his role to other users that he trusts? I don't see a direct configuration for this in Keycloak; are there any known solutions / configurations to achieve such behaviour?
Thanks, Mike From sergey at shimkiv.com Sat Apr 21 14:11:31 2018 From: sergey at shimkiv.com (Serhii Shymkiv) Date: Sat, 21 Apr 2018 21:11:31 +0300 Subject: [keycloak-user] An ability to evaluate/transform the template variables during the SAML/OpenID protocol mappers processing Message-ID: Hello Guys, current email thread is inspired by the https://github.com/keycloak/keycloak/pull/5042 and the question for the community is: - what do you think if the Keycloak will have an ability to evaluate/transform the template variables during the SAML/OpenID protocol mappers processing ? Examples (please refer to the attached "snapshot-1.png" and "snapshot-2.png"): 1. "snapshot-1.png": ${firstName} ${lastName} => the simplest expression, the template variables will be evaluated into the real values of the user (in this case) properties => e.g.: "Serhii Shymkiv" (without quotes, of course) 2. "snapshot-2.png": Welcome back, #(${firstName} ${lastName}) ?: ${email} => almost the same expression but with additional logic which means that the value of the #(...) block will be used only if it is not blank (null or space symbols only) otherwise the expression to the right of the ?: operator will be evaluated => e.g.: "Welcome back, Serhii Shymkiv" e.g.: "Welcome back, sergey at shimkiv.com" Thank you for you time. -- Best regards, Serhii Shymkiv. -------------- next part -------------- A non-text attachment was scrubbed... Name: snapshot-1.png Type: image/png Size: 32632 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180421/9abacd6b/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... 
Name: snapshot-2.png
Type: image/png
Size: 36018 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180421/9abacd6b/attachment-0003.png

From torsten.roemer at agfa.com Sun Apr 22 17:00:52 2018
From: torsten.roemer at agfa.com (Torsten Roemer)
Date: Sun, 22 Apr 2018 23:00:52 +0200
Subject: [keycloak-user] Instance of Infinispan RoleAdapter
Message-ID:

Hello,

I've implemented a User Storage Provider following the Example User Storage Provider with EJB and JPA. It works fine, I can fetch tokens for the users in external storage, and now I would like to add roles to the users. For that I have overridden UserAdapter#getRoleMappings:

    @Override
    public Set<RoleModel> getRoleMappings() {
        // start from the role mappings the base adapter already resolves
        final Set<RoleModel> roles = super.getRoleMappings();
        // add a role backed by my own minimal RoleModel implementation
        final RoleModel role = new RoleAdapter(this, "my-role-id", "my-role-name");
        roles.add(role);
        return roles;
    }

RoleAdapter is my own minimal implementation of RoleModel.

While this works, there are now many calls to getUserById(), which I think is because my RoleModel implementation is not cached. I suppose this could be solved by using org.keycloak.models.cache.infinispan.RoleAdapter, but how can I create an instance of it? In particular, I have trouble getting an instance of RealmCacheSession that needs to be passed to the constructor.

Cheers,
Torsten

From federico at info.nl Mon Apr 23 04:45:28 2018
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Mon, 23 Apr 2018 08:45:28 +0000
Subject: [keycloak-user] Is possible to have a "required action only on demand"?
Message-ID:

Hello,

I'm currently facing the following requirement, which I think is not standard in Keycloak. The basic idea is to have 2-factor authentication, but I don't need it at login time, only when the user attempts to execute some specific action. Therefore, setting the logic as an authenticator or as a required action does not satisfy my needs, since the user should be allowed to log in in the base case.
The idea I was considering is to have an additional role on user level (eg: user_verified), so that in case of having that role, the user is good to go, but in case of not having the role, he will be required to go through the additional authentication process. My question is, how can I trigger that process?

Kind regards,

Federico Navarro
backend developer
federico at info.nl | LinkedIn | - info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From dev.spike.j at gmail.com Mon Apr 23 05:48:52 2018
From: dev.spike.j at gmail.com (Spike J)
Date: Mon, 23 Apr 2018 11:48:52 +0200
Subject: [keycloak-user] Keycloak 4 and Scopes (Account Page)
Message-ID:

Hi together,

we are trying to use Keycloak in a microservice environment with different admins for different services. Therefore, we want to use the scopes that can be managed in the account pages for each REST endpoint in each service.

But there are a few questions we are not able to figure out:

1. can we create resources/scopes in the account-page or only manage existing scopes?

2. is there any way to have an overview with all scopes/resources to apply for, or is the common use case that you fail to get access and then have to send a ticket somehow manually or call the admin to get the scope?

3. is there no way to make policies based on scopes? There are only permissions based on scopes. But somehow we run in circles, as we want to use the scopes as permissions and don't want to protect the scopes based on anything else than the account-page ("My Resources").

4. is there any easy annotation to check for scopes in spring? I always see "hasRole", but when we only work with scopes we would expect a "hasScope". Do we have to add roles with "Scope Param Required"?

5. where do we actually check for scopes allowed for a user? When we get the token - depending on the policy enforcement - we either always get the scope or never, and not based on what is configured on the account-page.
It would be great to get some feedback, as we have really struggled with those topics for some time now.
I am compiling the newest keycloak all the time -> Version 4 beta.

Thanks in advance and kind regards

From psilva at redhat.com Mon Apr 23 08:07:45 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 23 Apr 2018 09:07:45 -0300
Subject: [keycloak-user] Keycloak 4 and Scopes (Account Page)
In-Reply-To:
References:
Message-ID:

On Mon, Apr 23, 2018 at 6:48 AM, Spike J wrote:

> Hi together,
>
> we are trying to use Keycloak in a microservice environment with different admins for different services. Therefore, we want to use the scopes that can be managed in the account pages for each REST endpoint in each service.
>
> But there are a few questions we are not able to figure out:
> 1. can we create resources/scopes in the account-page or only manage existing scopes?
>

Users are only allowed to manage existing resources and scopes, where these resources/scopes were previously created on the resource server.

> 2. is there any way to have an overview with all scopes/resources to apply for, or is the common use case that you fail to get access and then have to send a ticket somehow manually or call the admin to get the scope?
>

This functionality is based on the UMA protocol to enable users to manage their own resources. From a client perspective, you will be receiving a permission ticket with the necessary information to request access to a protected resource. But as a resource server you are allowed to query the Resource Registration Endpoint and query for resources.

> 3. is there no way to make policies based on scopes? There are only permissions based on scopes. But somehow we run in circles, as we want to use the scopes as permissions and don't want to protect the scopes based on anything else than the account-page ("My Resources").
>

So, you don't want any permissions/policies but just rely on the permissions granted to your users via the account page?
I don't have tests for this scenario, but I think we can do that.

> 4. is there any easy annotation to check for scopes in spring? I always see "hasRole", but when we only work with scopes we would expect a "hasScope". Do we have to add roles with "Scope Param Required"?
>

When you enable the policy enforcer for your application you are provided with an Authorization Context [1]. It is basically an object that provides access to the permissions granted by the server (resources and scopes).

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_authorization_context

> 5. where do we actually check for scopes allowed for a user? When we get the token - depending on the policy enforcement - we either always get the scope or never, and not based on what is configured on the account-page.
>

I may be missing something here, but usually you don't need to manually check for resources/scopes as this is the job of the policy enforcer. But again, you can have access to all permissions granted from the Authorization Context.

>
> It would be great to get some feedback, as we have really struggled with those topics for some time now.
> I am compiling the newest keycloak all the time -> Version 4 beta.
>
> Thanks in advance and kind regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Mon Apr 23 08:13:44 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 23 Apr 2018 09:13:44 -0300
Subject: [keycloak-user] Cannot remove default resource when enable admin events log
In-Reply-To:
References:
Message-ID:

This was already fixed by https://issues.jboss.org/browse/KEYCLOAK-6321.

On Thu, Apr 19, 2018 at 1:12 PM, Nhut Thai Le wrote:

> Hello,
>
> Does anyone experience issues when deleting the Default Resource while the admin events log is enabled?
>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From johnson.liang at appier.com Mon Apr 23 23:17:08 2018
From: johnson.liang at appier.com (Johnson Liang)
Date: Tue, 24 Apr 2018 03:17:08 +0000
Subject: [keycloak-user] Keycloak.js cannot catch the case when keycloak server is down
In-Reply-To:
References:
Message-ID:

Hello,

I am trying to implement an error handling mechanism for my public access type JS client; however, the current implementation of keycloak.js does not provide such a feature. To be specific, I want to achieve the following steps:

1. Initialize the JS client using keycloak.init({onLoad: 'login-required'})
2a. If the initialization succeeds, store keycloak.token in window.localStorage.
2b. If initialization fails due to network issues (i.e. the keycloak server is down), use the keycloak token stored in localStorage instead.

In this way, users that have frequently logged in to our system can still be authenticated if the keycloak server is down, which buys us time recovering the authentication service.

However, I cannot implement the measure above because the current keycloak.js does not reject keycloak.init()'s promise when there is a network error. Specifically, when the keycloak server is down, invoking postMessage() in checkLoginIframe() will throw an exception [1]. However, the exception is not handled by checkLoginIframe(), so processInit() can do nothing about the initPromise [2].

As an alternative, I can implement the following health check instead:

1. Send an ajax request to `/realms//.well-known/openid-configuration` to test if keycloak is alive.
2a. If keycloak is alive, do keycloak.init()
2b. If not, use the token stored in localStorage

This alternative costs one extra RTT between the keycloak server and the JS client.

I'd like to know:

1.
Is it possible for keycloak.js to catch network errors so that we can properly handle the network error?
2. If the answer to 1 is no, is there any alternative better than the one above?

Thanks,
Johnson

[1] Relevant code: https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L1117
[2] Relevant code: https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L183

From hmlnarik at redhat.com Tue Apr 24 02:54:24 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 24 Apr 2018 08:54:24 +0200
Subject: [keycloak-user] Is KeyCloak SAML vulnerable to the c14n exploit?
In-Reply-To: <1438435178.965590.1523895846981@mail.yahoo.com>
References: <1438435178.965590.1523895846981.ref@mail.yahoo.com> <1438435178.965590.1523895846981@mail.yahoo.com>
Message-ID:

No, keycloak is not vulnerable to this exploit.

On Mon, Apr 16, 2018 at 6:24 PM, Jason Spittel wrote:

> Hello,
> I was alerted to this exploit, and was wondering if Keycloak, acting as an SP in a SAML authentication workflow, is vulnerable to it.
> https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
>
>
> Briefly, if a comment is put into an XML value, some parsers seem to stop parsing during canonicalization so that these two values are equivalent and equally valid for the same dsig:
> user at domain.comuser@domain.com.hackers.net
> Would it basically come down to whether the parsers that Keycloak is using for SAML are vulnerable? Which look to be the javax.xml.stream parsers. Is that correct?
> Thanks,
> Jason
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
--Hynek

From sthorger at redhat.com Tue Apr 24 03:15:14 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 24 Apr 2018 09:15:14 +0200
Subject: [keycloak-user] Keycloak Questionnaire
Message-ID:

We would love to gather some information on who is using Keycloak and how it is being used. With that intent we have created a form here: https://goo.gl/forms/TRSmCCU6eX25prhH2

I would greatly appreciate it if as many as possible can fill this in.

Thanks,
Stian Thorgersen
Keycloak Project Lead

From dev.spike.j at gmail.com Tue Apr 24 03:54:09 2018
From: dev.spike.j at gmail.com (Spike J)
Date: Tue, 24 Apr 2018 09:54:09 +0200
Subject: [keycloak-user] Keycloak 4 and Scopes (Account Page)
In-Reply-To:
References:
Message-ID:

Hi Pedro,

thanks for your replies. According to:

1. Are there any plans to create scopes on the account page? In our case every service-owner should be able to decide if he wants to protect each REST endpoint with its own scope or a single scope for all, and so on. So it would be nice if he could just create a scope from within his account page and did not have to ask us (admins) to create that scope for him. Otherwise we would create a separate Webapp just for creating/deleting scopes.

2. I understand from the UMA perspective how to apply for a scope through the ticketing process. But as a requester for a scope (to access a REST endpoint in our case) I would like to see all scopes that are available, to apply for certain scopes directly from the account page. For me the account page seems kind of restricted, as I can allow or give scopes, but can not apply for one. And on the other hand (referring to 1.) I can manage resources and scopes but can not create them.

3. We managed to set up a script-based policy with checking for owner and/or claims to a scope.
I think that should fulfil our requirements.

4. Thanks, we will have a closer look at that.

5. We tried to check our entire infrastructure with Postman first. Therefore, we were looking for an endpoint that gives us the granted scopes. But I agree, if the policy enforcer does that then there is no need for anything else :)

Thanks a lot
Spike

2018-04-23 14:07 GMT+02:00 Pedro Igor Silva :

>
>
> On Mon, Apr 23, 2018 at 6:48 AM, Spike J wrote:
>
>> Hi together,
>>
>> we are trying to use Keycloak in a microservice environment with different admins for different services. Therefore, we want to use the scopes that can be managed in the account pages for each REST endpoint in each service.
>>
>> But there are a few questions we are not able to figure out:
>> 1. can we create resources/scopes in the account-page or only manage existing scopes?
>>
>
> Users are only allowed to manage existing resources and scopes, where these resources/scopes were previously created on the resource server.
>
>
>> 2. is there any way to have an overview with all scopes/resources to apply for, or is the common use case that you fail to get access and then have to send a ticket somehow manually or call the admin to get the scope?
>>
>
> This functionality is based on the UMA protocol to enable users to manage their own resources. From a client perspective, you will be receiving a permission ticket with the necessary information to request access to a protected resource. But as a resource server you are allowed to query the Resource Registration Endpoint and query for resources.
>
>
>> 3. is there no way to make policies based on scopes? There are only permissions based on scopes. But somehow we run in circles, as we want to use the scopes as permissions and don't want to protect the scopes based on anything else than the account-page ("My Resources").
>>
>
> So, you don't want any permission/policies but just rely on the
> permissions granted to your users via account page ?
>
> I don't have tests for this scenario, but I think we can do that.
>
>
>> 4. is there any easy annotation to check for scopes in spring? I always
>> see
>> "hasRole", but when we only work with scopes we would expect a "hasScope".
>> Do we have to add roles with "Scope Param Required"?
>>
>
> When you enable the policy enforcer to your application you are provided
> with an Authorization Context [1]. It is basically an object that provides
> access to the permissions granted by the server (resource and scopes).
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_authorization_context
>
>
>> 5. where do we actually check for scopes allowed for a user? When we get
>> the token - depending on the policy enforcement - we either get always the
>> scope or never and not based on what is configured on the account-page.
>>
>
> I may be missing something here, but usually you don't need to manually
> check for resources/scopes as this is the job of the policy enforcer. But
> again, you can have access to all permissions granted from the
> Authorization Context.
>
>
>>
>> Would be great to get some feedback as we really struggle with those
>> topics
>> for some time now.
>> I am compiling the newest keycloak all the time -> Version 4 beta.
>>
>> Thanks in advance and kind regards
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From felipe.braun at intelbras.com.br Tue Apr 24 06:35:46 2018
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Tue, 24 Apr 2018 07:35:46 -0300
Subject: [keycloak-user] Social login + REST
Message-ID: <797e89c3-7e6a-0521-cf07-6f77933ffe1e@intelbras.com.br>

Hello guys,

There is a third party creating a mobile app for us, using our KeyCloak for authentication. They've run into some issues trying to use social login with the REST API, so they can control the UI.

So: is it *possible* to do that with social login? They have successfully done it with keycloak user auth, but not with google/facebook.

If so, *how* is it done? Is there a different endpoint for that? The devs say that the docs do not cover this kind of usage (maybe because it doesn't work? I have not checked the docs, nor their code).

They've tried using a hidden page in the background to emulate the clicks, but google does not accept that anymore.

Any ideas?

Thanks!

-- 
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação (Information and Communication Technology)
(48) 3281 9577
felipe.braun at intelbras.com.br
The information contained in this e-mail and its attachments is protected by law, subject to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From vramik at redhat.com Tue Apr 24 07:45:30 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Tue, 24 Apr 2018 13:45:30 +0200
Subject: [keycloak-user] as7 wildfly8 adapter
Message-ID: <77fe5165-f79d-1f4e-15f7-2b800188efb6@redhat.com>

Hey guys,

I was considering a removal of the as7 adapter (EAP6 adapter stays) and also the wildfly8 adapter. AFAIK there were just a few downloads of those in the past months.

I'm working on a different test framework for adapter tests and IMO it is a waste of time to put an effort into those.

Any concerns or ideas?

Thanks

Vlasta

From psilva at redhat.com Tue Apr 24 11:07:30 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Apr 2018 12:07:30 -0300
Subject: [keycloak-user] Keycloak 4 and Scopes (Account Page)
In-Reply-To:
References:
Message-ID:

On Tue, Apr 24, 2018 at 4:54 AM, Spike J wrote:

> Hi Pedro,
>
> thanks for your replies.
>
> according to:
>
> 1. Are there any plans to create scopes on the account page? In our case
> every service-owner should be able to decide if he wants to protect each
> REST endpoint with its own scope or a single scope for all and so on. So it
> would be nice if he could just create a scope from within his account
> page and does not have to ask us (admins) to create that scope for him.
> Otherwise we would create a separate Webapp just for creating/deleting
> scopes.
>

I guess your "users" are not actually end-users, right?
I mean, they are developers responsible for a service in your platform?

If that is true, the account page is meant for end-users. Where the resources and scopes they can manage are actually managed by a resource server.

As you might know, we provide APIs that you can use to build functionality to manage things on the server (Resources, scopes, policies, permissions, etc).

>
> 2. I understand from the UMA perspective how to apply for a scope through
> the ticketing process. But as a requester for a scope (to access a REST
> endpoint in our case) I would like to see all scopes that are available to
> apply for certain scopes directly from the account page. For me the account
> page seems kind of restricted as I can allow or give scopes, but can not
> apply for one. And on the other hand (referring to 1.) I can manage
> resources and scopes but can not create them.
>

I see. Yeah, users can not "ask" for a resource/scope from the account page. They can "grant" access to their resources/scopes. This is not something hard to support, we could provide something to let users "ask" for access.

The thing is that per UMA, client applications are responsible for managing these "authorization requests". User is navigating through your application and then he wants to access some protected resource he is not allowed to access. Being this resource owned by a different user, your client application can "ask" the owner to allow the user to access the resource by "submitting" an authorization request which the owner can "approve" or "deny".

That is the flow we support. I'm not sure how we could support "asking" permissions directly through account page though ....

>
> 3. We managed to set up a script-based policy with checking for owner
> and/or claims to a scope. I think that should fulfill our requirements.
>
> 4. Thanks, we will have a closer look at that.
>
> 5. We tried to check our entire infrastructure with Postman first.
> Therefore, we were looking for an endpoint that gives us the granted
> scopes. But I agree, if the policy enforcer does that then there is no need
> for anything else :)
>

In the next release (Beta2) we are going to push several improvements to the policy enforcer. Some of them include:

* Allow clients to not use RPTs to access a resource server but just the access token. In this case, the PEP will do the job to query permissions from the server for each request.
* Allow resource servers to push arbitrary claims from different sources at runtime (request, external http service, etc) and send these claims to policies in order to provide more information about the transaction in course.
* Allow resource servers to configure cache of paths and resources mapped from the server. Or disable cache completely.
* Allow resources to load resources on-demand from Keycloak. Today you need to either load everything during deployment or specify paths in keycloak.json.

>
> Thanks a lot
> Spike
>
> 2018-04-23 14:07 GMT+02:00 Pedro Igor Silva :
>
>>
>>
>> On Mon, Apr 23, 2018 at 6:48 AM, Spike J wrote:
>>
>>> Hi together,
>>>
>>> we are trying to use Keycloak in a microservice environment with
>>> different
>>> admins for different services. Therefore, we want to use the scopes that
>>> can be managed in the account pages for each REST endpoint in each
>>> service.
>>>
>>> But there are a few questions we are not able to figure out:
>>> 1. can we create resources/scopes in the account-page or only manage
>>> existing scopes?
>>>
>>
>> Users are only allowed to manage existing resources and scopes. Where
>> these resources/scopes were previously created on the resource server.
>>
>>
>>> 2. is there any way to have an overview with all scopes/resources to
>>> apply
>>> for or is the common usecase that you fail to get access and then have to
>>> send a ticket somehow manually or call the admin to get the scope?
>>>
>>
>> This functionality is based on UMA protocol to enable users to manage
>> their own resources. From a client perspective, you will be receiving a
>> permission ticket with the necessary information to request access to a
>> protected resource. But as a resource server you are allowed to query the
>> Resource Registration Endpoint and query for resources.
>>
>>
>>> 3. is there no way to make policies based on scopes? There are only
>>> permissions based on scopes. But somehow we run in circles, as we want to
>>> use the scopes as permissions and don't want to protect the scopes based
>>> on
>>> anything else than the account-page ("My Resources").
>>>
>>
>> So, you don't want any permission/policies but just rely on the
>> permissions granted to your users via account page ?
>>
>> I don't have tests for this scenario, but I think we can do that.
>>
>>
>>> 4. is there any easy annotation to check for scopes in spring? I always
>>> see
>>> "hasRole", but when we only work with scopes we would expect a
>>> "hasScope".
>>> Do we have to add roles with "Scope Param Required"?
>>>
>>
>> When you enable the policy enforcer to your application you are provided
>> with an Authorization Context [1]. It is basically an object that provides
>> access to the permissions granted by the server (resource and scopes).
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_authorization_context
>>
>>
>>> 5. where do we actually check for scopes allowed for a user? When we get
>>> the token - depending on the policy enforcement - we either get always
>>> the
>>> scope or never and not based on what is configured on the account-page.
>>>
>>
>> I may be missing something here, but usually you don't need to manually
>> check for resources/scopes as this is the job of the policy enforcer. But
>> again, you can have access to all permissions granted from the
>> Authorization Context.
>>
>>
>>>
>>> Would be great to get some feedback as we really struggle with those
>>> topics
>>> for some time now.
>>> I am compiling the newest keycloak all the time -> Version 4 beta.
>>>
>>> Thanks in advance and kind regards
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>

From ntle at castortech.com Tue Apr 24 17:43:25 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 24 Apr 2018 17:43:25 -0400
Subject: [keycloak-user] Keycloak admin-client session timeout
Message-ID:

Hello,

I'm using a single Keycloak instance to make multiple calls to the Keycloak server. At some point (I think after 30 mins), it gets a 401 error. This means the session that Resteasy is using has timed out. Is there any way to create an instance of the Keycloak admin-client that automatically reconnects?

Thai

From dev.spike.j at gmail.com Wed Apr 25 03:00:17 2018
From: dev.spike.j at gmail.com (Spike J)
Date: Wed, 25 Apr 2018 09:00:17 +0200
Subject: [keycloak-user] Keycloak 4 and Scopes (Account Page)
In-Reply-To:
References:
Message-ID:

2018-04-24 17:07 GMT+02:00 Pedro Igor Silva :

>
>
> On Tue, Apr 24, 2018 at 4:54 AM, Spike J wrote:
>
>> Hi Pedro,
>>
>> thanks for your replies.
>>
>> according to:
>>
>> 1. Are there any plans to create scopes on the account page? In our case
>> every service-owner should be able to decide if he wants to protect each
>> REST endpoint with its own scope or a single scope for all and so on. So it
>> would be nice if he could just create a scope from within his account
>> page and does not have to ask us (admins) to create that scope for him.
>> Otherwise we would create a separate Webapp just for creating/deleting
>> scopes.
>>
>
> I guess your "users" are not actually end-users, right? I mean, they are
> developers responsible for a service in your platform?
>
> If that is true, the account page is meant for end-users. Where the
> resources and scopes they can manage are actually managed by a resource
> server.
>
> As you might know, we provide APIs that you can use to build functionality
> to manage things on the server (Resources, scopes, policies, permissions,
> etc).
>

Yes, that is exactly our case. Couldn't this be just an additional role "manage-resources" for users for the account-page like "view-profile"/"manage-account" in "Role Mappings"?

>
>
>>
>> 2. I understand from the UMA perspective how to apply for a scope through
>> the ticketing process. But as a requester for a scope (to access a REST
>> endpoint in our case) I would like to see all scopes that are available to
>> apply for certain scopes directly from the account page. For me the account
>> page seems kind of restricted as I can allow or give scopes, but can not
>> apply for one. And on the other hand (referring to 1.) I can manage
>> resources and scopes but can not create them.
>>
>
> I see. Yeah, users can not "ask" for a resource/scope from the account
> page. They can "grant" access to their resources/scopes. This is not
> something hard to support, we could provide something to let users "ask"
> for access.
>
> The thing is that per UMA, client applications are responsible for
> managing these "authorization requests". User is navigating through your
> application and then he wants to access some protected resource he is not
> allowed to access. Being this resource owned by a different user, your
> client application can "ask" the owner to allow the user to access the
> resource by "submitting" an authorization request which the owner can
> "approve" or "deny".
>
> That is the flow we support. I'm not sure how we could support "asking"
> permissions directly through account page though ....
>

I think our usecase is a little bit different to the "common" usecase for keycloak.
But having keycloak to protect our REST endpoints would make us always fail to access that endpoint first and then have a ticket sent to the owner. Would be possible but a little bit ugly to let all calls "fail" first. If there was something like an "apply for" form this would be awesome. Otherwise, again, we would build a webapp in front of keycloak to do something like this (similar to 1). But of course we would prefer a keycloak-native solution.

>
>
>>
>> 3. We managed to set up a script-based policy with checking for owner
>> and/or claims to a scope. I think that should fulfill our requirements.
>>
>> 4. Thanks, we will have a closer look at that.
>>
>> 5. We tried to check our entire infrastructure with Postman first.
>> Therefore, we were looking for an endpoint that gives us the granted
>> scopes. But I agree, if the policy enforcer does that then there is no need
>> for anything else :)
>>
>
> In the next release (Beta2) we are going to push several improvements to
> the policy enforcer. Some of them include:
>
> * Allow clients to not use RPTs to access a resource server but just the
> access token. In this case, the PEP will do the job to query permissions
> from the server for each request.
> * Allow resource servers to push arbitrary claims from different sources
> at runtime (request, external http service, etc) and send these claims to
> policies in order to provide more information about the transaction in
> course.
> * Allow resource servers to configure cache of paths and resources mapped
> from the server. Or disable cache completely.
> * Allow resources to load resources on-demand from Keycloak. Today you
> need to either load everything during deployment or specify paths in
> keycloak.json.
>

Sounds great, thanks for the update :)

>
>
>>
>> Thanks a lot
>> Spike
>>
>> 2018-04-23 14:07 GMT+02:00 Pedro Igor Silva :
>>
>>>
>>>
>>> On Mon, Apr 23, 2018 at 6:48 AM, Spike J wrote:
>>>
>>>> Hi together,
>>>>
>>>> we are trying to use Keycloak in a microservice environment with
>>>> different
>>>> admins for different services. Therefore, we want to use the scopes that
>>>> can be managed in the account pages for each REST endpoint in each
>>>> service.
>>>>
>>>> But there are a few questions we are not able to figure out:
>>>> 1. can we create resources/scopes in the account-page or only manage
>>>> existing scopes?
>>>>
>>>
>>> Users are only allowed to manage existing resources and scopes. Where
>>> these resources/scopes were previously created on the resource server.
>>>
>>>
>>>> 2. is there any way to have an overview with all scopes/resources to
>>>> apply
>>>> for or is the common usecase that you fail to get access and then have
>>>> to
>>>> send a ticket somehow manually or call the admin to get the scope?
>>>>
>>>
>>> This functionality is based on UMA protocol to enable users to manage
>>> their own resources. From a client perspective, you will be receiving a
>>> permission ticket with the necessary information to request access to a
>>> protected resource. But as a resource server you are allowed to query the
>>> Resource Registration Endpoint and query for resources.
>>>
>>>
>>>> 3. is there no way to make policies based on scopes? There are only
>>>> permissions based on scopes. But somehow we run in circles, as we want
>>>> to
>>>> use the scopes as permissions and don't want to protect the scopes
>>>> based on
>>>> anything else than the account-page ("My Resources").
>>>>
>>>
>>> So, you don't want any permission/policies but just rely on the
>>> permissions granted to your users via account page ?
>>>
>>> I don't have tests for this scenario, but I think we can do that.
>>>
>>>
>>>> 4. is there any easy annotation to check for scopes in spring? I always
>>>> see
>>>> "hasRole", but when we only work with scopes we would expect a
>>>> "hasScope".
>>>> Do we have to add roles with "Scope Param Required"?
>>>>
>>>
>>> When you enable the policy enforcer to your application you are provided
>>> with an Authorization Context [1]. It is basically an object that provides
>>> access to the permissions granted by the server (resource and scopes).
>>>
>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_authorization_context
>>>
>>>
>>>> 5. where do we actually check for scopes allowed for a user? When we get
>>>> the token - depending on the policy enforcement - we either get always
>>>> the
>>>> scope or never and not based on what is configured on the account-page.
>>>>
>>>
>>> I may be missing something here, but usually you don't need to manually
>>> check for resources/scopes as this is the job of the policy enforcer. But
>>> again, you can have access to all permissions granted from the
>>> Authorization Context.
>>>
>>>
>>>>
>>>> Would be great to get some feedback as we really struggle with those
>>>> topics
>>>> for some time now.
>>>> I am compiling the newest keycloak all the time -> Version 4 beta.
>>>>
>>>> Thanks in advance and kind regards
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>

From sthorger at redhat.com Wed Apr 25 03:26:54 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 25 Apr 2018 09:26:54 +0200
Subject: [keycloak-user] [keycloak-dev] as7 wildfly8 adapter
In-Reply-To: <77fe5165-f79d-1f4e-15f7-2b800188efb6@redhat.com>
References: <77fe5165-f79d-1f4e-15f7-2b800188efb6@redhat.com>
Message-ID:

We can't keep supporting all old versions indefinitely so I agree with removing these.
It's been a long long time since AS7 and WildFly 8 were released.

Here are some concrete download numbers from keycloak.org for 3.4.3.Final adapters:

* WildFly adapter - 1140 dls
* AS7 adapter - 51 dls
* WF8 adapter - 42 dls

42 downloads doesn't translate into 42 users. My guess is that translates into perhaps 10-20 users.

Now while we're at it let's also look at Tomcat and Jetty:

* Tomcat 8 - 480
* Tomcat 7 - 113
* Tomcat 6 - 33
* Jetty 9.4 - 69
* Jetty 9.3 - 7
* Jetty 9.2 - 6
* Jetty 9.1 - 3
* Jetty 8.1 - 4

The list that looks obvious to remove to me is WF8, AS7, Tomcat 6, Jetty 9.3-Jetty 8.1.

Now let's consider the options for those few that may still be using them:

* Stick with Keycloak 3.4.3.Final adapter
* Switch to the coming Keycloak Proxy adapter
* A different OIDC library
* Upgrade the container (this is what they should be doing really)

On 24 April 2018 at 13:45, Vlasta Ramik wrote:

> Hey guys,
>
> I was considering a removal of the as7 adapter (EAP6 adapter stays) and also
> the wildfly8 adapter. AFAIK there were just a few downloads of those in the
> past months.
>
> I'm working on a different test framework for adapter tests and IMO it
> is a waste of time to put an effort into those.
>
> Any concerns or ideas?
>
> Thanks
>
> Vlasta
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From hmlnarik at redhat.com Wed Apr 25 05:09:24 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 25 Apr 2018 11:09:24 +0200
Subject: [keycloak-user] [keycloak-dev] as7 wildfly8 adapter
In-Reply-To:
References: <77fe5165-f79d-1f4e-15f7-2b800188efb6@redhat.com>
Message-ID:

I agree with all but Jetty 9.2 and 8.1 - those are needed for Fuse 6.3 support.

--Hynek

On Wed, Apr 25, 2018 at 9:26 AM, Stian Thorgersen wrote:

> We can't keep supporting all old versions indefinitely so I agree with
> removing these.
It's been a long long time since AS7 and WildFly 8 was > released. > > Here's some concrete download numbers from keycloak.org for 3.4.3.Final > adapters: > > * WildFly adapter - 1140 dls > * AS7 adapter - 51 dls > * WF8 adapter - 42 dls > > 42 downloads doesn't translate into 42 users. My guess that translates into > perhaps 10-20 users. > > Now while we're at it let's also look at Tomcat and Jetty: > > * Tomcat 8 - 480 > * Tomcat 7 - 113 > * Tomcat 6 - 33 > * Jetty 9.4 - 69 > * Jetty 9.3 - 7 > * Jetty 9.2 - 6 > * Jetty 9.1 - 3 > * Jetty 8.1 - 4 > > The list that looks obvious to remove to me are WF8, AS7, Tomcat 6, Jetty > 9.3-Jetty 8.1. > > Now let's consider the options for those few that may still be using: > > * Stick with Keycloak 3.4.3.Final adapter > * Switch to the coming Keycloak Proxy adapter > * A different OIDC library > * Upgrade the container (this is what they should be doing really) > > On 24 April 2018 at 13:45, Vlasta Ramik wrote: > > > Hey guys, > > > > I was considering a removal of as7 adapter (EAP6 adapter stays) and also > > wildfly8 adapter. AFAIK there was just few downloads of those in the > > past months. > > > > I'm working on different test framework for adapter tests and IMO there > > is a waste of time to put an effort into those. > > > > Any concerns or ideas? > > > > Thanks > > > > Vlasta > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- --Hynek From sr.misc at gmail.com Wed Apr 25 05:36:40 2018 From: sr.misc at gmail.com (Sachin Rastogi) Date: Wed, 25 Apr 2018 11:36:40 +0200 Subject: [keycloak-user] Page has expired on Forget Password Flow Message-ID: Hi all, We're using Keycloak 3.4.2. 
We're getting the "Page has expired" page on the Forgot Password flow after submitting your username. Below are the steps that we are following:

On clicking "Forgot Password?" from the Login screen, it redirects to the "Forgot Your Password?" screen, where it accepts a username and allows submitting the form.

It then shows the "Page has expired" screen with two options:
To restart the login process Click here.
To continue the login process Click here.

Please advise what is wrong with our Keycloak configuration.

Regards,
SR

From pieter at thehyve.nl Wed Apr 25 06:43:41 2018
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Wed, 25 Apr 2018 12:43:41 +0200
Subject: [keycloak-user] Sharing a session between 2 different clients of the same realm
Message-ID:

Hi,

Basically I need a single session to be valid at 2 different client applications that are connected to the same realm. Is this a known use case?

Thanks,

Pieter

From ntle at castortech.com Wed Apr 25 09:37:32 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 25 Apr 2018 09:37:32 -0400
Subject: [keycloak-user] Sharing a session between 2 different clients of the same realm
In-Reply-To:
References:
Message-ID:

I have some users that have client roles in multiple clients. So when they login, they can access multiple clients.

Thai

On Wed, Apr 25, 2018 at 6:43 AM, Pieter Lukasse wrote:

> Hi,
>
> Basically I need a single session to be valid at 2 different client
> applications that are connected to the same realm. Is this a known use
> case?
>
> Thanks,
>
> Pieter
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.
CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to circulate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.
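Thai's point, that a user holding client roles in several clients can use one login against all of them, and Pieter's question about the second client answering 401 both come down to what each application actually receives and checks on a request. The following is an added example, not code from this thread or from Keycloak: a small Python check of the kind a resource server behind Keycloak would run on an OIDC bearer token, in this order: verify the signature and expiry, confirm the calling client is in `aud`, then look for the client role under `resource_access`. Everything in it is constructed for the example: the token payload, the client ids `app-one` and `app-two`, the issuer URL and the HS256 shared secret. Keycloak signs realm tokens with RS256, so a real verifier would check the signature with the realm's public key instead of an HMAC; the claim checks after that are the same. Pieter's applications use SAML, where the equivalent question is what the second SP gets (its own assertion or session, not the first SP's), and the example does not cover that protocol.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only. A real Keycloak realm signs tokens with
# RS256 and a realm key pair; only verify_token() would change for that.
SECRET = b"example-shared-secret-not-a-real-key"
CLIENT_1 = "app-one"
CLIENT_2 = "app-two"
ISSUER = "https://keycloak.example/auth/realms/example"  # assumed issuer


def b64url_encode(data):
    """Base64url without padding, the encoding JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload, secret):
    """Build a compact JWT signed with HMAC-SHA256 (stands in for the realm)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, secret, now=None):
    """Return the payload if signature and expiry are valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except ValueError:               # malformed structure, base64 or JSON
        return None
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or int(payload.get("exp", 0)) <= now:
        return None
    return payload


def authorize_for_client(token, client_id, required_role, secret, now=None):
    """The check a resource server for `client_id` runs before serving a request:
    valid token, this client in the audience, and the client role present."""
    payload = verify_token(token, secret, now)
    if payload is None:
        return False                 # missing, forged or expired token -> 401
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]                  # a single audience is carried as a string
    if client_id not in aud:
        return False                 # token was issued for some other client
    client_roles = payload.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return required_role in client_roles


def example_payload(now):
    """Constructed payload in the shape Keycloak uses: one user session with
    client roles in two clients, and both clients in the audience."""
    return {
        "iss": ISSUER,
        "sub": "0f1b2c3d-example-user",
        "aud": [CLIENT_1, CLIENT_2],
        "exp": now + 300,
        "resource_access": {
            CLIENT_1: {"roles": ["user"]},
            CLIENT_2: {"roles": ["viewer"]},
        },
    }


if __name__ == "__main__":
    now = int(time.time())
    token = make_token(example_payload(now), SECRET)
    for client, role in ((CLIENT_1, "user"), (CLIENT_2, "viewer"), (CLIENT_2, "admin")):
        print(client, role, authorize_for_client(token, client, role, SECRET, now))
```

The negative cases are the ones to keep in mind when a second client answers 401: a token that was never sent, one signed under a different key, one past `exp`, or one issued for another client (the client is absent from `aud`) all fail before any role is consulted. Pinning the algorithm instead of reading it from the header is deliberate; a verifier that honours whatever `alg` the token carries is exposed to algorithm confusion.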
From pieter at thehyve.nl Wed Apr 25 10:14:36 2018
From: pieter at thehyve.nl (Pieter Lukasse)
Date: Wed, 25 Apr 2018 16:14:36 +0200
Subject: [keycloak-user] Sharing a session between 2 different clients of the same realm
In-Reply-To:
References:
Message-ID:

Thanks Thai,

Some more details regarding my use case:

- 2 clients connected to the same Keycloak realm (via SAML)
- user logs in to the 1st client and opens a webpage that makes REST API calls to both the 1st and 2nd client apps

Currently the calls to the REST API of the 2nd client app fail with a 401 error (not authorized). Any hints on how to get this working? SSO is working across both apps (i.e. when the user is logged in to client 1 and then browses to client 2, he does not need to fill in user name and password again), but the REST API call is failing.

Thanks,

Pieter

2018-04-25 15:37 GMT+02:00 Nhut Thai Le :

> I have some users that have client roles in multiple clients. So when they
> login, they can access multiple clients.
>
> Thai
>
> On Wed, Apr 25, 2018 at 6:43 AM, Pieter Lukasse wrote:
>
>> Hi,
>>
>> Basically I need a single session to be valid at 2 different client
>> applications that are connected to the same realm. Is this a known use
>> case?
>>
>> Thanks,
>>
>> Pieter
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St
>
> Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
>
> CONFIDENTIALITY NOTICE: The information contained in this e-mail is
> confidential and may be proprietary information intended only for the use
> of the individual or entity to whom it is addressed.
> If the reader of this
> message is not the intended recipient, you are hereby notified that any
> viewing, dissemination, distribution, disclosure, copy or use of the
> information contained in this e-mail message is strictly prohibited. If you
> have received and/or are viewing this e-mail in error, please immediately
> notify the sender by reply e-mail, and delete it from your system without
> reading, forwarding, copying or saving in any manner. Thank you.
> CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is
> confidential, may be protected by professional secrecy and is reserved
> for the exclusive use of the addressee. Any other person is hereby
> notified that it is strictly forbidden to circulate, distribute
> or reproduce this message. If you have received this communication in error,
> please destroy it immediately and notify the sender. Thank you.
>

From hasebullah.ansari at syntlogo.de Wed Apr 25 10:44:23 2018
From: hasebullah.ansari at syntlogo.de (ansarihaseb)
Date: Wed, 25 Apr 2018 07:44:23 -0700 (MST)
Subject: [keycloak-user] Spring boot Keycloak adapter behind a proxy not selecting JVM proxy arguments ?
Message-ID: <1524667463049-0.post@n6.nabble.com>

Hello,

I am securing a spring-boot (client) application with keycloak behind a corporate web proxy and somehow this application cannot load the JVM web proxy settings. Is there a way to tell the spring-boot-keycloak adapter to load the proxy settings? Otherwise I am always getting `UnknownHostException` because my app cannot resolve the DNS name.

Any help?

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From rabdill at umn.edu Wed Apr 25 10:47:03 2018
From: rabdill at umn.edu (Richard Abdill)
Date: Wed, 25 Apr 2018 09:47:03 -0500
Subject: [keycloak-user] SSSD providing metadata for external users?
Message-ID:

Hi all,

Keycloak newbie here.
I'm about 90 percent of the way to having a configuration that works the way I want it to, but the other 10 percent is giving me a lot of trouble.

The short version: I am wondering if anyone has found a way to pull information from SSSD about users who have authenticated using an external identity provider.

Here's the longer version:

* We have an external identity provider we want to make available to users logging in via our Keycloak server. This part works exactly as expected.
* We have a local LDAP server with group membership information about those users. The external IdP doesn't know about these groups, and unfortunately we are unable to push this information up to it.
* Because the schema is kind of weird in our LDAP installation, this group information is currently being pulled into Keycloak via the SSSD integration.
* We need users logging in via the IdP to have the group information from SSSD included in the assertion passed along to the protected application.

Right now, the workflow to make this happen is spread out over multiple steps:

1. A user logs in via the Keycloak login page, using credentials authenticated via SSSD.
2. The first time the user logs in, their user is created in Keycloak, and their group information is (accurately!) pulled in via SSSD.
3. The user would then log out, eventually return to the Keycloak login page, and log in via the external identity provider instead. THIS is the way we want users to log in for the most part.
4. The user would be sent back to Keycloak, which would think it was a new person until the user specifies the username that was created in step 2. The two accounts are merged.

So, at the end of this process, a user is able to log in via the external identity provider, and have their group information pulled from SSSD once they authenticate. This is possible because they basically created two accounts and linked them together manually, in step 4 above.
**We are trying to find a way to have that linkage happen automatically.** The basic flow, in theory, would be that the user logs in for the first time via the external IdP, and then we would just use SSSD to map groups to that user. Is that possible? I'm not aware of a way to bulk-import users from SSSD into Keycloak; is that the part that would be required?

Thanks very much for your time, and for reading all the way to the bottom here. Looking forward to chatting about it.

Regards,
Rich

From pulgupta at redhat.com Wed Apr 25 11:02:17 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Wed, 25 Apr 2018 20:32:17 +0530
Subject: [keycloak-user] weird characters in redirect_uri
Message-ID:

Hi Team,

We have a JSP + MVC based application for which we are using keycloak to enable SSO. For this setup we are using JBoss EAP 6 OIDC client adapter and RH_SSO 7.2 server.

While testing this setup we are facing an issue where we are seeing "*:0*" characters in the redirect URI when login is triggered and user is redirected to login page. Once the user logs in, our redirect fails as we do not have a valid url with :0 symbol.

Has anybody faced such an issue. Please help!

--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD
Pune - India
pulgupta at redhat.com T: +91-2066817536
IM: pulgupta
https://bluejeans.com/pulgupta

From ntle at castortech.com Wed Apr 25 11:04:25 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 25 Apr 2018 11:04:25 -0400
Subject: [keycloak-user] Sharing a session between 2 different clients of the same realm
In-Reply-To:
References:
Message-ID:

My use case is a bit different but on the web page that makes REST calls to client 1 and 2, do you put the token in the header of the call?
Thai

On Wed, Apr 25, 2018 at 10:14 AM, Pieter Lukasse wrote:
> Thanks Thai,
>
> Some more details regarding my use case:
>
> - 2 clients connected to the same Keycloak realm (via SAML)
> - user logs in to 1st client and opens a webpage that makes REST API calls to both 1st and 2nd client apps
>
> Currently the calls to the REST API of the 2nd client app fail with 401 error (not authorized). Any hints on how to get this working? SSO is working across both apps (i.e. when the user is logged in to client 1 and then browses to client 2, he does not need to fill in user name and password again), but the REST API call is failing.
>
> Thanks,
>
> Pieter
>
> 2018-04-25 15:37 GMT+02:00 Nhut Thai Le :
>> I have some users that have client roles in multiple clients. So when they login, they can access multiple clients.
>>
>> Thai
>>
>> On Wed, Apr 25, 2018 at 6:43 AM, Pieter Lukasse wrote:
>>> Hi,
>>>
>>> Basically I need a single session to be valid at 2 different client applications that are connected to the same realm. Is this a known use case?
>>>
>>> Thanks,
>>>
>>> Pieter
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com
From onlineuser21k at gmail.com Wed Apr 25 12:09:12 2018
From: onlineuser21k at gmail.com (Online User)
Date: Wed, 25 Apr 2018 12:09:12 -0400
Subject: [keycloak-user] REST Create user api does not read groups (possible defect)
Message-ID:

Hi,

The REST api for create user does not seem to be reading the groups. I looked at the source code and it seems to not be looking at the groups in this case. However, when a user is imported groups are taken care of. Is there a reason for this difference or is it a defect?

regards
Pradeep

From Emanuele.Gesuato at finantix.com Wed Apr 25 17:08:44 2018
From: Emanuele.Gesuato at finantix.com (Emanuele Gesuato)
Date: Wed, 25 Apr 2018 23:08:44 +0200
Subject: [keycloak-user] How to use signed JWT to use REST API
Message-ID:

Hi all,

I know that in keycloak 3.4.2 you can use the rest admin api by retrieving a token. This token can be retrieved by using:
- username & password
- clientid & client secret
- signed jwt

for instance by using clientid & clientsecret I can connect to the keycloak host by using the following:

    KeycloakBuilder keycloakBuilder = KeycloakBuilder.builder()
        .serverUrl(AUTH_SERVER)
        .realm(ADMIN_REALM)
        .grantType("client_credentials")
        .clientId("admin-cli")
        .clientSecret("XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")
        .resteasyClient(client);

My question is how should I use JWT ?

I changed the client authenticator in the "credentials" tab by selecting "signed jwt" but from the documentation it is not clear to me how to connect by using this kind of authentication method.

thanks for any help
Emanuele

From ebenzacar at gmail.com Wed Apr 25 17:19:20 2018
From: ebenzacar at gmail.com (Eric B)
Date: Wed, 25 Apr 2018 17:19:20 -0400
Subject: [keycloak-user] Securing RemoteEJBs with KeyCloak tokens
Message-ID:

Has anyone successfully been able to secure and/or call RemoteEJBs using KeyCloak tokens for authentication & authorization?
I've looked at several quickstarts that show how to inject the KC Token in the EJB context at the client side, and retrieve it at the server side. So the call to the EJB can be secured/validated with the KC token.

However, when the RemoteEJB proxy calls the server EJB, it sets up a remoting connection and needs to authenticate itself. The quickstarts I've seen use either JBOSS-LOCAL-USER or a user inserted into the application-users.properties file. In either case, they are not using the KC token for authentication.

How do I authenticate that connection handshaking using the KeyCloak tokens?

Thanks,
Eric

From luke at code-house.org Wed Apr 25 19:15:12 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Thu, 26 Apr 2018 01:15:12 +0200
Subject: [keycloak-user] Mobile application and keycloak
Message-ID: <121b44bb-00b9-6a3c-e653-7776c196af81@code-house.org>

Hi,

I have a use case with a mobile application which authenticates over keycloak inside a web view. My concern is caused by the "usability" of links generated in certain actions - for example when the user opens a verification mail on his phone and clicks the confirmation link he should be "redirected" to the mobile application in order to continue over this channel. Once he finishes the process the mobile application will be ready to continue.

Another option I see is a custom flow, however I am a little bit concerned given that there are several flows which need to be amended and they do generate HTML output in most cases which needs to be kept.

What comes to my mind is a custom SPI, which could be added to keycloak. Such an SPI would allow registering custom JAX-RS filters for request/response processing. This way it would be possible to have a very generic way to customize request handling without the necessity of amending default workflows.

The reason why I include the dev mailing list is to see if there would be interest in having such extensibility provided by keycloak.
Kind regards,
Lukasz

From arun.velayudhan at motorolasolutions.com Thu Apr 26 00:35:12 2018
From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan)
Date: Thu, 26 Apr 2018 10:05:12 +0530
Subject: [keycloak-user] Keycloak .well-known/openid-configuration is not responding with "https" protocol for the endpoints
Message-ID:

Hi,

We have deployed Keycloak behind a load balancer which is F5. The OIDC clients sit in the public network and use "https" for all communications. The SSL is terminated in F5 and the packets are forwarded to Keycloak (say on port 8080).

The OIDC client is designed in such a way as to use the endpoints (like "/token" etc) that it receives in the response for the ".well-known/openid-configuration" request. The problem here is that the .well-known config is responding with URLs with protocol "http" for all the endpoints whereas the client is expecting protocol "https". Because of this the client is not able to make a secure connection to these URLs.

The question is - how can we have responses for the ".well-known/openid-configuration" request return endpoints with protocol *"https"*, like the one mentioned below

======
{"issuer":"*https*:///auth/realms/master","authorization_endpoint":"*https*:///auth/realms/master/protocol/openid-connect/auth","token_endpoint":"https:///auth/realms/master/protocol/openid-connect/token" .......}
=============

We have followed the steps mentioned in the documentation https://www.keycloak.org/docs/2.5/server_installation/topics/clustering/load-balancer.html

I.e. in F5 we added the "x-Forwarded-For" and "x-Forwarded-Proto" headers and made the respective keycloak configuration changes as indicated in the documentation.

Is there any configuration or setting I might be missing?
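Added example by the editor, not part of Arun's message and not Keycloak code. It sketches the two halves of the problem in Python. Server side, a server behind a TLS-terminating proxy can only learn the public scheme from X-Forwarded-Proto, and it must honour that header only when the TCP peer is the proxy itself; from anyone else the header is attacker-controlled and would let a client dictate the scheme that ends up in the issuer, every endpoint URL and any redirect the server builds (on the WildFly-based Keycloak of this era that trust is what proxy-address-forwarding="true" on the http-listener switches on, as the linked load-balancer page describes). Client side, a discovery document whose endpoints are plain http, or on a host other than the configured issuer, should be refused before a token request is sent over it. Host names, addresses and the sample discovery document are constructed for the example.

```python
"""Added example (not from the thread, not Keycloak code): public-URL
reconstruction behind a TLS-terminating proxy, and a client-side check
of the discovery document. All hosts/addresses are constructed."""
from urllib.parse import urlsplit

# Constructed sample: what a server answers when it sees only the proxy's
# plain-HTTP hop and never learns that the browser used https.
SAMPLE_DISCOVERY = {
    "issuer": "http://sso.example.test/auth/realms/master",
    "authorization_endpoint":
        "http://sso.example.test/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint":
        "http://sso.example.test/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri":
        "http://sso.example.test/auth/realms/master/protocol/openid-connect/certs",
}


def public_base_url(request_scheme, host, headers, peer_ip, trusted_proxies):
    """Reconstruct scheme://host as the browser saw it.

    `headers` is a dict with lower-cased names. X-Forwarded-Proto is
    honoured only when the TCP peer is one of `trusted_proxies`; from
    anyone else the header is attacker-controlled and is ignored, because
    the scheme chosen here ends up in the issuer, every endpoint URL and
    any redirect the server builds.
    """
    scheme = request_scheme
    if peer_ip in trusted_proxies:
        forwarded = headers.get("x-forwarded-proto", "")
        if forwarded:
            # Chained proxies may append to the list; the first entry is the client-facing hop.
            scheme = forwarded.split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        raise ValueError("unexpected scheme: " + scheme)
    return scheme + "://" + host


def check_discovery(doc, expected_issuer):
    """Return the problems a client must refuse to proceed on (empty list = ok).

    The issuer must be exactly the one the client was configured with, and
    every *_endpoint / *_uri must be https on the issuer's host; otherwise a
    token request would go out in clear text, or to a host the client never trusted.
    """
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: " + str(doc.get("issuer")))
    issuer_host = urlsplit(expected_issuer).netloc
    for key, value in doc.items():
        if not key.endswith(("_endpoint", "_uri")):
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(key + " is not https")
        if parts.netloc != issuer_host:
            problems.append(key + " points at a different host")
    return problems


if __name__ == "__main__":
    # With the proxy's address trusted, the forwarded scheme wins.
    print(public_base_url("http", "sso.example.test",
                          {"x-forwarded-proto": "https"}, "10.0.0.5", {"10.0.0.5"}))
    for problem in check_discovery(SAMPLE_DISCOVERY,
                                   "https://sso.example.test/auth/realms/master"):
        print("refusing:", problem)
```

The same header that fixes Arun's endpoints is the reason the trusted-proxy check matters: once the server believes X-Forwarded-Proto, it believes it from whoever can reach port 8080 directly, so that port should be reachable from the F5 only.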
Arun

From pulgupta at redhat.com Thu Apr 26 07:05:56 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Thu, 26 Apr 2018 16:35:56 +0530
Subject: [keycloak-user] weird characters in redirect_uri
In-Reply-To:
References:
Message-ID:

HI Team,

I added some more details in this JIRA. Can someone please check this?
https://issues.jboss.org/browse/KEYCLOAK-7237

Regards,
Pulkit

On Wed, Apr 25, 2018 at 8:32 PM, Pulkit Gupta wrote:
> Hi Team,
>
> We have a JSP + MVC based application for which we are using keycloak to enable SSO.
> For this setup we are using JBoss EAP 6 OIDC client adapter and RH_SSO 7.2 server.
>
> While testing this setup we are facing an issue where we are seeing "*:0*" characters in the redirect URI when login is triggered and user is redirected to login page. Once the user logs in, our redirect fails as we do not have a valid url with :0 symbol.
>
> Has anybody faced such an issue. Please help!
>
> --
>
> PULKIT GUPTA
>
> SENIOR SOFTWARE APPLICATIONS ENGINEER
>
> Red Hat IN IT GBD
>
> Pune - India
>
> pulgupta at redhat.com T: +91-2066817536
> IM: pulgupta
>
> https://bluejeans.com/pulgupta
>

--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD
Pune - India
pulgupta at redhat.com T: +91-2066817536
IM: pulgupta
https://bluejeans.com/pulgupta

From Tony.Harris at oneadvanced.com Thu Apr 26 12:17:33 2018
From: Tony.Harris at oneadvanced.com (Tony Harris)
Date: Thu, 26 Apr 2018 16:17:33 +0000
Subject: [keycloak-user] Admin Rest API
Message-ID: <350f5c4dfe7f4e2ab4f30ef5a9169b4a@SL1ACSEXCMB01.acsresource.com>

I am trying to move an application from 3.1.0-Final to 3.4.3-Final
The application creates Realms, clients, roles etc via the admin rest api

At 3.1.0 immediately after creating the realm I could then find it and add clients etc. After moving to 3.4.3.Final I am finding that after creating the realm an attempt to immediately find the realm fails.
If I suspend the application after the realm create, the realm does not show up in the admin console either. If I let the application finish because the find fails, the realm shows up in the admin console.

Any help appreciated, superficially it looks like some transaction management going on but I can't see any documentation to suggest that's what is going on.

Tony Harris

________________________________

Please consider the environment: Think before you print!

This message has been scanned for malware by Websense. www.websense.com

From jonathan.j.carrasco at jpl.nasa.gov Thu Apr 26 15:51:27 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Thu, 26 Apr 2018 19:51:27 +0000
Subject: [keycloak-user] Max Size of Kerberos Ticket
Message-ID: <3D166FD4-67D0-4FB2-A7CD-AACFCC801CBD@jpl.nasa.gov>

Is there a max size set for Kerberos ticket? if so, where is it set?

Trying to eliminate a possibility for Kerberos login error... and yes the ticket size I'm dealing with could cause login problems.

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory - California Institute of Technology

From dev.spike.j at gmail.com Fri Apr 27 01:35:55 2018
From: dev.spike.j at gmail.com (Spike J)
Date: Fri, 27 Apr 2018 07:35:55 +0200
Subject: [keycloak-user] Possible Bug in ProtectionService.java while retrieving ClientModel in resource_set endpoint
Message-ID:

Hi there,

I noticed an unfortunate HTTP 500 Server Error when requesting the "/protection/resource_set" endpoint of Keycloak. After some debugging it showed that the retrieval of the ClientModel returned null, because identity.getId() returns a User-ID and not the related Client-ID.

The following lines show the current Code vs. my refactored version of org.keycloak.authorization.protection.ProtectionService.resource() (line 60, master-branch).

This endpoint is requested by an end user's access-token.
Current Code (master-branch), fails:

    ClientModel client = realm.getClientById(identity.getId());

--> client = null
--> identity.getId() = user-ID of the user requesting the Endpoint

Refactored Code (works):

    ClientModel client = realm.getClientByClientId(identity.getAccessToken().getIssuedFor());

--> client != null
--> identity.getAccessToken().getIssuedFor() = ClientID (name of the client)
--> calling getClientByClientId() instead of getClientById()

Documentation of this endpoint: https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api

What is the actual purpose of the method "getId()" of the KeycloakIdentity class? In my opinion this class should return the ID of a client and not the ID of a user.

I am looking forward to your insights regarding this bug.

Best regards

From cdivitotawela at console.com.au Fri Apr 27 01:55:51 2018
From: cdivitotawela at console.com.au (Chaminda Divitotawela)
Date: Fri, 27 Apr 2018 15:55:51 +1000
Subject: [keycloak-user] Failing to start Keycloak with restored production db in test environment due to offline session loading
Message-ID:

Hello,

I have a requirement to start Keycloak-2.5.0 in a test environment with a database copy from our production environment. We use AWS for our infrastructure. The following steps were followed to set up the test environment with prod data.

1. Restored a production db snapshot in our test environment and deleted the records from table JGROUPSPING (we use JDBC as the cluster instance discovery as AWS does not support multicast).
2. Start the same version of Keycloak-2.5.0 (same docker image)
3. Keycloak start fails with error as per below.

We use the offline tokens also for our mobile apps. It appears the error occurs when it tries to load the offline sessions. If I delete the entries in the table OFFLINE_USER_SESSION then Keycloak starts correctly.
While it is not required to have the user sessions in the test environment, I would like to understand why Keycloak start failing to start. Appreciate for help in advance. --- Error Log --- 2018-04-27 04:40:09,600 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 56) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: java.lang.NullPointerException at java.util.concurrent.FutureTask.report(FutureTask.java:122) at java.util.concurrent.FutureTask.get(FutureTask.java:206) at org.infinispan.commons.util.concurrent.NotifyingFutureImpl.get(NotifyingFutureImpl.java:88) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart.getResult(DefaultExecutorService.java:1084) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.innerGet(DefaultExecutorService.java:869) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.get(DefaultExecutorService.java:849) at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:204) at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:101) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:219) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:92) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:76) at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:67) at 
org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:162) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.NullPointerException at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.importClientSession(InfinispanUserSessionProvider.java:672) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.importClientSession(InfinispanUserSessionProvider.java:66) at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.loadSessions(OfflineUserSessionLoader.java:70) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:219) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34) at org.infinispan.commands.read.DistributedExecuteCommand.perform(DistributedExecuteCommand.java:103) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.doLocalInvoke(DefaultExecutorService.java:1113) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.call(DefaultExecutorService.java:1103) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Thanks, Chaminda From mposolda at redhat.com Fri Apr 27 02:10:22 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 27 Apr 2018 08:10:22 +0200 Subject: [keycloak-user] Max Size of Kerberos Ticket In-Reply-To: 
<3D166FD4-67D0-4FB2-A7CD-AACFCC801CBD@jpl.nasa.gov>
References: <3D166FD4-67D0-4FB2-A7CD-AACFCC801CBD@jpl.nasa.gov>
Message-ID: <8e6803f4-1c25-2592-6f43-f07ea51b4962@redhat.com>

In theory not, but there is an "Authorization: Negotiate" HTTP header sent from the browser to the Keycloak server with information related to the Kerberos ticket. Not sure if there are limits for HTTP headers in browsers or for servers, theoretically there shouldn't be. Did you already try it and see the issue?

Marek

On 26/04/18 21:51, Carrasco, Jonathan J (173F) wrote:
> Is there a max size set for Kerberos ticket? if so, where is it set?
>
> Trying to eliminate a possibility for Kerberos login error... and yes the ticket size I'm dealing with could cause login problems.
>
> --
> Jonathan Carrasco (173F)
> Jet Propulsion Laboratory - California Institute of Technology
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sr.misc at gmail.com Fri Apr 27 02:14:24 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 27 Apr 2018 08:14:24 +0200
Subject: [keycloak-user] Keycloak REST API (send-verify-email) using CURL
Message-ID:

Hi all,

I am trying to invoke the Keycloak REST API (send-verify-email) from https://www.keycloak.org/docs-api/3.4/rest-api/index.html on Windows using CURL

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=admin-cli" -d "username=xxxxx" -d "password=xxxxx" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

I get the token from the above request, which I use in the following request as follows:

    curl -X PUT -H "Authorization: bearer eyJhb......f2jYzaA" http://localhost:8080/auth/admin/TestRealm/users/dummy1/send-verify-email

Neither does the user (dummy1) get the verification email nor does the above request return any response.

Please advise what am I doing wrong here.
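Added example by the editor, not Sachin's code and not from the Keycloak docs page he cites: the same send-verify-email flow in Python, with the two details the posted curl command leaves out. The admin path is /admin/realms/{realm}/users/{id}/send-verify-email, with a realms segment, and {id} is the user's internal id rather than the username, so the username has to be resolved first; the user search matches substrings, so the lookup accepts only an exact, unique hit. The HTTP transport is a hypothetical parameter, `transport(method, url, headers, body=None)` returning `(status, text)`, so the flow can be exercised offline against a fake server; the URLs, realm and user names are constructed for the example.

```python
"""Added example (not Sachin's code, not from the Keycloak docs): the
send-verify-email flow with the realm segment and the user-id lookup.
`transport(method, url, headers, body=None) -> (status, text)` is a
hypothetical seam so the flow can run offline against a fake server."""
import json
from urllib.error import HTTPError
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen


def urllib_transport(method, url, headers, body=None):
    """Real transport built on the standard library (not used offline)."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def obtain_token(base_url, realm, username, password, transport):
    """Password grant against admin-cli, the same request as the posted curl."""
    status, body = transport(
        "POST",
        f"{base_url}/realms/{quote(realm)}/protocol/openid-connect/token",
        {"Content-Type": "application/x-www-form-urlencoded"},
        urlencode({"client_id": "admin-cli", "grant_type": "password",
                   "username": username, "password": password}).encode(),
    )
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(body)["access_token"]


def find_user_id(base_url, realm, username, token, transport):
    """Resolve the internal id: the admin API addresses users by id, not name.

    GET /admin/realms/{realm}/users?username=... is a substring search
    ("dummy1" also returns "dummy10"), so only an exact, unique hit is accepted.
    """
    status, body = transport(
        "GET",
        f"{base_url}/admin/realms/{quote(realm)}/users?" + urlencode({"username": username}),
        {"Authorization": "Bearer " + token},
    )
    if status != 200:
        raise RuntimeError(f"user search failed: HTTP {status}")
    matches = [u for u in json.loads(body) if u.get("username") == username]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, found {len(matches)}")
    return matches[0]["id"]


def send_verify_email(base_url, realm, username, token, transport):
    """PUT /admin/realms/{realm}/users/{id}/send-verify-email; 204 means the mail was queued."""
    user_id = find_user_id(base_url, realm, username, token, transport)
    status, body = transport(
        "PUT",
        f"{base_url}/admin/realms/{quote(realm)}/users/{user_id}/send-verify-email",
        {"Authorization": "Bearer " + token},
    )
    if status != 204:
        raise RuntimeError(f"send-verify-email failed: HTTP {status} {body}")
    return user_id


if __name__ == "__main__":
    # Live use (assumed local server and credentials); swap in a fake transport to test offline.
    base = "http://localhost:8080/auth"
    tok = obtain_token(base, "master", "admin", "admin", urllib_transport)
    print("queued verification mail for user", send_verify_email(base, "TestRealm", "dummy1", tok, urllib_transport))
```

A 204 with no body is the success response, which is why the curl in the question would print nothing even if the path were right; a wrong path or a username where an id belongs comes back as 404, which curl also swallows unless asked for the status.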
Regards,
SR

From mposolda at redhat.com Fri Apr 27 02:17:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 27 Apr 2018 08:17:37 +0200
Subject: [keycloak-user] How to use signed JWT to use REST API
In-Reply-To:
References:
Message-ID:

It is not yet supported on admin client. Feel free to create a JIRA to support this. Ideally we should be able to re-use the same code for "plug" client credentials like it's used in our adapters. Maybe we would need to move some classes from adapter into some more generic module like "keycloak-core", I am not sure.

Marek

On 25/04/18 23:08, Emanuele Gesuato wrote:
> Hi all,
>
> I know that in keycloak 3.4.2 you can use rest admin api by retrieving a
> token. This token can be retrieved by using:
> - username & password
> - clientid & client secret
> - signed jwt
>
> for instance by using clientid & clientsecret I can connect to keycloak
> host by using the following:
>
> KeycloakBuilder keycloakBuilder = KeycloakBuilder.builder()
> .serverUrl(AUTH_SERVER)
> .realm(ADMIN_REALM)
> .grantType("client_credentials")
> .clientId("admin-cli")
> .clientSecret("XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")
> .grantType("client_credentials")
> .resteasyClient(client);
>
> My question is how should I use JWT ?
>
> I changed client authenticator in "credentials" tab by selecting "signed
> jwt" but from documentation it is not clear to me how to connect by using
> this kind of authentication method.
> > thanks for any help > Emanuele > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Apr 27 02:19:53 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 27 Apr 2018 08:19:53 +0200 Subject: [keycloak-user] Admin Rest API In-Reply-To: <350f5c4dfe7f4e2ab4f30ef5a9169b4a@SL1ACSEXCMB01.acsresource.com> References: <350f5c4dfe7f4e2ab4f30ef5a9169b4a@SL1ACSEXCMB01.acsresource.com> Message-ID: <0c08870c-399b-9e44-aa0b-b1ad451f6a44@redhat.com> You can see our testsuite, which adds realms, clients etc in many places in the tests and it works. For example see class RealmTest On 26/04/18 18:17, Tony Harris wrote: > I am trying to move an application from 3.1.0-Final to 3.4.3-Final > The application creates Realms, clients, roles etc via the admin rest api > > At 3.1.0 Immediately after creating the realm I could then find it and add clients etc. After moving to 3.4.3.Final I am finding that after creating the realm and attempt to immediately find the realm fails. If I suspend the application after the realm create the realm does not show up in the admin console either. If I let the application finish because the find fails the realm shows up, in the admin console. > > Any help appreciated, superficially looks like some transaction management going on but I can't see any documentation to suggest that's what is going on. > > Tony Harris > > ________________________________ > > Please consider the environment: Think before you print! > > > This message has been scanned for malware by Websense. 
> www.websense.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pulgupta at redhat.com Fri Apr 27 05:14:03 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Fri, 27 Apr 2018 14:44:03 +0530
Subject: [keycloak-user] Logouts in a clustered environment with OIDC based apps
Message-ID:

Hi All,

Sometime back I reported an issue https://issues.jboss.org/browse/KEYCLOAK-4288 in which the back channel logouts were not working for SAML in a clustered JBoss environment with the EAP6 SAML Adapter. It was fixed and released as well.

I started on an app and was using the OIDC RH_SSO-7.2 EAP 6 (3.4.3) adapter in a clustered environment. We do not have an option for setting back channel/front channel logouts for an OIDC client but it looks like we are facing a similar issue for a clustered application where even after logging out we can see that all sessions are not invalidated and we can see secure pages without logging in again.

Please suggest if someone has faced a similar issue.

--

PULKIT GUPTA

From pulgupta at redhat.com Fri Apr 27 07:06:45 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Fri, 27 Apr 2018 16:36:45 +0530
Subject: [keycloak-user] Logouts in a clustered environment with OIDC based apps
In-Reply-To:
References:
Message-ID:

Hi All,

Please ignore this for now. We are doing more debugging to validate if this is a real issue anymore.

Regards,
Pulkit

On Fri, Apr 27, 2018 at 2:44 PM, Pulkit Gupta wrote:
> Hi All,
>
> Sometime back I reported an issue https://issues.jboss.org/browse/KEYCLOAK-4288 in
> which the back channel logouts were not working for SAML in a clustered
> JBoss environment with EAP6 SAML Adapter. It was fixed and released as well.
>
> I started on an app and was using OIDC RH_SSO-7.2 EAP 6(3.4.3) adapter in
> a clustered environment.
> We do not have an option for setting back
> channel/Front channel logouts for OIDC client but it looks like we are
> facing a similar issue for clustered application where even after logging
> out we can see that all sessions are not invalidated and we can see secure
> pages without logging in again.
>
> Please suggest if someone has faced similar issue.
>
> --
>
> PULKIT GUPTA
>

--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD
Pune - India
pulgupta at redhat.com T: +91-2066817536
IM: pulgupta
https://bluejeans.com/pulgupta

From Dennis.Bayer.82+keycloak-user at gmail.com Fri Apr 27 09:02:11 2018
From: Dennis.Bayer.82+keycloak-user at gmail.com (Dennis Bayer)
Date: Fri, 27 Apr 2018 13:02:11 +0000
Subject: [keycloak-user] Securing an endpoint using Wildfly-Swarm, Keycloak and MP-JWT-Auth
Message-ID:

Hi there,

I hope this is the right place to raise my question. Currently I am having some problems getting my example working. The authentication works fine, but the authorization fails, because the roles are omitted during the request.

Since it's mostly easier to have a reproducible example than to write a wall of text, I created a project (https://github.com/DennisBayer/playground-mp-jwt-auth). I'd appreciate any hints pointing out what is going wrong.

In addition I already raised this question in the mp-jwt-auth project (https://github.com/eclipse/microprofile-jwt-auth/issues/89) / gitter room (https://gitter.im/eclipse/microprofile-bom#). At first glimpse, the usage of mp-jwt-auth seems to be ok according to one of the microprofile members (he said he's not an expert on jwt) and he pointed me to the keycloak mailing list.
Thanks in advance and best regards Dennis From ntle at castortech.com Fri Apr 27 09:30:39 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Fri, 27 Apr 2018 09:30:39 -0400 Subject: [keycloak-user] How to use signed JWT to use REST API In-Reply-To: References: Message-ID: I am also interested in this feature, if anyone open ticket please post the ticket number so i can follow it Thank you Thai On Fri, Apr 27, 2018 at 2:17 AM, Marek Posolda wrote: > It is not yet supported on admin client. Feel free to create JIRA to > support this. Ideally we should be able to re-use same code for "plug" > client credentials like it's used in our adapters. Maybe we would need > to move some classes from adapter into some more generic module like > "keycloak-core", I am not sure. > > Marek > > On 25/04/18 23:08, Emanuele Gesuato wrote: > > Hi all, > > > > I know that in keycloak 3.4.2 you can use rest admin api by retrieving a > > token. This token can be retrieved by using: > > - username & password > > - clientid & client secret > > - signed jwt > > > > for instance by using clientid & clientsecret I can connect to keycloak > > host by using the following: > > > > KeycloakBuilder keycloakBuilder = KeycloakBuilder.builder() > > .serverUrl(AUTH_SERVER) > > .realm(ADMIN_REALM) > > .grantType("client_credentials") > > .clientId("admin-cli") > > .clientSecret("XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX") > > .grantType("client_credentials") > > .resteasyClient(client); > > > > My question is how should I use JWT ? > > > > I changed client authenticator in "credentials" tab by selecting "signed > > jwt" but from documentation it is not clear to me how to connect by using > > this kind of authentication method. 
> >
> > thanks for any help
> > Emanuele
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is
confidential and may be proprietary information intended only for the use of
the individual or entity to whom it is addressed. If the reader of this message
is not the intended recipient, you are hereby notified that any viewing,
dissemination, distribution, disclosure, copy or use of the information
contained in this e-mail message is strictly prohibited. If you have received
and/or are viewing this e-mail in error, please immediately notify the sender
by reply e-mail, and delete it from your system without reading, forwarding,
copying or saving in any manner. Thank you.

From dometec at gmail.com Fri Apr 27 10:20:08 2018
From: dometec at gmail.com (Domenico Briganti)
Date: Fri, 27 Apr 2018 16:20:08 +0200
Subject: [keycloak-user] Fine grain permission on "listing" endpoint
Message-ID: <1524838808.13709.1.camel@gmail.com>

Hi list,

I have a question about Authorization Services.
I made a demo project in which I list maintenance tasks of some machines. I
would like to call the list endpoint (/api/tasks) and return all tasks if the
current logged user has the role ADMIN, and only the tasks assigned to the
current logged user if this is not ADMIN.

I've read the Authorization Services guide and I think I understand how to
manage permissions on a single resource (e.g. GET/POST/DELETE on /api/tasks/1,
https://github.com/keycloak/keycloak/blob/3.4.3.Final/examples/authz/photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L102-L134).

Now I would like to move the condition that manages this filter in my code
(pseudo code:

if (!request.isUserInRole(Roles.ADMIN))
    tasksFilter += " and t.assigned = " + request.getUserPrincipal();

) into Keycloak, and have my application ask Keycloak for some sort of filter
to add to the SQL query for filtering the output listing the tasks. Is it
possible?

What I've seen until now is that with Protection API I can check if the
current request can go to a Protected Resource or not. What I need instead is
to get a value whereby I can filter the Protected Resources returned.

I hope I explained myself; I am available for clarification.

Thanks,
Domenico

From byron.chris at gmail.com Fri Apr 27 15:40:24 2018
From: byron.chris at gmail.com (Chris Byron)
Date: Fri, 27 Apr 2018 19:40:24 +0000
Subject: [keycloak-user] Keycloak Duo MFA SPI
Message-ID:

I searched for an authentication integration with Duo Security and came across
the recommendation in this user list to write it as an Authenticator SPI
(http://lists.jboss.org/pipermail/keycloak-user/2016-November/008234.html).

I have written one and just wanted to share it here:
https://github.com/mulesoft-labs/keycloak-duo-spi

Please advise if there is a better place to promote this!
Cheers,
Chris Byron

From ntle at castortech.com Mon Apr 30 09:44:08 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 30 Apr 2018 09:44:08 -0400
Subject: [keycloak-user] keycloak admin-client not return error message when password violate password policy
Message-ID:

Hello,

I configured some password policies on the keycloak console and it's working
fine. However, when using the admin-client to reset a password:

realm.users().get(userUuid).resetPassword(cred);

I get an exception nesting an HTTP 400 error (expected) but there is no message
about which policy is being violated. If I call the admin REST API directly, I
get the error message in the body. Is there any way I can retrieve the error
message using admin-client?

Thai

From jfherouard.almerys at gmail.com Mon Apr 30 10:31:49 2018
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Mon, 30 Apr 2018 16:31:49 +0200
Subject: [keycloak-user] User account enabled on a period
Message-ID:

Hi,

I am looking for a way to enable a user account only during a period (after a
date and/or before an ending date), to follow a delayed user provisioning
process. I have not found any previous question about that feature and do not
see an easy way to implement it. Did anybody have the same need or a
workaround?

Thanks.

From luke at code-house.org Mon Apr 30 11:00:09 2018
From: luke at code-house.org (luke at code-house.org)
Date: Mon, 30 Apr 2018 17:00:09 +0200
Subject: [keycloak-user] User Attributes security and organization
In-Reply-To:
References:
Message-ID: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>

Hey Eric,

Currently there is no validation nor extension in Keycloak itself which could
control these things. I don't know Keycloak internals well enough to say if
there is a way to configure that via federation or any other mechanism. Given
that keycloak keeps a copy of user records I would expect that some attributes
are not backed by a federated system.
In the end, the point of having Keycloak is sometimes to enrich the user model.

I wrote a simple extension (FormAction) which can be plugged into the
registration flow in order to build a blacklist/whitelist policy. You can check
it out here:
https://github.com/apifocal/apifocal-id/tree/master/keycloak/extension/attributes
Feel free to submit issues on GitHub if you find any bug or gap to be filled in.

Cheers,
Lukasz

> On 20 Apr 2018, at 19:53, Eric B wrote:
>
> I just started working with KeyCloak (3.4.3) and have been looking at the
> user attributes and trying to determine how I can leverage some custom
> attributes for my different clients. Two things in particular stand out
> when I look at the user attributes:
>
> 1) there is no mapping/assignment of attributes per client
> 2) there is no security assignment on the attributes (ex: what can be
> self-administered, what is read-only, what is visible to the client, etc)
>
> This becomes an issue when a user logs into the admin panel. Once he is
> logged in, he can essentially post a form with any attributes defined and
> these will automatically be persisted in the KeyCloak DB. While I'm not
> concerned about CSRF, I am concerned about a malicious user trying to
> explode my DB by submitting an extraneous number of attributes that KC will
> persist.
>
> Additionally, if I want to use a user attribute to specify some read-only
> information about a user, if the user knows the attribute name, he can
> override it via a form post. So essentially, I have no way to secure the
> attributes.
>
> In a similar vein, I am a bit taken aback that all attributes are
> associated to the user only and cannot be assigned to a client. I would
> like to be able to specify some client-specific attributes, and have KC
> automatically filter the attributes available to a client token
> accordingly. Is this not feasible?
>
> Are either of these functionalities implementable through some form of
> customization, or are they on the roadmap for a future version?
>
> Thanks,
>
> Eric

From onlineuser21k at gmail.com Mon Apr 30 11:07:06 2018
From: onlineuser21k at gmail.com (Online User)
Date: Mon, 30 Apr 2018 11:07:06 -0400
Subject: [keycloak-user] Access Token Timeout behaviour - Changes between Keycloak 2.5.5 and Keycloak 3.4.1
In-Reply-To:
References:
Message-ID:

Looks like there was a change! FYI ... There was a +2 Mins wait time added to
the sessionIdle timeout in AuthenticationManager for cross-DC support.

On Thu, Apr 12, 2018 at 4:52 PM, Online User wrote:

> How do I know what changed between these versions in subject?
>
> An internal client of mine reports that there is a change in the behaviour
> between these versions.
>
> He is observing in 3.4.1 that keycloak redirects the user to the service
> after access token expiry and before the session timeout, whereas he
> expected to be redirected to the login page.
>

From uo67113 at gmail.com Mon Apr 30 13:26:41 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 30 Apr 2018 19:26:41 +0200
Subject: [keycloak-user] SAML2. Keycloak How to check if a user has been authenticated?
Message-ID:

Hello there,

I am using the SAML Java Servlet Filter adapter [1] (4.0.0.CR1-SNAPSHOT) in
apache tomcat 9 [2]. Is there a way to know if the user has been
authenticated? The thing is that the good and old
HttpServletRequest.getUserPrincipal() [3] returns the principal
(SAMLPrincipal) when there is a declared for the url-pattern that matches the
request. The purpose of this is to implement the "anonymous navigation" in
some of our applications.
Nowadays in some of our applications like this one
https://phonebook.cern.ch/phonebook we do something like this:

1. User can navigate through the application
2. Sign-in link redirects the user to /secure/sso triggering the redirection to the IdP
3. The application makes use of the weblogic.security.Security.getCurrentSubject() [4] to check if the user has been logged in.

Any thoughts on this?

Thanks in advance,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter
[2] https://tomcat.apache.org/download-90.cgi
[3] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getUserPrincipal--
[4] https://docs.oracle.com/cd/E68505_01/wls/WLAPI/weblogic/security/Security.html#getCurrentSubject()

From ShengHong.Pan at halliburton.com Mon Apr 30 15:22:28 2018
From: ShengHong.Pan at halliburton.com (Sheng Hong Pan)
Date: Mon, 30 Apr 2018 19:22:28 +0000
Subject: [keycloak-user] keycloak reset issue.
Message-ID:

We are having an issue with the Keycloak (3.0.0) reset feature. The user is
getting an error of "WE'RE SORRY ... An error occurred, please login again
through your application". We looked at the log and there are many errors
(see below) related to invalid_code.

2018-04-30 13:13:09,188 WARN [org.keycloak.events] (default task-60) type=RESET_PASSWORD_ERROR, realmId=, clientId=null, userId=null, ipAddress=, error=invalid_code

After further investigation, we found that multiple requests with the same
active code are hitting the server and it looks like the reset password URL
becomes invalid after the first access. There is a similar complaint
(http://lists.jboss.org/pipermail/keycloak-user/2016-February/004828.html) on
an older version of keycloak. Is the issue addressed in 3.0.0?

Thanks.
-Sheng

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and
privileged information for the sole use of the intended recipient.
Any review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information
for the intended recipient), please contact the sender by reply e-mail and
delete all copies of this message.

From ebenzacar at gmail.com Mon Apr 30 22:51:30 2018
From: ebenzacar at gmail.com (Eric B)
Date: Mon, 30 Apr 2018 22:51:30 -0400
Subject: [keycloak-user] User Attributes security and organization
In-Reply-To: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>
References: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>
Message-ID:

Hi Lukasz,

Thanks for the extension. I took a quick look at it, and I think it should be
able to help me out. I wonder if I need to be concerned about keycloak API
accesses that need to be secured as well, since your FormAction is clearly a
UI related thing. I haven't had a chance to look at the API yet, however,
and/or if there is something I would need to do along that line as well.

Thanks!

Eric

On Mon, Apr 30, 2018 at 11:00 AM, wrote:

> Hey Eric,
> Currently there is no validation nor extension in Keycloak itself which
> could control these things. I don't know Keycloak internals well enough to
> say if there is a way to configure that via federation or any other
> mechanism. Given that keycloak keeps copy of user records I would expect
> that some attributes are not backed by federated system. In the end, point
> of having Keycloak is sometimes to enrich user model.
>
> I wrote a simple extension (FormAction) which can be plugged into
> registration flow in order to build blacklist/whitelist policy. You can
> check it out here:
> https://github.com/apifocal/apifocal-id/tree/master/keycloak/extension/attributes
> Feel free to submit issues on GitHub if you find any bug or gap to be
> filled in.
>
> Cheers,
> Lukasz
>
> On 20 Apr 2018, at 19:53, Eric B wrote:
>
> I just started working with KeyCloak (3.4.3) and have been looking at the
> user attributes and trying to determine how I can leverage some custom
> attributes for my different clients. Two things in particular stand out
> when I look at the user attributes:
>
> 1) there is no mapping/assignment of attributes per client
> 2) there is no security assignment on the attributes (ex: what can be
> self-administered, what is read-only, what is visible to the client, etc)
>
> This becomes an issue when a user logs into the admin panel. Once he is
> logged in, he can essentially post a form with any attributes defined and
> these will automatically be persisted in the KeyCloak DB. While I'm not
> concerned about CSRF, I am concerned about a malicious user trying to
> explode my DB by submitting an extraneous number of attributes that KC will
> persist.
>
> Additionally, if I want to use a user attribute to specify some read-only
> information about a user, if the user knows the attribute name, he can
> override it via a form post. So essentially, I have no way to secure the
> attributes.
>
> In a similar vein, I am a bit taken aback that all attributes are
> associated to the user only and cannot be assigned to a client. I would
> like to be able to specify some client-specific attributes, and have KC
> automatically filter the attributes available to a client token
> accordingly. Is this not feasible?
>
> Are either of these functionalities implementable through some form of
> customization, or are they on the roadmap for a future version?
>
> Thanks,
>
> Eric
>
>
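For the "How to use signed JWT to use REST API" thread above: the admin-client cannot plug in the signed-JWT authenticator (as Marek says), but the realm token endpoint can be called directly with a client assertion in the form Keycloak's "Signed Jwt" authenticator expects (RFC 7523). This is an added example, not code from the thread or from Keycloak, written against the JDK only (Java 9 or later); the token URL, realm, client ID and the audience value are assumptions, and the key pair generated in main is a stand-in for the client's real private key.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.UUID;

public class SignedJwtClientAuth {
    // Assumed server, realm and client; change these to match your deployment.
    static final String TOKEN_URL = "http://localhost:8080/auth/realms/master/protocol/openid-connect/token";
    static final String CLIENT_ID = "admin-cli";
    static final String ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    // RFC 7523 client assertion: iss and sub carry the client ID, aud the realm token
    // endpoint (assumed); jti, iat and a short exp let the server reject replays and stale tokens.
    static String buildAssertion(PrivateKey key, String clientId, String tokenUrl) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
                "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"jti\":\"%s\",\"iat\":%d,\"exp\":%d}",
                clientId, clientId, tokenUrl, UUID.randomUUID(), now, now + 60);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String signingInput = b64.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(key);
        rs256.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64.encodeToString(rs256.sign());
    }

    // Client credentials grant authenticated with the assertion instead of a client secret.
    static String requestToken(String assertion, String tokenUrl) throws Exception {
        String form = "grant_type=client_credentials"
                + "&client_assertion_type=" + URLEncoder.encode(ASSERTION_TYPE, "UTF-8")
                + "&client_assertion=" + URLEncoder.encode(assertion, "UTF-8");
        HttpURLConnection conn = (HttpURLConnection) new URL(tokenUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.getOutputStream().write(form.getBytes(StandardCharsets.UTF_8));
        try (InputStream in = conn.getResponseCode() < 400 ? conn.getInputStream() : conn.getErrorStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8); // token JSON, or the error body
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in key pair so the demo runs; in practice load the private key whose
        // certificate is registered under the client's Credentials tab (Signed Jwt).
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String assertion = buildAssertion(kp.getPrivate(), CLIENT_ID, TOKEN_URL);
        System.out.println(requestToken(assertion, TOKEN_URL));
    }
}
```

The access_token in the returned JSON can then be passed to the admin REST API as a bearer token, or to KeycloakBuilder via its authorization(String) setter.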
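For the "Fine grain permission on 'listing' endpoint" thread above: the thread does not answer how to obtain a filter from Keycloak, but the in-application filter from Domenico's pseudo code should at least bind the principal as a query parameter instead of concatenating it into the SQL. This is an added example, not from the thread or from Keycloak; the Task entity, its "assigned" column and the ADMIN realm role are assumed to match his demo.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

// Assumed entity for the demo: "assigned" holds the Keycloak user id of the assignee.
@Entity
class Task {
    @Id public Long id;
    public String machine;
    public String assigned;
}

@Path("/api/tasks")
public class TaskResource {

    @PersistenceContext
    private EntityManager em;

    @GET
    @Produces("application/json")
    public List<Task> list(@Context SecurityContext sc) {
        // isUserInRole() is answered from the roles carried in the bearer token that
        // the Keycloak adapter validated for this request.
        if (sc.isUserInRole("ADMIN")) {
            return em.createQuery("select t from Task t", Task.class).getResultList();
        }
        // Non-admins only see their own tasks. The principal name is bound as a JPQL
        // parameter, never concatenated into the query text. With the Keycloak adapter
        // getName() is the token's "sub" (user id) unless principal-attribute is set in
        // keycloak.json, so "assigned" must store that same identifier.
        String user = sc.getUserPrincipal().getName();
        return em.createQuery("select t from Task t where t.assigned = :user", Task.class)
                 .setParameter("user", user)
                 .getResultList();
    }
}
```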
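For the "admin-client not return error message" thread above: the admin-client is a RESTEasy proxy, so the 400 surfaces as a javax.ws.rs.WebApplicationException whose response still carries the body the REST API returns. This is an added example, not from the thread or from Keycloak; it assumes the response entity is readable from the caught exception, which is the behaviour of the RESTEasy client the admin-client is built on.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.CredentialRepresentation;

public class ResetPasswordWithPolicyMessage {

    // Returns null on success; otherwise "HTTP <status>: <body>" where the body is the
    // same JSON the admin REST API shows, including which password policy was violated.
    static String resetPassword(RealmResource realm, String userUuid, String newPassword) {
        CredentialRepresentation cred = new CredentialRepresentation();
        cred.setType(CredentialRepresentation.PASSWORD);
        cred.setValue(newPassword);
        cred.setTemporary(false);
        try {
            realm.users().get(userUuid).resetPassword(cred);
            return null;
        } catch (WebApplicationException e) {
            // The proxy maps a 400 to BadRequestException, a WebApplicationException
            // subclass; the server's error body is the response entity.
            Response r = e.getResponse();
            String body = r.hasEntity() ? r.readEntity(String.class) : "";
            return "HTTP " + r.getStatus() + ": " + body;
        }
    }
}
```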