From uo67113 at gmail.com Fri Jun 1 03:09:30 2018
From: Luis Rodríguez Fernández (uo67113 at gmail.com)
Date: Fri, 1 Jun 2018 09:09:30 +0200
Subject: [keycloak-user] Keycloak on OpenShift

Hello Stian,

Thank you for this, very interesting!

We also use OpenShift, indeed it is very nice!

About the template, have you taken it from this repo [1]? Are these templates under the Apache license or similar?

Thanks in advance,

Luis

[1] https://github.com/jboss-openshift/application-templates/tree/master/sso

2018-05-31 22:48 GMT+02:00 Stian Thorgersen:

> I wrote up a blog post and did a screencast showing how to deploy Keycloak on OpenShift. Of course I also deployed and secured a Node.js service and an HTML5 application for good measure.
>
> The blog post is here: https://blog.keycloak.org/2018/05/keycloak-on-openshift.html
>
> And for those that prefer a screencast, here you go: https://youtu.be/9zUWqbK3BqI
>
> This OpenShift thing is really nice! The more I use it the more I like it.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From valsarajpv at gmail.com Fri Jun 1 05:12:37 2018
From: valsaraj pv (valsarajpv at gmail.com)
Date: Fri, 1 Jun 2018 14:42:37 +0530
Subject: [keycloak-user] Programmatically login as a user

I tried the following code:

    loginContext = new LoginContext("keycloak", new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) {
            int len = callbacks.length;
            Callback cb;
            for (int i = 0; i < len; i++) {
                cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    NameCallback ncb = (NameCallback) cb;
                    ncb.setName(mdbuserName);
                } else if (cb instanceof PasswordCallback) {
                    PasswordCallback pcb = (PasswordCallback) cb;
                    pcb.setPassword(mdbUsrPass);
                }
            }
        }
    });
    loginContext.login();

I got the following dependency issue while trying to login:

    [Server:app-node-00] unable to find LoginModule class: org.keycloak.adapters.jboss.KeycloakLoginModule from [Module "deployment.app.ear.appEJB.jar:main" from Service Module Loader] at javax.security.auth.login.LoginContext (line 794)

On Thu, May 31, 2018 at 6:11 PM, valsaraj pv wrote:

> Hi,
>
> I have web application login via Keycloak working fine. But for background processing like reading messages from a queue, I need to login as a dedicated queue user behind the scenes. For this we can't redirect to the login page. Earlier it was done programmatically by using a JAAS login context and passing the login module & credentials. Now when we switch to KC, what is the appropriate model to do this?
> Please advise!
>
> Thanks!

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....
Valsaraj Viswanathan

From valsarajpv at gmail.com Fri Jun 1 05:42:20 2018
From: valsaraj pv (valsarajpv at gmail.com)
Date: Fri, 1 Jun 2018 15:12:20 +0530
Subject: [keycloak-user] Programmatically login as a user

Added a dependency to the module: org.keycloak.keycloak-jboss-adapter-core & fixed the above issue. But got the following error:

    Message null failed: Login Failure: all modules ignored at javax.security.auth.login.LoginContext (line 906)

Any thoughts?

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....

Valsaraj Viswanathan

From Tony.Harris at oneadvanced.com Fri Jun 1 05:46:05 2018
From: Tony Harris (Tony.Harris at oneadvanced.com)
Date: Fri, 1 Jun 2018 09:46:05 +0000
Subject: [keycloak-user] Programmatically login as a user
Message-ID: <31268726de984f87ac4593cdd1dab913@SL1ACSEXCMB01.acsresource.com>

Why not look at a confidential client and login using the client id and client secret?

From valsarajpv at gmail.com Fri Jun 1 05:53:56 2018
From: valsaraj pv (valsarajpv at gmail.com)
Date: Fri, 1 Jun 2018 15:23:56 +0530
Subject: [keycloak-user] Programmatically login as a user
In-Reply-To: <31268726de984f87ac4593cdd1dab913@SL1ACSEXCMB01.acsresource.com>

Thanks! Would you share more details? Any link will be helpful.
--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....

Valsaraj Viswanathan

From sthorger at redhat.com Fri Jun 1 06:09:54 2018
From: Stian Thorgersen (sthorger at redhat.com)
Date: Fri, 1 Jun 2018 12:09:54 +0200
Subject: [keycloak-user] Keycloak on OpenShift

On 1 June 2018 at 09:09, Luis Rodríguez Fernández wrote:

> About the template, have you taken it from this repo [1]? Are these templates under the Apache license or similar?

The template is written from scratch, but I used the sso72-https.json template as a reference. The SSO templates are under the ASL2 license (https://github.com/jboss-openshift/application-templates/blob/master/LICENSE).

At the moment it's very basic and doesn't cover a lot of things like DB, clustering, etc.

From valsarajpv at gmail.com Fri Jun 1 07:47:40 2018
From: valsaraj pv (valsarajpv at gmail.com)
Date: Fri, 1 Jun 2018 17:17:40 +0530
Subject: [keycloak-user] Permission issue in calling EJB from MDB

Hi,

We have recently switched from JAAS to Keycloak. The application is a JavaEE application with EJBs & MDBs. Set the Keycloak login module in WildFly to propagate the user from web to EJB & it worked. But facing an issue when an EJB is called from an MDB. There is an anonymous user in the MDB when a message is received, so that user doesn't have permission to invoke an EJB protected by:

    *
    false
    keycloak

In the JAAS version, we had programmatic login using a dedicated MDB user:

    loginContext = new LoginContext("ldap", new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) {
            int len = callbacks.length;
            Callback cb;
            for (int i = 0; i < len; i++) {
                cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    NameCallback ncb = (NameCallback) cb;
                    ncb.setName(mdbuserName);
                } else if (cb instanceof PasswordCallback) {
                    PasswordCallback pcb = (PasswordCallback) cb;
                    pcb.setPassword(mdbUsrPass);
                }
            }
        }
    });
    loginContext.login();

This has a user with the required permission. Since we have now moved to Keycloak, this code will not work. What is the option to prevent the permission issue in calling an EJB from an MDB?

Thanks!

From raisandeepkmr at gmail.com Fri Jun 1 07:55:17 2018
From: Sandeep Rai (raisandeepkmr at gmail.com)
Date: Fri, 1 Jun 2018 13:55:17 +0200
Subject: [keycloak-user] Fwd: Modify roles in Token after user login SPI

Hi All,

Any idea how I should proceed with this? Any pointers or documents?
Regards

---------- Forwarded message ---------
From: Sandeep Rai
Date: Thu, 31 May 2018, 02:25
Subject: Modify roles in Token after user login SPI

Hi Community,

I'm trying to add more roles into the token after the token has been generated, following the isValid() return of the Authentication SPI. I have an application which has SMS OTP functionality. After the user has verified the OTP, I want to grant more roles to the user by adding those roles into the token.

But how do I modify the existing token or even renew it with new roles? Is there an endpoint I can use to do so? Or any other ProviderInterface that I can use to achieve this?

Regards

From Jana.Neujahr at gisa.de Fri Jun 1 09:29:30 2018
From: Neujahr, Jana (Jana.Neujahr at gisa.de)
Date: Fri, 1 Jun 2018 13:29:30 +0000
Subject: [keycloak-user] E-Mail template: which template is used for which action? How to alter this?

Dear keycloak users,

I'm to configure keycloak email messages. I already found the folders and the FTL files. Strangely, keycloak does not seem to use email_verification.ftl when sending an activation link. It's using executeActions.ftl, though I found out that the "requiredAction" actually is VERIFY_EMAIL. So why not use the appropriate template? Is there a possibility for me to change the use of FTL templates with the different actions?

Alternatively, does anybody know whether in the executeActions case there can be several "requiredActions"? If it's sure to be only one, I could do the modulation to the different templates in executeActions.ftl, checking the requiredActions.

I appreciate every hint or idea.

PS: If someone needs to know how far I've gone with checking the requiredActions in executeActions.ftl, I'll happily share.

Kind regards
Jana

From ndekefa at gmail.com Fri Jun 1 09:43:59 2018
From: Anselme Ndeke (ndekefa at gmail.com)
Date: Fri, 1 Jun 2018 15:43:59 +0200
Subject: [keycloak-user] How to use jaxrs-oauth-client for authorization code grant?

Hi,

I'm looking for a way to use the authorization code grant flow using a pure JAX-RS filter. So far, I've successfully added the jaxrs-oauth-client (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/jaxrs-oauth-client) to my REST app, which sends errors on requests without a token. Then, I wonder if jaxrs-oauth-client supports the authorization code grant? This class https://github.com/keycloak/keycloak/blob/master/adapters/oidc/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsOAuthClient.java has some methods about redirect but I couldn't find any example.
I want some URLs to send redirects to the auth server instead of auth errors, like in the vanilla getting started guide and without using the wildfly/jetty/tomcat/spring adapters.

Thanks

From pritiguleria10 at gmail.com Sat Jun 2 05:23:11 2018
From: priti guleria (pritiguleria10 at gmail.com)
Date: Sat, 2 Jun 2018 14:53:11 +0530
Subject: [keycloak-user] Hardware requirements of keycloak cluster

Hi Team,

I want to deploy a clustered keycloak setup in production.

Can someone help me with what should be the minimum hardware requirements for this setup?

Thanks,
Priti

From subodhcjoshi82 at gmail.com Sat Jun 2 07:22:40 2018
From: Subodh Joshi (subodhcjoshi82 at gmail.com)
Date: Sat, 2 Jun 2018 16:52:40 +0530
Subject: [keycloak-user] Hardware requirements of keycloak cluster

We are using four virtual Linux servers with 8GB RAM, 200GB space and it's working well even after creating load up to 1k users.

From arun.velayudhan at motorolasolutions.com Sun Jun 3 02:08:10 2018
From: Arun Velayudhan (arun.velayudhan at motorolasolutions.com)
Date: Sun, 3 Jun 2018 11:38:10 +0530
Subject: [keycloak-user] Hardware requirements of keycloak cluster

If we have two clusters, are the tokens valid across clusters? I.e. if a token is generated by one cluster, will this be valid on the other cluster? We are trying to address cluster-down situations and clients sending requests with the token (which was generated prior to the cluster going down).

Arun

From subodhcjoshi82 at gmail.com Sun Jun 3 02:44:50 2018
From: Subodh Joshi (subodhcjoshi82 at gmail.com)
Date: Sun, 3 Jun 2018 12:14:50 +0530
Subject: [keycloak-user] Hardware requirements of keycloak cluster

For my development environment I personally tested things with HA. In that I made 3 nodes for Keycloak, one node for the shared DB, 1 node for the load balancer and 2 nodes for the JSF application, and the token was working well for all requests even when another node where Keycloak was installed was down.

Before going further in detail, is your cluster environment ready or are you guys still doing paper work?

From ebenzacar at gmail.com Sun Jun 3 11:33:07 2018
From: Eric B (ebenzacar at gmail.com)
Date: Sun, 3 Jun 2018 11:33:07 -0400
Subject: [keycloak-user] Force additional authentication for specific pages?

I'm not sure how this can be done in Keycloak, but I suspect that it must be feasible.

Is there a way to use Resources, or something similar, that would force an already-authenticated user to reauthenticate himself when accessing a specific set of resources? For example, if a user wants to access high-level administrative functions, I would like for the user to reauthenticate themselves again. This reauthentication could be valid for a finite period of time (ex: 5 mins), before the user would have to once again reauthenticate themselves to continue using the high-level admin functions.

During the period where the user re-authenticates himself for the high-level functions, I want his existing Keycloak session to continue as it was; there should be no interruption in his original session or credentials.

I've been looking to see if there was a way to use Keycloak Authorization Resources and Permissions to accomplish this. Are there any good examples or docs that could help steer me? Or am I looking down the wrong path?

Thanks,

Eric

From Scotthezzell at benefex.co.uk Sun Jun 3 15:24:37 2018
From: Scott Hezzell (Scotthezzell at benefex.co.uk)
Date: Sun, 3 Jun 2018 19:24:37 +0000
Subject: [keycloak-user] Bulk user import recommendations

Hi

Keycloak 3.4.0 - running 5 instances in containers using standalone clustered mode running against postgres.

I am looking for the recommended approach to bulk user imports into keycloak. I initially hoped to use the admin api but I am looking at having to import batches of up to 80,000 users and initial tests look to top out at just under 40 requests per second. At that throughput it will take 33 minutes to import a set of 80,000 users.

Is this an expected throughput level? Any techniques to increase this? Any alternative techniques?

I thought about inserting directly into the keycloak postgres db but I am concerned about the upgrade experience. Could implementing my own user store and adding my own custom user storage provider, enabling me to import directly into my own db and implementing the defined interfaces for the user storage provider so as to hopefully help the upgrade path, be an option?

Are there any migration options I could take advantage of?

Many thanks

Scott

From juanjo.vazquez.delgado at tecsisa.com Mon Jun 4 04:14:46 2018
From: Juan José Vázquez Delgado (juanjo.vazquez.delgado at tecsisa.com)
Date: Mon, 4 Jun 2018 10:14:46 +0200
Subject: [keycloak-user] RPT vs regular access tokens

Hello everyone! According to the documentation, an RPT is just a JWT token with permission claims. In order to disambiguate between RPT and regular access tokens, is there any way to do this apart from checking the existence of these permission claims? Thanks!
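Two questions above turn on reading claims out of a Keycloak-issued JWT: Juan José's (telling an RPT from a plain access token) and Eric B's (forcing a fresh login for high-level admin pages). The following is an added example, not code from any list member or from Keycloak itself; it assumes Keycloak's documented RPT layout (an "authorization" claim with a "permissions" list of entries keyed by "rsname"/"scopes", with an entry lacking "scopes" taken as resource-level access) and the standard OIDC "auth_time" claim, and the sample tokens are constructed with a dummy signature, so a real deployment must verify the signature before trusting any of this:

```python
import base64
import json
import time

# Added example (not from the list thread): inspect Keycloak-style JWT claims
# offline. Sample tokens are CONSTRUCTED with a fake signature; production code
# must let the adapter/server verify the signature before trusting the claims.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a compact JWS-shaped token for demonstration only (not signed)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(claims).encode("utf-8")),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def is_rpt(claims: dict) -> bool:
    """An RPT carries an 'authorization' claim whose 'permissions' list names the
    granted resources/scopes; a plain access token has no such claim. As the
    thread says, this is the only feature that distinguishes the two."""
    authorization = claims.get("authorization")
    return isinstance(authorization, dict) and isinstance(authorization.get("permissions"), list)


def has_permission(claims: dict, resource_name: str, scope: str = None) -> bool:
    """True if the RPT grants the named resource (and, if given, the scope).
    Assumption: 'rsname' (older builds: 'resource_set_name') holds the resource
    name, and an entry with no 'scopes' list means resource-level access."""
    if not is_rpt(claims):
        return False
    for perm in claims["authorization"]["permissions"]:
        if not isinstance(perm, dict):
            continue
        if perm.get("rsname", perm.get("resource_set_name")) != resource_name:
            continue
        scopes = perm.get("scopes")
        if scope is None or not scopes or scope in scopes:
            return True
    return False


def auth_is_fresh(claims: dict, max_age_seconds: int, now: float = None) -> bool:
    """Step-up check for sensitive pages: OIDC 'auth_time' records when the user
    last actively authenticated. If it is older than max_age_seconds, send the
    user back to the authorization endpoint with max_age=<seconds> (standard
    OIDC parameter) instead of trusting the existing session. A missing or
    malformed auth_time is treated as stale, never as fresh."""
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False
    now = time.time() if now is None else now
    age = now - auth_time
    return 0 <= age <= max_age_seconds


if __name__ == "__main__":
    # Constructed sample: an RPT granting 'view' on one resource, authenticated at t=1000.
    sample = make_sample_jwt({
        "sub": "user-1", "auth_time": 1000,
        "authorization": {"permissions": [{"rsid": "res-1", "rsname": "Admin Console", "scopes": ["view"]}]},
    })
    c = decode_claims(sample)
    print("RPT:", is_rpt(c), "view:", has_permission(c, "Admin Console", "view"),
          "fresh@1200:", auth_is_fresh(c, 300, now=1200), "fresh@1400:", auth_is_fresh(c, 300, now=1400))
```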
From benoit.herard at orange.com Mon Jun 4 04:40:21 2018
From: Benoit HERARD (benoit.herard at orange.com)
Date: Mon, 4 Jun 2018 10:40:21 +0200
Subject: [keycloak-user] Admin console and reverse proxy
Message-ID: <767f57b9-b8d8-3df4-3f88-539b6e9932a4@orange.com>

Hi All

I've installed the latest version (4.0.0.Beta3) on a test box and followed this guide (https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy) to access keycloak through an apache reverse proxy.

For the moment, in order to facilitate troubleshooting, my configuration is using http only (for keycloak and apache). Apache is listening on port 80 and keycloak on 8080.

For now, I can perfectly connect and use the user account management via the proxy (http://localhost/auth/realms/master/account). As well, I can configure and use mod_auth_openid to protect backends on apache.

My problem is when I want to connect to the keycloak admin console. If I go directly to WildFly (http://localhost:8080/auth/admin) it works. I can login and use the admin console. But if I go there via the proxy (http://localhost/auth/admin) it fails. The login form opens, I can enter and submit my creds but then a blank page opens when the admin console GUI should be available. With the developer tools of my browser I can see that cookies seem to be set correctly by the authent. server (f.e. from this blank page I type the URL of account management and it's displayed without re-entering creds, so I conclude that I am logged in).

The developer tools call stack shows that it fails in calling https://localhost/auth/admin/master/console/whoami with HTTP 401 (unauthorized).

Any idea?

Thx

From Rens.Verhage at topicus.nl Mon Jun 4 05:27:33 2018
From: Rens Verhage (Rens.Verhage at topicus.nl)
Date: Mon, 4 Jun 2018 09:27:33 +0000
Subject: [keycloak-user] Mapping SAML attributes from ADFS
Message-ID: <6AE01B04-0EC9-4A52-93C0-2F4F9CA58D2B@topicus.nl>

Hi all,

I'm having some trouble importing users from ADFS. On first time login, Keycloak displays the user registration form with only the username pre-filled; first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response.

Do I have to explicitly map these attributes? How can I log the SAML response in plain text? All SAML assertions are encrypted, how can I log / debug the mapping of user attributes?

Rens

From Rens.Verhage at topicus.nl Mon Jun 4 06:23:43 2018
From: Rens Verhage (Rens.Verhage at topicus.nl)
Date: Mon, 4 Jun 2018 10:23:43 +0000
Subject: [keycloak-user] Mapping SAML attributes from ADFS
References: <6AE01B04-0EC9-4A52-93C0-2F4F9CA58D2B@topicus.nl>
Message-ID: <7A4B74A9-E28A-49C1-A0DE-78B3A3FEBFDE@topicus.nl>

Thanks Tony! This helped a lot. After mapping the attributes like this everything works fine:

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email

Rens

On 4 Jun 2018, at 11:58, Tony Harris wrote:

> This might help get you started. This maps the surname claim in SAML to the LastName attribute in Keycloak. The SAML names here should give you the name of the others.
>
> https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/saml_assertion_credential_token_mapping_adfs_azure.html

From psilva at redhat.com Mon Jun 4 07:59:38 2018
From: Pedro Igor Silva (psilva at redhat.com)
Date: Mon, 4 Jun 2018 08:59:38 -0300
Subject: [keycloak-user] RPT vs regular access tokens

No, there isn't.

If it helps, if you are using our adapters you are not forced any longer to send RPTs to your backend in order to enforce access to your resources. Now you can just send regular access tokens and the PEP will take care of exchanging an RPT and enforcing access decisions based on the permissions granted by the server.

Could you elaborate more on what you are trying to achieve?
From valsarajpv at gmail.com Mon Jun 4 08:16:41 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 4 Jun 2018 17:46:41 +0530
Subject: [keycloak-user] JAAS login context propagation issue with Keycloak

Hi,

I am facing an issue with JAAS login context propagation when using Keycloak. The following code is executed from a Message Driven Bean to log in as the application MDB user.

    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginContext;

    // "keycloak" is the name of the JAAS security domain configured in the container
    loginContext = new LoginContext("keycloak", new CallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) {
            // answer the login module's prompts with the MDB user's credentials
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(mdbuserName);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(mdbUserPass);
                }
            }
        }
    });
    loginContext.login();

After that, when I check the principal, I get anonymous!

    Principal p = ctx.getCallerPrincipal();

Is there any workaround for this issue?

Thanks!

From pinguwien at gmail.com Mon Jun 4 08:46:10 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Mon, 4 Jun 2018 14:46:10 +0200
Subject: [keycloak-user] Get old password in custom update-password required action

Hi everyone,

I need help with the following custom authentication flow:

1a. User logs in via a custom username/password form authenticator. Success case: he gets logged in, backend-wise into a third-party system via a REST call. User is created in Keycloak. => works!

1b. User logs in, but the third-party system returns a flag that the user has to change his password. For this, I created a required action which just uses the "normal" update_password required action, but in its processAction method calls the third-party system.

=> Doesn't really work, because one requirement of the third-party API for updating the password of a user to a new one is that the old password has to be in the request JSON, syntax:

    { username: "...", passwordNew: "...", passwordOld: "..." }

Now I am struggling a little to get the old password in my required-action form, which, as of now, is the login-update-password.ftl as can be found here: https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/login-update-password.ftl

It seems there already is a hidden field for the current password, but this has no value. So this seemed not to work, and now I am thinking of creating my own form and setting it for the required action. Therefore I have one problem (so far): the code I use now for creating the update-password form, which is the "normal" Keycloak form, looks like this:

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        Response challenge = context.form()
                .setAttribute("username", context.getAuthenticationSession().getAuthenticatedUser().getUsername())
                .createResponse(UserModel.RequiredAction.UPDATE_PASSWORD);
        context.challenge(challenge);
    }

Now I want to use my own form, containing another form element where the user has to put in his old password. So, what do I need to change here? I saw the secretactionrequiredaction at GitHub, which uses createForm("...ftl"), but not the setAttribute and/or createResponse - so, one question is: is createForm... enough to get my own form loaded at the required action? (aside from putting a custom ftl in the theme I use)

Would be great to get some hints here!

Thanks in advance,
Dominik
dominik.guhr at codecentric.de

From cobace742 at gmail.com Mon Jun 4 10:02:34 2018
From: cobace742 at gmail.com (Lenay Schminzh)
Date: Mon, 4 Jun 2018 16:02:34 +0200
Subject: [keycloak-user] Keycloak SAML redirection stuck in loop after logging in

I'm trying to secure a URL, /monitoring, with Keycloak using SAML.
I've modified my web.xml:

    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>monitoringrole</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Monitoring</web-resource-name>
            <url-pattern>/monitoring</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>monitoringrole</role-name>
        </auth-constraint>
    </security-constraint>

    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>

I've also modified my Tomcat 7 context.xml file with the correct Valve and added the keycloak-saml.xml in /WEB-INF.

I'm correctly redirected to the IdP, but even after successfully logging in, I keep getting this message:

*You are already logged in*

I guess I'm redirecting to the same URL I'm securing, but shouldn't Keycloak grant me access to the page?

[image: Capture.PNG] (http://lists.jboss.org/pipermail/keycloak-user/attachments/20180604/3f5f5e17/attachment-0002.png)

Here is my configuration on the Keycloak server:

[image: 7252z.png] (http://lists.jboss.org/pipermail/keycloak-user/attachments/20180604/3f5f5e17/attachment-0003.png)

Am I missing something on the configuration side?

Thank you.

From vinayatoz at gmail.com Mon Jun 4 10:21:14 2018
From: vinayatoz at gmail.com (Vinay)
Date: Mon, 4 Jun 2018 10:21:14 -0400
Subject: [keycloak-user] LDAP failover

Nope. It doesn't work. What is the recommendation for these high-availability use cases, a load balancer between Keycloak and LDAP? It seems a pretty common use case.

On Thu, May 31, 2018 at 2:15 AM, Marek Posolda wrote:

> JNDI itself supports it per the docs: https://docs.oracle.com/javase/1.5.0/docs/guide/jndi/jndi-ldap-gl.html#url .
>
> So it's possible that if you just configure "Connection URL" and add more
> URLs, the failover will just work. But I never tried to test it, so no
> guarantee...
>
> Marek
>
> On 30/05/18 18:40, Vinay wrote:
>
>> Does Keycloak provide LDAP failover, i.e. provide two LDAP URLs while
>> creating an LDAP provider so that users can be searched on both the primary and
>> the secondary LDAP server? This is required for high availability.

From Marian.Rainer-Harbach at apa.at Mon Jun 4 10:36:12 2018
From: Marian.Rainer-Harbach at apa.at (Rainer-Harbach Marian)
Date: Mon, 4 Jun 2018 14:36:12 +0000
Subject: [keycloak-user] LDAP failover
Message-ID: <3601eb2eac8847a2e1b86f4af7e0b6d5787b1653.camel@apa.at>

Hi,

we tried this some time ago and it does work: when you specify multiple (space-separated) connection URLs, Keycloak uses the first one. If it goes down, it switches to the next one. We tested this extensively and failover works as expected.

Marian

On Mon, 2018-06-04 at 10:21 -0400, Vinay wrote:

> Nope. It doesn't work. What is the recommendation for these high-availability
> use cases, a load balancer between Keycloak and LDAP? It seems a pretty
> common use case.
>
> On Thu, May 31, 2018 at 2:15 AM, Marek Posolda wrote:
>
> > JNDI itself supports it per the docs: https://docs.oracle.com/javase/1.5.0/docs/guide/jndi/jndi-ldap-gl.html#url .
> >
> > So it's possible that if you just configure "Connection URL" and
> > add more URLs, the failover will just work. But I never tried to test it, so
> > no guarantee...
> >
> > Marek
> >
> > On 30/05/18 18:40, Vinay wrote:
> >
> > > Does Keycloak provide LDAP failover, i.e. provide two LDAP URLs
> > > while creating an LDAP provider so that users can be searched on both
> > > the primary and the secondary LDAP server? This is required for high availability.

From vinayatoz at gmail.com Mon Jun 4 10:41:02 2018
From: vinayatoz at gmail.com (Vinay)
Date: Mon, 4 Jun 2018 10:41:02 -0400
Subject: [keycloak-user] Non ASCII characters in local part of email

Any reason why Keycloak doesn't support non-ASCII characters in the local part of the email address? As per RFC 6531, these chars are allowed.

-Vinay

From ntle at castortech.com Mon Jun 4 12:30:05 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 4 Jun 2018 12:30:05 -0400
Subject: [keycloak-user] how to notify app when keycloak session timeout or user logout?

Hello,

My app has quite some sessions that start when a user logs in through Keycloak. I want to close these sessions when the Keycloak session expires or the user logs out. Is there any notification/callback from the Keycloak server when such an event occurs?

Thai

From robinsousa at gmail.com Mon Jun 4 15:03:37 2018
From: robinsousa at gmail.com (Miguel Sousa)
Date: Mon, 4 Jun 2018 20:03:37 +0100
Subject: [keycloak-user] Keycloak consent required

Hello,

Regarding the Keycloak consent screen I have two questions:

- Is it possible to have a checkbox for each access privilege that the user is granting to the client instead of just an option to allow or deny all of them?
- Can the client specify the access privileges that it needs through the scope request parameter in the authorization flow?
Thanks in advance,
Miguel Sousa

From avinash at avinash.com.np Tue Jun 5 01:38:58 2018
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Tue, 5 Jun 2018 11:23:58 +0545
Subject: [keycloak-user] cannot change token times/settings in realm settings

Hello Community,

I just set up a keycloak-4 beta3 and have the issue that when I navigate to the "Tokens" page, it shows up for a brief moment and then redirects to the "Resource not found" page. In the network requests, we can see that the request [1] returns a 404. The same doesn't happen for the master realm.

We have the same issue in keycloak-4 beta1 as well (which is why I wanted to update and try).

Any suggestion would be helpful here.

Regards,
Avinash

[1] /auth/admin/realms/myrealm?$promise={}&$resolved=true&accessCodeLifespan={"unit":"Minutes","time":1}&accessCodeLifespanLogin={"unit":"Minutes","time":30}&accessCodeLifespanUserAction={"unit":"Minutes","time":5}&accessTokenLifespan={"unit":"Minutes","time":5}&accessTokenLifespanForImplicitFlow={"unit":"Minutes","time":15}&actionTokenGeneratedByAdminLifespan={"unit":"Hours","time":12}&actionTokenGeneratedByUserLifespan={"unit":"Minutes","time":5}&adminEventsDetailsEnabled=false&adminEventsEnabled=false&attributes={"_browser_header.xXSSProtection":"1;+mode=block","_browser_header.xFrameOptions":"SAMEORIGIN","_browser_header.strictTransportSecurity":"max-age=31536000;+includeSubDomains","permanentLockout":"false","quickLoginCheckMilliSeconds":"1000","_browser_header.xRobotsTag":"none","maxFailureWaitSeconds":"900","minimumQuickLoginWaitSeconds":"60","failureFactor":"30","actionTokenGeneratedByUserLifespan":"300","maxDeltaTimeSeconds":"43200","_browser_header.xContentTypeOptions":"nosniff","actionTokenGeneratedByAdminLifespan":"43200","bruteForceProtected":"false","_browser_header.contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","waitIncrementSeconds":"60"}&browserFlow=browser&browserSecurityHeaders={"xContentTypeOptions":"nosniff","xRobotsTag":"none","xFrameOptions":"SAMEORIGIN","xXSSProtection":"1;+mode=block","contentSecurityPolicy":"frame-src+'self';+frame-ancestors+'self';+object-src+'none';","strictTransportSecurity":"max-age=31536000;+includeSubDomains"}&bruteForceProtected=false&clientAuthenticationFlow=clients&defaultRoles=offline_access&defaultRoles=uma_authorization&directGrantFlow=direct+grant&dockerAuthenticationFlow=docker+auth&duplicateEmailsAllowed=false&editUsernameAllowed=true&enabled=true&eventsEnabled=false&eventsListeners=jboss-logging&failureFactor=30&internationalizationEnabled=false&loginWithEmailAllowed=true&maxDeltaTimeSeconds=43200&maxFailureWaitSeconds=900&minimumQuickLoginWaitSeconds=60&notBefore=0&offlineSessionIdleTimeout={"unit":"Days","time":30}&otpPolicyAlgorithm=HmacSHA1&otpPolicyDigits=6&otpPolicyInitialCounter=0&otpPolicyLookAheadWindow=1&otpPolicyPeriod=30&otpPolicyType=totp&otpSupportedApplications=FreeOTP&otpSupportedApplications=Google+Authenticator&permanentLockout=false&quickLoginCheckMilliSeconds=1000&realm=myrealm&refreshTokenMaxReuse=0&registrationAllowed=true&registrationEmailAsUsername=false&registrationFlow=registration&rememberMe=false&requiredCredentials=password&resetCredentialsFlow=reset+credentials&resetPasswordAllowed=false&revokeRefreshToken=false&smtpServer={}&sslRequired=all&ssoSessionIdleTimeout={"unit":"Minutes","time":30}&ssoSessionMaxLifespan={"unit":"Hours","time":10}&userManagedAccessAllowed=false&verifyEmail=false&waitIncrementSeconds=60

--
Avinash Kundaliya
avinash at avinash.com.np
http://avinash.com.np

From Rens.Verhage at topicus.nl Tue Jun 5 02:16:48 2018
From: Rens.Verhage at topicus.nl (Rens Verhage)
Date: Tue, 5 Jun 2018 06:16:48 +0000
Subject: [keycloak-user] Mapping SAML attributes from ADFS
In-Reply-To: <7A4B74A9-E28A-49C1-A0DE-78B3A3FEBFDE@topicus.nl>
References: <6AE01B04-0EC9-4A52-93C0-2F4F9CA58D2B@topicus.nl> <7A4B74A9-E28A-49C1-A0DE-78B3A3FEBFDE@topicus.nl>
Message-ID: <869E99C6-5F58-4FFF-A0B7-FAB5C18F0B26@topicus.nl>

Still have one more question though. Seems like the ADFS I'm connecting with doesn't send me the custom attributes we have agreed upon (at least I'm suspecting, not sure). Is it possible to log the decrypted assertion so that I can verify? Tried adding trace-level logging, but no luck.

> On 4 Jun 2018, at 12:23, Rens Verhage wrote:
>
> Thanks Tony! This helped a lot.
>
> After mapping the attributes like this everything works fine:
>
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> lastName
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> firstName
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> email
>
> Rens
>
> On 4 Jun 2018, at 11:58, Tony Harris wrote:
>
> This might help get you started. This maps the surname claim in SAML to the LastName attribute in Keycloak.
>
> The SAML names here should give you the name of the others. https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/saml_assertion_credential_token_mapping_adfs_azure.html
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Rens Verhage
> Sent: 04 June 2018 10:28
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Mapping SAML attributes from ADFS
>
> Hi all,
>
> I'm having some trouble importing users from ADFS. On first-time login, Keycloak displays the user registration form with only the username pre-filled; first name, last name and e-mail address are empty. According to the ADFS administrator, these attributes are being sent in the SAML response.
>
> Do I have to explicitly map these attributes?
>
> How can I log the SAML response in plain text? All SAML assertions are encrypted, how can I log / debug the mapping of user attributes?
> Rens

From uo67113 at gmail.com Tue Jun 5 03:01:00 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 5 Jun 2018 09:01:00 +0200
Subject: [keycloak-user] how to notify app when keycloak session timeout or user logout?

Hello Thai,

I do think this issue has been discussed in this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-May/014050.html

Hope it helps,

Luis

2018-06-04 18:30 GMT+02:00 Nhut Thai Le:

> Hello,
>
> My app has quite some sessions that start when a user logs in through
> Keycloak. I want to close these sessions when the Keycloak session expires or
> the user logs out. Is there any notification/callback from the Keycloak server
> when such an event occurs?
>
> Thai

From lemso at free.fr Tue Jun 5 04:36:55 2018
From: lemso at free.fr (Lamine Léo Keita)
Date: Tue, 5 Jun 2018 10:36:55 +0200
Subject: [keycloak-user] No sync between infinispan and keycloak in cluster

Hi,

I am facing an issue with the cluster example. I have 2 sites; on each I have 1 Keycloak and 1 Infinispan running. The Infinispan instances see each other and are configured as in the example in the documentation. Each Keycloak sees the Infinispan on its site.

When I open 2 sessions, one on each site, I see 2 entries in the session cache on Infinispan, but on each Keycloak I see that only one session is running!

Did someone already have this issue? Could somebody help me please?

Lamine

From pinguwien at gmail.com Tue Jun 5 04:51:51 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 5 Jun 2018 10:51:51 +0200
Subject: [keycloak-user] How to return custom error messages from custom spnego authenticator?
Message-ID: <5657b9b7-c6c3-772f-b7cb-029a184e992c@gmail.com>

Hi everyone,

So I just posted this question on SO, hoping to reach more people, but would be great to get an answer here too, obviously: https://stackoverflow.com/questions/50695959/how-do-i-return-custom-error-messages-to-frontend-in-custom-spnego-authenticator

Thanks!

Best regards,
Dominik

From lists at stefan-hesse.net Tue Jun 5 07:01:39 2018
From: lists at stefan-hesse.net (Stefan Hesse)
Date: Tue, 5 Jun 2018 13:01:39 +0200
Subject: [keycloak-user] Where did "Requesting Entitlements" go?

Hello everyone,

in Keycloak 3.3 one could easily request entitlements as described here: https://www.keycloak.org/docs/3.3/authorization_services/topics/service/entitlement/entitlement-api-aapi.html

In Keycloak 4.0 this option seems to be gone. Where did it go? What is the new URL? The old way now returns a 404.

And BTW: where are these breaking changes documented? I can't find them in the release notes, and checking all the issues seems a little cumbersome.

Best Regards

Stefan

From pinguwien at gmail.com Tue Jun 5 07:55:22 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 5 Jun 2018 13:55:22 +0200
Subject: [keycloak-user] Add custom Attributes to user from Kerberos ticket
Message-ID: <9659f74d-4549-7395-97b0-0658aaee04fd@gmail.com>

Hi,

so I am writing a custom authenticator right now which handles a Kerberos ticket from an LDAP federation provider I added via the admin panel. This works; the only thing is that due to the internationalization bug I don't import the users from the federation provider.

Now in my custom authenticator, I try to call a third-party API and add some attributes to this user. To achieve this, I customized the authenticate(AuthenticationFlowContext context) method to call my third-party API via Apache HttpClient (works). Then, I try to read everything the result JSON of the third party returns, and map it into a UserModel. I do it like this:

    import java.util.Arrays;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import com.fasterxml.jackson.databind.node.ObjectNode;

    if (responseCode == 200) {
        ObjectMapper mapper = new ObjectMapper();
        ObjectNode rootnode = (ObjectNode) mapper.readTree(responseString);
        // copy every field of the third-party response onto the authenticated user
        rootnode.fieldNames().forEachRemaining(s -> {
            String val = rootnode.get(s).asText();
            if (s.equals("lastname"))
                output.getAuthenticatedUser().setLastName(val);
            else if (s.equals("firstname"))
                output.getAuthenticatedUser().setFirstName(val);
            else if (s.equals("email"))
                output.getAuthenticatedUser().setEmail(val);
            else if (s.equals("username"))
                ; // skip this completely.
            else if (s.equals("newPasswordRequired")) {
                // TODO when required action works, set it here
                // user.addRequiredAction("UPDATE_THIRDPARTY_PASSWORD");
            } else {
                // everything else becomes a custom user attribute
                output.getAuthenticatedUser().setAttribute(s, Arrays.asList(val));
                logger.info("adding attribute to usermodel: " + s);
            }
        });
        context.setUser(output.getAuthenticatedUser());
    }

So here I set the attributes etc. dynamically. Which works pretty fine. But in my token I don't get these attributes - seems like I only get those which are actually mapped from LDAP, too. So I tried to add a mapper for "employeeID" to my federation provider, but that didn't change anything. In my client, for sure I added that mapper via User Attribute and, for the sake of idk, later tried with User Property, but it had no effect.

So, I need to get the other attributes too; dynamically would be perfect, but even statically would be good. Is there any chance to do this, or do I have to stick with the fields from LDAP? I thought the context.setUser ...
would do, but it seems it doesn't. Perhaps I have to set the user not for the context, but elsewhere?

Any help is highly appreciated.

Thank you,
Dominik

From psilva at redhat.com Tue Jun 5 08:31:21 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 5 Jun 2018 09:31:21 -0300
Subject: [keycloak-user] Where did "Requesting Entitlements" go?

I'll write a migration guide before Final. Due to some changes in the new UMA 2.0 spec, permissions are now obtained from a single endpoint, the token endpoint. For now, I would ask you to take a look at [1].

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

On Tue, Jun 5, 2018 at 8:01 AM, Stefan Hesse wrote:

> Hello everyone,
>
> in Keycloak 3.3 one could easily request entitlements as described here:
> https://www.keycloak.org/docs/3.3/authorization_services/topics/service/entitlement/entitlement-api-aapi.html
>
> In Keycloak 4.0 this option seems to be gone. Where did it go? What is
> the new URL? The old way now returns a 404.
>
> And BTW: where are these breaking changes documented? I can't find them
> in the release notes, and checking all the issues seems a little
> cumbersome.
>
> Best Regards
>
> Stefan

From neo11078016 at gmail.com Tue Jun 5 08:34:26 2018
From: neo11078016 at gmail.com (Min Han Lee)
Date: Tue, 5 Jun 2018 13:34:26 +0100
Subject: [keycloak-user] Keycloak HA with NATIVE S3 Ping and JDBC Ping guide

Hello,

I wondered if anyone can give me some pointers on how to implement KC HA with NATIVE S3 Ping or JDBC Ping? I had some search in Google but couldn't find any good guides.

Thanks

Kind Regards
Neo Lee

From giohappy at gmail.com Tue Jun 5 09:22:19 2018
From: giohappy at gmail.com (G. Allegri)
Date: Tue, 5 Jun 2018 15:22:19 +0200
Subject: [keycloak-user] Unable to verify Google certificate during reCaptcha verification

Hi,

I've configured reCaptcha for the registration form. It appears and works fine from the browser side, but Keycloak cannot access the verification URL [1] because the Java SSL chain cannot verify the certificate. I've followed the guide in the docs [2] to configure the TrustStore (in standalone mode), after having created the truststore and imported the Google cert. I've verified that keytool lists the Google certificate correctly, and I've double-checked file paths and password, but I keep receiving the following exception:

    2018-06-05 13:06:35,921 ERROR [org.keycloak.services] (default task-9) KC-SERVICES0028: Recaptcha failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        (...)

I've also tried to set -Djavax.net.ssl.trustStore= when I launch standalone.sh, but that doesn't work either.

Do I miss something or am I doing something wrong?

Thanks,
Giovanni

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/forms/RegistrationRecaptcha.java#L140
[2] https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore

From c.otano at ibermatica.com Tue Jun 5 09:36:56 2018
From: c.otano at ibermatica.com (Otaño Pavo, Cesar)
Date: Tue, 5 Jun 2018 13:36:56 +0000
Subject: [keycloak-user] Keycloak and Citrix Storefront

Good afternoon

Is it possible to use the configuration SAML SP "Citrix StoreFront" and IdP "Keycloak"?

Thank you very much

César

From vinayatoz at gmail.com Tue Jun 5 12:50:26 2018
From: vinayatoz at gmail.com (Vinay)
Date: Tue, 5 Jun 2018 12:50:26 -0400
Subject: [keycloak-user] Keycloak Training for Developers

Is there a training program on Keycloak for developers?

From msakho at redhat.com Tue Jun 5 15:03:30 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 5 Jun 2018 21:03:30 +0200
Subject: [keycloak-user] Keycloak Training for Developers

Not yet Vinay, not yet.

2018-06-05 18:50 GMT+02:00 Vinay:

> Is there a training program on Keycloak for developers?
From subodhcjoshi82 at gmail.com Tue Jun 5 20:37:31 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 6 Jun 2018 06:07:31 +0530
Subject: [keycloak-user] Keycloak Training for Developers

Training from the Keycloak team?

On Tue, 5 Jun 2018, 22:53 Vinay, wrote:

> Is there a training program on Keycloak for developers?

From pulkitsrivastavajd at gmail.com Wed Jun 6 02:20:48 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Wed, 6 Jun 2018 11:50:48 +0530
Subject: [keycloak-user] Keycloak Licence

Hi,

I need to know if there would be any legal/licence issues if I download the open source code for Keycloak and deploy it after doing certain code-level changes.

I know the forum says it's open source, but I just need to be sure before I start using it.

Can anyone confirm that?

Thanks,
Pulkit

From sblanc at redhat.com Wed Jun 6 02:26:43 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 6 Jun 2018 08:26:43 +0200
Subject: [keycloak-user] Keycloak Licence

Yes, it's the Apache 2 License. You can do all of this.

https://github.com/keycloak/keycloak/blob/master/License.html

On Wed, Jun 6, 2018 at 8:20 AM, Pulkit Srivastava <pulkitsrivastavajd at gmail.com> wrote:

> Hi,
> I need to know if there would be any legal/licence issues if I download
> the open source code for Keycloak and deploy it after doing certain code-level
> changes.
>
> I know the forum says it's open source, but I just need to be sure before I
> start using it.
>
> Can anyone confirm that?
>
> Thanks,
> Pulkit

From sm.info at tradeboox.com Wed Jun 6 04:07:41 2018
From: sm.info at tradeboox.com (S Mishra)
Date: Wed, 6 Jun 2018 13:37:41 +0530
Subject: [keycloak-user] Fwd: Users in Multiple Realms

Hello

Please excuse me if this has been asked before (I'm sure it has), and I would be grateful if someone could point me to the right resources.

I have 2 realms, REALM1 and REALM2, in my local instance of KC. I would like to validate and issue tokens for users who are members of a particular group in another realm on the same server. I.e., in REALM2, I've created a group, e.g. REALM1-GROUP, and assigned users to this group, who I want to be validated in REALM1.

How can I do this?

Thanks in advance.

Sam

From hmlnarik at redhat.com Wed Jun 6 04:08:31 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 6 Jun 2018 10:08:31 +0200
Subject: [keycloak-user] Wrong event after email verify started by REST (send-verify-email)
In-Reply-To: <005c01d3edb9$81a2a910$84e7fb30$@bricsys.com>
References: <005c01d3edb9$81a2a910$84e7fb30$@bricsys.com>

The event is correct, due to the way the send-verify-email endpoint works. However, I believe adding a detail of which actions were required to the event seems a relevant feature; feel free to file a feature request JIRA.

On Thu, May 17, 2018 at 10:31 AM, wrote:

> Hi all,
>
> We are using the Keycloak REST API to trigger an email verification email.
> (.../send-verify-email)
>
> When the verification process is done, the EVENT logged is a
> CUSTOM_REQUIRED_ACTION event.
>
> Email verification is not a customization, so it should probably be logged
> as VERIFY_EMAIL.
>
> Is this expected behaviour? Or can this be considered as a bug?
> > > > Kind regards, > > Pieter > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From mark.howells at mjog.com Wed Jun 6 05:42:23 2018 From: mark.howells at mjog.com (Mark Howells) Date: Wed, 6 Jun 2018 10:42:23 +0100 Subject: [keycloak-user] SQRL (or similar) Message-ID: I'm investigating requirements for a project that we're working on. We'd like to implement a SQRL-like workflow for users. Basically, We have a mobile application that goes to great lengths to identify the user. We'd like to allow users to access web services via a PC by browsing to a login page that shows a QR code and then scanning that code from within the app. I'm aware of tiqr? but I'm not sure how 'proprietary' that solution is (nor how readily we absorb the tiqr app functionality into our own app) ?. Are there any projects around this area that we can consider? or do we have to roll our own. Cheers, Mark -- NOTICE AND DISCLAIMER This email contains MJog information, which may be privileged or confidential. It's meant only for the individual(s) or entity named above.?If you're not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited.?If you've received this email in error, please let me know immediately on the email address above. Thank you.**** MJog Limited is?a limited company registered in England and Wales.?Company?Registration?No: 2313464 Registered Office: The Old School, 23 High Street, Wilburton, ELY, CB6 3RB We monitor our email system, and may record your emails. From Jana.Neujahr at gisa.de Wed Jun 6 07:48:17 2018 From: Jana.Neujahr at gisa.de (Neujahr, Jana) Date: Wed, 6 Jun 2018 11:48:17 +0000 Subject: [keycloak-user] E-Mail templates: list of possible parameters? 
Message-ID:

Dear keycloak users,

for altering the keycloak e-mail templates it would be nice to know which parameters you can use in your FTL files. Is there a list somewhere? If not, would you all kindly help to create a list for present and future users?

I'd like to begin:

E-mail template parameters, in alphabetical order:

user.firstName (first name of concerned user)
user.lastName (last name of concerned user)
link (link for user action)
linkExpiration (expiration time of the link)
linkExpirationFormatter (formatter for expiration time into days, hours, minutes)
event.date (date of the triggered event)
event.ipAddress (IP address of the user who triggered the event)
requiredActions (list of the triggered actions, String values)
realmName (name of the concerned realm)
code (?)
identityProviderAlias (alias of used identity provider, e.g. Facebook)
identityProviderContext.username (username of used identity provider)

Kindly yours
Jana
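As an added illustration, not part of Jana's message and not a Keycloak theme file, here is a small HTML execute-actions e-mail body assembled only from the parameters listed above. It assumes those names are in scope for that template in your Keycloak version (the file location themes/mytheme/email/html/executeActions.ftl is an assumption) and escapes the user-supplied first name with FreeMarker's ?html builtin, so that a name entered at self-registration cannot inject markup into the mail.

```ftl
<#-- Added example, not a Keycloak theme file. Assumed location in a custom theme:
     themes/mytheme/email/html/executeActions.ftl
     Parameters used: user.firstName, realmName, requiredActions, link,
     linkExpiration, linkExpirationFormatter (from the list in the message above). -->
<html>
<body>
<p>
  <#-- user.firstName is entered by the user (e.g. at self-registration), so
       HTML-escape it before it is rendered; realmName is admin-controlled but
       escaping it costs nothing. -->
  <#if user.firstName?has_content>Hello ${user.firstName?html},<#else>Hello,</#if>
</p>
<p>
  Your administrator for realm <b>${realmName?html}</b> asks you to complete
  the following action(s):
  <#-- requiredActions is a list of action names (String values); the
       "_has_next" loop variable gives a separator without needing #sep -->
  <#list requiredActions as action><b>${action?html}</b><#if action_has_next>, </#if></#list>
</p>
<p>
  <#-- link is the time-limited action URL generated by Keycloak;
       linkExpirationFormatter turns linkExpiration into days/hours/minutes -->
  <a href="${link}">Click here to proceed</a>.
  This link will expire within ${linkExpirationFormatter(linkExpiration)}.
</p>
<p>
  If you did not expect this message, you can safely ignore it; nothing changes
  unless the link is used.
</p>
</body>
</html>
```

If your theme's FreeMarker configuration already auto-escapes HTML output, the explicit ?html only double-escapes (visible but harmless), so it is kept here as the safe default.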
From ashihara at fukuokabank.co.jp Thu Jun 7 01:57:04 2018
From: ashihara at fukuokabank.co.jp
Date: Thu, 7 Jun 2018 14:57:04 +0900
Subject: [keycloak-user] unintentionally changing the client ID in the sequence of registration
Message-ID:

I am using Keycloak 3.4.3.Final.
I am troubled by the client ID unintentionally changing in the sequence of registration transitions. The details are as follows.

1. After a new user is registered, an e-mail is sent from Keycloak. (client ID: "sample app")
2. When I click the link in the e-mail, the confirmation screen for the mail address is displayed. (client ID: "sample app")
3. When I click the link "click here to proceed" on the confirmation screen for the mail address, the client ID is changed from "sample app" to "account".

Is the behavior in step 3 above a Keycloak specification?
Is it impossible to keep the client ID as "sample app" through the screen transition?

thanks

From Athulya.Pillai at cybertech.com Thu Jun 7 05:23:08 2018
From: Athulya.Pillai at cybertech.com (Athulya Pillai)
Date: Thu, 7 Jun 2018 09:23:08 +0000
Subject: [keycloak-user] Keycloak latest beta version for Sql server support
Message-ID: <5D7282EF8AC38B41BA812672DABBF6B6DB0897A9@CSSLEX1.Cybertech.Com>

Hi Team,

The latest version of Keycloak is 4.0.0.Beta2. When we deploy this version as a Docker image, there is a mandatory environment variable to be set. The variable is DB_VENDOR, which accepts only 4 values: H2, POSTGRES, MYSQL and MARIADB.
Please let me know the value for the above parameter DB_VENDOR to deploy this Keycloak image with Microsoft SQL Server.

Thanks and Regards
Athulya Pillai

From r.favier at tkhinnovations.com Thu Jun 7 05:44:04 2018
From: r.favier at tkhinnovations.com (Raphael Favier)
Date: Thu, 7 Jun 2018 11:44:04 +0200
Subject: [keycloak-user] search-friendly mailing list archives?
Message-ID:

Hello,

I'm a new subscriber to this mailing list and I'm happy to see how active it is.

However, I am quite surprised that it is very hard to search its archived messages. Of course the archives are here, but they are only provided as .txt files, which makes them quite hard to navigate. For now I am basically using Google and the "site" operator to look for messages that were posted prior to my subscription to the list.

Or is there an easier way?

I have seen other open source projects using Nabble or Google Groups to make it easier for their users to search in their mailing list archives.

I think such a tool would reduce the number of questions asked over and over and ease help between users.

with kind regards
Raphael

From bruno at abstractj.org Thu Jun 7 05:52:59 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 7 Jun 2018 06:52:59 -0300
Subject: [keycloak-user] search-friendly mailing list archives?
In-Reply-To:
References:
Message-ID: <20180607095259.GA13550@abstractj.org>

You can search the archives using https://www.keycloak.org/search.html

On 2018-06-07, Raphael Favier wrote:
> Hello,
>
> I'm a new subscriber to this mailing list and I'm happy to see how active it is.
>
> However, I am quite surprised that it is very hard to search its archived messages. Of course the archives are here, but they are only provided as .txt files, which makes them quite hard to navigate. For now I am basically using Google and the "site" operator to look for messages that were posted prior to my subscription to the list.
>
> Or is there an easier way?
>
> I have seen other open source projects using Nabble or Google Groups to make it easier for their users to search in their mailing list archives.
>
> I think such a tool would reduce the number of questions asked over and over and ease help between users.
>
> with kind regards
> Raphael

--
abstractj

From r.favier at tkhinnovations.com Thu Jun 7 05:57:33 2018
From: r.favier at tkhinnovations.com (Raphael Favier)
Date: Thu, 7 Jun 2018 11:57:33 +0200
Subject: [keycloak-user] search-friendly mailing list archives?
In-Reply-To: <20180607095259.GA13550@abstractj.org>
References: <20180607095259.GA13550@abstractj.org>
Message-ID:

Thanks!

On Thu, Jun 7, 2018 at 11:52 AM, Bruno Oliveira wrote:
> You can search the archives using https://www.keycloak.org/search.html

From Athulya.Pillai at cybertech.com Thu Jun 7 06:14:52 2018
From: Athulya.Pillai at cybertech.com (Athulya Pillai)
Date: Thu, 7 Jun 2018 10:14:52 +0000
Subject: [keycloak-user] Keycloak latest beta version for Sql server support
In-Reply-To:
References: <5D7282EF8AC38B41BA812672DABBF6B6DB0897A9@CSSLEX1.Cybertech.Com>
Message-ID: <5D7282EF8AC38B41BA812672DABBF6B6DB089828@CSSLEX1.Cybertech.Com>

Hi Raphael,

The link which you shared seems to be Keycloak using MYSQL as the database. However, in my case it is MS SQL Server.

This seems to be a bug in 4.0.0.Beta2.

Thanks and Regards
Athulya Pillai

From: Raphael Favier [mailto:r.favier at tkhinnovations.com]
Sent: Thursday, June 07, 2018 3:41 PM
To: Athulya Pillai
Subject: Re: [keycloak-user] Keycloak latest beta version for Sql server support

Hi Athulya,

According to http://lists.jboss.org/pipermail/keycloak-user/2017-November/012377.html I guess it should be MYSQL.

with kind regards
Raphael

On Thu, Jun 7, 2018 at 11:23 AM, Athulya Pillai wrote:
Hi Team,
The latest version of Keycloak is 4.0.0.Beta2. When we deploy this version as a Docker image, there is a mandatory environment variable to be set. The variable is DB_VENDOR, which accepts only 4 values: H2, POSTGRES, MYSQL and MARIADB.
Please let me know the value for the above parameter DB_VENDOR to deploy this Keycloak image with Microsoft SQL Server.

Thanks and Regards
Athulya Pillai

From manisha04.nandal at gmail.com Thu Jun 7 07:28:25 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Thu, 7 Jun 2018 16:58:25 +0530
Subject: [keycloak-user] Keycloak - User registration flow query
Message-ID:

Hi Team,

I have used the Keycloak identity provider for my web application for authentication purposes. I have a query related to the user registration flow: are the validations of attributes like "first name" and several others (say optional or mandatory) on the user registration page done on the client or the server side? As far as I have checked, I can't see any client-side validation in the "register.ftl" file.

The idea is to add some custom attributes and perform some basic validations for them.

Thanks,
Manisha

From sthorger at redhat.com Thu Jun 7 09:45:19 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Jun 2018 15:45:19 +0200
Subject: [keycloak-user] Keycloak latest beta version for Sql server support
In-Reply-To: <5D7282EF8AC38B41BA812672DABBF6B6DB089828@CSSLEX1.Cybertech.Com>
References: <5D7282EF8AC38B41BA812672DABBF6B6DB0897A9@CSSLEX1.Cybertech.Com> <5D7282EF8AC38B41BA812672DABBF6B6DB089828@CSSLEX1.Cybertech.Com>
Message-ID:

The image does not support SQL Server, only MySQL and PostgreSQL. To use SQL Server you will have to extend the image to add the JDBC drivers and datasource configuration yourself.

On 7 June 2018 at 12:14, Athulya Pillai wrote:
> Hi Raphael,
> The link which you shared seems to be Keycloak using MYSQL as the database. However, in my case it is MS SQL Server.
>
> This seems to be a bug in 4.0.0.Beta2.
>
> Thanks and Regards
> Athulya Pillai

From mbelivea at redhat.com Thu Jun 7 13:04:20 2018
From: mbelivea at redhat.com (Matthew Beliveau)
Date: Thu, 7 Jun 2018 13:04:20 -0400 (EDT)
Subject: [keycloak-user] Updating data provider information on the fly
In-Reply-To: <460458371.27084403.1528390906843.JavaMail.zimbra@redhat.com>
Message-ID: <1453957072.27084587.1528391060363.JavaMail.zimbra@redhat.com>

Hello,

I am trying to find a place in the Keycloak code where I can update data provider information on the fly.

Use case: I have a Keycloak server connected to a back-end identity source. This Keycloak server is configured to use an external IdP as an authentication source.
When the user is authenticated against the external source and Keycloak receives his assertion or OIDC ticket, I want to get info from that ticket and check whether the information about this user is known to the particular data back end. If the data is not there or is different, I would like to update the data in the back end.

I know where the code for the back-end data providers is and can create my own or extend an existing one.
I found a place where Keycloak processes assertions and tickets:
https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/broker/oidc

Is this the right place to invoke the data provider API to do the data update in the back end?
Are there any precedents of such code in the Keycloak code base or around?

Thanks,
Matthew Beliveau

From vandana0242 at gmail.com Thu Jun 7 14:26:04 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 7 Jun 2018 13:26:04 -0500
Subject: [keycloak-user] is it must to buy keycloak license
Message-ID:

Hello

Is it a must to buy a Keycloak license by the client?

Thanks,
Vandana

From subodhcjoshi82 at gmail.com Thu Jun 7 14:40:27 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 8 Jun 2018 00:10:27 +0530
Subject: [keycloak-user] is it must to buy keycloak license
In-Reply-To:
References:
Message-ID:

Keycloak comes under Apache License 2. According to the Apache License:

> The Apache License is a permissive free software license written by the Apache Software Foundation (ASF).
>
> The Apache License, Version 2.0 requires preservation of the copyright notice and disclaimer. Like other free software licenses, the license allows the user of the software the freedom to use the software for any purpose, to distribute it, to modify it, and to distribute modified versions of the software, under the terms of the license, without concern for royalties. This makes ALv2 a FRAND-RF license.
The ASF and its projects release the software they produce under > the Apache License and many non-ASF projects are also using the ALv2. > So no need to buy the license by client. On Fri, Jun 8, 2018 at 12:00 AM vandana thota wrote: > Hello > > Is it must to buy keycloak license by client ? > > > Thanks, > Vandana > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From vandana0242 at gmail.com Thu Jun 7 14:50:23 2018 From: vandana0242 at gmail.com (vandana thota) Date: Thu, 7 Jun 2018 13:50:23 -0500 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: So keycloak is free to use ? Thanks, Vandana On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi wrote: > Keycloak come under Apache license 2. According to Apache License > > The *Apache License* is a permissive >> free >> software license >> written by the Apache Software Foundation >> (ASF).[5] >> >> The Apache License, Version 2.0 requires preservation of the copyright >> notice and disclaimer >> . Like other free software >> licenses , *the >> license allows the user of the software the freedom to use the software for >> any purpose, to distribute it, to modify it, and to distribute modified >> versions of the software, under the terms of the license, without concern >> for royalties *. This makes >> ALv2 a FRAND-RF >> >> license. The ASF and its projects release the software they produce under >> the Apache License and many non-ASF projects are also using the ALv2. >> > > So no need to buy the license by client. > > On Fri, Jun 8, 2018 at 12:00 AM vandana thota > wrote: > >> Hello >> >> Is it must to buy keycloak license by client ? 
>> >> >> Thanks, >> Vandana >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > From robinsousa at gmail.com Thu Jun 7 14:51:44 2018 From: robinsousa at gmail.com (Miguel Sousa) Date: Thu, 7 Jun 2018 19:51:44 +0100 Subject: [keycloak-user] Keycloak consent required In-Reply-To: References: Message-ID: Hello community, Can you help me on this? :) Thanks, Miguel Sousa A segunda, 4/06/2018, 20:03, Miguel Sousa escreveu: > Hello, > > Regarding the Keycloak consent screen I have two questions: > - Is it possible to have a checkbox for each access privilege that the > user is granting to the client instead of just an option to allow or deny > all of them? > - Can the client specify the access privileges that it needs through the > scope request parameter in the authorization flow? > > Thanks in advance, > Miguel Sousa > From subodhcjoshi82 at gmail.com Thu Jun 7 14:52:09 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 8 Jun 2018 00:22:09 +0530 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: Yes, it is. On Fri, 8 Jun 2018, 00:20 vandana thota, wrote: > So keycloak is free to use ? > > > Thanks, > Vandana > > On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi > wrote: > >> Keycloak come under Apache license 2. According to Apache License >> >> The *Apache License* is a permissive >>> free >>> software license >>> written by the Apache Software Foundation >>> (ASF).[5] >>> >>> The Apache License, Version 2.0 requires preservation of the copyright >>> notice and disclaimer >>> . 
Like other free software >>> licenses , *the >>> license allows the user of the software the freedom to use the software for >>> any purpose, to distribute it, to modify it, and to distribute modified >>> versions of the software, under the terms of the license, without concern >>> for royalties *. This makes >>> ALv2 a FRAND-RF >>> >>> license. The ASF and its projects release the software they produce under >>> the Apache License and many non-ASF projects are also using the ALv2. >>> >> >> So no need to buy the license by client. >> >> On Fri, Jun 8, 2018 at 12:00 AM vandana thota >> wrote: >> >>> Hello >>> >>> Is it must to buy keycloak license by client ? >>> >>> >>> Thanks, >>> Vandana >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> -- >> Subodh Chandra Joshi >> subodh1_joshi82 at yahoo.co.in >> http://www.trendsinnews.com >> > > From vandana0242 at gmail.com Thu Jun 7 14:52:55 2018 From: vandana0242 at gmail.com (vandana thota) Date: Thu, 7 Jun 2018 13:52:55 -0500 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: ok thanks . So you are working as keycloak admin support ? On Thu, Jun 7, 2018 at 1:52 PM, Subodh Joshi wrote: > Yes, it is. > > On Fri, 8 Jun 2018, 00:20 vandana thota, wrote: > >> So keycloak is free to use ? >> >> >> Thanks, >> Vandana >> >> On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi >> wrote: >> >>> Keycloak come under Apache license 2. According to Apache License >>> >>> The *Apache License* is a permissive >>>> free >>>> software license >>>> written by the Apache Software Foundation >>>> (ASF).[5] >>>> >>>> The Apache License, Version 2.0 requires preservation of the copyright >>>> notice and disclaimer >>>> . 
Like other free software >>>> licenses , *the >>>> license allows the user of the software the freedom to use the software for >>>> any purpose, to distribute it, to modify it, and to distribute modified >>>> versions of the software, under the terms of the license, without concern >>>> for royalties *. This makes >>>> ALv2 a FRAND-RF >>>> >>>> license. The ASF and its projects release the software they produce under >>>> the Apache License and many non-ASF projects are also using the ALv2. >>>> >>> >>> So no need to buy the license by client. >>> >>> On Fri, Jun 8, 2018 at 12:00 AM vandana thota >>> wrote: >>> >>>> Hello >>>> >>>> Is it must to buy keycloak license by client ? >>>> >>>> >>>> Thanks, >>>> Vandana >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> -- >>> Subodh Chandra Joshi >>> subodh1_joshi82 at yahoo.co.in >>> http://www.trendsinnews.com >>> >> >> From sthorger at redhat.com Thu Jun 7 15:18:38 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Jun 2018 21:18:38 +0200 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: Keycloak is completely free to use. There's some limitations to that of course. Limited (no guaranteed) support. We expect the community to help out answering questions and fixing issues. No backporting of fixes or CVEs to previous versions. Etc. If you want enterprise level support Red Hat provides that through Red Hat Single Sign-On, which is our productized and fully supported build of Keycloak. On 7 June 2018 at 20:52, vandana thota wrote: > ok thanks . > > So you are working as keycloak admin support ? > > > > On Thu, Jun 7, 2018 at 1:52 PM, Subodh Joshi > wrote: > > > Yes, it is. > > > > On Fri, 8 Jun 2018, 00:20 vandana thota, wrote: > > > >> So keycloak is free to use ? 
> >> > >> > >> Thanks, > >> Vandana > >> > >> On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi > >> wrote: > >> > >>> Keycloak come under Apache license 2. According to Apache License > >>> > >>> The *Apache License* is a permissive > >>>> free > >>>> software license > > >>>> written by the Apache Software Foundation > >>>> (ASF).[5] > >>>> nmr-permissive-5> > >>>> The Apache License, Version 2.0 requires preservation of the copyright > >>>> notice and disclaimer > >>>> . Like other free software > >>>> licenses , *the > >>>> license allows the user of the software the freedom to use the > software for > >>>> any purpose, to distribute it, to modify it, and to distribute > modified > >>>> versions of the software, under the terms of the license, without > concern > >>>> for royalties *. This makes > >>>> ALv2 a FRAND-RF > >>>> discriminatory_licensing> > >>>> license. The ASF and its projects release the software they produce > under > >>>> the Apache License and many non-ASF projects are also using the ALv2. > >>>> > >>> > >>> So no need to buy the license by client. > >>> > >>> On Fri, Jun 8, 2018 at 12:00 AM vandana thota > >>> wrote: > >>> > >>>> Hello > >>>> > >>>> Is it must to buy keycloak license by client ? 
> >>>> > >>>> > >>>> Thanks, > >>>> Vandana > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>> > >>> > >>> -- > >>> Subodh Chandra Joshi > >>> subodh1_joshi82 at yahoo.co.in > >>> http://www.trendsinnews.com > >>> > >> > >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From vandana0242 at gmail.com Thu Jun 7 16:06:33 2018 From: vandana0242 at gmail.com (vandana thota) Date: Thu, 7 Jun 2018 15:06:33 -0500 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: Thanks for the information , I have installed keycloak on wildfly 11 server . Our wildfly server has three standalone instances. It's non -prod, Dev environment. Do I have to install keycloak on wildfly server or install it on separate VM Do I need to install keycloak on a separate VM for prod widlfy server and another saparate VM for Non-prod Wildfly server ? Which is the best option On Thu, Jun 7, 2018 at 2:18 PM, Stian Thorgersen wrote: > Keycloak is completely free to use. There's some limitations to that of > course. Limited (no guaranteed) support. We expect the community to help > out answering questions and fixing issues. No backporting of fixes or CVEs > to previous versions. Etc. > > If you want enterprise level support Red Hat provides that through Red Hat > Single Sign-On, which is our productized and fully supported build of > Keycloak. > > On 7 June 2018 at 20:52, vandana thota wrote: > >> ok thanks . >> >> So you are working as keycloak admin support ? >> >> >> >> On Thu, Jun 7, 2018 at 1:52 PM, Subodh Joshi >> wrote: >> >> > Yes, it is. >> > >> > On Fri, 8 Jun 2018, 00:20 vandana thota, wrote: >> > >> >> So keycloak is free to use ? 
>> >> >> >> >> >> Thanks, >> >> Vandana >> >> >> >> On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi > > >> >> wrote: >> >> >> >>> Keycloak come under Apache license 2. According to Apache License >> >>> >> >>> The *Apache License* is a permissive >> >>>> >> free >> >>>> software license > /Free_software_license> >> >>>> written by the Apache Software Foundation >> >>>> (ASF).[5] >> >>>> > permissive-5> >> >>>> The Apache License, Version 2.0 requires preservation of the >> copyright >> >>>> notice and disclaimer >> >>>> . Like other free software >> >>>> licenses , *the >> >>>> license allows the user of the software the freedom to use the >> software for >> >>>> any purpose, to distribute it, to modify it, and to distribute >> modified >> >>>> versions of the software, under the terms of the license, without >> concern >> >>>> for royalties *. This makes >> >>>> ALv2 a FRAND-RF >> >>>> > tory_licensing> >> >>>> license. The ASF and its projects release the software they produce >> under >> >>>> the Apache License and many non-ASF projects are also using the ALv2. >> >>>> >> >>> >> >>> So no need to buy the license by client. >> >>> >> >>> On Fri, Jun 8, 2018 at 12:00 AM vandana thota >> >>> wrote: >> >>> >> >>>> Hello >> >>>> >> >>>> Is it must to buy keycloak license by client ? 
>> >>>> >> >>>> >> >>>> Thanks, >> >>>> Vandana >> >>>> _______________________________________________ >> >>>> keycloak-user mailing list >> >>>> keycloak-user at lists.jboss.org >> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>>> >> >>> >> >>> >> >>> -- >> >>> Subodh Chandra Joshi >> >>> subodh1_joshi82 at yahoo.co.in >> >>> http://www.trendsinnews.com >> >>> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sthorger at redhat.com Fri Jun 8 01:11:02 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 8 Jun 2018 07:11:02 +0200 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: We recommend installing Keycloak using the standalone distribution rather than deploy on top of existing WildFly server. If you want one for non-prod and one for prod is up to you. Usually it's good practice to have one for either. On 7 June 2018 at 22:06, vandana thota wrote: > Thanks for the information , > > I have installed keycloak on wildfly 11 server . Our wildfly server has > three standalone instances. It's non -prod, Dev environment. > > Do I have to install keycloak on wildfly server or install it on > separate VM > > Do I need to install keycloak on a separate VM for prod widlfy server > and another saparate VM for Non-prod Wildfly server ? > > Which is the best option > > > On Thu, Jun 7, 2018 at 2:18 PM, Stian Thorgersen > wrote: > >> Keycloak is completely free to use. There's some limitations to that of >> course. Limited (no guaranteed) support. We expect the community to help >> out answering questions and fixing issues. No backporting of fixes or CVEs >> to previous versions. Etc. >> >> If you want enterprise level support Red Hat provides that through Red >> Hat Single Sign-On, which is our productized and fully supported build of >> Keycloak. 
>> >> On 7 June 2018 at 20:52, vandana thota wrote: >> >>> ok thanks . >>> >>> So you are working as keycloak admin support ? >>> >>> >>> >>> On Thu, Jun 7, 2018 at 1:52 PM, Subodh Joshi >>> wrote: >>> >>> > Yes, it is. >>> > >>> > On Fri, 8 Jun 2018, 00:20 vandana thota, >>> wrote: >>> > >>> >> So keycloak is free to use ? >>> >> >>> >> >>> >> Thanks, >>> >> Vandana >>> >> >>> >> On Thu, Jun 7, 2018 at 1:40 PM, Subodh Joshi < >>> subodhcjoshi82 at gmail.com> >>> >> wrote: >>> >> >>> >>> Keycloak come under Apache license 2. According to Apache License >>> >>> >>> >>> The *Apache License* is a permissive >>> >>>> >>> free >>> >>>> software license >> /Free_software_license> >>> >>>> written by the Apache Software Foundation >>> >>>> >>> (ASF).[5] >>> >>>> >> permissive-5> >>> >>>> The Apache License, Version 2.0 requires preservation of the >>> copyright >>> >>>> notice and disclaimer >>> >>>> . Like other free >>> software >>> >>>> licenses , >>> *the >>> >>>> license allows the user of the software the freedom to use the >>> software for >>> >>>> any purpose, to distribute it, to modify it, and to distribute >>> modified >>> >>>> versions of the software, under the terms of the license, without >>> concern >>> >>>> for royalties *. This >>> makes >>> >>>> ALv2 a FRAND-RF >>> >>>> >> tory_licensing> >>> >>>> license. The ASF and its projects release the software they produce >>> under >>> >>>> the Apache License and many non-ASF projects are also using the >>> ALv2. >>> >>>> >>> >>> >>> >>> So no need to buy the license by client. >>> >>> >>> >>> On Fri, Jun 8, 2018 at 12:00 AM vandana thota >> > >>> >>> wrote: >>> >>> >>> >>>> Hello >>> >>>> >>> >>>> Is it must to buy keycloak license by client ? 
>>> >>>> >>> >>>> >>> >>>> Thanks, >>> >>>> Vandana >>> >>>> _______________________________________________ >>> >>>> keycloak-user mailing list >>> >>>> keycloak-user at lists.jboss.org >>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>>> >>> >>> >>> >>> >>> >>> -- >>> >>> Subodh Chandra Joshi >>> >>> subodh1_joshi82 at yahoo.co.in >>> >>> http://www.trendsinnews.com >>> >>> >>> >> >>> >> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From vandana0242 at gmail.com Fri Jun 8 01:17:21 2018 From: vandana0242 at gmail.com (vandana thota) Date: Fri, 8 Jun 2018 00:17:21 -0500 Subject: [keycloak-user] is it must to buy keycloak license In-Reply-To: References: Message-ID: Ok, thanks. On Fri, Jun 8, 2018, 12:11 AM Stian Thorgersen wrote: > We recommend installing Keycloak using the standalone distribution rather > than deploy on top of existing WildFly server. > > If you want one for non-prod and one for prod is up to you. Usually it's > good practice to have one for either. > > On 7 June 2018 at 22:06, vandana thota wrote: > >> Thanks for the information , >> >> I have installed keycloak on wildfly 11 server . Our wildfly server >> has three standalone instances. It's non -prod, Dev environment. >> >> Do I have to install keycloak on wildfly server or install it on >> separate VM >> >> Do I need to install keycloak on a separate VM for prod widlfy server >> and another saparate VM for Non-prod Wildfly server ? >> >> Which is the best option >> >> >> On Thu, Jun 7, 2018 at 2:18 PM, Stian Thorgersen >> wrote: >> >>> Keycloak is completely free to use. There's some limitations to that of >>> course. Limited (no guaranteed) support. We expect the community to help >>> out answering questions and fixing issues. No backporting of fixes or CVEs >>> to previous versions. Etc. 
>>> If you want enterprise-level support, Red Hat provides that through Red Hat Single Sign-On, which is our productized and fully supported build of Keycloak.

From manisha04.nandal at gmail.com Fri Jun 8 02:03:53 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Fri, 8 Jun 2018 11:33:53 +0530
Subject: [keycloak-user] Keycloak - User registration flow query
In-Reply-To:
References:
Message-ID:

Any update on the above query?

On Thu, Jun 7, 2018 at 4:58 PM, Manisha Nandal wrote:
> Hi Team,
>
> I have used the Keycloak identity provider for my web application for authentication purposes. I have a query related to the user registration flow: are the validations of attributes like "first name" and several others (say optional or mandatory) on the user registration page done on the client or the server side? As far as I have checked, I can't see any client-side validation in the "register.ftl" file.
>
> The idea is to add some custom attributes and perform some basic validations for them.
> Thanks,
> Manisha

From hasebullah.ansari at syntlogo.de Fri Jun 8 03:10:00 2018
From: hasebullah.ansari at syntlogo.de (Ansari, Hasebullah)
Date: Fri, 8 Jun 2018 07:10:00 +0000
Subject: [keycloak-user] Manage-user permission is always overridden in fine-grain permission
Message-ID: <679B9AD5-73D1-46C3-95AA-FF79D7FFFB37@syntlogo.de>

Hello,

I have a use case where I want to create a dedicated realm for one organization with an admin user. But when I give the role "realm-admin" to this user, he can literally do anything in this realm: managing clients, managing users, etc. And if the user is not very familiar with Keycloak, then he can also disturb the settings or configuration of the realm itself, like deleting roles from "realm-management" and, with "manage-user", messing with client stuff, for example. Now I have managed to restrict this admin from doing such things, but with fine-grained permissions and without the "manage-clients" and "manage-users" roles, I cannot see the "create client" and "create user" buttons in the dedicated realm's admin console. In my use case I want the admin user to create clients and users by himself, but not manage everything like stated above.

Cheers,

Hasebullah A Ansari
Master of Engineering in IT, Heidelberg

IT Specialist / Java Developer
Syntlogo GmbH

From subodhcjoshi82 at gmail.com Fri Jun 8 03:22:46 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 8 Jun 2018 12:52:46 +0530
Subject: [keycloak-user] Keycloak - User registration flow query
In-Reply-To:
References:
Message-ID:

Here are a few examples:

https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/authentication/authenticators/browser
https://github.com/keycloak/keycloak/tree/master/examples/providers

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From Athulya.Pillai at cybertech.com Fri Jun 8 04:23:01 2018
From: Athulya.Pillai at cybertech.com (Athulya Pillai)
Date: Fri, 8 Jun 2018 08:23:01 +0000
Subject: [keycloak-user] Keycloak latest beta version for Sql server support
In-Reply-To:
References: <5D7282EF8AC38B41BA812672DABBF6B6DB0897A9@CSSLEX1.Cybertech.Com> <5D7282EF8AC38B41BA812672DABBF6B6DB089828@CSSLEX1.Cybertech.Com>
Message-ID: <5D7282EF8AC38B41BA812672DABBF6B6DB08BD45@CSSLEX1.Cybertech.Com>

Hi Stian,

The final version of Keycloak 3.4.3 doesn't support SQL Server out of the box; for that purpose the repo we got, https://github.com/stocksoftware/docker-keycloak-sqlserver, has some customization to include SQL Server, and we have created the Docker image from it. However, in the beta version of Keycloak, i.e. 4.0.0 Beta2, there is a parameter DB_VENDOR in the Docker image which doesn't support SQL Server. So even though the customizations are in place to support SQL Server, this parameter value overrides them to use the H2 database, thereby ignoring the customization for SQL Server.
Any help/suggestions?

Thanks and Regards
Athulya Pillai

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, June 07, 2018 7:15 PM
To: Athulya Pillai
Cc: Raphael Favier; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak latest beta version for Sql server support

The image does not support SQL Server, only MySQL and PostgreSQL. To use SQL Server you will have to extend the image to add the JDBC drivers and datasource configuration yourself.

On 7 June 2018 at 12:14, Athulya Pillai wrote:

Hi Raphael,

The link which you shared seems to be Keycloak using MySQL as the database. However, in my case it is MS SQL Server. This seems to be a bug in 4.0.0 Beta2.

Thanks and Regards
Athulya Pillai

From: Raphael Favier [mailto:r.favier at tkhinnovations.com]
Sent: Thursday, June 07, 2018 3:41 PM
To: Athulya Pillai
Subject: Re: [keycloak-user] Keycloak latest beta version for Sql server support

Hi Athulya,

According to http://lists.jboss.org/pipermail/keycloak-user/2017-November/012377.html I guess it should be MYSQL.

With kind regards,
Raphael

On Thu, Jun 7, 2018 at 11:23 AM, Athulya Pillai wrote:

Hi Team,

The latest version of Keycloak is 4.0.0 Beta2. When we deploy this version as a Docker image, there is a mandatory environment variable to be set. The variable is DB_VENDOR, which accepts only 4 values: H2, POSTGRES, MYSQL and MARIADB.

Please let me know the value for the above parameter DB_VENDOR to deploy this Keycloak image with Microsoft SQL Server.

Thanks and Regards
Athulya Pillai

From engelhardt at noiseag.ch Fri Jun 8 04:49:40 2018
From: engelhardt at noiseag.ch (Regula Engelhardt)
Date: Fri, 08 Jun 2018 10:49:40 +0200
Subject: [keycloak-user] Problem with realm token settings after changing realm name
Message-ID: <31472047-5F79-4B89-8F96-2A1279BCE2CC@contoso.com>

Hello

I have a problem with the token settings. Because my realm name originally had a whitespace in it and the redirection URI for the Google identity provider did not work with this name, I changed it to a realm name with an underscore instead. Now I can't change the token settings for my realm with the new name; I always get the error "Resource not found... We could not find the resource you are looking for. Please make sure the URL you entered is correct." If I change the name back, though, I can go to the token settings.

Thanks for your help!

Regula Engelhardt
Junior Developer

Noise AG
Sonneggstrasse 76
8006 Zürich
Switzerland

engelhardt at noiseag.ch
www.noiseag.ch

From web at thopap.de Fri Jun 8 08:28:13 2018
From: web at thopap.de (T. Papke)
Date: Fri, 8 Jun 2018 14:28:13 +0200
Subject: [keycloak-user] Multiple user stores / Domain separation
Message-ID:

Hi all,

In case multiple user stores are connected (e.g. different Active Directories), is there any built-in option to provide some kind of domain discriminator (e.g. a drop-down menu) on the login page? If not, are there any proposals or best practices on how to achieve this?
How does Keycloak handle the issue that the username is not unique in the case of multiple user stores?

Thank you,

Regards,
Thomas

From psilva at redhat.com Fri Jun 8 08:31:36 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 8 Jun 2018 09:31:36 -0300
Subject: [keycloak-user] Manage-user permission is always overridden in fine-grain permission
In-Reply-To: <679B9AD5-73D1-46C3-95AA-FF79D7FFFB37@syntlogo.de>
References: <679B9AD5-73D1-46C3-95AA-FF79D7FFFB37@syntlogo.de>
Message-ID:

That is a known limitation. Would you mind creating an RFE for this? There are also other parts where you must have the "manage-*" roles to perform actions, like those you mentioned.

Regards.
Pedro Igor

From vinayatoz at gmail.com Fri Jun 8 13:33:55 2018
From: vinayatoz at gmail.com (Vinay)
Date: Fri, 8 Jun 2018 13:33:55 -0400
Subject: [keycloak-user] hierarchical multi-tenancy
Message-ID:

Is hierarchical multi-tenancy possible in Keycloak, i.e. can a realm have sub-realms?

-Vinay

From vandana0242 at gmail.com Fri Jun 8 14:31:43 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 8 Jun 2018 13:31:43 -0500
Subject: [keycloak-user] How to take the Service Provider Metadata file or url on Keycloak for wildfly server ?
Message-ID:

Hello

How do I get the Service Provider metadata file or URL on Keycloak for a WildFly server?

What configurations need to be done to get that Service Provider metadata file?

Thanks,
Vandana

From sengstrom at ena.com Fri Jun 8 15:03:13 2018
From: sengstrom at ena.com (Stefan Engstrom)
Date: Fri, 8 Jun 2018 19:03:13 +0000
Subject: [keycloak-user] Unexpected behavior: self-registration through a provided IDP
Message-ID:

I have a setup where self-registration is disallowed on the realm login page. Meanwhile, I have Google set up as an identity provider, and if I attempt to authenticate using a Google account (that doesn't yet exist in the realm), Keycloak asks me to verify my email and is happy to create an account for me. Is there a way to prevent this from happening?
Stefan Engström
Lead Research & Development Engineer
Education Networks of America
618 Grassmere Park Drive Suite 12
Nashville, TN 37211
Phone: 615-312-6136
CTAC: 888-612-2880
Video @ https://ena.zoom.us/my/sengstrom
Mobile: 615-500-3223 <= Best option

From mitya at cargosoft.ru Sat Jun 9 04:30:18 2018
From: mitya at cargosoft.ru (Dmitry Telegin)
Date: Sat, 09 Jun 2018 11:30:18 +0300
Subject: [keycloak-user] hierarchical multi-tenancy
In-Reply-To:
References:
Message-ID: <1528533018.3664.1.camel@cargosoft.ru>

Vinay,

There are no sub-realms in Keycloak at the moment. The next step down the hierarchy is groups, which can be nested. Isn't what you want achievable with groups/roles/permissions?

Dmitry

From subodhcjoshi82 at gmail.com Sat Jun 9 10:34:43 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Sat, 9 Jun 2018 20:04:43 +0530
Subject: [keycloak-user] hierarchical multi-tenancy
In-Reply-To:
References:
Message-ID:

That's what Dmitry replied in his last mail:

> There are no sub-realms in Keycloak at the moment. The next step down the hierarchy is groups, which can be nested.

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From sinsn_619 at abv.bg Sun Jun 10 15:35:18 2018
From: sinsn_619 at abv.bg (Pedro Pedro)
Date: Sun, 10 Jun 2018 22:35:18 +0300 (EEST)
Subject: [keycloak-user] Using java admin client with Wildfly
In-Reply-To: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg>
References: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg>
Message-ID: <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg>

Hi all,

I am trying to use the admin client in a Maven project, but on startup it fails with this:

Caused by: java.lang.RuntimeException: Could not find constructor for class: org.keycloak.admin.client.resource.ServerInfoResource
    at org.jboss.resteasy.spi.metadata.ResourceBuilder.constructor(ResourceBuilder.java:683)
    at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.registered(POJOResourceFactory.java:41)
    at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:207)
    at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:193)
    at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:179)
    at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:156)
    at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
    at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)

Any ideas about this?
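As an added example that is not part of this thread or of the Keycloak project: a jboss-deployment-structure.xml of the kind the replies in this thread describe, declaring a dependency on the RESTEasy modules that ship with WildFly so the admin client runs on the server's own JAX-RS stack instead of a second copy bundled in the deployment. The module names are WildFly's; which of them a given deployment needs is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/jboss-deployment-structure.xml for a WAR
     (META-INF/ for an EAR). Makes the deployment use WildFly's bundled
     RESTEasy modules. The module list below is an assumption; keep only
     what the deployment needs, and keep the matching resteasy-* Maven
     artifacts out of the archive (scope "provided") so that two RESTEasy
     copies are never on the classpath at once. -->
<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.2">
    <deployment>
        <dependencies>
            <!-- Core JAX-RS runtime and the client API used by keycloak-admin-client. -->
            <module name="org.jboss.resteasy.resteasy-jaxrs" services="import"/>
            <module name="org.jboss.resteasy.resteasy-client" services="import"/>
            <!-- JSON provider (Jackson 2); the admin client exchanges JSON representations. -->
            <module name="org.jboss.resteasy.resteasy-jackson2-provider" services="import"/>
            <!-- JAXB provider; harmless if unused, needed by some RESTEasy versions alongside Jackson. -->
            <module name="org.jboss.resteasy.resteasy-jaxb-provider" services="import"/>
        </dependencies>
    </deployment>
</jboss-deployment-structure>
```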
From ebenzacar at gmail.com Sun Jun 10 20:57:13 2018
From: ebenzacar at gmail.com (Eric B)
Date: Sun, 10 Jun 2018 20:57:13 -0400
Subject: [keycloak-user] Using java admin client with Wildfly
In-Reply-To: <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg>
References: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg> <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg>
Message-ID:

I'm using the client in my app, but I need to explicitly add the RESTEasy dependencies to the jboss-deployment-structure.xml file, pointing to the RESTEasy modules in the WildFly folder.

From valsarajpv at gmail.com Sun Jun 10 22:04:10 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 11 Jun 2018 07:34:10 +0530
Subject: [keycloak-user] Using java admin client with Wildfly
In-Reply-To: <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg>
References: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg> <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg>
Message-ID:

I faced issues like this and resolved them by setting the RESTEasy WildFly module dependency.
From c.otano at ibermatica.com Mon Jun 11 02:38:11 2018
From: c.otano at ibermatica.com (Otaño Pavo, Cesar)
Date: Mon, 11 Jun 2018 06:38:11 +0000
Subject: [keycloak-user] information about post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak"
Message-ID:

Hi all,

I am reviewing the post "How to configure MS AD FS 3.0 as an identity provider corrected in Keycloak": https://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

At the beginning of the post, in the section "Configure the Keycloak server", there are two points:

- Configure the key layer for the incoming HTTPS connection
- Export the AD FS certificate to a Java trust store to enable outgoing HTTPS connections

These two points have a link with instructions on the steps to follow; the instructions are in GitBook. When I try to register, the page redirects me to the new GitBook site to register. I registered on the new site but I cannot find the instructions that I mentioned before. The documents are not on the new platform and the old one does not let me sign up.

Can someone send me the information, or send me an invitation to collaborate?

Thank you

Regards
César

LEGAL NOTICE
The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

From siddharthachak at gmail.com Mon Jun 11 04:11:28 2018
From: siddharthachak at gmail.com (siddhartha chakraborty)
Date: Mon, 11 Jun 2018 13:41:28 +0530
Subject: [keycloak-user] How to avoid Logout from IDP when application Logs out using Keycloak
Message-ID:

Hi All,

So we are logging out from our application using:

    KeycloakDeployment deployment = keycloakSecurityContext.getDeployment();
    keycloakSecurityContext.logout(deployment);

But as a result we are getting logged out from the IDP also, which is not desirable. Basically we don't want to log out from the IDP when our application logs out. Any help please?

We tried providing some invalid URL (example: www.google.com) in the Logout URL in the OpenID Connect config, but the session was not redirected to www.google.com. We even tried enabling the Backchannel Logout, but it didn't work.

Any help will be much appreciated.

Thanks,
Siddhartha

From pnowak.pierre at gmail.com Mon Jun 11 05:01:19 2018
From: pnowak.pierre at gmail.com (Pierre Nowak)
Date: Mon, 11 Jun 2018 11:01:19 +0200
Subject: [keycloak-user] http keycloak proxy behind https traefik proxy
Message-ID:

Hello,

There is PROXY_ADDRESS_FORWARDING=true to configure an HTTP Keycloak behind an HTTPS proxy; it all works well.

I can't find a way to make the Keycloak proxy work the same way, configured as HTTP behind an HTTPS Traefik proxy.

The proxy headers seem to be forwarded.

I access https://keycloakproxy, it gets redirected to https://keycloak {....}redirect_uri=*http*://keycloakproxy

I found this: http://lists.jboss.org/pipermail/keycloak-user/2017-November/012407.html saying that it is a misconfiguration of the client (here the Keycloak proxy).

Has someone any clue on how to do that?
Thanks,

From manisha04.nandal at gmail.com Mon Jun 11 05:47:36 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Mon, 11 Jun 2018 15:17:36 +0530
Subject: [keycloak-user] Custom User Registration flow
Message-ID:

I built a custom FormAction/FormActionFactory to provide additional behavior in the registration flow. I'm able to build the JAR, and I have deployed my changes to the standalone/deployments directory. Now when going through the registration process, the FormAction is definitely triggered but an immediate error is thrown:

15:10:38,229 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/services/validation/Validation
    at org.keycloak.authenticationspi.RegistrationProfile.validate(RegistrationProfile.java:39)
    at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:214)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:816)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:284)
    at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:607)
    at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:659)
    at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:639)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)

Please tell me the missing configuration, as it is unable to locate the class files from the Keycloak dependencies.

Thanks,
Manisha

From pnowak.pierre at gmail.com Mon Jun 11 06:02:47 2018
From: pnowak.pierre at gmail.com (Pierre Nowak)
Date: Mon, 11 Jun 2018 12:02:47 +0200
Subject: [keycloak-user] http keycloak proxy behind https traefik proxy
In-Reply-To:
References:
Message-ID:

I found I can put proxy-address-forwarding in the Keycloak security proxy's proxy.json, here:

    "applications": [
        {
            "proxy-address-forwarding": true,
            ...
        }
    ]

Now the redirect_uri is correct! But when I log in I have the following error:

Jun 11, 2018 9:57:04 AM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.UnknownHostException: keycloakaddress
From longman at barramandi.com Mon Jun 11 06:03:08 2018
From: longman at barramandi.com (Long Man)
Date: Mon, 11 Jun 2018 18:03:08 +0800
Subject: [keycloak-user] Simple user SSO between keycloak instances
Message-ID:

I have a pair of Keycloak instances set up as cross-datacenter HA as per https://www.keycloak.org/docs/4.0/server_installation/#setup

All configuration data is replicated, and changes to session/config are seen immediately in both instances' consoles.

However, a user login to /auth/realms/master/account/ cannot re-use the same session between the instances.

1) login to http://host.domain.com:8080/auth/realms/master/account (instance 1)
2) go to http://host.domain.com:9080/auth/realms/master/account (instance 2)

I am prompted to log in again, although all the cookies are sent to instance 2 (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY).

Any help appreciated

Thanks a bunch!

Regards,
BL

From balazskov at gmail.com Mon Jun 11 06:37:25 2018
From: balazskov at gmail.com (Balazs Kovacs)
Date: Mon, 11 Jun 2018 12:37:25 +0200
Subject: [keycloak-user] UMA PAT clarification
Message-ID:

Hi,

I'd like some help on clarifying the process of obtaining a PAT token. I've collected some relevant text from the UMA2 specifications:

...
"protection API access token (PAT): An [RFC6749] access token with the scope uma_protection, used by the resource server as a client of the authorization server's protection API. The resource owner involved in the UMA grant is the same entity taking on the role of the resource owner authorizing issuance of the PAT."
...
"As defined in [UMAGrant], the resource owner -- the entity here authorizing PAT issuance -- MAY be an end-user (natural person) or a non-human entity treated as a person for limited legal purposes (legal person), such as a corporation. A PAT is unique to a resource owner, resource server used for resource management, and authorization server used for protection of those resources. The issuance of the PAT represents the authorization of the resource owner for the resource server to use the authorization server for protecting those resources."
...
"Different grant types for PAT issuance might be appropriate for different types of resource owners; for example, the client credentials grant is useful in the case of an organization acting as a resource owner, whereas an interactive grant type is typically more appropriate for capturing the approval of an end-user resource owner."
...
"Use of these endpoints assumes that the resource server has acquired OAuth client credentials from the authorization server by static or dynamic means, and has a valid PAT. Note: Although the resource identifiers that appear in permission and token introspection request messages could sufficiently identify the resource owner, the PAT is still required because it represents the resource owner's authorization to use the protection API, as noted in Section 1.3."

Apparently, the PAT must represent the identity and consent of the user to be used by the resource server at the authorization server, and this is the _key_ for the authorization server to know whose resource it is handling.

In the Keycloak documentation, I see an example of how a resource server can act on its own to grab a PAT token, but I don't see or really know a straightforward solution for how a resource server could get a PAT on behalf of a user.
https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_whatis_obtain_pat

In case the resource owner is acting, an authorization code flow conducted by the user-agent-facing client will use the token at the resource server, which could in turn also be used by the resource server, if that token has the 'uma_protection' scope and the AS is indicated as the token audience. But how can the RS acquire a valid PAT for the correct resource owner when the requesting party is trying to access the RS for one of the resource owner's registered resources?
The resource owner is not even in the flow in this case. Can one clarify this a bit how under all circumstances a resource server can acquire a valid PAT to use on the Protection API so that the AS can always conclude the requested owner? Br, Balazs From uo67113 at gmail.com Mon Jun 11 07:33:40 2018 From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=) Date: Mon, 11 Jun 2018 13:33:40 +0200 Subject: [keycloak-user] How to take the Service Provider Metadata file or url on Keycloak for wildfly server ? In-Reply-To: References: Message-ID: Hello Vandana, If you have keycloak server and you have registered your wildfly SP you can try this [1]. Also you can generate it yourself, there are online tools like this one [2] You can always check the OASIS doc [3], it is pretty well explained and you can even find an example Hope it helps, Luis 2018-06-08 20:31 GMT+02:00 vandana thota : > Hello > > How to take the Service Provider Metadata file or url on Keycloak for > wildfly server ? > > What configurations needs to be done to get that Service Provider > Metadata file. > > > Thanks, > Vandana > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett From sinsn_619 at abv.bg Mon Jun 11 08:30:35 2018 From: sinsn_619 at abv.bg (Pedro Pedro) Date: Mon, 11 Jun 2018 15:30:35 +0300 (EEST) Subject: [keycloak-user] Using java admin client with Wildfly In-Reply-To: References: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg> <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg> Message-ID: <1058752228.756381.1528720235393.JavaMail.apache@nm81.abv.bg> I added jboss-deployment-structure but still getting the same exception. Here is the content of it: Am I missing something? >-------- Original message 
-------- >From: valsaraj pv valsarajpv at gmail.com >Subject: Re: [keycloak-user] Using java admin client with Wildfly >To: Pedro Pedro >Sent on: 11.06.2018 05:04 I faced issues like this and resolved by setting resteasy wildfly module dependency. On Mon 11 Jun, 2018, 4:40 AM Pedro Pedro, < sinsn_619 at abv.bg > wrote: Hi all, I am trying to use the admin client in maven project, but on startup fails with this: Caused by: java.lang.RuntimeException: Could not find constructor for class: org.keycloak.admin.client.resource.ServerInfoResource at org.jboss.resteasy.spi.metadata.ResourceBuilder.constructor(ResourceBuilder.java:683) at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.registered(POJOResourceFactory.java:41) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:207) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:193) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:179) at org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:156) at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) Any ideas about this? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From andyyar66 at gmail.com Mon Jun 11 09:51:19 2018 From: andyyar66 at gmail.com (Andy Yar) Date: Mon, 11 Jun 2018 15:51:19 +0200 Subject: [keycloak-user] Group's attributes not being mapped to users? Message-ID: Hello, I use Keycloak 3.4.1.Final and keycloak-js NPM package as client. My use case employs a single level group hierarchy and users who belong to one of the groups. 
Each group has an attribute. For example attribute department_full_name. Thus users working in the same department could be grouped together and each would inherit its department_full_name attribute from the group. This way it feels natural to me. I've googled a relevant discussion: http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html Also the Server Administration confirms this behavior by stating: "The Attributes and Role Mappings tab work exactly as the tabs with similar names under a user. Any attributes and role mappings you define will be inherited by the groups and users that are members of this group." However, it doesn't seem to work for me using Bearer OpenID Connect scheme. Decoded JWT structure simply doesn't contain my mapped attribute (in id_token or access_token). It contains both roles mapped from group and directly set user's attribute but not the group mapped attribute... Am I missing something obvious here? Thanks Andy From ryan.dawson at alfresco.com Mon Jun 11 10:39:00 2018 From: ryan.dawson at alfresco.com (Ryan Dawson) Date: Mon, 11 Jun 2018 14:39:00 +0000 Subject: [keycloak-user] Start keycloak docker image with ssl disabled (or run other kcadm commands?) Message-ID: I'm wondering what is the best way to disable ssl when starting the keycloak docker image. I'm thinking it would be convenient to be able to run this when starting the keycloak docker image: /opt/jboss/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE There are already ways to turn off ssl - I could change the master realm's json or run a db script (https://stackoverflow.com/questions/38337895/globally-disable-https-keycloak) but ideally I want to run a kcadm script as that would be more flexible. I'd also like it to be an install option rather than having to exec/shell in after deploy and change it. 
I am interested because the helm chart has a preStartScript but that is effectively too early to modify the realm (https://stackoverflow.com/questions/50685882/setting-up-realms-in-keycloak-during-kubernetes-helm-install). I tried adding something to run after docker-entrypoint.sh invokes standalone.sh but realised that is effectively too late (https://github.com/kubernetes/charts/blob/master/stable/keycloak/templates/configmap.yaml#L24). I'm wondering if it would be a good idea to change the startup script (docker-entrypoint.sh and maybe standalone.sh) to expose this as an argument? Or to provide a hook for any custom script to be run? Anyone got any thoughts or suggestions on this? Ryan From vandana0242 at gmail.com Mon Jun 11 10:58:23 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 11 Jun 2018 09:58:23 -0500 Subject: [keycloak-user] How to take the Service Provider Metadata file or url on Keycloak for wildfly server ? In-Reply-To: References: Message-ID: We have IDP Metadata file from OKTA. How can I use that file? Also how to configure the things for Service provider and service provider metadata file in keycloak and wildfly. Yes, we have installed keycloak, we have wildfly 11 with three standalone instances. Thanks. On Mon, Jun 11, 2018 at 2:33 AM Luis Rodríguez Fernández wrote: > Hello Vandana, > > If you have keycloak server and you have registered your wildfly SP you > can try this [1]. 
> > Also you can generate it yourself, there are online tools like this one [2] > > You can always check the OASIS doc [3], it is pretty well explained and > you can even find an example > > Hope it helps, > > Luis > > > [1] > https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_saml_sp_descriptor > [2] https://www.samltool.com/sp_metadata.php > [3] > https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf > > 2018-06-08 20:31 GMT+02:00 vandana thota : > >> Hello >> >> How to take the Service Provider Metadata file or url on Keycloak for >> wildfly server ? >> >> What configurations needs to be done to get that Service Provider >> Metadata file. >> >> >> Thanks, >> Vandana >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." > > - Samuel Beckett > From psilva at redhat.com Mon Jun 11 11:19:48 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 11 Jun 2018 12:19:48 -0300 Subject: [keycloak-user] UMA PAT clarification In-Reply-To: References: Message-ID: We allow the resource server to manage any of its resources regardless of the owner of the resource. You can access the Protection API using a PAT obtained using RS's client credentials. Another way you can obtain a PAT is using resource owner credentials grant type. You could also use Token Exchange on the resource server to exchange a regular access token with a PAT where the target audience is the resource server. In all cases, we assume that the owner is granted with a "uma_protection scope" (which is actually a client role within the token) for a particular RS. We also only accept PATs if it was issued to the RS. I understand your point, it is different than what is in the specs. 
But it simplifies a lot RS implementation when using the protection API to manage resources. On Mon, Jun 11, 2018 at 7:37 AM, Balazs Kovacs wrote: > Hi, > I'd like some help on clarifying the process of obtaining a PAT token. > I've collected some relevant text from the UMA2 specifications: > ... > "protection API access token (PAT)An [RFC6749] > 2.0.html#RFC6749> > access token with the scope uma_protection, used by the resource server as > a client of the authorization server's protection API. The resource owner > involved in the UMA grant is the same entity taking on the role of the > resource owner authorizing issuance of the PAT." > > ... > "As defined in [UMAGrant] > 2.0.html#UMAGrant>, > the resource owner -- the entity here authorizing PAT issuance -- MAY be an > end-user (natural person) or a non-human entity treated as a person for > limited legal purposes (legal person), such as a corporation. A PAT is > unique to a resource owner, resource server used for resource management, > and authorization server used for protection of those resources. The > issuance of the PAT represents the authorization of the resource owner for > the resource server to use the authorization server for protecting those > resources." > > ... > "Different grant types for PAT issuance might be appropriate for different > types of resource owners; for example, the client credentials grant is > useful in the case of an organization acting as a resource owner, whereas > an interactive grant type is typically more appropriate for capturing the > approval of an end-user resource owner. " > > ... > "Use of these endpoints assumes that the resource server has acquired OAuth > client credentials from the authorization server by static or dynamic > means, and has a valid PAT. 
Note: Although the resource identifiers that > appear in permission and token introspection request messages could > sufficiently identify the resource owner, the PAT is still required because > it represents the resource owner's authorization to use the protection API, > as noted in Section 1.3 > 2.0.html#api-sec>. > " > > Apparently, the PAT must represent the identity and consent of the user to > be used by the resource server at the authorization server, and this is the > _key_ for the authorization server to know whose resource it is handling. > > In the keycloak documentation, I see an example on how a resource server > can act on its own to grab a PAT token, but I don't see or really know a > straightforward solution how a resource server could get a PAT on behalf of > a user. > https://www.keycloak.org/docs/latest/authorization_services/ > index.html#_service_protection_whatis_obtain_pat > > In case the resource owner is acting, an authorization code flow conducted > by the user-agent facing client will use the token at the resource server, > which could be in turn also used by the resource server, if that token has > 'uma_protection' scope and AS indicated as token audience. > > But how can the RS acquire a valid PAT for the correct resource owner, when > the requesting-party is trying to access the RS for one of the resource > owner's registered resource? The resource owner is not even in the flow in > this case > > Can one clarify this a bit how at all circumstances a resource server can > acquire a valid PAT to use on the Protection API so that the AS can always > conclude the requested owner? 
> > Br, > Balazs > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ntle at castortech.com Mon Jun 11 16:38:06 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Mon, 11 Jun 2018 16:38:06 -0400 Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header found in preflight response Message-ID: Hello, I am having an issue with CORS, here is my setup: I'm using keycloak 4.0.0.Beta2. In the client setting page of keycloak admin console, I have web origin set to * Keycloak jetty adaptor is configured programmatically as follows: AdapterConfig keycloakConfig = new AdapterConfig(); ... keycloakConfig.setCors(true); keycloakConfig.setCorsAllowedMethods("POST, PUT, DELETE, GET"); keycloakConfig.setCorsAllowedHeaders("Origin, X-Requested-With, Content-Type, Accept, Cache-Control, Cookie, Host, Pragma, Referer, User-Agent"); From the browser, I see a GET request: https://dev.test.com:9443/diagram/services/diagrams/rest/common/getData?diagramID=_uulwGnlHS8ycCW-SGOpRjg&synchronize=false&_=1528746961564 And the server response: HTTP/1.1 302 Found Date: Mon, 11 Jun 2018 19:56:04 GMT Set-Cookie: JSESSIONID=node0lc6bl81dkagi1q62aulvltr183.node0;Path=/diagram/services/diagrams/rest;Secure Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: OAuth_Token_Request_State=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73;HttpOnly Location: https://dev.test.com:8543/auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid Content-Length: 0 Server: Jetty(9.4.6.v20170531) Somehow this 302 instructs the browser to do a preflight check with OPTIONS: OPTIONS 
/auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid HTTP/1.1 Host: dev.test.com:8543 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache Access-Control-Request-Method: GET Origin: https://dev.test.com:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36 Access-Control-Request-Headers: x-requested-with Accept: */* Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 However, when keycloak replies to the preflight, it sets status to 204 (perhaps correct since it has nothing) but no 'Access-Control-Allow-Origin' header is returned. I think because of this, the real GET request is not sent. Did I miss anything when configuring keycloak that may cause this? Thai From carreraariel at gmail.com Mon Jun 11 17:44:03 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Mon, 11 Jun 2018 18:44:03 -0300 Subject: [keycloak-user] Simple user SSO between keycloak instances In-Reply-To: References: Message-ID: Have you got a load balancer in front of keycloaks? Have you tested it hitting the balancer? Maybe the issuer is changing from one token to the other. On Mon, 11 Jun 2018 at 07:04, Long Man wrote: > I have a pair of keycloak setup as cross datacenter HA > as per https://www.keycloak.org/docs/4.0/server_installation/#setup > > All configuration data is replicated, and changes to session/config are > seen immediately in both instances console. > > However, a user login to /auth/realms/master/account/ cannot re-use the > same session between the instances. 
> 1) login to http://host.domain.com:8080/auth/realms/master/account > (instance 1) > 2) go to http://host.domain.com:9080/auth/realms/master/account (instance > 2) > prompted to login again although all the cookies are sent to instance2 > (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) > > Any help appreciated > > Thanks a bunch! > > Regards, > BL > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Ariel Carrera From andyyar66 at gmail.com Tue Jun 12 03:08:18 2018 From: andyyar66 at gmail.com (Andy Yar) Date: Tue, 12 Jun 2018 09:08:18 +0200 Subject: [keycloak-user] Group's attributes not being mapped to users? In-Reply-To: References: Message-ID: The solution is to add a User Attribute mapper for the desired Client. This way you can "map" any attribute to selected token. Just specify the group attribute name, desired token name, data type and tokens type(s). On Mon, Jun 11, 2018 at 3:51 PM, Andy Yar wrote: > Hello, > I use Keycloak 3.4.1.Final and keycloak-js NPM package as client. > > My use case employs a single level group hierarchy and users who > belong to one of the groups. Each group has an attribute. > > For example attribute department_full_name. Thus users working in the > same department could be grouped together and each would inherit its > department_full_name attribute from the group. > > This way it feels natural to me. > > I've googled a relevant discussion: > http://lists.jboss.org/pipermail/keycloak-user/2015-December/004042.html > > Also the Server Administration confirms this behavior by stating: "The > Attributes and Role Mappings tab work exactly as the tabs with similar > names under a user. Any attributes and role mappings you define will > be inherited by the groups and users that are members of this group." > > However, it doesn't seem to work for me using Bearer OpenID Connect > scheme. 
Decoded JWT structure simply doesn't contain my mapped > attribute (in id_token or access_token). It contains both roles mapped > from group and directly set user's attribute but not the group mapped > attribute... > > Am I missing something obvious here? Thanks > > Andy From balazskov at gmail.com Tue Jun 12 03:12:07 2018 From: balazskov at gmail.com (Balazs Kovacs) Date: Tue, 12 Jun 2018 09:12:07 +0200 Subject: [keycloak-user] UMA PAT clarification In-Reply-To: References: Message-ID: Hi Pedro, Thanks for your response. I think the trade-off you described makes perfect sense. However, I also would like to understand how the identity of the resource owner is conveyed by the RS to the AS. From the UMA spec, an example resource creation on the Protection API looks accordingly: POST /rreg/ HTTP/1.1 Content-Type: application/json Authorization: Bearer MHg3OUZEQkZBMjcx ... { "resource_scopes":[ "read-public", "post-updates", "read-private", "http://www.example.com/scopes/all" ], "icon_uri":"http://www.example.com/icons/sharesocial.png", "name":"Tweedl Social Service", "type":"http://www.example.com/rsrcs/socialstream/140-compatible" } If the RS can do resource protection requests by a PAT that it obtained via the client credentials method (and not on users' behalf), through what request attribute does the AS learn which resource owner's data the RS is talking about? In the end the AS needs to assign each registered resource (by RS) to a user account as owner, right? Do maybe the 'resource owner password grant' and the 'token exchange' you mentioned above help on that by having owner identity in the PAT in these cases? What grant type to use for this 'token exchange' method? Br, Balazs On Mon, Jun 11, 2018 at 5:19 PM, Pedro Igor Silva wrote: > We allow the resource server to manage any of its resources regardless of > the owner of the resource. You can access the Protection API using a PAT > obtained using RS's client credentials. 
> > Another you can obtain a PAT is using resource owner credentials grant > type. > > You could also use Token Exchange on the resource server to exchange a > regular access token with a PAT where the target audience is the resource > server. > > In all cases, we assume that the owner is granted with a "uma_protection > scope" (which is actually a client role within the token) for a > particular RS. We also only accept PATs if it was issued to the RS. > > I understand your point, it is different than what is in the specs. But it > simplifies a lot RS implementation when using the protection API to manage > resources. > > > On Mon, Jun 11, 2018 at 7:37 AM, Balazs Kovacs > wrote: > >> Hi, >> I'd like some help on clarifying the process of obtaining a PAT token. >> I've collected some relevant text from the UMA2 specifications: >> ... >> "protection API access token (PAT)An [RFC6749] >> > federated-authz-2.0.html#RFC6749> >> access token with the scope uma_protection, used by the resource server as >> a client of the authorization server's protection API. The resource owner >> involved in the UMA grant is the same entity taking on the role of the >> resource owner authorizing issuance of the PAT." >> >> ... >> "As defined in [UMAGrant] >> > federated-authz-2.0.html#UMAGrant>, >> the resource owner -- the entity here authorizing PAT issuance -- MAY be >> an >> end-user (natural person) or a non-human entity treated as a person for >> limited legal purposes (legal person), such as a corporation. A PAT is >> unique to a resource owner, resource server used for resource management, >> and authorization server used for protection of those resources. The >> issuance of the PAT represents the authorization of the resource owner for >> the resource server to use the authorization server for protecting those >> resources." >> >> ... 
>> "Different grant types for PAT issuance might be appropriate for different >> types of resource owners; for example, the client credentials grant is >> useful in the case of an organization acting as a resource owner, whereas >> an interactive grant type is typically more appropriate for capturing the >> approval of an end-user resource owner. " >> >> ... >> "Use of these endpoints assumes that the resource server has acquired >> OAuth >> client credentials from the authorization server by static or dynamic >> means, and has a valid PAT. Note: Although the resource identifiers that >> appear in permission and token introspection request messages could >> sufficiently identify the resource owner, the PAT is still required >> because >> it represents the resource owner's authorization to use the protection >> API, >> as noted in Section 1.3 >> > federated-authz-2.0.html#api-sec>. >> " >> >> Apparently, the PAT must represent the identity and consent of the user to >> be used by the resource server at the authorization server, and this is >> the >> _key_ for the authorization server to know whose resource it is handling. >> >> In the keycloak documentation, I see an example on how a resource server >> can act on its own to grab a PAT token, but I don't see or really know a >> straightforward solution how a resource server could get a PAT on behalf >> of >> a user. >> https://www.keycloak.org/docs/latest/authorization_services/ >> index.html#_service_protection_whatis_obtain_pat >> >> In case the resource owner is acting, an authorization code flow conducted >> by the user-agent facing client will use the token at the resource server, >> which could be in turn also used by the resource server, if that token has >> 'uma_protection' scope and AS indicated as token audience. >> >> But how can the RS acquire a valid PAT for the correct resource owner, >> when >> the requesting-party is trying to access the RS for one of the resource >> owner's registered resource? 
The resource owner is not even in the flow in >> this case >> >> Can one clarify this a bit how under all circumstances a resource server can >> acquire a valid PAT to use on the Protection API so that the AS can always >> conclude the requested owner? >> >> Br, >> Balazs >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From longman at barramandi.com Tue Jun 12 04:14:12 2018 From: longman at barramandi.com (Long Man) Date: Tue, 12 Jun 2018 16:14:12 +0800 Subject: [keycloak-user] Simple user SSO between keycloak instances In-Reply-To: References: Message-ID: Thanks Ariel. I found out the following: request host.domain.com:port must be identical with the initial authentication. Session cookie itself is not sufficient. So yes, via a load balancer, it will work. Unlike many other SSO products that use cookie domain .domain.com to share session cookies within the infrastructure, Keycloak does not allow that and takes it one level higher, not even allowing a difference of port number. Maybe a future version can have an option to relax this enforcement as it will be beneficial should multi-site deployments want to have different hostnames within the same domain with each site having its own load balancers, i.e. ap.sso.domain.com, na.sso.domain.com, eu.sso.domain.com Thanks. Regards, BL On Tue, Jun 12, 2018 at 5:44 AM, Ariel Carrera wrote: > Have you got a load balancer in front of keycloaks? Have you tested it > hitting the balancer? Maybe the issuer is changing from one token to the > other. > > On Mon, 11 Jun 2018 at 07:04, Long Man > wrote: > >> I have a pair of keycloak setup as cross datacenter HA >> as per https://www.keycloak.org/docs/4.0/server_installation/#setup >> >> All configuration data is replicated, and changes to session/config are >> seen immediately in both instances console. 
>> >> However, a user login to /auth/realms/master/account/ cannot re-use the >> same session between the instances. >> 1) login to http://host.domain.com:8080/auth/realms/master/account >> (instance 1) >> 2) go to http://host.domain.com:9080/auth/realms/master/account >> (instance 2) >> prompted to login again although all the cookies are sent to instance2 >> (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) >> >> Any help appreciated >> >> Thanks a bunch! >> >> Regards, >> BL >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -- > Ariel Carrera > From frederic.seneque at inova-software.com Tue Jun 12 04:46:06 2018 From: frederic.seneque at inova-software.com (=?iso-8859-1?Q?Fr=E9d=E9ric_S=E9n=E8que?=) Date: Tue, 12 Jun 2018 08:46:06 +0000 Subject: [keycloak-user] [Keycloak] Server Development - Custom Forgot Password Branding In-Reply-To: References: Message-ID: Dear all, We need to do some custom branding on the forgot password pages and emails, reset password etc., and we are planning to extend the keycloak theme (version 3.4.3.Final). But we are facing an issue on how to get some custom data from the previous page (the login form). We tried to look at this, but it seems quite old: https://stackoverflow.com/questions/44072608/keycloak-access-cookie-and-or-url-query-params-inside-freemarker-template I have read the documentation about creating a new SPI and tried to create one for the forgot password page (org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider). But it looks like I need to implement all the login pages (configure TOTP, Update Profile ...). Is there a way to only "override" forgot password and reset password without the need of copy/pasting almost all of the code? 
Thanks in advance Regards, Frédéric SENEQUE From carreraariel at gmail.com Tue Jun 12 06:47:49 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Tue, 12 Jun 2018 07:47:49 -0300 Subject: [keycloak-user] Simple user SSO between keycloak instances In-Reply-To: References: Message-ID: Please read the clustering chapter, I think you need to set some headers between the balancer and the kc nodes (x-forwarded-for, proto... etc) On Tue, 12 Jun 2018 at 05:14, Long Man wrote: > Thanks Ariel. > I found out the following: request host.domain.com:port must be identical > with the initial authentication. > Session cookie itself is not sufficient. > So yes, via a load balancer, it will work. > > Unlike many other SSO products that use cookie domain .domain.com to > share session cookies within the infrastructure, Keycloak does not allow > that and takes it one level higher, not even allowing a difference of port > number. > > Maybe a future version can have an option to relax this enforcement as it will > be beneficial should multi-site deployments want to have different > hostnames within the same domain with each site having its own load balancers, > i.e. ap.sso.domain.com, na.sso.domain.com, eu.sso.domain.com > > Thanks. > Regards, > BL > > On Tue, Jun 12, 2018 at 5:44 AM, Ariel Carrera > wrote: > >> Have you got a load balancer in front of keycloaks? Have you tested it >> hitting the balancer? Maybe the issuer is changing from one token to the >> other. >> >> On Mon, 11 Jun 2018 at 07:04, Long Man >> wrote: >> >>> I have a pair of keycloak setup as cross datacenter HA >>> as per https://www.keycloak.org/docs/4.0/server_installation/#setup >>> >>> All configuration data is replicated, and changes to session/config are >>> seen immediately in both instances console. >>> >>> However, a user login to /auth/realms/master/account/ cannot re-use the >>> same session between the instances. 
>>> 1) login to http://host.domain.com:8080/auth/realms/master/account >>> (instance 1) >>> 2) go to http://host.domain.com:9080/auth/realms/master/account >>> (instance 2) >>> prompted to login again although all the cookies are sent to instance2 >>> (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY) >>> >>> Any help appreciated >>> >>> Thanks a bunch! >>> >>> Regards, >>> BL >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> -- >> Ariel Carrera >> > > -- Ariel Carrera From psilva at redhat.com Tue Jun 12 06:50:02 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 12 Jun 2018 07:50:02 -0300 Subject: [keycloak-user] UMA PAT clarification In-Reply-To: References: Message-ID: When creating a resource, you just set the owner property with a value that could be either the username or id. Something like that https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L133 . I'm going to improve docs for this area. Thanks. On Tue, Jun 12, 2018 at 4:12 AM, Balazs Kovacs wrote: > Hi Pedro, > > Thanks for your response. > > I think the trade-off you described makes perfect sense. However, I also > would like to understand how the identity of the resource owner is conveyed > by the RS to the AS. From the UMA spec, an example resource creation on the > Protection API looks accordingly: > > POST /rreg/ HTTP/1.1 Content-Type: application/json > Authorization: Bearer MHg3OUZEQkZBMjcx > ... 
> { > "resource_scopes":[ > "read-public", > "post-updates", > "read-private", > "http://www.example.com/scopes/all" > ], > "icon_uri":"http://www.example.com/icons/sharesocial.png", > "name":"Tweedl Social Service", > "type":"http://www.example.com/rsrcs/socialstream/140-compatible" > } > > If the RS can do resource protection requests by a PAT that it obtained > via the client credentials method (and not on users' behalf), through what > request attribute does the AS learn which resource owner's data the RS is > talking about? In the end the AS needs to assign each registered resource > (by RS) to a user account as owner, right? Do maybe the 'resource owner > password grant' and the 'token exchange' you mentioned above help on that > by having owner identity in the PAT in these cases? What grant type to use > for this 'token exchange' method? > > Br, > Balazs > > On Mon, Jun 11, 2018 at 5:19 PM, Pedro Igor Silva > wrote: > >> We allow the resource server to manage any of its resources regardless of >> the owner of the resource. You can access the Protection API using a PAT >> obtained using RS's client credentials. >> >> Another you can obtain a PAT is using resource owner credentials grant >> type. >> >> You could also use Token Exchange on the resource server to exchange a >> regular access token with a PAT where the target audience is the resource >> server. >> >> In all cases, we assume that the owner is granted with a "uma_protection >> scope" (which is actually a client role within the token) for a >> particular RS. We also only accept PATs if it was issued to the RS. >> >> I understand your point, it is different than what is in the specs. But >> it simplifies a lot RS implementation when using the protection API to >> manage resources. >> >> >> On Mon, Jun 11, 2018 at 7:37 AM, Balazs Kovacs >> wrote: >> >>> Hi, >>> I'd like some help on clarifying the process of obtaining a PAT token. 
>>> I've collected some relevant text from the UMA2 specifications: >>> ... >>> "protection API access token (PAT)An [RFC6749] >>> >> erated-authz-2.0.html#RFC6749> >>> access token with the scope uma_protection, used by the resource server >>> as >>> a client of the authorization server's protection API. The resource owner >>> involved in the UMA grant is the same entity taking on the role of the >>> resource owner authorizing issuance of the PAT." >>> >>> ... >>> "As defined in [UMAGrant] >>> >> erated-authz-2.0.html#UMAGrant>, >>> the resource owner -- the entity here authorizing PAT issuance -- MAY be >>> an >>> end-user (natural person) or a non-human entity treated as a person for >>> limited legal purposes (legal person), such as a corporation. A PAT is >>> unique to a resource owner, resource server used for resource management, >>> and authorization server used for protection of those resources. The >>> issuance of the PAT represents the authorization of the resource owner >>> for >>> the resource server to use the authorization server for protecting those >>> resources." >>> >>> ... >>> "Different grant types for PAT issuance might be appropriate for >>> different >>> types of resource owners; for example, the client credentials grant is >>> useful in the case of an organization acting as a resource owner, whereas >>> an interactive grant type is typically more appropriate for capturing the >>> approval of an end-user resource owner. " >>> >>> ... >>> "Use of these endpoints assumes that the resource server has acquired >>> OAuth >>> client credentials from the authorization server by static or dynamic >>> means, and has a valid PAT. 
Note: Although the resource identifiers that >>> appear in permission and token introspection request messages could >>> sufficiently identify the resource owner, the PAT is still required >>> because >>> it represents the resource owner's authorization to use the protection >>> API, >>> as noted in Section 1.3 >>> >> erated-authz-2.0.html#api-sec>. >>> " >>> >>> Apparently, the PAT must represent the identity and consent of the user >>> to >>> be used by the resource server at the authorization server, and this is >>> the >>> _key_ for the authorization server to know whose resource it is handling. >>> >>> In the keycloak documentation, I see an example on how a resource server >>> can act on its own to grab a PAT token, but I don't see or really know a >>> straightforward solution how a resource server could get a PAT on behalf >>> of >>> a user. >>> https://www.keycloak.org/docs/latest/authorization_services/ >>> index.html#_service_protection_whatis_obtain_pat >>> >>> In case the resource owner is acting, an authorization code flow >>> conducted >>> by the user-agent facing client will use the token at the resource >>> server, >>> which could be in turn also used by the resource server, if that token >>> has >>> 'uma_protection' scope and AS indicated as token audience. >>> >>> But how can the RS acquire a valid PAT for the correct resource owner, >>> when >>> the requesting-party is trying to access the RS for one of the resource >>> owner's registered resource? The resource owner is not even in the flow >>> in >>> this case >>> >>> Can one clarify this a bit how at all circumstances a resource server can >>> acquire a valid PAT to use on the Protection API so that the AS can >>> always >>> conclude the requested owner? 
>>> >>> Br, >>> Balazs >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From vandana0242 at gmail.com Tue Jun 12 11:22:45 2018 From: vandana0242 at gmail.com (vandana thota) Date: Tue, 12 Jun 2018 10:22:45 -0500 Subject: [keycloak-user] How to take the Service Provider Metadata file or url on Keycloak for wildfly server ? In-Reply-To: References: Message-ID: Hello All, 1)How to configure the Serivce Provider on keycloak or on Wildfly ? 2)Once we configure the IDP provider from external IDP and the SP on keycloak or on wildfly , do we need to do configure anything on wildfly server ? Thanks. On Mon, Jun 11, 2018 at 9:58 AM vandana thota wrote: > We have IDP Metadata file from OKTA . > > How can I use that file ? > > Also How to configure the things for Service provider and service > provider metadafile in keycloak and wildfly . > > Yes have installed keycloak , we have wildfly 11 with three > standalone instances . > > Thanks. > > On Mon, Jun 11, 2018 at 2:33 AM Luis Rodr?guez Fern?ndez < > uo67113 at gmail.com> wrote: > >> Hello Vandana, >> >> If you have keycloak server and you have registered your wildfly SP you >> can try this [1]. >> >> Also you can generate it yourself, there are online tools like this one >> [2] >> >> You can always check the OASIS doc [3], it is oretty well explained and >> you can even find an example >> >> Hope it helps, >> >> Luis >> >> >> [1] >> https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker_saml_sp_descriptor >> [2] https://www.samltool.com/sp_metadata.php >> [3] >> https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf >> >> 2018-06-08 20:31 GMT+02:00 vandana thota : >> >>> Hello >>> >>> How to take the Service Provider Metadata file or url on Keycloak for >>> wildfly server ? 
>>> >>> What configurations need to be done to get that Service Provider >>> Metadata file. >>> >>> >>> Thanks, >>> Vandana >>> >> >> >> >> -- >> >> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." >> >> - Samuel Beckett >> > From 321j.con at gmail.com Tue Jun 12 12:56:35 2018 From: 321j.con at gmail.com (Jordan Conner) Date: Tue, 12 Jun 2018 12:56:35 -0400 Subject: [keycloak-user] Developing with keycloak-adapter without an OAuth Server Message-ID: Hi all, I've been developing a J2EE application utilizing the keycloak-wildfly adapter to connect to a 3rd party OAuth server. Now the customer who I'm developing this application for also has another vendor creating an OAuth server. After almost 2 years of developing they have now restricted access to the OAuth server and I can no longer access it from my local environment. They expect me to push my code up to their remote development server to test changes. What is the best way I can go from here? I have tons of code utilizing the attributes in a token, and I don't understand fully how to customize the keycloak-adapter to skip certain functions in a development environment. I was told my local environment shouldn't need to access the OAuth server yet I don't understand how to bypass/fake certain functions. For example, all of my .xhtml pages are secured in the .WAR's web.xml using KEYCLOAK From my understanding, if a page is secured in then that is what triggers the redirect to OAuth (if a token isn't active/valid.) How can I basically "skip" this authentication check in a local environment? I have stood up my own keycloak server which I can authenticate with, but the customer's OAuth server vendor has done custom modifications to their keycloak server.
For example, they have added extra fields where first/last name are, where on regular keycloak that would be a user-attribute map. TLDR; Is there anything in the keycloak-adapter that would skip authentication in a development environment? Is there a way to create a fake base64 token? Or during login of my application (where I extract user attributes and their custom attributes) should I make it so it works for either OAuth server? Thank you for any help. From pulkitsrivastavajd at gmail.com Wed Jun 13 02:25:11 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Wed, 13 Jun 2018 11:55:11 +0530 Subject: [keycloak-user] Display Calling application name Message-ID: Hi, I have multiple applications that authenticate users using keycloak. Is there a way to show the application name on the keycloak login page according to the application from which the user arrived? How can this be achieved? Thanks, Pulkit From pulkitsrivastavajd at gmail.com Wed Jun 13 05:08:05 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Wed, 13 Jun 2018 14:38:05 +0530 Subject: [keycloak-user] Display Calling application name In-Reply-To: References: Message-ID: Any pointer to this? A prompt reply would be appreciated. On Wed, Jun 13, 2018 at 11:55 AM Pulkit Srivastava < pulkitsrivastavajd at gmail.com> wrote: > Hi, > I have multiple applications that authenticate users using keycloak. Is > there a way to show the application name on the keycloak login page according > to the application from which the user arrived? How can this be achieved? > > Thanks, > Pulkit > From subodhcjoshi82 at gmail.com Wed Jun 13 09:23:25 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Wed, 13 Jun 2018 18:53:25 +0530 Subject: [keycloak-user] How to include SMTP server details from admin-cli Message-ID: Hi All, As an automation of keycloak we want to automate including the keycloak SMTP server details. What will be the command to include the SMTP server details with the realm?
For realm creation I am using this command:

    /opt/keycloak/bin/kcadm.sh create realms -s realm=realm_name -s enabled=true

-- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From vandana0242 at gmail.com Wed Jun 13 11:58:52 2018 From: vandana0242 at gmail.com (vandana thota) Date: Wed, 13 Jun 2018 10:58:52 -0500 Subject: [keycloak-user] keycloak | Service Provider | Wildfly | SAML 2.0 | SSO | Identity Provider | Message-ID: Hello, We have the below environment set up:

1) Wildfly 11 Final
2) JDK8
3) Linux 7 version
4) Built the wildfly non-prod as a standalone server. Configured 3 standalone instances on this wildfly server.
5) Deployed the application on all 3 instances
6) Enabled SSL
7) Installed keycloak and configured it, and could log in to its Administration console
8) SAML 2.0 protocol

We need to configure the Service Provider related things on keycloak by using external Identity Provider information. We already have the IDP information. What is the next step?

1) What do I have to do on keycloak in order to get the service provider information?
2) Before having the information about the SP, what needs to be on keycloak as pre-requisites?
3) How can I configure anything related to the IDP or SP on the wildfly server (3 instances)'s deployed application or in the standalone.xml file of the 3 instances?
4) Any other configurations that need to be done related to Single sign on etc.

Let me know anything I'm missing to provide as information for the above configuration. If anyone knows the information please provide us with detailed steps, as this is the first time we have installed keycloak and are searching about Service Provider configurations etc. The whole above task is the first time we are going to do it. If possible can anyone share screenshots step by step. Thanks in advance.
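Subodh's question above (adding a realm's SMTP server details from kcadm.sh) can be handled with a partial realm update. The script below is an added example written for this page; it is not code from the thread or from the Keycloak project. It assumes kcadm.sh at /opt/keycloak/bin/kcadm.sh as in the original create command, that the realm already exists and that "kcadm.sh config credentials ..." has already been run as the admin user; the SMTP_* and KC_* variable names are invented here. The point it adds beyond a one-line `-s smtpServer.host=...` is that the SMTP password is written to a 0600 file and sent with `-f`, so it never shows up in `ps` output or shell history.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from the Keycloak
# project: set a realm's SMTP server with kcadm.sh as part of an automated setup.
# Assumptions: kcadm.sh is at $KCADM (the path from the original create command),
# the realm already exists, and "kcadm.sh config credentials ..." has been run.
# The SMTP_*/KC_* variable names are invented here.
set -eu

KCADM="${KCADM:-/opt/keycloak/bin/kcadm.sh}"

# Escape a value for use inside a JSON double-quoted string.
json_str() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write a partial realm representation holding only the smtpServer map to $1.
# The keys are the ones the admin console writes (host, port, from, auth,
# starttls, user, password); every value in this map is a string.
# The file is created under umask 077 so the SMTP password is not readable by
# other users, and the password never goes on the kcadm command line.
write_smtp_json() {
  out="$1"; host="$2"; port="$3"; from="$4"; user="$5"; password="$6"
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
  esac
  case "$from" in
    *@*) ;;
    *) echo "from must be an e-mail address: $from" >&2; return 1 ;;
  esac
  (
    umask 077
    printf '{"smtpServer":{"host":"%s","port":"%s","from":"%s","auth":"true","starttls":"true","user":"%s","password":"%s"}}\n' \
      "$(json_str "$host")" "$port" "$(json_str "$from")" \
      "$(json_str "$user")" "$(json_str "$password")" > "$out"
  )
}

# Apply the file to the realm. The server applies only the fields present in
# the representation, so the rest of the realm configuration is left alone.
configure_smtp() {
  realm="$1"; json="$2"
  "$KCADM" update "realms/$realm" -f "$json"
}

# Read the stored settings back for verification, with the password line dropped.
show_smtp() {
  "$KCADM" get "realms/$1" --fields smtpServer | sed '/"password"/d'
}

# Only contact the server when asked, so the functions above can be sourced
# and checked without a running Keycloak.
if [ "${KC_APPLY:-0}" = "1" ]; then
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  write_smtp_json "$tmp" "$SMTP_HOST" "${SMTP_PORT:-587}" "$SMTP_FROM" \
    "$SMTP_USER" "$SMTP_PASSWORD"
  configure_smtp "${KC_REALM:-realm_name}" "$tmp"
  show_smtp "${KC_REALM:-realm_name}"
fi
```

Run it as `KC_APPLY=1 KC_REALM=realm_name SMTP_HOST=smtp.example.com SMTP_FROM=noreply@example.com SMTP_USER=mailer SMTP_PASSWORD=... sh smtp.sh` after the realm has been created. The same nested keys can also be passed directly as `-s 'smtpServer.host=...'` arguments (kcadm accepts dotted paths into nested maps), which is fine for everything except the password.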
From fbernard at appstud.com Wed Jun 13 12:58:37 2018 From: fbernard at appstud.com (Florian Bernard) Date: Wed, 13 Jun 2018 16:58:37 +0000 Subject: [keycloak-user] Keycloak always create user when use exchange_token grant_type Message-ID: <963B4799-721E-4950-A9A6-BFBFA3CD54A9@appstud.com> Hello, We try to implement the following use case. We have a Realm and a Client that allow users to log in with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to log in with a Facebook token by using the same rest api but with the token-exchange grant_type, only if a keycloak user already exists and if it's linked with the Facebook identity provider. Problem: if a user that does not exist in Keycloak exchanges a Facebook token, it'll be automatically created by keycloak and an access_token is returned. We tried to modify the First Login Flow in the Identity provider configuration, but it does not work. How can we prevent keycloak from creating the user and return an error if there is no keycloak user linked to the facebook token? Thanks in advance, Florian From jake.trotman at optum.com Wed Jun 13 18:13:36 2018 From: jake.trotman at optum.com (Trotman, Jake M) Date: Wed, 13 Jun 2018 22:13:36 +0000 Subject: [keycloak-user] Using a User Session Note in an IDP Post Login Flow Authentication SPI Message-ID: Hello, I'm running into an issue with an Authentication SPI I'm creating. My use case boils down to this: I want to grab a User Session Note I have configured for a specific client in an Authentication SPI during its IDP Post Login flow and do something with it. I have the following configuration set up: A client with a custom mapper for identity_provider_identity to be used as a User Session Note type. A 3rd party IDP used for identity brokering using the OpenID Connect v1.0 configuration. A single custom Authentication SPI configured as the Post Login Flow authentication Flow for this IDP.
I'll omit the beef of the SPI code for brevity, but this code snippet demonstrates the issue I'm running into:

    @Override
    void authenticate(AuthenticationFlowContext context) {
        context.getAuthenticationSession().getUserSessionNotes().each {
            println "key: ${it.key}, value: ${it.value}"
        }
    }

context.getAuthenticationSession().getUserSessionNotes() is empty. I've tried adding IDP mappers (Hardcoded User Session Attributes), and can see these populate in getUserSessionNotes(), but what I really want is the identity_provider_identity which is only configurable for the client: https://www.keycloak.org/docs/latest/server_admin/index.html#available-user-session-data and available as User Session Data. I've tried context.getAuthenticationSession().getClientNotes(), but that does not contain the user session notes. Can anyone help with figuring out a way to pull this user session data into my SPI configured as an IDP post login authentication flow? Thanks for any response, Jake Trotman From gintautas.sulskus at gmail.com Wed Jun 13 18:37:53 2018 From: gintautas.sulskus at gmail.com (Gintautas Sulskus) Date: Wed, 13 Jun 2018 23:37:53 +0100 Subject: [keycloak-user] Can I omit keycloak.securityConstraints and HttpSecurity configuration? Message-ID: Hi, Is it necessary to manually map Spring app endpoints to Keycloak roles, e.g. by configuring keycloak.securityConstraints in app.properties or HttpSecurity in a Java class?
At the moment I configure Keycloak by extending KeycloakWebSecurityConfigurerAdapter. The app works only if I override the 'configure(HttpSecurity http)' method and add endpoint-role mappings manually, e.g.: http.authorizeRequests().antMatchers("/test").hasRole("someRole"). If I omit this step, the app fails to start and throws the following exception: > > Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests() > at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) > at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:579) > ... 26 more > Caused by: java.lang.IllegalStateException: permitAll only works with HttpSecurity.authorizeRequests() > at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:49) > at org.springframework.security.config.annotation.web.configurers.PermitAllSupport.permitAll(PermitAllSupport.java:36) > at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:275) at org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.init(LogoutConfigurer.java:66) Please find my Keycloak configuration below. Note, I did not set keycloak.securityConstraints[] in my app.
    keycloak:
      realm: master
      auth-server-url: http://localhost/auth
      ssl-required: external
      resource: some-service
      credentials:
        secret: 6f02848a-0fd1-40fc-96cf-50035110240b
      use-resource-role-mappings: true
      confidential-port: 0
      principal-attribute: preferred_username
      policy-enforcer-config:
        enforcement-mode: ENFORCING

Regards, Gin From pulkitsrivastavajd at gmail.com Thu Jun 14 01:25:05 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Thu, 14 Jun 2018 10:55:05 +0530 Subject: [keycloak-user] Display app name on keycloak login page Message-ID: Hi, I have multiple applications that authenticate users using keycloak. Is there a way to show the application name on the keycloak login page according to the application from which the user arrived? How can this be achieved? Thanks, Pulkit From fbernard at appstud.com Thu Jun 14 03:16:51 2018 From: fbernard at appstud.com (Florian Bernard) Date: Thu, 14 Jun 2018 07:16:51 +0000 Subject: [keycloak-user] Display app name on keycloak login page In-Reply-To: References: Message-ID: <238C1273-96C7-4F25-9BC5-652753AC8D68@appstud.com> Hello, Maybe you can try to create your own theme to add the application name on the login page. https://www.keycloak.org/docs/latest/server_development/index.html#_themes You can also create a theme for each application and use a custom theme selector in Keycloak: https://www.keycloak.org/docs/latest/server_development/index.html#_theme_selector Hope it'll help you, Florian On 14/06/2018 07:27, "keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Srivastava" wrote: Hi, I have multiple applications that authenticate users using keycloak. Is there a way to show the application name on the keycloak login page according to the application from which the user arrived? How can this be achieved?
Thanks, Pulkit From sthorger at redhat.com Thu Jun 14 03:24:33 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jun 2018 09:24:33 +0200 Subject: [keycloak-user] Community maintained extensions Message-ID: We've added a simple page to list community maintained extensions to Keycloak. If you've developed and maintain an extension to Keycloak we would love you to list your work on our website. To do that simply send a PR to https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions . A template for the required json file is here: https://github.com/keycloak/keycloak-web/blob/master/src/main/resources/extension-template.json . From sthorger at redhat.com Thu Jun 14 03:39:06 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jun 2018 09:39:06 +0200 Subject: [keycloak-user] Keycloak 4.0.0.Final is out Message-ID: https://www.keycloak.org/downloads.html From thomas.darimont at googlemail.com Thu Jun 14 03:52:37 2018 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 14 Jun 2018 09:52:37 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final is out In-Reply-To: References: Message-ID: Awesome work! Congrats :) Stian Thorgersen wrote on Thu, 14 June 2018, 09:40: > https://www.keycloak.org/downloads.html > From stuarta at squashedfrog.net Thu Jun 14 05:37:45 2018 From: stuarta at squashedfrog.net (Stuart Auchterlonie) Date: Thu, 14 Jun 2018 10:37:45 +0100 Subject: [keycloak-user] Keycloak 4.0.0.Final is out In-Reply-To: References: Message-ID: On 14/06/18 08:39, Stian Thorgersen wrote: > https://www.keycloak.org/downloads.html Have the docker builds been updated?
They are reporting 4.0.0.Beta3 # docker inspect jboss/keycloak | grep KEYCLOAK_VERSION "KEYCLOAK_VERSION=4.0.0.Beta3", "KEYCLOAK_VERSION=4.0.0.Beta3", This is image id 935e99b0aeb0 Regards Stuart From valsarajpv at gmail.com Thu Jun 14 06:02:19 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Thu, 14 Jun 2018 15:32:19 +0530 Subject: [keycloak-user] Using java admin client with Wildfly In-Reply-To: <1058752228.756381.1528720235393.JavaMail.apache@nm81.abv.bg> References: <943595197.670295.1528659276864.JavaMail.apache@nm82.abv.bg> <1710605715.670328.1528659318927.JavaMail.apache@nm82.abv.bg> <1058752228.756381.1528720235393.JavaMail.apache@nm81.abv.bg> Message-ID: Here is what I did to solve the issue. May be helpful for you. Created a keycloak-admin-client module for my application on WildFly to call KC admin APIs. > name="com.app.library.keycloak.keycloak-admin-client"> > Added dependency in jboss-deployment-structure.xml: > .... > On Mon, Jun 11, 2018 at 6:00 PM, Pedro Pedro wrote: > > I added jboss-deployment-structure but still getting the same exception. > Here is the content of it: > > Am I missing something? > > > >-------- Original message -------- > >From: valsaraj pv valsarajpv at gmail.com > >Subject: Re: [keycloak-user] Using java admin client with Wildfly > >To: Pedro Pedro > >Sent on: 11.06.2018 05:04 > > I faced issues like this and resolved them by setting the resteasy wildfly module dependency. > > On Mon 11 Jun, 2018, 4:40 AM Pedro Pedro, < sinsn_619 at abv.bg> wrote: > > > Hi all, > > > I am trying to use the admin client in a maven project, but on startup it > fails with this: > > > Caused by: java.lang.RuntimeException: Could not find constructor for > class: org.keycloak.admin.client.resource.ServerInfoResource > at org.jboss.resteasy.spi.metadata.ResourceBuilder.
> constructor(ResourceBuilder.java:683) at > org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.registered(POJOResourceFactory.java:41) at > org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:207) at > org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:193) at > org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:179) at > org.jboss.resteasy.core.ResourceMethodRegistry.addResourceFactory(ResourceMethodRegistry.java:156) at > org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) at > org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) > > > Any ideas about this? > > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan From Jana.Neujahr at gisa.de Thu Jun 14 06:19:53 2018 From: Jana.Neujahr at gisa.de (Neujahr, Jana) Date: Thu, 14 Jun 2018 10:19:53 +0000 Subject: [keycloak-user] Display app name on keycloak login page Message-ID: Hello Pulkit, if you have defined a realm for each application, you can also use one theme for all realms/applications and pass the realm name (parameter is named "realmName") to the template. Kind regards Jana
From Christoph.Leistert at bosch-si.com Thu Jun 14 06:41:50 2018 From: Christoph.Leistert at bosch-si.com (Leistert Christoph (INST/ECS2)) Date: Thu, 14 Jun 2018 10:41:50 +0000 Subject: [keycloak-user] Fine-grained permissions to map a client role to a group Message-ID: <128d54514284441cbc4264369bcd136a@bosch-si.com> Hello, We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a client role and map this client role to a group they are already a member of. For the client creation and client role creation we assigned the realm role "manage-clients" to the users and this is okay for our setup. Additionally the users are assigned the "query-groups" realm role, so that they can see the groups. We struggle a bit with the right role/permissions setup to map the client role to a group. First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which also allows the user to e.g. see all users. This should not be possible for these users. Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions and the "map-role" permission of the "Users" resource does not allow mapping a role to a group (403 Forbidden). Is there any other way than using the "manage-users" realm role to map a client role to a group? Is it planned to add fine-grained permissions for a "Groups" resource?
Mit freundlichen Grüßen / Best regards Christoph Leistert (INST/ECS2) Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn From sthorger at redhat.com Thu Jun 14 06:57:08 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jun 2018 12:57:08 +0200 Subject: [keycloak-user] Keycloak 4.0.0.Final is out In-Reply-To: References: Message-ID: 4.0.0.Final tag was built, but looks like latest wasn't updated for some reason. Will take a look at it soon. On Thu, 14 Jun 2018, 11:39 Stuart Auchterlonie, wrote: > On 14/06/18 08:39, Stian Thorgersen wrote: > > https://www.keycloak.org/downloads.html > > Have the docker builds been updated? > They are reporting 4.0.0.Beta3 > > > # docker inspect jboss/keycloak | grep KEYCLOAK_VERSION > "KEYCLOAK_VERSION=4.0.0.Beta3", > "KEYCLOAK_VERSION=4.0.0.Beta3", > > This is image id 935e99b0aeb0 > > Regards > Stuart > From sthorger at redhat.com Thu Jun 14 07:38:23 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jun 2018 13:38:23 +0200 Subject: [keycloak-user] OpenShift Commons Briefing #129: KeyCloak for Cloud Natives Message-ID: https://www.youtube.com/watch?v=j6PgJIV1UNI From web at thopap.de Thu Jun 14 07:45:25 2018 From: web at thopap.de (T. Papke) Date: Thu, 14 Jun 2018 13:45:25 +0200 Subject: [keycloak-user] Multiple user stores / Domain separation In-Reply-To: References: Message-ID: Hi, I have not yet received any feedback here. Is the usage of multiple user stores in keycloak not a common scenario? I would be grateful to hear some feedback from users that are already using keycloak.
Thank you, Thomas 2018-06-08 14:28 GMT+02:00 T. Papke : > Hi all, > > > > In case multiple user stores are connected (e.g. different Active > Directories). Is there any built-in option to provide some kind of domain > discriminator (e.g. drop down menu) on the login page? If not, are there > any proposals or best practices on how to achieve this? How does Keycloak > handle the issue that the username is not unique in case of multiple > user stores? > > > > Thank you, Regards, > > Thomas > > From sthorger at redhat.com Thu Jun 14 07:49:07 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Jun 2018 13:49:07 +0200 Subject: [keycloak-user] Multiple user stores / Domain separation In-Reply-To: References: Message-ID: Keycloak will currently just return the user from the first store it finds the user in. We don't have any capabilities beyond that at the moment. On 14 June 2018 at 13:45, T. Papke wrote: > Hi, > > I have not yet received any feedback here. Is the usage of multiple user > stores in keycloak not a common scenario? > > I would be grateful to hear some feedback from users that are already using > keycloak. > > Thank you, > Thomas > > 2018-06-08 14:28 GMT+02:00 T. Papke : > > > Hi all, > > > > > > > > In case multiple user stores are connected (e.g. different Active > > Directories). Is there any built-in option to provide some kind of domain > > discriminator (e.g. drop down menu) on the login page? If not, are there > > any proposals or best practices on how to achieve this? How does Keycloak > > handle the issue that the username is not unique in case of multiple > > user stores?
From subodhcjoshi82 at gmail.com Thu Jun 14 08:17:14 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 14 Jun 2018 17:47:14 +0530
Subject: [keycloak-user] How to include SMTP server details from admin-cli

Can anyone guide on the same?

On Wed, Jun 13, 2018 at 6:53 PM Subodh Joshi wrote:
> Hi All
>
> As part of automating keycloak we want to automate including the keycloak SMTP server details. What will be the command to include the SMTP server details with the realm? For realm creation I am using this command
>
> /opt/keycloak/bin/kcadm.sh create realms -s realm=realm_name -s enabled=true
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From lfa at doodle.com Thu Jun 14 08:30:00 2018
From: lfa at doodle.com (Filipe Abrahao)
Date: Thu, 14 Jun 2018 08:30:00 -0400
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?

Hi everyone,

I work at Doodle, an online platform to help people schedule meetings and social events. We have around 28m people that use our product every month and we are in the process of splitting our monolith.

We have been experimenting with Keycloak as our auth service, and so far we are pretty happy with it. We are just making sure it fulfils all our requirements, but we have one that we are not sure would work with Keycloak:

Some of our bigger users, like universities and big corporations, require managing their users via LDAP. We know that Keycloak can integrate with LDAP. But my question is whether creating one LDAP configuration for each client is the right way to do it.
If we have to configure one LDAP integration for each client that requires it, we will potentially end up with hundreds (perhaps thousands) of them. Will it scale? Will Keycloak be able to handle that?

many thanks,
Filipe A

From ryan.dawson at alfresco.com Thu Jun 14 08:31:11 2018
From: ryan.dawson at alfresco.com (Ryan Dawson)
Date: Thu, 14 Jun 2018 12:31:11 +0000
Subject: [keycloak-user] Start keycloak docker image with ssl disabled (or run other kcadm commands?)

FWIW I eventually found a way to do what I was after - https://github.com/kubernetes/charts/pull/6108

On 11 Jun 2018, at 15:38, Ryan Dawson wrote:

I'm wondering what is the best way to disable ssl when starting the keycloak docker image. I'm thinking it would be convenient to be able to run this when starting the keycloak docker image:

/opt/jboss/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE

There are already ways to turn off ssl - I could change the master realm's json or run a db script (https://stackoverflow.com/questions/38337895/globally-disable-https-keycloak) but ideally I want to run a kcadm script as that would be more flexible. I'd also like it to be an install option rather than having to exec/shell in after deploy and change it.

I am interested because the helm chart has a preStartScript but that is effectively too early to modify the realm (https://stackoverflow.com/questions/50685882/setting-up-realms-in-keycloak-during-kubernetes-helm-install). I tried adding something to run after docker-entrypoint.sh invokes standalone.sh but realised that is effectively too late (https://github.com/kubernetes/charts/blob/master/stable/keycloak/templates/configmap.yaml#L24).

I'm wondering if it would be a good idea to change the startup script (docker-entrypoint.sh and maybe standalone.sh) to expose this as an argument? Or to provide a hook for any custom script to be run?

Anyone got any thoughts or suggestions on this?
Ryan

From sthorger at redhat.com Thu Jun 14 08:34:40 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Jun 2018 14:34:40 +0200
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?

Are you planning to have a single realm?

The way users are retrieved when there are multiple LDAP servers is currently quite limited. It will simply search through them in order until the user is found. Once found, a user with the link to the correct LDAP will be set up. With hundreds of LDAP connections this will most likely be rather slow.

It's also not a scenario we've tested, so you would have to test and experiment with this yourself.

On 14 June 2018 at 14:30, Filipe Abrahao wrote:
From hylton.peimer at datos-health.com Thu Jun 14 10:43:21 2018
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Thu, 14 Jun 2018 17:43:21 +0300
Subject: [keycloak-user] Host Header Attack behind Load Balancer

A Google Load Balancer is proxying HTTP requests to a Keycloak instance [container running in Kubernetes].

A penetration test revealed that it's possible to inject "X-FORWARDED-HOST" with a malicious host name, and Keycloak will accept this (login page).

Is there a way to tell Keycloak (3.4) to only accept web requests matching a given host?

Thanks
Hylton Peimer

From daniel.hammarberg at capgemini.com Thu Jun 14 11:48:55 2018
From: daniel.hammarberg at capgemini.com (Hammarberg, Daniel)
Date: Thu, 14 Jun 2018 15:48:55 +0000
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?
Message-ID: <31225E3A2F1E0E43BA9272CBEBDCC68410F65E0D@DE-CM-MBX26.corp.capgemini.com>

Hi all,

One more thing to keep in mind is that Keycloak only allows an email address to be used once in every realm. So if a user has the same email address across several ldap servers, it might cause you some problems if all users are in the same realm. I presume the same limitation goes for user names.

Cheers
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services

Capgemini Sweden | Göteborg
www.capgemini.com
_______________________________________________________________________
Connect with Capgemini:

-----Original Message-----
From: Stian Thorgersen
Sent: 14 June 2018 14:35
To: Filipe Abrahao
Cc: keycloak-user
Subject: Re: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?
________________________________

Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825, S-161 24 Bromma.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

From sthorger at redhat.com Thu Jun 14 15:25:43 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Jun 2018 21:25:43 +0200
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?
In-Reply-To: <31225E3A2F1E0E43BA9272CBEBDCC68410F65E0D@DE-CM-MBX26.corp.capgemini.com>
References: <31225E3A2F1E0E43BA9272CBEBDCC68410F65E0D@DE-CM-MBX26.corp.capgemini.com>

If you use login only with email and all users for the same LDAP server have the same domain (user at ldap-1.com, etc.) then we could add config to the LDAP that only matches certain emails. As you proposed, it may also be possible to somehow autodetect that.

On 14 June 2018 at 17:48, Hammarberg, Daniel <daniel.hammarberg at capgemini.com> wrote:
From vandana0242 at gmail.com Fri Jun 15 00:30:47 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 14 Jun 2018 23:30:47 -0500
Subject: [keycloak-user] throwing error after running this command adapter-elytron-install.cli

Hello

When I was trying to run the command to install the keycloak adapter on the wildfly server from the path, it's showing the below error.
May I know how to resolve this error?

nl00000:/srv/apps/appsrv/wildfly/keycloak/keycloak-4.0.0.Beta3/bin> ./jboss-cli.sh --file=adapter-elytron-install.cli --connect --controller=0.0.0.0:8080
Authenticating against security realm: ManagementRealm
Username: XXXXX
Password:
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
    "rolled-back" => true
}
nl00000:/srv/apps/appsrv/wildfly/keycloak/keycloak-4.0.0.Beta3/bin>

Thanks.

From sthorger at redhat.com Fri Jun 15 00:32:18 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Jun 2018 06:32:18 +0200
Subject: [keycloak-user] Host Header Attack behind Load Balancer

https://www.keycloak.org/docs/latest/server_admin/index.html#host

On 14 June 2018 at 16:43, Hylton Peimer wrote:

From pulkitsrivastavajd at gmail.com Fri Jun 15 03:24:13 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Fri, 15 Jun 2018 12:54:13 +0530
Subject: [keycloak-user] Different IDP's for different clients

I have different clients (same realm) set up in keycloak with some IDPs such as google, facebook, twitter etc.
I want different clients to see different IDPs.
For instance, client1 should see google and twitter, client2 should see facebook and google etc.

How can this be achieved?
Thanks,
Pulkit

From sthorger at redhat.com Fri Jun 15 03:34:45 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Jun 2018 09:34:45 +0200
Subject: [keycloak-user] Different IDP's for different clients

Not sure that makes that much sense. The user could login first to client1 with Twitter, then go to client2 and, as the user is already logged in, access client2 through Twitter login.

On 15 June 2018 at 09:24, Pulkit Srivastava wrote:

From pulkitsrivastavajd at gmail.com Fri Jun 15 05:19:06 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Fri, 15 Jun 2018 14:49:06 +0530
Subject: [keycloak-user] Different IDP's for different clients

That's what I am saying: the user should not be able to login to client2 using twitter because he is allowed to login using only facebook and google.

Thanks,
Pulkit

On Fri, Jun 15, 2018 at 1:04 PM Stian Thorgersen wrote:
From lfa at doodle.com Fri Jun 15 05:36:18 2018
From: lfa at doodle.com (Filipe Abrahao)
Date: Fri, 15 Jun 2018 11:36:18 +0200
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?
References: <31225E3A2F1E0E43BA9272CBEBDCC68410F65E0D@DE-CM-MBX26.corp.capgemini.com>

Thank you for your help. I am not very sure how to proceed, to be honest; I will report back to the team.

In the meanwhile we are going to continue to experiment with it.

Thank you again.

On 14 June 2018 at 21:27:56, Stian Thorgersen (sthorger at redhat.com) wrote:
From Manfred.Schenk at iosb.fraunhofer.de Fri Jun 15 07:15:17 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Fri, 15 Jun 2018 11:15:17 +0000
Subject: [keycloak-user] Display Calling application name

I thought this would be the standard behaviour: if you configure a name for the client when adding the client configuration to keycloak, keycloak's login page will display that name as the title. Or do you mean something different?
Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pulkit Srivastava
Sent: Wednesday, 13 June 2018 11:08
To: keycloak-user; keycloak-user-request at lists.jboss.org
Subject: Re: [keycloak-user] Display Calling application name

Any pointer to this? Prompt reply would be appreciated.

On Wed, Jun 13, 2018 at 11:55 AM Pulkit Srivastava <pulkitsrivastavajd at gmail.com> wrote:
> Hi,
> I have multiple applications that authenticate users using keycloak.
> Is there a way to show the application name on the keycloak login page according to the application from which the user arrived? How can this be achieved?
>
> Thanks,
> Pulkit

From renato.totalbanco at gmail.com Fri Jun 15 10:32:07 2018
From: renato.totalbanco at gmail.com (Renato Silveira - Totvs)
Date: Fri, 15 Jun 2018 11:32:07 -0300
Subject: [keycloak-user] How to generate OIDC Token for users originating from a saml identity provider?

Hello,

I'm using a saml identity provider and version 3.4.0-final of Keycloak. I made the necessary settings so that these users are persisted as valid users in Keycloak; up to this point I had no problem.

My application has some modules that work with services authenticated by tokens. Is it possible to generate tokens with the saml assertion of the user who logged in via the saml identity provider? Is there any specific grant_type or client_assertion_type for this?

I made a series of attempts but without success. Has anyone here needed to implement something similar?
https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-20#page-5

From pawad at inboxmarketer.com Fri Jun 15 14:53:48 2018
From: pawad at inboxmarketer.com (Peter Awad)
Date: Fri, 15 Jun 2018 14:53:48 -0400
Subject: [keycloak-user] KrakenD and Keycloak

We are in the early stages of implementing keycloak and currently have a dev environment set up with keycloak 4.beta3.

One of my dev teams is working on an API proxy with KrakenD but is struggling. I assumed that this was going to be a bearer type and provided them with the following:

{
  "realm": "InboxAuth",
  "bearer-only": true,
  "auth-server-url": "https://dev-idp03.inboxmarketer.net/auth",
  "ssl-required": "all",
  "resource": "insights-dev",
  "confidential-port": 0
}

as well as a test user, clientId, secret and Reg Token.

However krakenD appears to want the following:

ClientId - Got that.
Client Secret - Got that.
Token URL - auth server url does not seem to work here.
Scopes - Got that.

So I guess the real question is what should I be using for Token URL?

Thanks

*Peter Awad* | Customer Success Specialist
pawad at inboxmarketer.com
T: 519.824.6664 x220

*To give real service you must add something which cannot be bought or measured with money, and that is sincerity and integrity.* ~ Douglas Adams

From subodhcjoshi82 at gmail.com Sat Jun 16 06:47:42 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Sat, 16 Jun 2018 16:17:42 +0530
Subject: [keycloak-user] Why keycloak admin-cli throwing - HTTP error - 415 Unsupported Media Type

Hi

I am trying to update a realm from the admin-cli but end up with 415 Unsupported Media Type. FYI I did not make any single change in the demorealm.json file.
> /opt/keycloak/bin/kcadm.sh get realms/CRUE_Realm > demorealm.json
> /opt/keycloak/bin/kcadm.sh update realms/CRUE_Realm > demorealm.json
> *HTTP error - 415 Unsupported Media Type*

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From ahmed at aossama.com Sat Jun 16 16:59:57 2018
From: ahmed at aossama.com (Ahmed Ossama)
Date: Sat, 16 Jun 2018 22:59:57 +0200
Subject: [keycloak-user] Replace username with phone number
Message-ID: <32e444eb-c18f-0d4b-6251-9c8d98915343@aossama.com>

Hi Everyone,

I am new to Keycloak and I am considering using it in a project. However I've been playing with Keycloak for a bit and cannot seem to find out how to meet a specific need for the project.

The need is to sign up and make the phone number of a user the user identifier instead of the username.

What I did was: created an empty realm, exported it, then modified the properties using username to be phonenumber, and imported it again. Then created a new theme based on the basic theme and changed username to be phonenumber. But it wasn't enough and in the UI there was a lot of reference to username.

So I was wondering if this is possible or not, and if possible how can I achieve it?

Thanks in advance.

--
Regards,
Ahmed Ossama

From atx at binaryninja.de Sun Jun 17 04:05:37 2018
From: atx at binaryninja.de (atx at binaryninja.de)
Date: Sun, 17 Jun 2018 10:05:37 +0200
Subject: [keycloak-user] Will Keycloak scale to handle hundreds of LDAP integrations?
References: <31225E3A2F1E0E43BA9272CBEBDCC68410F65E0D@DE-CM-MBX26.corp.capgemini.com>
Message-ID: <0526949d-b364-f232-611d-93e0dfeecd46@binaryninja.de>

Hey there,

we had a somewhat similar issue with the LDAP integration that comes out of the box, since our users are also stored in many different LDAPs and in addition needed to be merged, since the information in both LDAPs was redundant... we ended up writing our own LDAP SPI. It was easier than expected.
But reading your request, I wonder if you should have ONE realm with hundreds of customer LDAPs in it? Even universities tend to have at most a couple of LDAPs. I would guess you want one realm per customer?

BR

On 15.06.2018 at 11:36, Filipe Abrahao wrote:
It is intended only for the >> person to whom it is addressed. If you are not the intended recipient, you >> are not authorized to read, print, retain, copy, disseminate, distribute, >> or use this message or any part thereof. If you receive this message in >> error, please notify the sender immediately and delete all copies of this >> message. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vandana0242 at gmail.com Sun Jun 17 10:36:59 2018 From: vandana0242 at gmail.com (vandana thota) Date: Sun, 17 Jun 2018 10:36:59 -0400 Subject: [keycloak-user] Can able to install keycloak adapters Message-ID: Hello We have wildfly 11.0.0.0 final . We copied keycloak-wildfly-adapter-dist-4.0.0.Final.zip under Wildfly_Home path Unizipped that file. I even created the file layers.conf under the folder Wildfly_Home/Modules Trying to run the command to install the keycloak adapter on wildfly but its throwing the below error , what needs to be done for this any idea ? 
nl0000:/srv/prop/wildfly/11/bin> ./jboss-cli.sh --file=adapter-elytron-install.cli --connect --controller=0.0.0.0:xxxx
Authenticating against security realm: ManagementRealm
Username: xxxx
Password:
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
    "rolled-back" => true,
    "response-headers" => {"process-state" => "reload-required"}
}
Can't we install this manually instead of using jboss-cli, or how can we resolve the above error?
From pulkitsrivastavajd at gmail.com Mon Jun 18 00:32:19 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Mon, 18 Jun 2018 10:02:19 +0530 Subject: [keycloak-user] Different IDP's for different clients In-Reply-To: References: Message-ID: My subscription expired, I have renewed the subscription. If I have missed any update on this please revert. Thanks, Pulkit On Fri, Jun 15, 2018 at 2:49 PM Pulkit Srivastava < pulkitsrivastavajd at gmail.com> wrote: > That's what I am saying, the user should not be able to login to client2 using > twitter because he is allowed to login using only facebook and google. > > Thanks, > Pulkit > > On Fri, Jun 15, 2018 at 1:04 PM Stian Thorgersen > wrote: > >> Not sure that makes that much sense. The user could login first to >> client1 with Twitter, then go to client2 and as the user is already >> logged-in access client2 through Twitter login. >> >> On 15 June 2018 at 09:24, Pulkit Srivastava > > wrote: >> >>> I have different clients (same realm) setup in keycloak with some IDP's >>> such >>> as google, facebook, twitter etc. >>> I want different clients to see different idp's. >>> For instance, client1 should see google and twitter, client2 should see >>> facebook and google etc. >>> >>> How can this be achieved?
>>> >>> Thanks, >>> Pulkit >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> From federico at info.nl Mon Jun 18 03:43:33 2018 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Mon, 18 Jun 2018 07:43:33 +0000 Subject: [keycloak-user] KrakenD and Keycloak In-Reply-To: References: Message-ID: <7715B9B3-9471-4665-8235-C3FAE63F94E8@info.nl> There is a special URL in keycloak you can access appending /.well-known/openid-configuration to your realm URL. Eg: if your realm is InboxAuth and your base url is https://dev-idp03.inboxmarketer.net/auth , then it would be: https://dev-idp03.inboxmarketer.net/auth/realms/InboxAuth/.well-known/openid-configuration It sounds like you are interested in the token_endpoint url displayed there. Regards, Federico On 15/06/18 20:53, "keycloak-user-bounces at lists.jboss.org on behalf of Peter Awad" wrote: We are in the early stages of implementing keycloak and currently have a dev environment setup with keycloak 4.beta3 One of my dev teams is working on an API proxy with KrakenD but are struggling. I assumed that this was going to a bearer type and provided them with the following: { "realm": "InboxAuth", "bearer-only": true, "auth-server-url": "https://dev-idp03.inboxmarketer.net/auth", "ssl-required": "all", "resource": "insights-dev", "confidential-port": 0 } as well as a test user, clientId, secret and Reg Token However krakenD appears to want the following: ClientId - Got that. Client Secret - Got that. Token URL - auth server url does not seem to work here. Scopes - Got that. 
So I guess the real question is what should I be using for Token URL? Thanks *Peter Awad* | Customer Success Specialist pawad at inboxmarketer.com T: 519.824.6664 x220 *To give real service you must add something which cannot be bought or measured with money, and that is sincerity and integrity.* ~ Douglas Adams _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
From robert.discussions at gmail.com Mon Jun 18 04:51:28 2018 From: robert.discussions at gmail.com (Robert .) Date: Mon, 18 Jun 2018 10:51:28 +0200 Subject: [keycloak-user] Keycloak sso logout Message-ID: I have been having problems with the Keycloak sso logout functionality in Keycloak 3.4.3. Previously I have tested the single sign-out functionality in Keycloak 2.4.0, and did not experience such problems. I have debugged the issue in 3.4.3 and noticed that the sessionCreated method in HttpSessionManager is never called. This means that no http session is invalidated in the logout methods. To fix this I have created my own HttpSessionManager based on a Spring ApplicationListener and registered it as a listener in my web.xml. I would like to know if this is a known issue. Has this been fixed in 4.0.0? Can it also be fixed in a 3.4.4 version?

    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;

    import org.keycloak.adapters.springsecurity.management.HttpSessionManager;
    import org.springframework.context.ApplicationEvent;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.web.session.HttpSessionCreatedEvent;

    public class MyHttpSessionManager extends HttpSessionManager implements ApplicationListener<ApplicationEvent> {

        @Override
        public void onApplicationEvent(ApplicationEvent event) {
            // Spring publishes an HttpSessionCreatedEvent for every new HTTP session.
            // Forward it to Keycloak's HttpSessionManager so the session is tracked
            // and can be invalidated by the adapter's logout handling.
            if (event instanceof HttpSessionCreatedEvent) {
                HttpSession session = ((HttpSessionCreatedEvent) event).getSession();
                HttpSessionEvent creationEvent = new HttpSessionEvent(session);
                this.sessionCreated(creationEvent);
            }
        }
    }

From pkboucher801 at gmail.com Mon Jun 18 08:01:22 2018 From: pkboucher801 at gmail.com (pkboucher801 at gmail.com) Date: Mon, 18 Jun 2018 08:01:22 -0400 Subject: [keycloak-user] Brokered logins only?
Message-ID: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com> Any way (other than a custom theme that enforces it in the UI) to allow only brokered logins to a realm? For reasons beyond my control, the user's password is the same in the IDP as it is in KC (they point at the same OU in LDAP), but the IDP has been configured with a particular 2FA method that is not supported by KC. So the problem is that if the users login with username/password submission on the KC login page, they can bypass the IDP's 2FA. We can set the IDP as the default, but kc_idp_hint as a blank value will bring up the KC login page. Maybe there's a way to adjust the flows so that brokered login works, but username/password submission on the KC login page fails (or is not even offered)? Maybe setup pre-configured OTPs on the accounts, so that the users can't get past there? (this would be a bad, confusing UX) Any other ideas? Regards, Peter K. Boucher From eivind at jotta.no Mon Jun 18 09:44:45 2018 From: eivind at jotta.no (Eivind Larsen) Date: Mon, 18 Jun 2018 09:44:45 -0400 Subject: [keycloak-user] Keycloak Rest API - sessions Message-ID: Hi Keycloak Users! I am integrating the session data from Keycloak into our existing account settings page. I see Keycloak has an API call for listing user sessions. GET /admin/realms/{realm}/clients/{id}/user-sessions a) I was wondering why this does not include offline sessions? So to list all sessions I need to: 1. List user sessions (call above). 2. List consents. 3. Grab client ids from consents. 4. List offlineSessions for each client in 3. 5. Merge all the session from 1 and 4. b) Am I missing something? Is there a simpler way to list all sessions for a user? 
Best regards, Eivind Larsen
From david.everson at state.mn.us Mon Jun 18 10:40:46 2018 From: david.everson at state.mn.us (Everson, David (MNIT)) Date: Mon, 18 Jun 2018 14:40:46 +0000 Subject: [keycloak-user] Architectural Blueprint/Recommendations Message-ID: Hello, Our organization has been using Keycloak over the last few years. During this time, several versions and implementation approaches of Keycloak have popped up in the organization as various organizational units leveraged Keycloak. We are now at the point of taking Keycloak to the next level of maturity within the organization with a common architecture and governance model around Keycloak/IDAM. We have convened a working group to take our experiences to-date and formulate an architecture which the organization can move forward with. The major point of contention with the future architecture is the nature in which the instances and realms are deployed. To this end, I am looking for some feedback from the community regarding the most scalable architectural blueprint/recommendation to help achieve the following requirements and questions:

Here is a list of our assumptions/constraints:
1. The organization consists of 10 organizational units (i.e. realms).
2. Each organization unit supports 10-15 applications (i.e. clients) requiring authentication/authorization.
3. The primary application profile is a web application (i.e. keycloak access type of 'confidential').
4. The organization is starting to develop an increasing number of web services which leverage bearer-only authn/authz.
5. For the organization, Keycloak would support 100,000 users.
6. Of the 100,000 users, 1-2% of those users would be federated via Active Directory.
7. Within an organization unit, users should be able to leverage SSO for any application within the organizational unit.
8. The primary usage of applications is between core business hours.
9. The applications are accessible 24x7.
10. On any given day, about 20% of the total user base may log into at least one application.
11. Due to inactivity requirements, users may typically have to re-authenticate multiple times during the day.
12. The organization has a desire to maintain a common set of IDAM policies and reporting (i.e. governance) across all organizational units.
13. The organization would provide a default template for all organizational units.
14. Each organization unit may modify/create their own template as business requirements dictate.
15. Keycloak should be clustered for high availability.
16. The Keycloak environment would be hosted on AWS, more than likely EC2 instances.
17. Client applications are also hosted in AWS.
18. Keycloak's database would be PostgreSQL hosted in AWS RDS.

A few questions/concerns of the working group:
A. Is there any information available on the maximum size of a Keycloak installation? Will Keycloak be scalable and performant given the above assumptions and constraints?
B. What's the best recommendation for distributing the Keycloak instances and realms? Right now the group has three options on the table: 1) A single Keycloak install per application (i.e. client); 2) A single Keycloak install per organizational unit (i.e. realm); or 3) A single Keycloak install per organization (i.e. serving all realms and clients).
C. A major concern the group has with a single Keycloak install (#3 in the previous bullet) is the high-availability in terms of performance and concerns of a rogue client affecting other applications negatively. What is the community's recommendation for addressing this concern?
D. Another major concern the group has with a single Keycloak install is the restarts that are necessary when an organization unit deploys a new or updated template. The concern is that all applications would be unavailable during the restart. We would be operating in a clustered environment; is the best solution to this concern restarting individual members of the cluster rather than the entire cluster?
E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users if they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x?
F. Upgrading Versions of Keycloak. We have experienced some difficulty upgrading versions on the server-side (we need to export, import vs a simple DB backup and deployment). What are the recommendations for handling the upgrade of Keycloak from one version to the next given the size of our user base?

I'm sorry for the long post, hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical cross-roads in our Keycloak adoption and want to ensure we do this correctly. Thanks! Dave Dave Everson Application Development Team Lead | Environmental Health Minnesota IT Services | Partners in Minnesota Department of Health 625 Robert Street North St. Paul, MN 55155 O: 651-201-5146 Information Technology for Minnesota Government | mn.gov/mnit
From corentin.dupont at gmail.com Mon Jun 18 11:08:50 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 18 Jun 2018 17:08:50 +0200 Subject: [keycloak-user] Entitlement request with additional parameters In-Reply-To: References: Message-ID: Hi Pedro, I see pushed claims (and the 4.0.0 release) have landed, congratulations! It's not clear to me how to use them... Is there some doc? Can I continue to use the old entitlement API? Or should I switch to UMA? Best, Corentin On Tue, Apr 10, 2018 at 2:20 PM, Pedro Igor Silva wrote: > Hi Corentin, > > We are adding support for "pushed claims". That is the main task I'm > working with right now. > > If you want to track the changes being made and provide any feedback, > please watch https://issues.jboss.org/browse/KEYCLOAK-4903. So far, I > have enabled pushing claims when using UMA and permission tickets. As you > might know, with the introduction of UMA 2.0 there is no specific endpoint > for entitlements anymore. Now permissions are evaluated using the token > endpoint. Next step is to enable "pushed claims" for non-UMA requests (without > permission tickets, just like the old entitlement api).
> > On Tue, Apr 10, 2018 at 8:09 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi guys, >> I use the entitlement API to check access control on my resources. Here I >> check if a user can update a sensor: >> >> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer >> $TOKEN" -d '{ >> "permissions" : [ >> { >> "resource_set_name" : "Sensors", >> "scopes" : [ >> "sensors:update" >> ] >> } >> ] >> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >> >> >> But I would like to make complex policies that check additional >> parameters, >> such as sensor status etc. >> How can I pass along the additional parameters to the request, and use >> them >> in my policies? I use javascript policies mainly. >> >> Thanks >> Corentin >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >
From marcoh.huenseler+kcml at gmail.com Mon Jun 18 11:17:48 2018 From: marcoh.huenseler+kcml at gmail.com (Marco Hünseler) Date: Mon, 18 Jun 2018 17:17:48 +0200 Subject: [keycloak-user] "Mapper-spanning" LDAP federation and mapping "Composite Roles" Message-ID: Hello there, I am trying to import a rather large and complex AD structure into Keycloak and I am facing some rather substantial problems with that. First of all, I have some user groups whose members span over multiple subtrees. Example:

    Group OU 1
    |- Group1
    |- Group1.1
    Group OU 2
    |- Group2
    |- Group2.2

Where Group1.1 is a member of Group1, Group2.2 is a member of Group2 and Group2 is a member of Group1. In reality it is a little bit more complex of course and makes much more sense ;-) Unfortunately, this doesn't seem to work as every group mapper only sees its own groups, which leads to (1) that the resulting group-order does not remotely match the one that's in AD and worse (2) when telling a group mapper to watch out for groups that do not exist in upstream anymore, it cleans up everything else. Second, there are (fortunately separate) OUs containing groups that represent a set of rights granted to the user. Obviously, I want to map them as roles. What I cannot achieve is to map these roles, once I import them, to the groups they point to. Loading the roles recursively would probably be possible as well, but I would like to stick to the AD structure as close as possible (I'm planning to connect Keycloak to different data sources as well and it would be pretty awesome to have some reporting against the keycloak db at a later stage). Third, there are quite a lot of groups with multiple "member"s in AD. When listing them, most of them have something in common: They are logically used to pool similar roles, so no one needs to manage them one by one. Which leads me to think that it would be quite accurate to map them as "composite roles". Unfortunately, this does not seem to be supported by the role mappers at all and if it was, it would probably also not work over mapper boundaries. TLDR; Keycloak is able to map groups and roles from AD but is completely missing functionality to do this cooperatively between mappers. I would love to know whether anyone can think of another as-good-as-possible-structure-preserving way of mapping this directory beast inside Keycloak. Also, I would love to hear about your thoughts regarding implementing some "cross-mapper" functionality for the LDAP connector and how far it can or should go to get this upstreamed later eventually so we can proceed with this on -dev :-) Thanks for reading!
Marco
From vandana0242 at gmail.com Mon Jun 18 12:32:06 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 18 Jun 2018 11:32:06 -0500 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 Message-ID: Hello I have copied this file on the wildfly server, keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1, and how to open this? Previously we had zip files and could open them by running the unzip command. But for this sha1 file how to open it and how can we do further configurations on wildfly with this keycloak adapter which is in sha1 format. Thanks.
From sthorger at redhat.com Mon Jun 18 14:47:49 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jun 2018 20:47:49 +0200 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 In-Reply-To: References: Message-ID: You downloaded the wrong file. Click on the ZIP link, not the SHA1 link. The SHA1 is a checksum that you can use afterwards to check the integrity of the ZIP file if you want. On Mon, 18 Jun 2018 at 18:49, vandana thota wrote: > Hello > > > > I have copied this file on the wildfly server > keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to open > this? > > > > Previously we had zip files and could open them by running the unzip > command. But for this sha1 file how to open it and how can we do > further configurations on wildfly with this keycloak adapter which is > in sha1 format. > > > > Thanks. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From sthorger at redhat.com Mon Jun 18 14:49:27 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jun 2018 20:49:27 +0200 Subject: [keycloak-user] Display Calling application name In-Reply-To: References: Message-ID: Did you check with the latest releases?
With the new theme I believe the application name should be displayed. If not, that is something we were planning to add. On Fri, 15 Jun 2018 at 13:25, Schenk, Manfred < Manfred.Schenk at iosb.fraunhofer.de> wrote: > I thought this would be the standard behaviour: > If you configure a name for the client when adding the client > configuration to keycloak, keycloak's login page will display that name as > title. > > Or do you mean something different? > > Regards, > Manfred > > -- > Manfred Schenk, Fraunhofer IOSB > Informationsmanagement und Leittechnik > Fraunhoferstraße 1, 76131 Karlsruhe, Germany > Phone +49 721 6091-391 > mailto:Manfred.Schenk at iosb.fraunhofer.de > http://www.iosb.fraunhofer.de > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On behalf of Pulkit Srivastava > Sent: Wednesday, 13 June 2018 11:08 > To: keycloak-user ; > keycloak-user-request at lists.jboss.org > Subject: Re: [keycloak-user] Display Calling application name > > Any pointer to this? > A prompt reply would be appreciated. > > On Wed, Jun 13, 2018 at 11:55 AM Pulkit Srivastava < > pulkitsrivastavajd at gmail.com> wrote: > > > Hi, > > I have multiple applications that authenticate users using keycloak. > > Is there a way to show the application name on the keycloak login page > > according to the application from which the user arrived? How can this > be achieved?
> > > > Thanks, > > Pulkit > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From vandana0242 at gmail.com Mon Jun 18 14:50:47 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 18 Jun 2018 13:50:47 -0500 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 In-Reply-To: References: Message-ID: Hello I could download the zip file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip from keycloak.org under the wildfly_Home path and unzipped the file. Created the layers.conf file under the wildfly_home/modules path. Tried to run the below, but the below errors showed up. How can I resolve this?
./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect --controller=0.0.0.0:XXXX
Authenticating against security realm: ManagementRealm
Username: XXXX
Password:
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-saml-adapter-subsystem not found",
    "rolled-back" => true
Thanks. On Mon, Jun 18, 2018 at 1:48 PM Stian Thorgersen wrote: > You downloaded the wrong file. Click on the ZIP link, not the SHA1 link. > The SHA1 is a checksum that you can use afterwards to check the integrity > of the ZIP file if you want. > > On Mon, 18 Jun 2018 at 18:49, vandana thota wrote: > >> Hello >> >> >> >> I have copied this file on the wildfly server >> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to open >> this? >> >> >> >> Previously we had zip files and could open them by running the unzip >> command. But for this sha1 file how to open it and how can we do >> further configurations on wildfly with this keycloak adapter which is >> in sha1 format.
>> >> >> >> Thanks. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >
From sthorger at redhat.com Mon Jun 18 14:52:34 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jun 2018 20:52:34 +0200 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 In-Reply-To: References: Message-ID: You should create a layers.conf; the adapter is an add-on. All you need to do is unzip and run the CLI script and it should work. On Mon, 18 Jun 2018 at 20:51, vandana thota wrote: > > > Hello > > > > I could download the zip file > keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip from keycloak.org > under the wildfly_Home path and unzipped the file > > > > Created the layers.conf file under the wildfly_home/modules path > > > > tried to run the below but the below errors showed up. How can I > resolve this > > > > > > ./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect > --controller=0.0.0.0:XXXX > > Authenticating against security realm: ManagementRealm > > Username: XXXX > > Password: > > { > > "outcome" => "failed", > > "failure-description" => "WFLYCTL0310: Extension module > org.keycloak.keycloak-saml-adapter-subsystem not found", > > "rolled-back" => true > > > > > > Thanks. > > > On Mon, Jun 18, 2018 at 1:48 PM Stian Thorgersen > wrote: > >> You downloaded the wrong file. Click on the ZIP link, not the SHA1 link. >> The SHA1 is a checksum that you can use afterwards to check the integrity >> of the ZIP file if you want. >> >> On Mon, 18 Jun 2018 at 18:49, vandana thota >> wrote: >> >>> Hello >>> >>> >>> >>> I have copied this file on the wildfly server >>> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to >>> open >>> this? >>> >>> >>> >>> Previously we had zip files and could open them by running the unzip >>> command.
But for this sha1 file how to open it and how can we do >>> further configurations on wildfly with this keycloak adapter which >>> is >>> in sha1 format. >>> >>> >>> >>> Thanks. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>
From sthorger at redhat.com Mon Jun 18 14:52:51 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jun 2018 20:52:51 +0200 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 References: Message-ID: ...should NOT create a layers.conf.. On Mon, 18 Jun 2018 at 20:52, Stian Thorgersen wrote: > You should create a layers.conf; the adapter is an add-on. All you need to > do is unzip and run the CLI script and it should work. > > On Mon, 18 Jun 2018 at 20:51, vandana thota wrote: > >> >> >> Hello >> >> >> >> I could download the zip file >> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip from keycloak.org >> under the wildfly_Home path and unzipped the file >> >> >> >> Created the layers.conf file under the wildfly_home/modules path >> >> >> >> tried to run the below but the below errors showed up. How can I >> resolve this >> >> >> >> >> >> ./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect >> --controller=0.0.0.0:XXXX >> >> Authenticating against security realm: ManagementRealm >> >> Username: XXXX >> >> Password: >> >> { >> >> "outcome" => "failed", >> >> "failure-description" => "WFLYCTL0310: Extension module >> org.keycloak.keycloak-saml-adapter-subsystem not found", >> >> "rolled-back" => true >> >> >> >> >> >> Thanks. >> >> >> On Mon, Jun 18, 2018 at 1:48 PM Stian Thorgersen >> wrote: >> >>> You downloaded the wrong file. Click on the ZIP link, not the SHA1 link. >>> The SHA1 is a checksum that you can use afterwards to check the integrity >>> of the ZIP file if you want.
>>> >>> On Mon, 18 Jun 2018 at 18:49, vandana thota >>> wrote: >>> >>>> Hello >>>> >>>> >>>> >>>> I have copied this file on the wildfly server >>>> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to >>>> open >>>> this? >>>> >>>> >>>> >>>> Previously we had zip files and could open them by running the unzip >>>> command. But for this sha1 file how to open it and how can we do >>>> further configurations on wildfly with this keycloak adapter which >>>> is >>>> in sha1 format. >>>> >>>> >>>> >>>> Thanks. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>
From sthorger at redhat.com Mon Jun 18 15:08:40 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 18 Jun 2018 21:08:40 +0200 Subject: [keycloak-user] How to open this file keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 In-Reply-To: References: Message-ID: Looks like you are using domain mode. In that case you need to first unzip the adapter to all servers. Then you can run the script afterwards. On Mon, 18 Jun 2018 at 20:52, Stian Thorgersen wrote: > ...should NOT create a layers.conf.. > > On Mon, 18 Jun 2018 at 20:52, Stian Thorgersen > wrote: > >> You should create a layers.conf; the adapter is an add-on. All you need >> to do is unzip and run the CLI script and it should work. >> >> On Mon, 18 Jun 2018 at 20:51, vandana thota >> wrote: >> >>> >>> >>> Hello >>> >>> >>> >>> I could download the zip file >>> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip from keycloak.org >>> under the wildfly_Home path and unzipped the file >>> >>> >>> >>> Created the layers.conf file under the wildfly_home/modules path >>> >>> >>> >>> tried to run the below but the below errors showed up.
How can I >>> resolve this >>> >>> >>> >>> >>> >>> ./jboss-cli.sh --file=adapter-elytron-install-saml.cli --connect >>> --controller=0.0.0.0:XXXX >>> >>> Authenticating against security realm: ManagementRealm >>> >>> Username: XXXX >>> >>> Password: >>> >>> { >>> >>> "outcome" => "failed", >>> >>> "failure-description" => "WFLYCTL0310: Extension module >>> org.keycloak.keycloak-saml-adapter-subsystem not found", >>> >>> "rolled-back" => true >>> >>> >>> >>> >>> >>> Thanks. >>> >>> >>> On Mon, Jun 18, 2018 at 1:48 PM Stian Thorgersen >>> wrote: >>> >>>> You downloaded the wrong file. Click on the ZIP link, not the SHA1 link. >>>> The SHA1 is a checksum that you can use afterwards to check the integrity >>>> of the ZIP file if you want. >>>> >>>> On Mon, 18 Jun 2018 at 18:49, vandana thota >>>> wrote: >>>> >>>>> Hello >>>>> >>>>> >>>>> >>>>> I have copied this file on the wildfly server >>>>> keycloak-saml-wildfly-adapter-dist-4.0.0.Final.zip.sha1 and how to >>>>> open >>>>> this? >>>>> >>>>> >>>>> >>>>> Previously we had zip files and could open them by running the unzip >>>>> command. But for this sha1 file how to open it and how can we do >>>>> further configurations on wildfly with this keycloak adapter >>>>> which is >>>>> in sha1 format. >>>>> >>>>> >>>>> >>>>> Thanks.
>>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>

From leo.nunes at gjccorp.com.br Mon Jun 18 16:40:33 2018 From: leo.nunes at gjccorp.com.br (Leonardo Nunes) Date: Mon, 18 Jun 2018 20:40:33 +0000 Subject: [keycloak-user] Implementation of Policy Provider Service Provider Interface Message-ID: <7C1BA4D0-4D9A-4768-8F91-FC83B4908DE0@ojc.com.br>
The Authorization documentation says that Keycloak supports different access control mechanisms including (Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)). Which class do I need to extend to implement this SPI? Currently I'm on version 3.4.3.Final. Thank you! -- Leonardo Nunes ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.
Thank you for your cooperation

From faranda at ntop.org Mon Jun 18 17:53:36 2018 From: faranda at ntop.org (Emanuele Faranda) Date: Mon, 18 Jun 2018 23:53:36 +0200 Subject: [keycloak-user] invalid_token with SAML HTTP redirect binding Message-ID: <78e79c4d-359c-dae3-5290-8bb35880741d@ntop.org>
Hello, I'm trying to implement SAML authentication with the help of keycloak, but I cannot make it work. I'm running keycloak 4.0.0.Final as a standalone server distribution on Ubuntu 16.04. I've configured a new SAML identity provider from the "Identity Providers" menu by filling in only the required fields. From the command line, I'm sending the following request to my keycloak instance:
curl http://192.168.2.165:8080/auth/realms/master/broker/saml/endpoint?SAMLRequest=Zc6xCsIwEIDhVwm3tyYplnK0hYJLQBcVBxeJJWAhudRcAuLTK67O%2Fzf8PdvgV5xKftDRPYvjLMxugJu9z0o3%2FGYQr%2BCJ8QcHKIkwWl4YyQbHmGc8TYc96lrimmKOc%2FQgDHNxhjhbygNoqbpKtpXqzqrFZotaXUFcXOIl0jfXEsZ%2B838yfgA%3D
where the SAMLRequest parameter value is the url_encode of base64+deflate (generated from https://www.samltool.com/encode.php) of the following SAML request: Keycloak returns "Invalid Request" in the HTML reply. I've enabled verbose debugging and this is the trace:
23:11:11,462 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/master/broker/saml/endpoint
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4) SAML Redirect Binding
23:11:11,463 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-4)
23:11:11,471 WARN [org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.2.221, error=invalid_token
The debug trace shows that the request is decoded properly, but I get the "invalid_token" warning. If I redirect an HTTP client via a 302 request to the url above I get the same "Invalid Request" and inability to proceed with login.
I've also tried with different sample SAML request XMLs, but the results are the same. Do you have any clue? Regards, Emanuele

From nicolas.gillet at market-ip.com Tue Jun 19 02:34:20 2018 From: nicolas.gillet at market-ip.com (Nicolas Gillet) Date: Tue, 19 Jun 2018 06:34:20 +0000 Subject: [keycloak-user] About issue 6073 Message-ID:
Hello, Implementing kc as authentication server for our web application, I stumbled upon what tastes like the jira issue 6073. All our application servers are in the same network and a HAProxy does the routing of requests based on the path (the Keycloak server answers all paths starting with /auth for instance). From what I got of the auth mechanism, the other applications hosted in our network (aka "clients") need to query Keycloak when they receive a token from the browser, therefore they need to have the kc URL and there comes the glitch: in order to make it work, the url must be strictly equal to the token's issuer and when querying over the internal network, it's not the case. Worse for me, our company has several domain names for the very same application, these domains being our customers' domains for whom we "style" the application, so using the "external" domain name to query kc is not an option as it's dynamic, depending on the domain name the token was issued on. Anyway that's yet another reason to take interest in the feature request 6073. I had a look in the code to see if I could do the pull request myself but it's very daunting and does not look like an easy one for a first contribution.
So I'd like to know if the team is planning on implementing this feature one day or if someone is willing to give me more detail about the way to do it (my background in OAuth and security being very light). Many thanks, Nicolas GILLET

From Sebastian.Loesch at governikus.de Tue Jun 19 03:19:42 2018 From: Sebastian.Loesch at governikus.de (Lösch, Sebastian) Date: Tue, 19 Jun 2018 07:19:42 +0000 Subject: [keycloak-user] Release plan RH-SSO Message-ID:
Hello, the new Keycloak release 4.0.0.Final is out now and I wonder what's the next RH-SSO release. Is there any release plan regarding RH-SSO? (And is this mailing list the right place to ask?) Best regards, Sebastian

From matthias.kesternich at moneymeets.com Tue Jun 19 07:47:59 2018 From: matthias.kesternich at moneymeets.com (Matthias Kesternich) Date: Tue, 19 Jun 2018 11:47:59 +0000 Subject: [keycloak-user] Client scopes not checked? Message-ID: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com>
Hello, I am trying to set up a keycloak configuration for my use case which goes like this:
- I have an api called test-api, written in python and using OAuth2/OIDC.
- Simple endpoints can be accessed if the access token's scope contains "test-api-read-write". This scope is granted to admin and api users.
- Admin endpoints can be accessed if the access token's scope contains "test-api-admin". This scope is granted only to admin users.
- All other users requesting an access token should not be granted any of the scopes.
Now I've set it up like this in keycloak:
1. Create new realm "test"
2. Create user "norights".
3. Create new client scopes "test-api-read-write" and "test-api-admin" (display consent = off).
4. Create new client "test-api" (confidential, openid-connect).
5. Add "test-api-read-write" to default client scopes of "test-api", add "test-api-admin" to optional client scopes.
6. Under "Scope" set "Full scope allowed" = off.
To test the setup I go to the test-api client scopes page and click "Evaluate" with
- optional client scopes: test-api-admin
- user: norights
This returns a generated access token like shown at the bottom of this mail. Especially, it contains the line "scope": "openid profile test-api-admin email test-api-read-write" This is really surprising to me, I expected "scopes" to *not* contain any of the "test-api-*" scopes. After all the user norights does not have any roles or permissions set up yet. Quoting from a previous mail on this list: "If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration" Here, the intersection with the user's own roles/scopes seems to be missing. I've looked at the code here: https://github.com/keycloak/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1fbd16f8de/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java . It seems initToken does "token.setScope(clientSessionCtx.getScopeString());" which seems to merely copy the scopes from the request. There's also this applyScope() method that seems to do the intersection thing, but doesn't seem to be called in this case. Is my understanding of client scope just plain wrong? I could get it to work if I use the "Authorize" tab and set up all this complicated policies stuff, but client scopes just seem so much easier. Thanks for creating such an impressive open source SSO solution!
-Matthias

Generated access token:
{
"jti": "14f8a8e5-b39f-4092-aaa8-25ce62ceac2e",
"exp": 1529408429,
"nbf": 0,
"iat": 1529408129,
"iss": "http://localhost:8080/auth/realms/test",
"aud": "test-api",
"sub": "f4ecc77a-45ad-4dbf-9295-87d2fa4518c9",
"typ": "Bearer",
"azp": "test-api",
"auth_time": 0,
"session_state": "35140ca3-6107-4a79-8f46-b1b298d4bb58",
"acr": "1",
"allowed-origins": [],
"resource_access": {},
"scope": "openid profile test-api-admin email test-api-read-write",
"email_verified": true,
"preferred_username": "norights"
}

From rdg7739 at gmail.com Tue Jun 19 08:16:07 2018 From: rdg7739 at gmail.com (rdg77390) Date: Tue, 19 Jun 2018 05:16:07 -0700 (MST) Subject: [keycloak-user] keycloak without token Message-ID: <1529410567065-0.post@n6.nabble.com>
Hi, I created an application using tomcat 8 and keycloak. The application has some rest API that will be called from the browser. So the application is both server and application. I believe with Jsessionid in a cookie, I do not need to pass an authentication token if I'm talking to the same server in the same session. Isn't it? Could someone clear this for me? Or should I have to pass an access token even if I'm talking to the same server? Also, I want to use Orbeon in the same tomcat, I set up crosscontext as true. I want it to be secure, but without setting up a security-constraint, it seems like keycloak does not protect the orbeon path. But it should be protected and should be able to be accessed without passing an access token. Does this make sense? I do not know if I'm on the right track or not. -- Sent from: http://keycloak-user.88327.x6.nabble.com/

From mposolda at redhat.com Tue Jun 19 10:55:31 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 19 Jun 2018 16:55:31 +0200 Subject: [keycloak-user] Client scopes not checked?
In-Reply-To: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com> References: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com> Message-ID:
Hi Matthias, Unfortunately the word "scope" is a bit overloaded in Keycloak. A few things to clarify:
- The client scopes are those which are referenced in the OAuth2 scope parameter. There are 2 types of these:
-- Default client scopes: they are always used and will be in the access token even if you don't use any special value of the "scope" parameter sent from the application.
-- Optional client scopes: they are added just if they are requested by the scope parameter. In your case, you added the Optional scope "test-api-admin". So you will see that if you use a scope parameter like "openid test-api-admin", it will use the "test-api-admin" client scope. But if you don't use any specific value of the scope parameter in your adapter, then "test-api-admin" won't be used.
- The "Full Scope Allowed" in the tab "Scope" of the client is unrelated to the Client Scopes. These point to Role Scope Mappings.
I've tried to clarify this a bit in the recent docs for 4.0.0.Final [1]. Let me know if it's still unclear. [1] https://www.keycloak.org/docs/latest/server_admin/index.html#scopes-explained Marek
On 19/06/18 13:47, Matthias Kesternich wrote: > Hello, > > > > I am trying to set up a keycloak configuration for my use case which goes like this: > > > > - I have an api called test-api, written in python and using OAuth2/OIDC. > > - Simple endpoints can be accessed if the access token's scope contains "test-api-read-write". This scope is granted to admin and api users. > > - Admin endpoints can be accessed if the access token's scope contains "test-api-admin". This scope is granted only to admin users. > > - All other users requesting an access token should not be granted any of the scopes. > > > > Now I've set it up like this in keycloak: > > > > 1. Create new realm "test" > > 2. Create user "norights". > > 3.
Create new client scopes "test-api-read-write" and "test-api-admin" (display consent = off). > > 4. Create new client "test-api" (confidential, openid-connect). > > 5. Add "test-api-read-write" to default client scopes of "test-api", add "test-api-admin" to optional client scopes. > > 6. Under "Scope" set "Full scope allowed" = off. > > > > To test the setup I go to the test-api client scopes page and click "Evaluate" with > > - optional client scopes: test-api-admin > > - user: norights > > > > This returns a generated access token like shown at the bottom of this mail. Especially, it contains the line > > > > "scope": "openid profile test-api-admin email test-api-read-write" > > > > This is really surprising to me, I expected "scopes" to *not* contain any of the "test-api-*" scopes. After all the user norights does not have any roles or permissions set up yet. Quoting from a previous mail on this list: > > > > "If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration" > > > > Here, the intersection with the user's own roles/scopes seems to be missing. > > > > I've looked at the code here: https://github.com/keycloak/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1fbd16f8de/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java . > > > > It seems initToken does "token.setScope(clientSessionCtx.getScopeString());" which seems to merely copy the scopes from the request. There's also this applyScope() method that seems to do the intersection thing, but doesn't seem to be called in this case. > > > > Is my understanding of client scope just plain wrong? I could get it to work if I use the "Authorize" tab and set up all this complicated policies stuff, but client scopes just seem so much easier. > > > > Thanks for creating such an impressive open source SSO solution!
> > -Matthias > > > > Generated access token: > > { > > "jti": "14f8a8e5-b39f-4092-aaa8-25ce62ceac2e", > > "exp": 1529408429, > > "nbf": 0, > > "iat": 1529408129, > > "iss": "http://localhost:8080/auth/realms/test", > > "aud": "test-api", > > "sub": "f4ecc77a-45ad-4dbf-9295-87d2fa4518c9", > > "typ": "Bearer", > > "azp": "test-api", > > "auth_time": 0, > > "session_state": "35140ca3-6107-4a79-8f46-b1b298d4bb58", > > "acr": "1", > > "allowed-origins": [], > > "resource_access": {}, > > "scope": "openid profile test-api-admin email test-api-read-write", > > "email_verified": true, > > "preferred_username": "norights" > > } > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jun 19 10:57:32 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 19 Jun 2018 16:57:32 +0200 Subject: [keycloak-user] keycloak without token In-Reply-To: <1529411041480-0.post@n6.nabble.com> References: <1529411041480-0.post@n6.nabble.com> Message-ID: <2c35a5ad-c6fd-cd55-057c-9cfc371c2220@redhat.com>
On 19/06/18 14:24, rdg77390 wrote: > Hi, I created an application using tomcat 8 and keycloak. > The application has some rest API that will be called from the browser. So the > application is both server and application. I believe with Jsessionid in a > cookie, I do not need to pass an authentication token if I'm talking to the > same server in the same session. Isn't it? Could someone clear this for me? Yes, you're right. The path should be authenticated by the cookie "JSessionId", so you don't need a token. A token is needed just if something else calls this REST endpoint under the "orbeon" path. Marek > Or should I have to pass an access token even if I'm talking to the same > server? > Also, I want to use Orbeon in the same tomcat, I set up crosscontext as > true.
> I want it to be secure, but without setting up a security-constraint, it seems like > keycloak does not protect the orbeon path. But it should be protected and should > be able to be accessed without passing an access token. Does this make sense? I do not > know if I'm on the right track or not. > > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From jbf.nospam at gmail.com Tue Jun 19 11:01:57 2018 From: jbf.nospam at gmail.com (Jean-Baptiste Fouet) Date: Tue, 19 Jun 2018 17:01:57 +0200 Subject: [keycloak-user] Getting a realm public key without credentials Message-ID:
Hi, we are trying to integrate keycloak in our system, and in order to check the generated access token, we need a realm public key. We would like to avoid configuring credentials on all endpoints needing to check a JWT token, so it would be great to be able to get the keycloak key without any credentials. I did find the endpoint http://localhost:8080/auth/realms/{realm} which gives the following JSON, without auth: {"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0} Unfortunately, here there is no key id, so I can't handle several JWT providers or even a single keycloak with key rotation. Now, I found a more detailed key interface under http://localhost:8080/auth/admin/realms/{realms}/keys, returning for each key the status, type (algorithm), and the key id. But I need credentials to access this interface, even though it's only public data (HMAC & AES keys are NOT provided). I accessed it with the keycloak master admin, I do not want to spread his credentials everywhere, but I would be ok if I could create a user with limited rights to access only that. Any suggestions on how to proceed?
Is there another endpoint to get this full info? The doc doesn't clearly state the roles needed to access auth/admin/realms/{realms}/keys Thank you JB

From mposolda at redhat.com Tue Jun 19 11:20:06 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 19 Jun 2018 17:20:06 +0200 Subject: [keycloak-user] "Mapper-spanning" LDAP federation and mapping "Composite Roles" In-Reply-To: References: Message-ID: <4e5950bb-773e-5fd9-7143-eb87e4b11c51@redhat.com>
Hi, I was wondering when/if someone asks for this flexibility ;) Until now, there are not so many people asking for it AFAIK. It won't be bad to have this, but I am concerned about complexity. A few things:
- The Groups in Keycloak are represented as a tree where every group has a single parent and no recursion is allowed. In LDAP recursion is possible (e.g. "group1" has parent "group2", which has parent "group3", which has again parent "group1"). This limitation applies just to Keycloak groups. Keycloak roles are fine.
- If you specify "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" as the value of "User Roles Retrieve strategy", then Keycloak will be able to query MSAD recursively. This is using the MSAD LDAP_MATCHING_RULE_IN_CHAIN functionality. So Keycloak users will be assigned to roles+groups from LDAP which are assigned recursively to them in LDAP. The limitation is that in the Keycloak admin console, the relationship between Roles, Composite Roles and Groups will not match the relationships from LDAP. However the final roles in the token for users should be correct and all the transitively assigned LDAP roles should be there. Could this help? Marek
On 18/06/18 17:17, Marco Hänseler wrote: > Hello there, > > I am trying to import a rather large and complex AD structure into > Keycloak and I am facing some rather substantial problems with that. > > First of all, I have some user groups whose members span over multiple > subtrees.
> > Example:
> Group OU 1
> |- Group1
>    |- Group1.1
> Group OU 2
> |- Group2
>    |- Group2.2
> Where Group1.1 is a member of Group1, Group2.2 is a member of Group2 and > Group2 is a member of Group1. In reality it is a little bit more complex of > course and makes much more sense ;-) > > Unfortunately, this doesn't seem to work as every group mapper only sees > its own groups, which leads to (1) that the resulting group-order does not > remotely match the one that's in AD and worse (2) when telling a group > mapper to watch out for groups that do not exist in upstream anymore, it > cleans up everything else. > > Second, there are (fortunately separate) OUs containing groups that > represent a set of rights granted to the user. Obviously, I want to map > them as roles. What I cannot achieve is to map these roles, once I import > them, to the groups they point to. Loading the roles recursively would > probably be possible as well, but I would like to stick to the AD structure as > close as possible (I'm planning to connect Keycloak to different data > sources as well and it would be pretty awesome to have some reporting > against the keycloak db at a later stage). > > Third, there are quite a lot of groups with multiple "member"s in AD. When > listing them, most of them have something in common: They are logically > used to pool similar roles, so no one needs to manage them one by one. > Which leads me to think that it would be quite accurate to map them as > "composite roles". Unfortunately, this does not seem to be supported by the > role mappers at all and if it was, it would probably also not work over > mapper boundaries. > > TLDR; Keycloak is able to map groups and roles from AD but is completely > missing functionality to do this cooperatively between mappers. I would > love to know whether anyone can think of another > as-good-as-possible-structure-preserving way of mapping this directory > beast inside Keycloak.
Also, I would love to hear about your thoughts > regarding implementing some "cross-mapper" functionality for the LDAP > connector and how far it can or should go to get this upstreamed later > eventually so we can proceed with this on -dev :-) > > Thanks for reading! > Marco > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Jun 19 11:21:10 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 19 Jun 2018 17:21:10 +0200 Subject: [keycloak-user] Keycloak Rest API - sessions In-Reply-To: References: Message-ID:
I think you're right that usability can be improved. Could you please create a JIRA for this? Thanks, Marek On 18/06/18 15:44, Eivind Larsen wrote: > Hi Keycloak Users! > > I am integrating the session data from Keycloak into our existing > account settings page. > > I see Keycloak has an API call for listing user sessions. > > GET /admin/realms/{realm}/clients/{id}/user-sessions > > a) I was wondering why this does not include offline sessions? > > So to list all sessions I need to: > > 1. List user sessions (call above). > 2. List consents. > 3. Grab client ids from consents. > 4. List offlineSessions for each client in 3. > 5. Merge all the sessions from 1 and 4. > > b) Am I missing something? Is there a simpler way to list all sessions > for a user?
> > > Best regards, > Eivind Larsen > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Tue Jun 19 11:40:20 2018 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 19 Jun 2018 17:40:20 +0200 Subject: [keycloak-user] Getting a realm public key without credentials In-Reply-To: References: Message-ID:
/auth/realms/{my_realm}/.well-known/openid-configuration will give you a list of OpenID endpoints, there you can find `jwks_uri` and it looks like it is what you are looking for: http://localhost:8080/auth/realms/{my_realm}/protocol/openid-connect/certs On Tue, Jun 19, 2018 at 5:01 PM, Jean-Baptiste Fouet wrote: > Hi, we are trying to integrate keycloak in our system, and in order to > check the generated access token, we need a realm public key. We would like > to avoid configuring credentials on all endpoints needing to check a JWT > token, so it would be great to be able to get the keycloak key without any > credentials. > > I did find the endpoint > > http://localhost:8080/auth/realms/{realm} > > > which gives the following JSON, without auth: > > {"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0} > > Unfortunately, here there is no key id, so I can't handle several JWT > providers or even a single keycloak with key rotation. > > Now, I found a more detailed key interface under > > http://localhost:8080/auth/admin/realms/{realms}/keys, returning for > each key the status, type (algorithm), and the key id. > > But I need credentials to access this interface, even though it's only > public data (HMAC & AES keys are NOT provided).
> > I accessed it with the keycloak master admin, I do not want to spread > his credentials everywhere, but I would be ok if I could create a > user with limited rights to access only that > > Any suggestions on how to proceed? Is there another endpoint to get > this full info? > The doc doesn't clearly state the roles needed to access > > auth/admin/realms/{realms}/keys > > Thank you > > JB > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From waldemar.schmalz at codecentric.de Tue Jun 19 12:56:20 2018 From: waldemar.schmalz at codecentric.de (Waldemar Schmalz) Date: Tue, 19 Jun 2018 18:56:20 +0200 Subject: [keycloak-user] Add custom roles in realm-management client Message-ID:
Hello, I have created a new client-role in client "realm-management". It's called "manage-roles" and its purpose is (or should be) to grant users access to create, edit and delete roles in their realms. In the base theme this is only possible when users have access to the role "manage-realm" in client "realm-management". But with this client-role the user is able to manage the whole realm, not only the roles. My user is only allowed to manage roles, users and groups in this case. I changed the html-files so that the keycloak sidebar menu is working: Menu item "Roles" is visible for a user with my custom client-role "manage-role". I also extended the getAccessObject() method in my theme's controller/realm.js with the needed new role "manageRoles". Accessing the roles-list page is working, but accessing the role-details page (when clicking on a specific role) fails. I get a 403 Forbidden. My question is: Is there something I forgot? Where is the check for returning a 200 OK or a Forbidden for this case? It seems it is not in the template files, like for the side-menu? If I forgot any information or something, please contact me. Thank you, your help is much appreciated!
Best regards Waldemar

From rdenadai at gmail.com Tue Jun 19 16:12:32 2018 From: rdenadai at gmail.com (Rodolfo De Nadai) Date: Tue, 19 Jun 2018 17:12:32 -0300 Subject: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem Message-ID:
Hi, I'm configuring my keycloak installation as an IdP and Google apps as an SSO. I'm able to login but when trying to logout I got no success... My configuration follows the one described here: https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063 There was a thread in the mailing list which was able to login also, but didn't mention the logout process. As I thought it should be almost transparent, since no documentation says anything, it is beginning to turn into a problem. If someone could help or point in some direction I'd appreciate it. thanks

From matthew.evans at oracle.com Tue Jun 19 20:04:21 2018 From: matthew.evans at oracle.com (Matt Evans) Date: Tue, 19 Jun 2018 17:04:21 -0700 (PDT) Subject: [keycloak-user] Identity Provider Mappers are not being deleted when Identity Provider is deleted Message-ID: <8657a4bb-3e4e-4fce-84b0-6e0ed399b882@default>
I'm using kcadm to add and remove identity providers, and identity provider mappers. I've noticed that I can delete an identity provider that has a mapper assigned to it, and then when I read the whole realm, the identityProviderMappers element contains all the mappers, including ones for the identity providers that I have deleted. I don't seem to be able to delete them then, I can't use the documented api url because it is a sub route of the identity-provider, which doesn't exist now, so it returns 404. Is there an admin url that can manipulate the provider mappers collection itself? Or is this an issue and deleting the provider should also delete its mappers?
Matt

From mposolda at redhat.com Tue Jun 19 23:47:40 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 20 Jun 2018 05:47:40 +0200 Subject: [keycloak-user] Identity Provider Mappers are not being deleted when Identity Provider is deleted In-Reply-To: <8657a4bb-3e4e-4fce-84b0-6e0ed399b882@default> References: <8657a4bb-3e4e-4fce-84b0-6e0ed399b882@default> Message-ID:
On 20.6.2018 at 02:04 Matt Evans wrote: > I'm using kcadm to add and remove identity providers, and identity provider mappers. > > > > I've noticed that I can delete an identity provider that has a mapper assigned to it, and then when I read the whole realm, the identityProviderMappers element contains all the mappers, including ones for the identity providers that I have deleted. > > > > I don't seem to be able to delete them then, I can't use the documented api url because it is a sub route of the identity-provider, which doesn't exist now, so it returns 404. > > > > Is there an admin url that can manipulate the provider mappers collection itself? Or is this an issue and deleting the provider should also delete its mappers? Looks like yes. Feel free to create a JIRA. Marek > > > > Matt > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Jun 20 02:38:34 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 20 Jun 2018 08:38:34 +0200 Subject: [keycloak-user] Release plan RH-SSO In-Reply-To: References: Message-ID:
There will be an RH-SSO release based on Keycloak 4.x. Keycloak has a 3 week release cadence, while RH-SSO releases come every 9-12 months. On Tue, 19 Jun 2018 at 09:20, Lösch, Sebastian <Sebastian.Loesch at governikus.de> wrote: > Hello, > > the new Keycloak release 4.0.0.Final is out now and I wonder what's the > next RH-SSO release. Is there any release plan regarding RH-SSO?
> (And is this mailing list the right place to ask?)
>
> Best regards,
> Sebastian

From eivind at jotta.no Wed Jun 20 03:27:31 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Wed, 20 Jun 2018 00:27:31 -0700
Subject: [keycloak-user] Keycloak Rest API - sessions
In-Reply-To: References: Message-ID:

Hi, I created issue https://issues.jboss.org/browse/KEYCLOAK-7664 to improve listing all sessions for a user.

On 19 June 2018 at 17:21:12, Marek Posolda (mposolda at redhat.com) wrote:

I think you're right that usability can be improved. Could you please create a JIRA for this?

Thanks,
Marek

On 18/06/18 15:44, Eivind Larsen wrote:
> Hi Keycloak Users!
>
> I am integrating the session data from Keycloak into our existing account settings page.
>
> I see Keycloak has an API call for listing user sessions.
>
> GET /admin/realms/{realm}/clients/{id}/user-sessions
>
> a) I was wondering why this does not include offline sessions?
>
> So to list all sessions I need to:
>
> 1. List user sessions (call above).
> 2. List consents.
> 3. Grab client ids from consents.
> 4. List offlineSessions for each client in 3.
> 5. Merge all the sessions from 1 and 4.
>
> b) Am I missing something? Is there a simpler way to list all sessions for a user?
>
> Best regards,
> Eivind Larsen

From jbf.nospam at gmail.com Wed Jun 20 03:36:26 2018
From: jbf.nospam at gmail.com (Jean-Baptiste Fouet)
Date: Wed, 20 Jun 2018 09:36:26 +0200
Subject: [keycloak-user] Getting a realm public key without credentials
In-Reply-To: References: Message-ID:

Thanks, that's what I was looking for.

JB

2018-06-19 17:40 GMT+02:00 Sebastien Blanc :
> /auth/realms/{my_realm}/.well-known/openid-configuration will give you a list of openId endpoints; there you can find `jwks_uri`, and it looks like it is what you are looking for: http://localhost:8080/auth/realms/{my_realm}/protocol/openid-connect/certs
>
> On Tue, Jun 19, 2018 at 5:01 PM, Jean-Baptiste Fouet wrote:
>
>> Hi, we are trying to integrate keycloak in our system, and in order to check the generated access token, we need a realm public key. We would like to avoid configuring credentials on all endpoints needing to check a JWT token, so it would be great to be able to get the keycloak key without any credentials.
>>
>> I did find the endpoint
>>
>> http://localhost:8080/auth/realms/{realm}
>>
>> which gives the following JSON, without auth:
>>
>> {"realm":{realm},"public_key":"xx","token-service":"http://localhost:8080/auth/realms/{realm}/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/{realm}/account","tokens-not-before":0}
>>
>> Unfortunately, here there is no key id, so I can't handle several JWT providers or even a single keycloak with key rotation.
>>
>> Now, I found a more detailed key interface under
>>
>> http://localhost:8080/auth/admin/realms/{realms}/keys, returning for each key the status, type (algorithm), and the key id.
>>
>> But I need credentials to access this interface, even though it's only public data (HMAC & AES keys are NOT provided).
>>
>> I accessed it with the keycloak master admin; I do not want to spread his credentials everywhere, but I would be OK if I could create a user with limited rights to access only that.
>>
>> Any suggestions on how to proceed? Is there another endpoint to get this full info?
>> The doc doesn't clearly state the roles needed to access
>>
>> auth/admin/realms/{realms}/keys
>>
>> Thank you
>>
>> JB

From max.mayr at axonivy.com Wed Jun 20 03:37:01 2018
From: max.mayr at axonivy.com (Max Mayr)
Date: Wed, 20 Jun 2018 07:37:01 +0000
Subject: [keycloak-user] Keycloak 2.3.0.Final Docker container without ssl
Message-ID:

Hello there, is there a possibility to start the Keycloak 2.3.0.Final Docker container without SSL? Maybe by changing the standalone.xml? Or adding properties?

Kind Regards,
Max

From matthias.kesternich at moneymeets.com Wed Jun 20 05:23:58 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Wed, 20 Jun 2018 09:23:58 +0000
Subject: [keycloak-user] Client scopes not checked?
In-Reply-To: References: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com> Message-ID:

Hi Marek, thanks for your answer.

> - The client scopes are those, which are referenced in OAuth2 scope parameter. There are 2 types of this:

Yes, OAuth2 scope parameters are the ones I actually want to use.

> -- Default client scopes: they are always assigned used and will be in access token even if you don't use any special value of "scope" parameter sent from the application

Ok, this is what was irritating me. According to this section in the spec https://tools.ietf.org/html/rfc6749#section-3.3 :

"The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions."
I assumed that Keycloak would exercise some "authorization server policy" to restrict the scopes that are returned. Right now it seems to restrict the value of "scope" only to the client scopes, but it doesn't make any further scope restrictions based on e.g. the user's roles.

This leads me to my next question: If I want to return only the scopes that a user actually may acquire, how do I do this in Keycloak? Do I use the "Authorization" tab and configure appropriate policies? Do I write a custom mapper that overwrites the default "scope" value? I'm going to experiment with this anyway, but I'd like to know if I'm abusing the wrong machinery to achieve this goal.

> - The "Full Scope Allowed" in the tab "Scope" of the client is unrelated to the Client Scopes. These point to Role Scope Mappings. I've tried to clarify this a bit in the recent docs for 4.0.0.Final [1]. Let me know if it's still unclear.

Yes, I've read that paragraph before, and actually it helps me to know that there are different scopes, but it's not always clear to me in which context which scope is actually being referred to. I guess a diagram about the different interactions between roles, users, policies, mappers and whatnot could help to clear this up a bit. It's probably easier to put in a picture than to explain with words. When I get the time and understand things, I'll draw one myself and share it here.

Best,
-Matthias

On 19.06.18, 16:55, "Marek Posolda" wrote:

Hi Matthias,

Unfortunately the word "scope" is a bit overloaded in Keycloak. A few things to clarify:

- The client scopes are those which are referenced in the OAuth2 scope parameter. There are 2 types of this:

-- Default client scopes: they are always assigned and used, and will be in the access token even if you don't use any special value of the "scope" parameter sent from the application

-- Optional client scopes: they are added just if they are requested by the scope parameter. In your case, you added the Optional scope "test-api-admin".
So you will see that if you use a scope parameter like "openid test-api-admin", it will use the "test-api-admin" client scope. But if you don't use any specific value of the scope parameter in your adapter, then "test-api-admin" won't be used.

- The "Full Scope Allowed" in the tab "Scope" of the client is unrelated to the Client Scopes. These point to Role Scope Mappings. I've tried to clarify this a bit in the recent docs for 4.0.0.Final [1]. Let me know if it's still unclear.

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#scopes-explained

Marek

On 19/06/18 13:47, Matthias Kesternich wrote:
> Hello,
>
> I am trying to set up a keycloak configuration for my use case, which goes like this:
>
> - I have an API called test-api, written in Python and using OAuth2/OIDC.
> - Simple endpoints can be accessed if the access token's scope contains "test-api-read-write". This scope is granted to admin and API users.
> - Admin endpoints can be accessed if the access token's scope contains "test-api-admin". This scope is granted only to admin users.
> - All other users requesting an access token should not be granted any of the scopes.
>
> Now I've set it up like this in keycloak:
>
> 1. Create new realm "test"
> 2. Create user "norights".
> 3. Create new client scopes "test-api-read-write" and "test-api-admin" (display consent = off).
> 4. Create new client "test-api" (confidential, openid-connect).
> 5. Add "test-api-read-write" to default client scopes of "test-api", add "test-api-admin" to optional client scopes.
> 6. Under "Scope" set "Full scope allowed" = off.
>
> To test the setup I go to the test-api client scopes page and click "Evaluate" with
> - optional client scopes: test-api-admin
> - user: norights
>
> This returns a generated access token like shown at the bottom of this mail.
> Especially, it contains the line
>
> "scope": "openid profile test-api-admin email test-api-read-write"
>
> This is really surprising to me; I expected "scopes" to *not* contain any of the "test-api-*" scopes. After all, the user norights does not have any roles or permissions set up yet. Quoting from a previous mail on this list:
>
> "If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration"
>
> Here, the intersection with the user's own roles/scopes seems to be missing.
>
> I've looked at the code here: https://github.com/keycloak/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1fbd16f8de/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java .
>
> It seems initToken does "token.setScope(clientSessionCtx.getScopeString());" which seems to merely copy the scopes from the request. There's also this applyScope() method that seems to do the intersection thing, but doesn't seem to be called in this case.
>
> Is my understanding of client scopes just plain wrong? I could get it to work if I use the "Authorize" tab and set up all this complicated policies stuff, but client scopes just seem so much easier.
>
> Thanks for creating such an impressive open source SSO solution!
> -Matthias
>
> Generated access token:
>
> {
>   "jti": "14f8a8e5-b39f-4092-aaa8-25ce62ceac2e",
>   "exp": 1529408429,
>   "nbf": 0,
>   "iat": 1529408129,
>   "iss": "http://localhost:8080/auth/realms/test",
>   "aud": "test-api",
>   "sub": "f4ecc77a-45ad-4dbf-9295-87d2fa4518c9",
>   "typ": "Bearer",
>   "azp": "test-api",
>   "auth_time": 0,
>   "session_state": "35140ca3-6107-4a79-8f46-b1b298d4bb58",
>   "acr": "1",
>   "allowed-origins": [],
>   "resource_access": {},
>   "scope": "openid profile test-api-admin email test-api-read-write",
>   "email_verified": true,
>   "preferred_username": "norights"
> }

From manisha04.nandal at gmail.com Wed Jun 20 06:42:18 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Wed, 20 Jun 2018 16:12:18 +0530
Subject: [keycloak-user] keycloak SAML response - Authentication method information
Message-ID:

Hi, I authenticated my client application using the Google IDP. I want to retrieve the information about the IDP used for authentication from the keycloak SAML response. I have checked in the keycloak documentation that "AuthnStatement" gives us the authentication method used (password, etc.) as well as a timestamp of the login. But my SAML response does not provide any such information. The SAML contains the user name used for authentication under "NameID", but I want the identity provider information, say in my case Google is the IDP.

urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

Can you please guide me on the same.

Thanks,
Manisha

From matthias.kesternich at moneymeets.com Wed Jun 20 07:36:53 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Wed, 20 Jun 2018 11:36:53 +0000
Subject: [keycloak-user] Client scopes not checked?
In-Reply-To: References: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com> Message-ID:

> This leads me to my next question: If I want to return only the scopes that a user actually may acquire, how do I do this in Keycloak? Do I use the "Authorization" tab and configure appropriate policies? Do I write a custom mapper that overwrites the default "scope" value? I'm going to experiment with this anyways, but I'd like to know if I'm abusing the wrong machinery to achieve this goal.

So I experimented a bit, and it seems I can just use a "User Client Role" mapper that adds the roles/permissions to the token. This is much easier than the full UMA thing under "Authorization". There seem to be almost no working Python clients for UMA as well.

I am also probably going to separate "scope" and "permissions". I'm realizing that "scope" means "the client is allowed to access this and that" while "permissions" means "the user is allowed to access this and that". This understanding seems to be verified by https://stackoverflow.com/questions/48351332/oauth-scopes-and-application-roles-permissions .

Does the solution using "User Client Role" make any sense to you?

Best,
-Matthias

From pawad at inboxmarketer.com Wed Jun 20 08:40:27 2018
From: pawad at inboxmarketer.com (Peter Awad)
Date: Wed, 20 Jun 2018 08:40:27 -0400
Subject: [keycloak-user] KrakenD and Keycloak
In-Reply-To: <7715B9B3-9471-4665-8235-C3FAE63F94E8@info.nl>
References: <7715B9B3-9471-4665-8235-C3FAE63F94E8@info.nl>
Message-ID:

Thanks Federico, that's exactly what we needed.
Peter Awad | Customer Success Specialist
pawad at inboxmarketer.com
T: 519.824.6664 x220

"To give real service you must add something which cannot be bought or measured with money, and that is sincerity and integrity." ~ Douglas Adams

On Mon, Jun 18, 2018 at 3:43 AM, Federico Navarro Polo - Info.nl <federico at info.nl> wrote:
> There is a special URL in keycloak you can access by appending /.well-known/openid-configuration to your realm URL.
>
> E.g.: if your realm is InboxAuth and your base URL is https://dev-idp03.inboxmarketer.net/auth , then it would be:
>
> https://dev-idp03.inboxmarketer.net/auth/realms/InboxAuth/.well-known/openid-configuration
>
> It sounds like you are interested in the token_endpoint URL displayed there.
>
> Regards,
> Federico
>
> On 15/06/18 20:53, "keycloak-user-bounces at lists.jboss.org on behalf of Peter Awad" <pawad at inboxmarketer.com> wrote:
>
> We are in the early stages of implementing keycloak and currently have a dev environment set up with keycloak 4.beta3
>
> One of my dev teams is working on an API proxy with KrakenD but are struggling.
> I assumed that this was going to be a bearer type and provided them with the following:
>
> {
>   "realm": "InboxAuth",
>   "bearer-only": true,
>   "auth-server-url": "https://dev-idp03.inboxmarketer.net/auth",
>   "ssl-required": "all",
>   "resource": "insights-dev",
>   "confidential-port": 0
> }
>
> as well as a test user, clientId, secret and Reg Token
>
> However KrakenD appears to want the following:
> ClientId - Got that.
> Client Secret - Got that.
> Token URL - auth server url does not seem to work here.
> Scopes - Got that.
>
> So I guess the real question is what should I be using for Token URL
>
> Thanks
>
> Peter Awad | Customer Success Specialist
> pawad at inboxmarketer.com
> T: 519.824.6664 x220
>
> "To give real service you must add something which cannot be bought or measured with money, and that is sincerity and integrity." ~ Douglas Adams

From corentin.dupont at gmail.com Wed Jun 20 09:04:39 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 20 Jun 2018 15:04:39 +0200
Subject: [keycloak-user] Keycloak 4
Message-ID:

Hi guys, I'm playing with the new version of Keycloak (https://www.keycloak.org/docs/latest/release_notes/index.html)

I have some questions:
- where is the "account management console"?
- How to use pushed claims? Which APIs are affected?

Thanks!
Corentin

From alvaro.martin at bluetab.net Wed Jun 20 09:22:33 2018
From: alvaro.martin at bluetab.net (Alvaro Martin)
Date: Wed, 20 Jun 2018 15:22:33 +0200
Subject: [keycloak-user] Secure RESTful API with keycloak
In-Reply-To: References: Message-ID:

Hi,

We are evaluating keycloak as an IAM for a future application. We are building a prototype with an Angular front app and a Spring Boot 2 backend. The backend app exposes a RESTful API whose access we want to restrict down to the HTTP verb level. At least we want to achieve two access levels on each endpoint: read-only access (HTTP GET) and full access (GET, POST, PUT, DELETE).

We have configured keycloak and built the application, but the backend doesn't seem to restrict the access. Here is the application.yml. We are trying to set up a ROLE_CLIENT_RO (for read-only) and ROLE_CLIENT_FA (for full access).
keycloak:
  auth-server-url: http://localhost:8010/auth
  bearer-only: true
  public-client: true
  realm: blue-energy
  resource: client-service
  securityConstraints:
    - authRoles:
        - ROLE_CLIENT_RO
      securityCollections:
        - name: protected resource
          patterns:
            - /clients
            - /clients/
          methods:
            - GET
  ssl-required: external

The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP verb. If we assign the realm role ROLE_CLIENT_RO to the user that should grant just read-only access, he has unrestricted access to the whole endpoint (i.e. all the verbs).

We are using keycloak 4.0.0.Final.

Is this configuration supposed to work? We haven't found many references on how to set up a scenario like this.

Thanks in advance,

Álvaro Martín García
alvaro.martin at bluetab.net
+34 91 457 16 97
+34 687 398 622

From eivind at jotta.no Wed Jun 20 09:31:10 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Wed, 20 Jun 2018 06:31:10 -0700
Subject: [keycloak-user] Admin API: Deleting an offline session
Message-ID:

Hi Keycloak Users

In the admin API there is a call to delete a session by ID:

DELETE /{realm}/sessions/{session}

This works for user (online) sessions, but when given the session ID of an offline session, it gives a 404 error and nothing is deleted. Seeing as this is the only way to delete a given sessionId, I would expect the call to also delete offline sessions.

1. Is there a way to delete an offline session by id?

2. I think it would be more useful if this call was scoped per user. Currently you have to load all user sessions, verify that this session ID is indeed owned by the user, then call delete. Scoping per user would make it impossible to delete a wrong user's session, and it would reduce requests to the keycloak instance significantly.
Best Regards,
Eivind Larsen

From yordan.pavlov at sap.com Wed Jun 20 10:26:11 2018
From: yordan.pavlov at sap.com (Pavlov, Yordan)
Date: Wed, 20 Jun 2018 14:26:11 +0000
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
Message-ID:

Hi all,

I'm evaluating Keycloak as IAM for one open source project [1]; so far, I've tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster. The real cluster (created by Gardener [2]) is running on AWS and the access to Keycloak is exposed through an Ingress controller [3]. We've also installed "cert-manager" for automated management of Let's Encrypt issued certificates.

So far so good, but when I try to log in to the "Admin Console" I get the following error:

"We're sorry... HTTPS required"

In the logs of the pod, there is the following warning:

"WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required"

As far as I understand, the Let's Encrypt certificate is trusted by the browsers and it appears to be trusted by the OpenJDK also [4]. Then what should be done in order to access the Admin Console?

Last but not least, we are using the jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).

Regards,
Yordan Pavlov

[1] ProMART: https://github.com/promart-io | https://www.promart.io/
[2] Gardener: https://github.com/gardener
[3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
[4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

From sblanc at redhat.com Wed Jun 20 11:49:50 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 20 Jun 2018 17:49:50 +0200
Subject: [keycloak-user] Secure RESTful API with keycloak
In-Reply-To: References: Message-ID:

Hi!
I must admit that the Servlet Security constraints regarding METHODS are not easy to grasp. If you add another security constraint that also covers POST/PUT/DELETE then it should work, something like that (sorry, using old school properties):

keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[0].securityCollections[0].methods[0]=GET

keycloak.security-constraints[1].authRoles[0]=super
keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE

Also make sure that the user that has full access also has the read-only role.

Hope this helps.

Sebi

On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin wrote:
> Hi,
>
> We are evaluating keycloak as an IAM for a future application. We are building a prototype with an Angular front app and a Spring Boot 2 backend. The backend app exposes a RESTful API whose access we want to restrict down to the HTTP verb level. At least we want to achieve two access levels on each endpoint: read-only access (HTTP GET) and full access (GET, POST, PUT, DELETE).
>
> We have configured keycloak and built the application, but the backend doesn't seem to restrict the access. Here is the application.yml. We are trying to set up a ROLE_CLIENT_RO (for read-only) and ROLE_CLIENT_FA (for full access).
>
> keycloak:
>   auth-server-url: http://localhost:8010/auth
>   bearer-only: true
>   public-client: true
>   realm: blue-energy
>   resource: client-service
>   securityConstraints:
>     - authRoles:
>         - ROLE_CLIENT_RO
>       securityCollections:
>         - name: protected resource
>           patterns:
>             - /clients
>             - /clients/
>           methods:
>             - GET
>   ssl-required: external
>
> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP verb. If we assign the realm role ROLE_CLIENT_RO to the user that should grant just read-only access, he has unrestricted access to the whole endpoint (i.e. all the verbs).
>
> We are using keycloak 4.0.0.Final.
>
> Is this configuration supposed to work? We haven't found many references on how to set up a scenario like this.
>
> Thanks in advance,
>
> Álvaro Martín García
> alvaro.martin at bluetab.net
> +34 91 457 16 97
> +34 687 398 622

From alvaro.martin at bluetab.net Wed Jun 20 11:54:27 2018
From: alvaro.martin at bluetab.net (Alvaro Martin)
Date: Wed, 20 Jun 2018 17:54:27 +0200
Subject: [keycloak-user] Secure RESTful API with keycloak
In-Reply-To: References: Message-ID:

Hi Sebi,

It has worked! Thanks a lot for your help,

Álvaro Martín García
alvaro.martin at bluetab.net
+34 91 457 16 97
+34 687 398 622

2018-06-20 17:49 GMT+02:00 Sebastien Blanc :
> Hi!
>
> I must admit that the Servlet Security constraints regarding METHODS are not easy to grasp. If you add another security constraint that also covers POST/PUT/DELETE then it should work, something like that (sorry, using old school properties):
>
> keycloak.security-constraints[0].authRoles[0]=user
> keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
> keycloak.security-constraints[0].securityCollections[0].methods[0]=GET
>
> keycloak.security-constraints[1].authRoles[0]=super
> keycloak.security-constraints[1].securityCollections[0].patterns[0]=/products/*
> keycloak.security-constraints[1].securityCollections[0].methods[0]=POST
> keycloak.security-constraints[1].securityCollections[0].methods[1]=PUT
> keycloak.security-constraints[1].securityCollections[0].methods[2]=DELETE
>
> Also make sure that the user that has full access also has the read-only role.
>
> Hope this helps.
>
> Sebi
>
> On Wed, Jun 20, 2018 at 3:22 PM, Alvaro Martin wrote:
>
>> Hi,
>>
>> We are evaluating keycloak as an IAM for a future application. We are building a prototype with an Angular front app and a Spring Boot 2 backend. The backend app exposes a RESTful API whose access we want to restrict down to the HTTP verb level. At least we want to achieve two access levels on each endpoint: read-only access (HTTP GET) and full access (GET, POST, PUT, DELETE).
>>
>> We have configured keycloak and built the application, but the backend doesn't seem to restrict the access. Here is the application.yml. We are trying to set up a ROLE_CLIENT_RO (for read-only) and ROLE_CLIENT_FA (for full access).
>>
>> keycloak:
>>   auth-server-url: http://localhost:8010/auth
>>   bearer-only: true
>>   public-client: true
>>   realm: blue-energy
>>   resource: client-service
>>   securityConstraints:
>>     - authRoles:
>>         - ROLE_CLIENT_RO
>>       securityCollections:
>>         - name: protected resource
>>           patterns:
>>             - /clients
>>             - /clients/
>>           methods:
>>             - GET
>>   ssl-required: external
>>
>> The backend app seems to honor the ROLE_CLIENT_RO role but not the HTTP verb. If we assign the realm role ROLE_CLIENT_RO to the user that should grant just read-only access, he has unrestricted access to the whole endpoint (i.e. all the verbs).
>>
>> We are using keycloak 4.0.0.Final.
>>
>> Is this configuration supposed to work? We haven't found many references on how to set up a scenario like this.
>>
>> Thanks in advance,
>>
>> Álvaro Martín García
>> alvaro.martin at bluetab.net
>> +34 91 457 16 97
>> +34 687 398 622

From rafaelweingartner at gmail.com Thu Jun 21 03:31:05 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 21 Jun 2018 09:31:05 +0200
Subject: [keycloak-user] Keycloak as an identity provider (either SAML or OpenID Connect)?
Message-ID:

Hello, Keycloak community,

I am evaluating Keycloak, and after some reading, I got the impression that it supports OpenID Connect and SAML (which fits my requirement exactly). However, after installing it and digging a little deeper into the configuration overview, I got confused.

I have used OpenID Connect before with the MITREid implementation. So, when I install and configure the MITREid IdP, it will be working as an IdP for my federation. I understand that Keycloak can do identity brokering, which is super nice, but what I wonder is the following. Is Keycloak prepared to be an IdP out of the box with either SAML or OpenID Connect protocols? Or does it depend on IdPs that implement those protocols to work?

Rafael Weingärtner

From miguel.sanz at kairosds.com Thu Jun 21 03:34:18 2018
From: miguel.sanz at kairosds.com (Miguel Sanz)
Date: Thu, 21 Jun 2018 09:34:18 +0200
Subject: [keycloak-user] New ftl template and routing
Message-ID:

Hello, my team wants to add a new template in the User Account Management because we need to show other useful data to the user. Of course, if we want to add this new template, we want to have access to it from the routing, and we also need the user token.
I think that we need to modify the server code if we want to add this new feature. But we would like to modify the code as little as possible.

How can we add a new template and the route without changing the code much?

Thank you very much.

Miguel Sanz Martín
Full-stack Developer
Kairós Digital Solutions
Castellana 43 - WeWork, Madrid 28046
https://www.kairosds.com/

Legal notice: This message and any attached file are intended solely for the addressee and are confidential. If you have received this message in error, please notify the sender and delete it immediately. Use, disclosure and/or reproduction of the message may constitute a criminal offence.

Data Protection - Controller: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L. Purpose: sending information and answering enquiries and general contacts, for as long as our relationship lasts and we have your consent. Recipients: no data will be transferred to third parties except under a legal obligation. Rights: you may exercise your rights of access, rectification, erasure and objection, restrict the processing of your data, object directly to the processing, or exercise your right to data portability, all in writing, accompanied by a copy of an official identity document, addressed to the CONTROLLER. If you disagree with the processing, you also have the right to lodge a complaint with the Spanish Data Protection Agency. You may also object to our commercial communications (Art. 21.2 of the LSSI) at the following e-mail address: info at kairosds.com

From sthorger at redhat.com Thu Jun 21 04:28:24 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 21 Jun 2018 10:28:24 +0200
Subject: [keycloak-user] Keycloak as an identity provider (either SAML or OpenID Connect)?
In-Reply-To: References: Message-ID:

Of course Keycloak can stand on its own. Brokering is just an additional optional thing.

On 21 Jun 2018 9:33 am, "Rafael Weingärtner" wrote:

Hello, Keycloak community,

I am evaluating Keycloak, and after some reading, I got the impression that it supports OpenID Connect and SAML (which fits my requirement exactly). However, after installing it and digging a little deeper into the configuration overview, I got confused.

I have used OpenID Connect before with the MITREid implementation. So, when I install and configure the MITREid IdP, it will be working as an IdP for my federation. I understand that Keycloak can do identity brokering, which is super nice, but what I wonder is the following.
Is Keycloak prepared to be an IdP out of the box with either SAML or OpenID Connect protocols? Or does it depend on IdPs that implement those protocols to work? -- Rafael Weingärtner _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From rafaelweingartner at gmail.com Thu Jun 21 04:33:21 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 21 Jun 2018 10:33:21 +0200
Subject: [keycloak-user] Keycloak as an identity provider (either SAML or OpenID Connect)?
In-Reply-To: References: Message-ID:

Thanks for the answer Stian. From my readings and testing, it looks like Keycloak is able to have "multiple IdPs inside itself". I mean, it uses the idea of "realms", and they can have different configurations. Therefore, for an external client (SP), each realm will look like a different IdP. At least, that is my feeling when I discovered the "OpenID Connect discovery URL" ( http://localhost:8080/auth/realms/master/.well-known/openid-configuration).

On Thu, Jun 21, 2018 at 10:28 AM, Stian Thorgersen wrote: > Of course Keycloak can stand on its own. Brokering is just an additional > optional thing. > > On 21 Jun 2018 9:33 am, "Rafael Weingärtner" > wrote: > > Hello, Keycloak community, > > I am evaluating Keycloak, and after some reading, I got the impression that > it supports OpenID Connect and SAML (which fits exactly on my requirement). > However, after installing it, and digging a little deeper in the > configuration overview, I got confused. > > I have used OpenID Connect before with the MITREid implementation. So, when I > install and configure MITREid IdP, it will be working as an IdP for my > federation. I understand that Keycloak can do identity brokering, which is > super nice, but what I wonder is the following. Is Keycloak prepared to be > an IdP out of the box with either SAML or OpenID Connect protocols?
Or, > does it depend on IdPs that implement those protocols to work? > > -- > Rafael Weingärtner > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Rafael Weingärtner

From gpayet at evolutive-group.com Thu Jun 21 04:48:15 2018
From: gpayet at evolutive-group.com (Gérald Payet)
Date: Thu, 21 Jun 2018 10:48:15 +0200
Subject: [keycloak-user] how to import json user md5 password?
Message-ID:

Dear All, Can somebody explain how to import users with a current database? All info in the json file is fine except the md5 password. Is there a way to manage with my current md5 password at the beginning (import process with the json file)? Thanks a lot. Regards, Gérald PAYET

From bruno at abstractj.org Thu Jun 21 05:12:55 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 21 Jun 2018 05:12:55 -0400
Subject: [keycloak-user] how to import json user md5 password?
In-Reply-To: References: Message-ID:

I don't think it supports that. And we do that for a good reason: MD5 is completely unsafe and should never be used for passwords. Take a look at this thread; it may help you: http://lists.jboss.org/pipermail/keycloak-user/2015-December/004212.html

On Thu, Jun 21, 2018, 4:48 AM Gérald Payet wrote: > Dear All, > > > Can somebody explain how to import users with a current database? > > All info in the json file is fine except the md5 password. > > Is there a way to manage with my current md5 password at the beginning (import > process with the json file)? > > > Thanks a lot.
> > > Regards, > > Gérald PAYET > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From gpayet at evolutive-group.com Thu Jun 21 05:33:36 2018
From: gpayet at evolutive-group.com (Gérald Payet)
Date: Thu, 21 Jun 2018 11:33:36 +0200
Subject: [keycloak-user] how to import json user md5 password?
In-Reply-To: References: Message-ID:

Hello, So to import all my customers I need to reset the md5 password for all? Not really UX :-( Thanks a lot.

On Thu, 21 June 2018 at 11:13, Bruno Oliveira wrote: > I don't think it supports that. And we do that for a good reason: MD5 is > completely unsafe and should never be used for passwords. > > Take a look at this thread; it may help you: > http://lists.jboss.org/pipermail/keycloak-user/2015-December/004212.html > > On Thu, Jun 21, 2018, 4:48 AM Gérald Payet > wrote: > >> Dear All, >> >> >> Can somebody explain how to import users with a current database? >> >> All info in the json file is fine except the md5 password. >> >> Is there a way to manage with my current md5 password at the beginning (import >> process with the json file)? >> >> >> Thanks a lot. >> >> >> Regards, >> >> Gérald PAYET >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Regards, Gérald PAYET Directeur Technique - Technical Director Phone : +33 (0)9 72 57 66 82 Skype : eb2.gerald.payet Twitter / Facebook / Evolutive-group.com

From slaskawi at redhat.com Thu Jun 21 07:18:24 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 21 Jun 2018 13:18:24 +0200
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
In-Reply-To: References: Message-ID:

I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration.
If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request. I think you have a couple of options how to solve it:
- Use pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination). A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
- Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic)
- Turn off the "Require SSL" option in the "Realm Settings". But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!!

Thanks, Sebastian

On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan wrote: > Hi all, > > I'm evaluating Keycloak as IAM for one open source project [1]; so far, > I've tested it successfully on a minikube (local) Kubernetes cluster and I > want to run it on a real cluster. > > The real cluster (created by Gardener [2]) is running on AWS and the > access to Keycloak is exposed through an Ingress controller [3]. > We've also installed "cert-manager" for automated certificate management > of Let's Encrypt issued certificates. > > So far so good, but when I try to log in to the "Admin Console" I get the > following error: > "We're sorry... HTTPS required" > > In the logs of the pod, there is the following warning: > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, > error=ssl_required" > > As far as I understand, the Let's Encrypt certificate is trusted by the > browsers and it appears to be trusted by OpenJDK also [4]. > Then what should be done in order to access the Admin Console?
> > Last but not least, we are using the jboss/keycloak:latest image (I know that > we should be using some stable version like 4.0.0, but it appears that the > issue is not related to the image version). > > Regards, > Yordan Pavlov > > [1] ProMART: https://github.com/promart-io | https://www.promart.io/ > [2] Gardener: https://github.com/gardener > [3] Keycloak: > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Thu Jun 21 07:26:48 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Thu, 21 Jun 2018 14:26:48 +0300
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
In-Reply-To: References: Message-ID:

There is one more option: if the Ingress injects the usual proxy headers, X-Forwarded-Host and X-Forwarded-Proto, the Keycloak docker container can be instructed to read them when determining the connection type (http vs https); otherwise, it will detect https by socket type, which is plain, non-encrypted in your case because SSL traffic is terminated on the Ingress. To instruct Keycloak to read those headers, start the docker container with the PROXY_ADDRESS_FORWARDING=true env variable set.

On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec wrote: > I'm an expert on Ingress (I usually work with Routes on OCP) but it > probably depends on the Ingress configuration. > > If I'm not mistaken, the default Ingress configuration terminates TLS and > sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an > unencrypted HTTP request. > > I think you have a couple of options how to solve it: > - Use pass-through TLS termination (this simply forwards encrypted (HTTPS) > traffic to the Pod, without termination).
A similar configuration to this > one: > https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351 > - Use a Load Balancer Service to access Keycloak (the final result will be > the same as in the previous solution - a Pod will get HTTPS traffic) > - Turn off the "Require SSL" option in the "Realm Settings". But please remember to > always use a properly configured ingress in front of Keycloak. Otherwise you > might compromise it!!! > > Thanks, > Sebastian > > On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan > wrote: > > > Hi all, > > > > I'm evaluating Keycloak as IAM for one open source project [1]; so far, > > I've tested it successfully on a minikube (local) Kubernetes cluster and > I > > want to run it on a real cluster. > > > > The real cluster (created by Gardener [2]) is running on AWS and the > > access to Keycloak is exposed through an Ingress controller [3]. > > We've also installed "cert-manager" for automated certificate management > > of Let's Encrypt issued certificates. > > > > So far so good, but when I try to log in to the "Admin Console" I get the > > following error: > > "We're sorry... HTTPS required" > > > > In the logs of the pod, there is the following warning: > > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, > > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, > > error=ssl_required" > > > > As far as I understand, the Let's Encrypt certificate is trusted by the > > browsers and it appears to be trusted by OpenJDK also [4]. > > Then what should be done in order to access the Admin Console? > > > > Last but not least, we are using the jboss/keycloak:latest image (I know that > > we should be using some stable version like 4.0.0, but it appears that > the > > issue is not related to the image version).
> > > > Regards, > > Yordan Pavlov > > > > [1] ProMART: https://github.com/promart-io | https://www.promart.io/ > > [2] Gardener: https://github.com/gardener > > [3] Keycloak: > > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com > > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757 > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From yordan.pavlov at sap.com Thu Jun 21 08:04:23 2018
From: yordan.pavlov at sap.com (Pavlov, Yordan)
Date: Thu, 21 Jun 2018 12:04:23 +0000
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
In-Reply-To: References: Message-ID: <35773E09-1F33-4CC2-8B33-D617E9F0942D@sap.com>

Hi Sebastian and Vitalii,

Thank you very much for the replies!!! I've managed to solve the issue by adding the "PROXY_ADDRESS_FORWARDING=true" property; after that I was able to log into the Admin Console.

The next step in my scenario is to secure a web application running on a Tomcat server, where I have the Tomcat adapter and the application "keycloak.json". After configuring the Keycloak client for my application, I've experienced several issues:
* Invalid redirect_uri
  * I had to set the "confidential-port" property to "443" in the keycloak.json of my application
  * Also, for the client configuration in Keycloak, I had to add the http version of my application URI in the "Valid Redirect URIs"
* After successful authentication into my application, I got 403
  * This was really strange as the user had all required roles, and it turned out to be the "ssl-required" property (now set to "none")

Finally, everything works great, but I'm not sure if this configuration isn't compromised somehow:
* Keycloak client configuration
  * Valid Redirect URIs
    * https://>
    * http://>
* Application keycloak.json
{
  "realm": "master",
  "auth-server-url": "https://",
  "ssl-required": "none",
  "resource": "",
  "public-client": true,
  "principal-attribute": "preferred_username",
  "confidential-port": "443",
  "use-resource-role-mappings": true
}

@Vitalii, Sebastian, what do you think?

Regards,
Yordan

From: Виталий Ищенко
Date: Thursday, 21 June 2018, 14:27
To: Sebastian Laskawiec
Cc: "Pavlov, Yordan" , "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Keycloak on Kubernetes - HTTPS required

There is one more option: if the Ingress injects the usual proxy headers, X-Forwarded-Host and X-Forwarded-Proto, the Keycloak docker container can be instructed to read them when determining the connection type (http vs https); otherwise, it will detect https by socket type, which is plain, non-encrypted in your case because SSL traffic is terminated on the Ingress. To instruct Keycloak to read those headers, start the docker container with the PROXY_ADDRESS_FORWARDING=true env variable set.

On Thu, Jun 21, 2018 at 2:19 PM Sebastian Laskawiec > wrote: I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration. If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request. I think you have a couple of options how to solve it: - Use pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination). A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351 - Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic) - Turn off the "Require SSL" option in the "Realm Settings".
But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!! Thanks, Sebastian On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan > wrote: > Hi all, > > I'm evaluating Keycloak as IAM for one open source project [1]; so far, > I've tested it successfully on a minikube (local) Kubernetes cluster and I > want to run it on a real cluster. > > The real cluster (created by Gardener [2]) is running on AWS and the > access to Keycloak is exposed through an Ingress controller [3]. > We've also installed "cert-manager" for automated certificate management > of Let's Encrypt issued certificates. > > So far so good, but when I try to log in to the "Admin Console" I get the > following error: > "We're sorry... HTTPS required" > > In the logs of the pod, there is the following warning: > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, > realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, > error=ssl_required" > > As far as I understand, the Let's Encrypt certificate is trusted by the > browsers and it appears to be trusted by OpenJDK also [4]. > Then what should be done in order to access the Admin Console? > > Last but not least, we are using the jboss/keycloak:latest image (I know that > we should be using some stable version like 4.0.0, but it appears that the > issue is not related to the image version).
> > Regards, > Yordan Pavlov > > [1] ProMART: https://github.com/promart-io | https://www.promart.io/ > [2] Gardener: https://github.com/gardener > [3] Keycloak: > https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From sberyozkin at gmail.com Thu Jun 21 08:44:02 2018
From: sberyozkin at gmail.com (Sergey Beryozkin)
Date: Thu, 21 Jun 2018 13:44:02 +0100
Subject: [keycloak-user] How to cause 401 if KeycloakConfigResolver finds no KeycloakDeployment
Message-ID:

Hi, At the moment a client gets 500 if KeycloakConfigResolver returns null. Is it possible to throw a Keycloak runtime exception for Keycloak to return 401? If not, would it make sense to open a minor enhancement request? Thanks, Sergey

From henning.waack at codecentric.de Thu Jun 21 09:31:42 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Thu, 21 Jun 2018 15:31:42 +0200
Subject: [keycloak-user] Keycloak: Failed to verify token - Invalid token issuer
Message-ID: <92c7372c-f1e0-47b0-b331-c1ca69a86534@Spark>

Hi all. Using KC 4.0.0.Final behind an Apache HTTPS proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log:
2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token
2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer.
Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK' at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
---

The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g.
> issuer: "https://nak.xxx.de/auth/realms/NAK"
> authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
> token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"

The X-Forwarded headers also look fine; I have enabled header logging in Wildfly, and we have the following headers for example:
header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
header=X_FORWARDED_PROTO=https
header=Host=nak.xxx.de
header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
header=X-Forwarded-Proto=https

In my KC standalone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true". So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."?

Thanks & greetings
Henning

From henning.waack at codecentric.de Thu Jun 21 11:48:37 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Thu, 21 Jun 2018 17:48:37 +0200
Subject: [keycloak-user] Keycloak: Failed to verify token - Invalid token issuer [RESOLVED]
In-Reply-To: <92c7372c-f1e0-47b0-b331-c1ca69a86534@Spark> References: <92c7372c-f1e0-47b0-b331-c1ca69a86534@Spark>
Message-ID: <805c11e3-773a-49c2-a7d0-a6c901e24a91@Spark>

Ok, resolved this issue. The problem was that I still had a wrong "keycloak.auth-server-url" in my Spring Boot application.properties file. The old config was: keycloak.auth-server-url=http://nak/auth The new (working) config is: keycloak.auth-server-url=https://nak.xxx.de.net/auth Since requesting the token was done against "https://nak.xxx.de.net/auth" I had this mismatch.
So the value of auth-server-url must match the endpoint URL to which requests for tokens are sent.

Greetings
Henning

On 21 June 2018, 15:31 +0200, Henning Waack wrote: > Hi all. > > Using KC 4.0.0.Final behind an Apache HTTPS proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log: > > 2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token > 2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK' > at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108) > --- > > The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g. > > > issuer: "https://nak.xxx.de/auth/realms/NAK" > > authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth" > > token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token" > > The X-Forwarded headers also look fine; I have enabled header logging in Wildfly, and we have the following headers for example: > > header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5 > header=X_FORWARDED_PROTO=https > header=Host=nak.xxx.de > header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de > header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de > header=X-Forwarded-Proto=https > > In my KC standalone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true". > > So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."?
> > Thanks & greetings > > Henning

From vinayatoz at gmail.com Thu Jun 21 12:50:22 2018
From: vinayatoz at gmail.com (Vinay)
Date: Thu, 21 Jun 2018 12:50:22 -0400
Subject: [keycloak-user] Keycloak client
Message-ID:

Hi there, In what scenario should an application have multiple clients defined in the Keycloak server? How does a Keycloak client differ from a resource? I understand it is an application that asks for authentication, but I am not sure when we need multiple clients in an application. What is the basis for defining clients?

From dmitriy.semiushkin at pleeco.com Thu Jun 21 13:57:37 2018
From: dmitriy.semiushkin at pleeco.com (Dmitriy Semiushkin)
Date: Thu, 21 Jun 2018 20:57:37 +0300
Subject: [keycloak-user] Offline token revocation via API
Message-ID: <976F7148-E34A-463E-BE5B-B6B2C8898967@pleeco.com>

Hello there! I'm trying to find a way to allow users to revoke their offline tokens via my web app (i.e. using Keycloak's API), not visiting Keycloak's page. I've tried using the DELETE /auth/admin/realms/R/users/U/consents/C request, but it requires the `manage-users` role, which is kinda wide. I need a way to narrow this role to "allow a user to revoke only his own tokens, not other users' ones". I've tried implementing this in a JavaScript Policy, but the Evaluation API has no information about the user I'm trying to manage, so I can't compare the user id with the identity id to tell if this is the same user. Is there any way to implement this? Thanks in advance!

From david.everson at state.mn.us Thu Jun 21 14:06:11 2018
From: david.everson at state.mn.us (Everson, David (MNIT))
Date: Thu, 21 Jun 2018 18:06:11 +0000
Subject: [keycloak-user] FW: Architectural Blueprint/Recommendations
In-Reply-To: References: Message-ID:

Good Afternoon, If this is not the appropriate place to ask these types of questions, where does the community suggest that I seek these answers? Thanks!
Dave

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Everson, David (MNIT)
Sent: Monday, June 18, 2018 9:41 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Architectural Blueprint/Recommendations

Hello,

Our organization has been using Keycloak over the last few years. During this time, several versions and implementation approaches of Keycloak have popped up in the organization as various organizational units leveraged Keycloak. We are now at the point of taking Keycloak to the next level of maturity within the organization with a common architecture and governance model around Keycloak/IDAM. We have convened a working group to take our experiences to date and formulate an architecture which the organization can move forward with. The major point of contention with the future architecture is the nature in which the instances and realms are deployed. To this end, I am looking for some feedback from the community regarding the most scalable architectural blueprint/recommendation to help achieve the following requirements and questions:

Here is a list of our assumptions/constraints:
1. The organization consists of 10 organizational units (i.e. realms).
2. Each organizational unit supports 10-15 applications (i.e. clients) requiring authentication/authorization.
3. The primary application profile is a web application (i.e. Keycloak access type of 'confidential').
4. The organization is starting to develop an increasing number of web services which leverage bearer-only authn/authz.
5. For the organization, Keycloak would support 100,000 users.
6. Of the 100,000 users, 1-2% of those users would be federated via Active Directory.
7. Within an organizational unit, users should be able to leverage SSO for any application within the organizational unit.
8. The primary usage of applications is between core business hours.
9. The applications are accessible 24x7.
10. On any given day, about 20% of the total user base may log into at least one application.
11. Due to inactivity requirements, users may typically have to re-authenticate multiple times during the day.
12. The organization has a desire to maintain a common set of IDAM policies and reporting (i.e. governance) across all organizational units.
13. The organization would provide a default template for all organizational units.
14. Each organizational unit may modify/create their own template as business requirements dictate.
15. Keycloak should be clustered for high availability.
16. The Keycloak environment would be hosted on AWS, more than likely EC2 instances.
17. Client applications are also hosted in AWS.
18. Keycloak's database would be PostgreSQL hosted in AWS RDS.

A few questions/concerns of the working group:

A. Is there any information available on the maximum size of a Keycloak installation? Will Keycloak be scalable and performant given the above assumptions and constraints?

B. What's the best recommendation for distributing the Keycloak instances and realms? Right now the group has three options on the table: 1) A single Keycloak install per application (i.e. client); 2) A single Keycloak install per organizational unit (i.e. realm); or 3) A single Keycloak install per organization (i.e. serving all realms and clients).

C. A major concern the group has with a single Keycloak install (#3 in the previous bullet) is the high availability in terms of performance and concerns of a rogue client affecting other applications negatively. What is the community's recommendation for addressing this concern?

D. Another major concern the group has with a single Keycloak install is the restarts that are necessary when an organizational unit deploys a new or updated template. The concern is that all applications would be unavailable during the restart. We would be operating in a clustered environment; is the best solution to this concern restarting individual members of the cluster rather than the entire cluster?

E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users if they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is that such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x?

F. Upgrading versions of Keycloak. We have experienced some difficulty upgrading versions on the server side (we need to export/import vs. a simple DB backup and deployment). What is the recommendation for handling the upgrade of Keycloak from one version to the next given the size of our user base?

I'm sorry for the long post; hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical crossroads in our Keycloak adoption and want to ensure we do this correctly.

Thanks!
Dave

Dave Everson
Application Development Team Lead | Environmental Health
Minnesota IT Services | Partners in Minnesota Department of Health
625 Robert Street North
St. Paul, MN 55155
O: 651-201-5146
Information Technology for Minnesota Government | mn.gov/mnit

From danilodoval at gmail.com Thu Jun 21 15:16:29 2018
From: danilodoval at gmail.com (Danilo do Val)
Date: Thu, 21 Jun 2018 16:16:29 -0300
Subject: [keycloak-user] Using two or more access types
Message-ID:

Good afternoon, gentlemen. I am implementing the Keycloak Authorization Service and, besides JWT, we need to use a second access type, for example API key or Basic Auth. Does anyone have experience or knowledge of how to support different authentication types from the adapters? Our case study uses the app-authz-uma-photoz example ( https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz )
-- __________________ http://br.linkedin.com/in/daniloval 19 9227.9082

From dt at acutus.pro Thu Jun 21 18:26:08 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 22 Jun 2018 01:26:08 +0300
Subject: [keycloak-user] Architectural Blueprint/Recommendations
In-Reply-To: References: Message-ID: <1529619968.6161.1.camel@acutus.pro>

Hi David,

Please see the answers and remarks inline.

On Mon, 2018-06-18 at 14:40 +0000, Everson, David (MNIT) wrote: (skipped) > 15. Keycloak should be clustered for high availability. > 16. Keycloak environment would be hosted on AWS, more than likely EC2 > instances. > 17. Client applications also hosted in AWS. > 18. Keycloak's database would be PostgreSQL hosted in AWS RDS.

Speaking of Keycloak on AWS, this is absolutely doable, but not that trivial. Please be sure to have read the document [1], especially the "Troubleshooting AWS specifics" part, and relevant ML postings [2]. Long story short, AWS doesn't allow for IP multicast between the nodes, which is the default node discovery mode in JGroups (the backbone of Keycloak clustering). You should use S3_PING or JDBC_PING instead.

> > A few questions/concerns of the working group: > > A.
Is there any information available on the maximum size of a > Keycloak installation? Will Keycloak be scalable and performant given > the above assumptions and constraints.

AFAIK, nobody has performed actual Keycloak benchmarking yet (publicly). There's however a Keycloak benchmarking suite based on Gatling [3]. It hasn't been updated for about two years, so first we'll need to make sure it works with recent Keycloak versions.

> > B. What's the best recommendation for distributing the Keycloak > instances and realms. Right now the group has three options on the > table: 1) A single Keycloak install per application (i.e. > client); 2) A single Keycloak install per organizational unit (i.e. > realm); or 3) A single Keycloak install per organization (i.e. > serving all realms and clients).

The pros for A and B are obviously that you get some degree of separation/isolation, which might be good from the security and availability POV. However, this comes at a price of complexity; you'll have to deploy, monitor & maintain each separate instance / group of instances, each having different configs and a dedicated database. Another big issue is load distribution. I doubt that your clients/realms all have equal, uniform load patterns. Given that each Keycloak instance will have its hardware limitations (CPU, RAM), you potentially end up with some nodes overloaded and others idle. The C scenario is obviously free from this issue.

> > C. A major concern the group has with a single Keycloak install (#3 > in previous bullet) is the high-availability in terms of performance > and concerns of a rogue client affecting other applications > negatively. What is the community's recommendation for addressing > this concern?

As you will necessarily have a load balancer / reverse proxy in front of your Keycloak cluster, you can enforce rate limiting / throttling on your load balancer. For example, haproxy implements rate limiting based on IP addresses, URLs and HTTP headers [4].

> > D.
> Another major concern the group has with a single Keycloak install is the restarts that are necessary when an organization unit deploys a new or updated template. The concern is that all applications would be unavailable during the restart. We would be operating in a clustered environment, is the best solution to this concern restarting individual members of the cluster rather than the entire cluster?

Could you please elaborate on template deployment? In Keycloak parlance, "templates" can be understood either as "client templates" or "HTML templates" (within custom GUI themes).

Client templates surely can be created/updated via GUI or REST API, without the need for restart. For GUI themes, they can be deployed a) as Wildfly modules, b) via "themes" directory. While the former option indeed requires restart, the latter does not. Keycloak 4.x also adds c) hot deployment of themes by dropping theme JARs into the "deployments" directory.

> E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users if they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x?

Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't find any info)

Keycloak admin REST API has an endpoint called "Return List of Users that have the specified role name", see [5] (identical for KC 3.x and 4.x). You could use this endpoint, however you will have to iterate over client roles and then merge and de-duplicate the results. Anyway, this should be much more efficient than your current approach.
In general, this looks like a classical use case for Realm Resource Provider [6]. The query you described easily maps to a single SQL/JPQL statement, so you could implement a custom REST resource that would execute exactly that query and return results.

Unfortunately, custom REST resources in Keycloak are public by default (protected resources should become a part of the hypothetical Admin Resource SPI somewhere in the future). However, you can implement that (relatively) easily with the techniques demonstrated in Beercloak [7].

> F. Upgrading Versions of Keycloak. We have experienced some difficulty of upgrading versions on server-side (we need to export, import vs a simple DB backup and deployment). What is the recommendations for handling the upgrade of Keycloak from one version to the next given the size of our user base?

Could you please elaborate a bit on the problems that you're facing? The export/import scenario is relevant for database upgrades (e.g. PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that should upgrade the data+metadata automatically. Why doesn't that work in your case? Let us know, probably this could be fixed.

> I'm sorry for the long post, hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical cross-roads in our Keycloak adoption and want to ensure we do this correctly.

Sorry it took so long to reply. Keycloak is a great product, I hope it fulfills your needs. Good luck!

Dmitry Telegin
CTO, Acutus s.r.o.
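The endpoint-iteration approach given for question E (enumerate the client's roles, call the "users that have the specified role name" endpoint for each role, then merge and de-duplicate), written out as an added Python example that is not from this thread or from Keycloak. It assumes the admin REST paths GET /admin/realms/{realm}/clients/{id}/roles and GET /admin/realms/{realm}/clients/{id}/roles/{role-name}/users with first/max paging, and takes the HTTP call as a function argument so it runs here against constructed data instead of a live server.

```python
"""Report all users of an application via the Keycloak admin REST API.

Added example (not from the mailing-list thread). The approach is the one
described in the thread: enumerate the client's roles, call the
"users that have the specified role name" endpoint for each role, then
merge and de-duplicate. The HTTP call is injected so the logic can be run
offline against constructed data.
"""
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import quote

# fetch_json(path, params) -> decoded JSON list. A real implementation would
# GET "<auth-server-url>/admin/realms/..." with a bearer token that carries
# the realm-management view-users / view-clients roles (least privilege:
# no manage-* role is needed for a read-only report).
FetchJson = Callable[[str, Dict[str, str]], list]

PAGE_SIZE = 100  # admin user listings are paged with first/max


def _paged(fetch_json: FetchJson, path: str) -> Iterable[dict]:
    """Yield every item of a paged admin listing."""
    first = 0
    while True:
        page = fetch_json(path, {"first": str(first), "max": str(PAGE_SIZE)})
        yield from page
        if len(page) < PAGE_SIZE:
            return
        first += PAGE_SIZE


def client_role_names(fetch_json: FetchJson, realm: str, client_uuid: str) -> List[str]:
    """GET /admin/realms/{realm}/clients/{id}/roles -> role names (assumed path)."""
    path = f"/admin/realms/{quote(realm)}/clients/{quote(client_uuid)}/roles"
    return [role["name"] for role in fetch_json(path, {})]


def users_with_client_roles(
    fetch_json: FetchJson,
    realm: str,
    client_uuid: str,
    roles: Optional[Iterable[str]] = None,
) -> List[dict]:
    """Users holding ANY of the given client roles (default: all of the client's roles).

    Results are merged across roles and de-duplicated on the user id, since a
    user holding several roles is returned once per role by the server.
    Each returned record carries the list of matching roles under "roles".
    """
    if roles is None:
        roles = client_role_names(fetch_json, realm, client_uuid)
    merged: Dict[str, dict] = {}
    for role in roles:
        path = (f"/admin/realms/{quote(realm)}/clients/{quote(client_uuid)}"
                f"/roles/{quote(role, safe='')}/users")
        for user in _paged(fetch_json, path):
            entry = merged.setdefault(user["id"], {**user, "roles": []})
            entry["roles"].append(role)
    return sorted(merged.values(), key=lambda u: u["username"])


# --- constructed sample data standing in for a Keycloak server --------------
SAMPLE_REALM = "demo"
SAMPLE_CLIENT_UUID = "0000-client-uuid"
_SAMPLE_ROLES = {  # role name -> users that hold it (constructed)
    "viewer": [{"id": "u1", "username": "alice"}, {"id": "u2", "username": "bob"}],
    "editor": [{"id": "u2", "username": "bob"}],
    "admin": [],
}


def sample_fetch_json(path: str, params: Dict[str, str]) -> list:
    """Offline stand-in for the admin REST API (constructed responses)."""
    prefix = f"/admin/realms/{SAMPLE_REALM}/clients/{SAMPLE_CLIENT_UUID}/roles"
    if path == prefix:
        return [{"name": name} for name in _SAMPLE_ROLES]
    if path.startswith(prefix + "/") and path.endswith("/users"):
        role = path[len(prefix) + 1:-len("/users")]
        first, max_ = int(params["first"]), int(params["max"])
        return _SAMPLE_ROLES[role][first:first + max_]
    raise KeyError(path)


if __name__ == "__main__":
    for user in users_with_client_roles(sample_fetch_json, SAMPLE_REALM, SAMPLE_CLIENT_UUID):
        print(user["username"], user["roles"])
```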
Keycloak Consulting and Training

[1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
[2] https://www.keycloak.org/search.html?q=aws
[3] https://github.com/rvansa/keycloak-benchmark
[4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/
[5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html
[6] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[7] https://github.com/dteleguin/beercloak

> Thanks!
> Dave
>
> Dave Everson
> Application Development Team Lead | Environmental Health
> Minnesota IT Services | Partners in Minnesota Department of Health
> 625 Robert Street North
> St. Paul, MN 55155
> O: 651-201-5146
> Information Technology for Minnesota Government | mn.gov/mnit

From dt at acutus.pro Thu Jun 21 20:38:30 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 22 Jun 2018 03:38:30 +0300
Subject: [keycloak-user] Add custom roles in realm-management client
In-Reply-To:
References:
Message-ID: <1529627910.9620.1.camel@acutus.pro>

Hi Waldemar,

What version of Keycloak are you on? Things are different for pre-3.2.0 and post-3.2.0.

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

> Hello,
>
> I have created a new client-role in client "realm-management". It's called "manage-roles" and its purpose is (or should be) to grant users access to create, edit and delete roles in their realms. In the base theme this is only possible when users have access to the role "manage-realm" in client "realm-management".
> But with this client-role the user is able to manage the whole realm, not only the roles. My user is only allowed to manage roles, users and groups in this case.
>
> I changed the html-files so that the keycloak sidebar menu is working: Menu item "Roles" is visible for user with my custom client-role "manage-role". I also extended the getAccessObject() method in my themes controller/realm.js with the needed new role "manageRoles".
>
> Accessing the roles-list page is working, but accessing the role-details page (when clicking on a specific role) fails. I get a 403 Forbidden. My question is: Is there something I forgot? Where is the check for returning a 200 OK or a Forbidden for this case? It seems it is not in the templates files, like for the side-menu?
>
> If I forgot any information or something, please contact me.
>
> Thank you, your help is much appreciated!
>
> Best regards
> Waldemar

From dt at acutus.pro Thu Jun 21 21:34:35 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 22 Jun 2018 04:34:35 +0300
Subject: [keycloak-user] Keycloak client
In-Reply-To:
References:
Message-ID: <1529631275.9620.4.camel@acutus.pro>

Hi Vinay,

In Keycloak, client is (simply speaking) a combination of base URL, protocol (OIDC/SAML), roles and authorization rules. So, if your application lives under a single base URL, it's simply impossible to have many clients per application. Moreover, an adapter (that you use to secure your application) is configured for a particular client. Hence, there is a 1-to-1 relationship between an application and a client. However, if your application is heterogeneous, i.e. consists of separate components living under different base URLs (and created with different technologies), you will have to define individual clients for them.
Resource is a URI under client's base URL, and is used to define fine-grained authorization rules within that client.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 21/06/2018 at 12:50 -0400, Vinay wrote:
> Hi there,
> In what scenario should an application have multiple clients defined in the keycloak server? How does a keycloak client differ from a resource? I understand it is an application that asks for an authentication, but I am not sure when we need multiple clients in an application. What is the basis for defining clients?

From manisha04.nandal at gmail.com Fri Jun 22 00:35:51 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Fri, 22 Jun 2018 10:05:51 +0530
Subject: [keycloak-user] keycloak SAML response - Authentication method information
In-Reply-To:
References:
Message-ID:

Any update ?

On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal wrote:
> Hi,
>
> I authenticated my client application using google IDP. I want to retrieve the information of IDP used for authentication from keycloak SAML response. I have checked in keycloak documentation that "AuthnStatement" gives us the authentication method used (password, etc.) as well as a timestamp of the login.
>
> But, my SAML response does not provide any such information.
> SAML contains user name used for authentication under "NameID" but I want the identity provider information, say in my case google is IDP
>
> SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078"
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
>
> Can you please guide me on the same
>
> Thanks,
> Manisha

From t.ruiten at rdmedia.com Fri Jun 22 04:00:53 2018
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Fri, 22 Jun 2018 10:00:53 +0200
Subject: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem
In-Reply-To:
References:
Message-ID:

Signout is working for us, I initially used the same guide but had to make some changes. My setup differs in the following places:

Include OneTimeUse Condition - off
Optimize REDIRECT signing key lookup - off
SAML Signature Key Name - NONE
Base URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note the lack of &RelayState=true)

I set the signout URL in the Google Apps dashboard to https://ourdomain.tld/auth/realms/{realmname}/account/

On 19 June 2018 at 22:12, Rodolfo De Nadai wrote:
> Hi,
>
> I'm configuring my keycloak installation as an IdP and Google apps as an SSO.
>
> I'm able to login but when trying to logout I got no success...
>
> My configuration follows the described here:
> https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
>
> There was a thread in the mailing list which was able to login also, but didn't mention logout process. As I thought it should be almost as transparent, since no documentation say anything, is beginning to transform in a problem.
>
> If someone could help or point in some direction I appreciate.
> thanks

--
Tiemen Ruiten
Systems Engineer
R&D Media

From stier at fzi.de Fri Jun 22 04:09:27 2018
From: stier at fzi.de (Christian Stier)
Date: Fri, 22 Jun 2018 08:09:27 +0000
Subject: [keycloak-user] Group-based permissions for resources
Message-ID: <4847e9d891c4412cb19b2c1c0dcd6ac8@fzi.de>

Dear all,

I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC. The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of an URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization?

Thanks for any pointers and input.

Best regards
Christian
From manglade at nextoo.fr Fri Jun 22 04:56:37 2018
From: manglade at nextoo.fr (Matthias ANGLADE)
Date: Fri, 22 Jun 2018 10:56:37 +0200
Subject: [keycloak-user] Apache X509 cert-lookup
Message-ID:

Hello,

I'm trying to setup a client cert authentication. Since my Keycloak server is running behind an SSL reverse proxy I modified the domain.xml file in order to declare the Apache cert lookup SPI. I checked that the certificate was properly embedded in the HTTP header; still, I can't get to authenticate using this approach. In the log file I see no line related to this authentication (I should be able to see log coming from AbstractClientCertificateFromHttpHeadersLookup). It behaves just as if the SPI wasn't active. Note that even if my proxy isn't an Apache server, the certificate it emits is formatted like for Apache.

Any clue on this ?

Regards,

From hylton.peimer at datos-health.com Fri Jun 22 05:11:38 2018
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Fri, 22 Jun 2018 12:11:38 +0300
Subject: [keycloak-user] Setting up certificate for SAML SP side
Message-ID:

Are there any resources explaining how to install certificates in Keycloak that are required to verify SAML signatures?

From mposolda at redhat.com Fri Jun 22 06:01:28 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 22 Jun 2018 12:01:28 +0200
Subject: [keycloak-user] Client scopes not checked?
In-Reply-To:
References: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com>
Message-ID: <277eba95-ef9f-9b36-db9c-a67181f3852f@redhat.com>

On 20/06/18 13:36, Matthias Kesternich wrote:
>> This leads me to my next question: If I want to return only the scopes that a user actually may acquire, how do I do this in Keycloak? Do I use the "Authorization" tab and configure appropriate policies?
>> Do I write a custom mapper that overwrites the default "scope" value? I'm going to experiment with this anyways, but I'd like to know if I'm abusing the wrong machinery to achieve this goal.
>
> So I experimented a bit and it seems I can just use a "User Client Role" mapper that adds the roles/permissions to the token. This is much easier than the full UMA thing under "Authorization". There seem to be almost no working python clients for UMA as well.
>
> I am also probably going to separate "scope" and "permissions". I'm realizing that "scope" means "the client is allowed to access this and that" while "permissions" means "the user is allowed to access this and that".
>
> This understanding seems to be verified by https://stackoverflow.com/questions/48351332/oauth-scopes-and-application-roles-permissions .

Yes, exactly. The "scope" is "the client is allowed to access this and that". In other words, if you create client scope "admin-write" and you add it as default client scope to the client "foo", then access token issued for client "foo" will always contain scope "admin-write". Regardless of the roles which user actually has.

One more note: Access token already contains the roles available to user by default. You can see claims "realm-access" and "resource-access" inside access token. Which you can double-check in "Evaluate" tab of client. Right now, we're adding those claims "realm-access" and "resource-access" into the token automatically, but we want to add protocolMapper to add them just "on demand".

The "User Client Role" protocol mapper is needed just if you want roles in the access token in some different format, than built-in claims "realm-access" and "resource-access" use. This was the case just for some 3rd party OIDC adapters (AFAIK it was Apache mod-auth-oidc, which was the original reason why "User Client Role" protocolMapper was developed and contributed by our community).
Marek

> Does the solution using "User Client Role" make any sense to you?
>
> Best,
> -Matthias

From THOMAS.PEETERS at Hvw-Capac.fgov.be Fri Jun 22 07:11:50 2018
From: THOMAS.PEETERS at Hvw-Capac.fgov.be (PEETERS.THOMAS (ICT))
Date: Fri, 22 Jun 2018 11:11:50 +0000
Subject: [keycloak-user] Keycloak 3.4.x client-url and SSO questions
Message-ID: <14C92FB32B792D4BA0514728C09286B817E1792C@ounas.hermes.dom>

Hey all,

While implementing a Keycloak based secure application set (3 internal web applications) with Spring-Security, I've come upon some details that I can't seem to find an adequate answer to.

Our environment and implementations:
The security layer is implemented on the front-end only (for now).
JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).

What we've got working:
2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log in to app1 we're also logged in in app2, so that's good.

What we want but can't seem to achieve:

- Log out of app1 --> refresh of app2 should redirect to the Keycloak login page. At this point it seems that the user credentials remain active as long as the browser session remains active.

- After successful login from the Keycloak login page always redirect to the application welcome page (index.xhtml for instance). Use case: A user is working in one of our secured applications, has its browser session ended and clicks on some kind of link. The application correctly redirects this user to the Keycloak login page. The user correctly logs in and gets taken back to where he/she was. However, when this is an AJAX kind-of request the user sees plain XML when taken back to the application. To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page. I can't seem to find a way to do this.
- Logout doesn't always work well. Sometimes the Spring AntPathRequestMatcher doesn't correctly match our logout pattern (/sso/logout**). Therefore we've provided an alternative that we've found in the documentation in the form of:
  https:///auth/realms//protocol/openid-connect/logout?redirect_uri=
  However this doesn't always work either. There are situations, depending on invalid rights for certain application parts where this never logs out a user.

We've got a Spring-security application context in XML that is roughly the same as the one found in the documentation. And a keycloak.json file that looks like this:

    {
      "realm": "",
      "auth-server-url": "/auth",
      "ssl-required": "all",
      "truststore": "",
      "truststore-password": "",
      "resource": "",
      "public-client": true,
      "always-refresh-token": true
    }

Due to the large number of Keycloak releases and accompanied configuration changes it's really hard for us to find relevant information. When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not old appears to be outdated. Just an observation.

Thanks for reading.

From matthias.kesternich at moneymeets.com Fri Jun 22 07:15:45 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Fri, 22 Jun 2018 11:15:45 +0000
Subject: [keycloak-user] Client scopes not checked?
In-Reply-To: <277eba95-ef9f-9b36-db9c-a67181f3852f@redhat.com>
References: <69251AE1-DD80-49F8-8BDB-F3C729632182@moneymeets.com> <277eba95-ef9f-9b36-db9c-a67181f3852f@redhat.com>
Message-ID: <743A0C95-E86E-4C5F-A14A-68F287E91601@moneymeets.com>

Hi Marek,

thanks again for your answer.

> One more note: Access token already contains the roles available to user by default. You can see claims "realm-access" and "resource-access" inside access token. Which you can doublecheck in "Evaluate" tab of client.
> Right now, we're adding those claims "realm-access" and "resource-access" into the token automatically, but we want to add protocolMapper to add them just "on demand".

I have gone further now and used the script mapper below. It takes the information from "resource-access" and copies each role to the "scope" claim. I think this is ok, because the "scope" claim in the access token does not mean "client scope" anymore, but "rights associated with this token". This seems to be supported by RFC 6749, sections 3.3 and 10.3. This is also the very same thing Auth0 does: https://auth0.com/docs/architecture-scenarios/spa-api/part-2#create-a-rule-to-validate-token-scopes .

Something like this might be useful as a builtin mapper I think. When looking at other people's solutions to the problem of creating a scope restricted by user permissions this mapper would have solved their problems.

    // Start from the scopes Keycloak already put into the token.
    var scopes = token.scope.split(" ");
    // Map of client id -> Access object (the "resource_access" claim).
    var resourceAccess = token.getResourceAccess();
    for (var resourceKey in resourceAccess) {
        var roles = resourceAccess[resourceKey].getRoles().toArray();
        for (var i = 0; i < roles.length; i++) {
            // One scope entry per client role, as "<client>:<role>".
            scopes.push(resourceKey + ":" + roles[i]);
        }
    }
    // The script's last expression is the mapper's return value: the new "scope" claim.
    scopes.join(" ");

The only downside to this is that "roles"/"client roles" in the UI are really something like "permissions"/"scopes" now.

On a sidenote I also had to write a mapper like this to get multiple audiences into my access token:

    // Nashorn: build a Java String[] so the claim is serialized as a JSON array.
    var aud = java.lang.reflect.Array.newInstance(java.lang.String.class, 3);
    aud[0] = "client0";
    aud[1] = "client1";
    aud[2] = "client2";
    // Last expression is the value of the "aud" claim.
    aud;

This was necessary, because I couldn't really find any libraries that support token exchange. "client0" actually requests the token, but it does not only use this token for itself, but also to call "client1" and "client2".
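The resource-server side of the two mappers above, as an added Python example (not Matthias's or Keycloak's code): it reads the claims Marek mentions (realm_access / resource_access, scope, aud) from an already-verified access-token payload, derives the same "client:role" strings the script mapper emits, and adds the audience check that becomes necessary once the aud mapper lists several clients. It assumes signature, issuer and expiry have been validated by the adapter or JWT library in front of it; the payload is constructed.

```python
"""Authorize a request from Keycloak access-token claims.

Added example, not code from the thread. Mirrors the script mapper above on
the resource-server side: client roles from "resource_access" become
"<client>:<role>" permissions, merged with whatever is already in "scope".
Assumes the JWT signature, issuer and expiry were verified already (e.g. by
the adapter); this only interprets the decoded payload.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass
class Grant:
    audiences: FrozenSet[str]      # "aud": a string or a list in JWT
    scopes: FrozenSet[str]         # "scope": space separated (RFC 6749 3.3)
    realm_roles: FrozenSet[str]    # realm_access.roles
    client_roles: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # resource_access.<client>.roles


def parse_grant(payload: dict) -> Grant:
    """Extract the authorization-relevant claims from a decoded payload."""
    aud = payload.get("aud", [])
    audiences = frozenset([aud] if isinstance(aud, str) else aud)
    scopes = frozenset(payload.get("scope", "").split())
    realm_roles = frozenset(payload.get("realm_access", {}).get("roles", []))
    client_roles = {
        client: frozenset(access.get("roles", []))
        for client, access in payload.get("resource_access", {}).items()
    }
    return Grant(audiences, scopes, realm_roles, client_roles)


def effective_scopes(grant: Grant) -> Set[str]:
    """Same derivation as the script mapper: scope plus "<client>:<role>" per client role.

    Scopes are fixed per client; roles are per user, so the result varies
    per user even for tokens issued to the same client.
    """
    derived = {f"{client}:{role}" for client, roles in grant.client_roles.items() for role in roles}
    return set(grant.scopes) | derived


def authorize(payload: dict, my_client_id: str, role: str) -> bool:
    """True iff the token is addressed to us and grants `role` on OUR client.

    The "aud" check matters once a token lists several clients (the aud
    mapper above): client2 must not honour a token meant only for client1,
    and "client1:editor" is meaningful to client1 alone.
    """
    grant = parse_grant(payload)
    if my_client_id not in grant.audiences:
        return False
    return f"{my_client_id}:{role}" in effective_scopes(grant)


# Constructed payload in the shape Keycloak emits (signature already verified).
SAMPLE_PAYLOAD = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "aud": ["client0", "client1", "client2"],   # produced by the aud mapper
    "azp": "client0",
    "scope": "openid profile",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "client1": {"roles": ["editor"]},
        "client2": {"roles": ["viewer"]},
    },
}

if __name__ == "__main__":
    print(sorted(effective_scopes(parse_grant(SAMPLE_PAYLOAD))))
    print(authorize(SAMPLE_PAYLOAD, "client1", "editor"))
    print(authorize(SAMPLE_PAYLOAD, "client2", "editor"))
```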
Best,
-Matthias

From mposolda at redhat.com Fri Jun 22 07:28:58 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 22 Jun 2018 13:28:58 +0200
Subject: [keycloak-user] Offline token revocation via API
In-Reply-To: <976F7148-E34A-463E-BE5B-B6B2C8898967@pleeco.com>
References: <976F7148-E34A-463E-BE5B-B6B2C8898967@pleeco.com>
Message-ID: <865060a4-ab0b-32bb-7459-bd8b3235a266@redhat.com>

Hi,

this is not yet supported. In future versions, we plan to have Account-management based on Angular + REST API. This will allow to expose REST endpoints for various actions like revoke offline tokens, so you will be able to do this then.

Until that, you may need to create your own REST provider (See keycloak-examples distribution and directory "providers"), which will allow to authenticate user with his token and revoke offline token based on that.

Marek

On 21/06/18 19:57, Dmitriy Semiushkin wrote:
> Hello there!
>
> I'm trying to find a way to allow user revoking their offline token via my web app (i.e. using keycloak's API), not visiting keycloak's page.
>
> I've tried using DELETE /auth/admin/realms/R/users/U/consents/C request, but it requires `manage-users` role which is kinda wide.
>
> I need a way to narrow this role to "allow user only revoke his tokens, not other users' ones".
>
> I've tried implementing this in JavaScript Policy, but Evaluation API have no information about user I'm trying to manage, so I can't compare user id with identity id to tell if this is the same user.
>
> Is there any way to implement this?
>
> Thanks in advance!
From Jana.Neujahr at gisa.de Fri Jun 22 09:00:09 2018
From: Jana.Neujahr at gisa.de (Neujahr, Jana)
Date: Fri, 22 Jun 2018 13:00:09 +0000
Subject: [keycloak-user] realm JSON download without authorization check
Message-ID:

Dear keycloak users,

we found a little security gap which we do not know how to fix: When you type and open the URL https:///auth/realms/>, then a download of the keycloak JSON starts without checking for authorization! The JSON contains the realm name, public key, account-service and the parameter tokens-not-before.

How can we prohibit this URL/JSON for others than a specific role?

Thank you in advance for your help.

Kind regards
Jana
From danilodoval at gmail.com Fri Jun 22 10:04:26 2018
From: danilodoval at gmail.com (Danilo do Val)
Date: Fri, 22 Jun 2018 11:04:26 -0300
Subject: [keycloak-user] Using two or more access types
In-Reply-To:
References:
Message-ID:

Good afternoon sirs

I am implementing the Keycloak Authorization Service and, in addition to JWT, we need to use a second type of access, for example, Apikey or Basic Auth, does anyone have experience or knowledge of how to support different authentication types of the adapters?

Our case study uses the example app-authz-a-photoz (
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz
)
> For GUI themes, they can be deployed a) as Wildfly modules, b) via "themes" directory. While the former option indeed requires restart, the latter does not. Keycloak 4.x also adds c) hot deployment of themes by dropping theme JARs into the "deployments" directory.
>
> > E. For reporting and governance processes, the Keycloak API performs quite poorly when we execute use cases such as "Report all Users of an Application". Given the version we are currently on, to accomplish this we need to query all users in the realm and then filter the users if they have the client/role combination. We understand that a future release addresses this use case, but in the meantime the concern is such a query will negatively affect all other clients using Keycloak. Any recommendations on handling this use case prior to Keycloak 4.x?
>
> Is this indeed addressed by Keycloak 4.x? (just wondering, couldn't find any info)
>
> Keycloak admin REST API has an endpoint called "Return List of Users that have the specified role name", see [5] (identical for KC 3.x and 4.x). You could use this endpoint, however you will have to iterate over client roles and then merge and de-duplicate the results. Anyway, this should be much more efficient than your current approach.
>
> In general, this looks like a classical use case for Realm Resource Provider [6]. The query you described easily maps to a single SQL/JPQL statement, so you could implement a custom REST resource that would execute exactly that query and return results.
>
> Unfortunately, custom REST resources in Keycloak are public by default (protected resources should become a part of the hypothetical Admin Resource SPI somewhere in the future). However, you can implement that (relatively) easily with the techniques demonstrated in Beercloak [7].
>
> > F.
> > Upgrading Versions of Keycloak. We have experienced some difficulty of upgrading versions on server-side (we need to export, import vs a simple DB backup and deployment). What are the recommendations for handling the upgrade of Keycloak from one version to the next given the size of our user base?
>
> Could you please elaborate a bit on the problems that you're facing? The export/import scenario is relevant for database upgrades (e.g. PostgreSQL 9 -> 10), but Keycloak does ship migration scripts that should upgrade the data+metadata automatically. Why doesn't that work in your case? Let us know, probably this could be fixed.
>
> > I'm sorry for the long post, hopefully folks get to this point. Any insight that we could receive would be greatly appreciated. We are at a critical cross-roads in our Keycloak adoption and want to ensure we do this correctly.
>
> Sorry it took so long to reply. Keycloak is a great product, I hope it fulfills your needs. Good luck!
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> [1] https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html
> [2] https://www.keycloak.org/search.html?q=aws
> [3] https://github.com/rvansa/keycloak-benchmark
> [4] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/
> [5] https://www.keycloak.org/docs-api/3.4/rest-api/index.html
> [6] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [7] https://github.com/dteleguin/beercloak
>
> > Thanks!
> > Dave
> >
> > Dave Everson
> > Application Development Team Lead | Environmental Health
> > Minnesota IT Services | Partners in Minnesota Department of Health
> > 625 Robert Street North
> > St.
> > Paul, MN 55155
> > O: 651-201-5146
> > Information Technology for Minnesota Government | mn.gov/mnit
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------
>
> Message: 3
> Date: Fri, 22 Jun 2018 03:38:30 +0300
> From: Dmitry Telegin
> Subject: Re: [keycloak-user] Add custom roles in realm-management client
> To: Waldemar Schmalz , keycloak-user at lists.jboss.org
> Message-ID: <1529627910.9620.1.camel at acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Waldemar,
> What version of Keycloak are you on? Things are different for pre-3.2.0 and post-3.2.0.
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Hello,
> >
> > I have created a new client-role in client "realm-management". It's called "manage-roles" and its purpose is (or should be) to grant users access to create, edit and delete roles in their realms. In the base theme this is only possible when users have access to the role "manage-realm" in client "realm-management". But with this client-role the user is able to manage the whole realm, not only the roles. My user is only allowed to manage roles, users and groups in this case.
> >
> > I changed the html-files so that the keycloak sidebar menu is working: Menu item "Roles" is visible for user with my custom client-role "manage-role". I also extended the getAccessObject() method in my themes controller/realm.js with the needed new role "manageRoles".
> >
> > Accessing the roles-list page is working, but accessing the role-details page (when clicking on a specific role) fails. I get a 403 Forbidden. My question is: Is there something I forgot? Where is the check for returning a 200 OK or a Forbidden for this case? It seems it is not in the templates files, like for the side-menu?
> >
> > If I forgot any information or something, please contact me.
> >
> > Thank you, your help is much appreciated!
> >
> > Best regards
> > Waldemar
>
> ------------------------------
>
> Message: 4
> Date: Fri, 22 Jun 2018 04:34:35 +0300
> From: Dmitry Telegin
> Subject: Re: [keycloak-user] Keycloak client
> To: Vinay , keycloak-user at lists.jboss.org
> Message-ID: <1529631275.9620.4.camel at acutus.pro>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Vinay,
> In Keycloak, client is (simply speaking) a combination of base URL, protocol (OIDC/SAML), roles and authorization rules. So, if your application lives under a single base URL, it's simply impossible to have many clients per application. Moreover, an adapter (that you use to secure your application) is configured for a particular client. Hence, there is a 1-to-1 relationship between an application and a client.
> However, if your application is heterogeneous, i.e. consists of separate components living under different base URLs (and created with different technologies), you will have to define individual clients for them.
> Resource is a URI under client's base URL, and is used to define fine-grained authorization rules within that client.
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 21/06/2018 at 12:50 -0400, Vinay wrote:
> > Hi there,
> > In what scenario should an application have multiple clients defined in the keycloak server? How does a keycloak client differ from a resource? I understand it is an application that asks for an authentication, but I am not sure when we need multiple clients in an application. What is the basis for defining clients?
>
> ------------------------------
>
> Message: 5
> Date: Fri, 22 Jun 2018 10:05:51 +0530
> From: Manisha Nandal
> Subject: Re: [keycloak-user] keycloak SAML response - Authentication method information
> To: keycloak-user at lists.jboss.org
> Message-ID: <CAP63w5Ti+nKSk2FF4n_urmEkNPBY5HYKq-5MvBS88Jnbnss2Xg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Any update ?
>
> On Wed, Jun 20, 2018 at 4:12 PM, Manisha Nandal < manisha04.nandal at gmail.com> wrote:
>
> > Hi,
> >
> > I authenticated my client application using google IDP. I want to retrieve the information of IDP used for authentication from keycloak SAML response. I have checked in keycloak documentation that "AuthnStatement" gives us the authentication method used (password, etc.) as well as a timestamp of the login.
> >
> > But, my SAML response does not provide any such information. SAML contains user name used for authentication under "NameID" but I want the identity provider information, say in my case google is IDP
> >
> > SessionIndex="08cf3868-ae2d-467b-b69e-926c244f5794::7f6d3293-8370-413f-b958-1763df3bb078"> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
> >
> > Can you please guide me on the same
> >
> > Thanks,
> > Manisha
>
> ------------------------------
>
> Message: 6
> Date: Fri, 22 Jun 2018 10:00:53 +0200
> From: Tiemen Ruiten
> Subject: Re: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem
> To: Rodolfo De Nadai
> Cc: keycloak-user
> Message-ID: <CAAegNz0QKWJn0zdOZst36GsOujrsXuyhvwYAHnSvnZ8xxGpn_g at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Signout is working for us, I initially used the same guide but had to make some changes.
> My setup differs in the following places:
>
> Include OneTimeUse Condition - off
> Optimize REDIRECT signing key lookup - off
> SAML Signature Key Name - NONE
> Base URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note the lack of &RelayState=true)
>
> I set the signout URL in the Google Apps dashboard to https://ourdomain.tld/auth/realms/{realmname}/account/
>
> On 19 June 2018 at 22:12, Rodolfo De Nadai wrote:
>
> > Hi,
> >
> > I'm configuring my keycloak installation as an IdP and Google apps as an SSO.
> >
> > I'm able to login but when trying to logout I had no success...
> >
> > My configuration follows the described here:
> > https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
> >
> > There was a thread in the mailing list which was able to login also, but didn't mention the logout process. As I thought it should be almost transparent, since no documentation says anything, it is beginning to turn into a problem.
> >
> > If someone could help or point in some direction, I would appreciate it.
> >
> > thanks
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 54, Issue 32
> *********************************************
>
--
__________________
http://br.linkedin.com/in/daniloval
19 9227.9082

From dmitriy.semiushkin at pleeco.com Fri Jun 22 10:05:29 2018
From: dmitriy.semiushkin at pleeco.com (Dmitriy Semiushkin)
Date: Fri, 22 Jun 2018 17:05:29 +0300
Subject: [keycloak-user] Offline token revocation via API
In-Reply-To: <865060a4-ab0b-32bb-7459-bd8b3235a266@redhat.com>
References: <976F7148-E34A-463E-BE5B-B6B2C8898967@pleeco.com> <865060a4-ab0b-32bb-7459-bd8b3235a266@redhat.com>
Message-ID:

Thanks, Marek, I'll try this approach.

From psilva at redhat.com Fri Jun 22 10:30:46 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Jun 2018 11:30:46 -0300
Subject: [keycloak-user] Group-based permissions for resources
In-Reply-To: <4847e9d891c4412cb19b2c1c0dcd6ac8@fzi.de>
References: <4847e9d891c4412cb19b2c1c0dcd6ac8@fzi.de>
Message-ID:

You should be able to push arbitrary claims to your policies such as the request URI. Your policy could check if {organization} is among the groups the user is a member of. A single policy could serve for this purpose.

I've added more information about this in docs, the PR is about to be merged. I'm also working with a quickstart that shows how to solve a similar problem. Something like "access to /api/{user}/salary is only allowed if current user is {user}".
On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier wrote:

> Dear all,
>
> I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC.
>
> The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups.
>
> 1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see a way to check against path parameters.
>
> 2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization?
>
> Thanks for any pointers and input.
>
> Best regards
> Christian

From psilva at redhat.com Fri Jun 22 10:37:03 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Jun 2018 11:37:03 -0300
Subject: [keycloak-user] Keycloak 4
In-Reply-To:
References:
Message-ID:

Hi,

We have a few changes to docs that were not released because the PR [1] was not merged on time. But you can check about pushed claims (if you are using our adapters) here [2].

Regards.
Pedro igor

[1] https://github.com/keycloak/keycloak-documentation/pull/402
[2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point

On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont wrote:

> Hi guys,
> I'm playing with the new version of Keycloak (https://www.keycloak.org/docs/latest/release_notes/index.html)
>
> I have some questions:
> - where is the "account management console"?
> - How to use pushed claims? Which APIs are affected?
>
> Thanks!
> Corentin

From betalb at gmail.com Fri Jun 22 10:46:10 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Fri, 22 Jun 2018 17:46:10 +0300
Subject: [keycloak-user] Keycloak as an identity provider (either SAML or OpenID Connect)?
In-Reply-To:
References:
Message-ID:

It really is, you can even use one realm as idp for other realm within the same KC when doing identity brokering

On Fri, 22 Jun 2018 at 10:04, Rafael Weingärtner wrote:

> Thanks for the answer Stian.
>
> From my readings and testing, it looks like Keycloak is able to have "multiple IdPs inside itself". I mean, it uses the idea of "realms", and they can have different configurations. Therefore, for an external client (SP), each realm will look like a different IdP. At least, that is my feeling when I discovered the "OpenID Connect discovery URL" (http://localhost:8080/auth/realms/master/.well-known/openid-configuration).
>
> On Thu, Jun 21, 2018 at 10:28 AM, Stian Thorgersen wrote:
>
> > Of course Keycloak can stand on its own. Brokering is just an additional optional thing.
> >
> > On 21 Jun 2018 9:33 am, "Rafael Weingärtner" < rafaelweingartner at gmail.com> wrote:
> >
> > Hello, Keycloak community,
> >
> > I am evaluating Keycloak, and after some reading, I got the impression that it supports OpenID Connect and SAML (which fits my requirement exactly). However, after installing it, and digging a little deeper in the configuration overview, I got confused.
> >
> > I have used OpenID Connect before with MITREid implementation. So, when I install and configure MITREid IdP, it will be working as an IdP for my federation. I understand that Keycloak can do identity brokering, which is super nice, but what I wonder is the following. Is Keycloak prepared to be an IdP out of the box with either SAML or OpenID Connect protocols? Or, does it depend on IdPs that implement those protocols to work?
> >
> > --
> > Rafael Weingärtner
>
> --
> Rafael Weingärtner

From psilva at redhat.com Fri Jun 22 10:49:45 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Jun 2018 11:49:45 -0300
Subject: [keycloak-user] Implementation of Policy Provider Service Provider Interface
In-Reply-To: <7C1BA4D0-4D9A-4768-8F91-FC83B4908DE0@ojc.com.br>
References: <7C1BA4D0-4D9A-4768-8F91-FC83B4908DE0@ojc.com.br>
Message-ID:

Hi,

We don't have any docs for this yet because this is not a supported SPI. I want to change this in next version and provide more docs about how to write custom policy providers. For now, you can take a look at some code examples we have here https://github.com/keycloak/keycloak/tree/master/authz/policy/common/src/main .

Regards.
Pedro Igor

On Mon, Jun 18, 2018 at 5:40 PM, Leonardo Nunes wrote:

> The Authorization documentation says that Keycloak supports different access control mechanisms including (Support for custom access control mechanisms (ACMs) through a Policy Provider Service Provider Interface (SPI)).
>
> Which class do I need to extend to implement this SPI.
>
> Currently I'm on version 3.4.3.Final.
>
> Thank you!
>
> --
> Leonardo Nunes
> ________________________________
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

From corentin.dupont at gmail.com Fri Jun 22 11:09:06 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 22 Jun 2018 17:09:06 +0200
Subject: [keycloak-user] Keycloak 4
In-Reply-To:
References:
Message-ID:

Thanks Pedro, I went through the pull request.
I'm not sure how to modify my entitlement requests?
For example I have:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [
        "sensors:update"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

This call has been moved to uma-2, right?
Can I add pushed claims to this call? What I'm imagining is:

curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [
        "sensors:update"
      ]
    }
  ],
  claims: ["owner": "cdupont"]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"

In this example, I would like to push the owner of the sensor ("cdupont"), which I take from our own database before calling the API.

Sorry about the questions, maybe I should just wait until the documentation is merged :)

From Manfred.Schenk at iosb.fraunhofer.de Fri Jun 22 12:00:26 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Fri, 22 Jun 2018 16:00:26 +0000
Subject: [keycloak-user] Is there any update on https://issues.jboss.org/browse/KEYCLOAK-2940 ?
Message-ID:

Does anyone have information about https://issues.jboss.org/browse/KEYCLOAK-2940 ?
Is there something planned for the near future or will we have to wait for years before this will be implemented?
Some kind of roadmap could be helpful.

Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Telefon +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From psilva at redhat.com Fri Jun 22 13:09:32 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Jun 2018 14:09:32 -0300
Subject: [keycloak-user] Keycloak 4
In-Reply-To:
References:
Message-ID:

The new form of obtaining entitlements relies solely on the token endpoint just like when you are obtaining access tokens using other OAuth2 grant types. With that in mind the new format of the request should be a HTTP POST + parameters. Check this documentation [1] for more details.

Regarding pushing claims to your policies, there is a specific HTTP parameter that you can use to pass a Base64 encoded JSON with the claims you want to push.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

From psilva at redhat.com Fri Jun 22 14:05:22 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 22 Jun 2018 15:05:22 -0300
Subject: [keycloak-user] Fine-grained permissions to map a client role to a group
In-Reply-To: <128d54514284441cbc4264369bcd136a@bosch-si.com>
References: <128d54514284441cbc4264369bcd136a@bosch-si.com>
Message-ID:

Hi,

We do support fine-grained permissions for Groups. But I think your problem is related to the fact that there is no specific permission for mapping role to a group. Is that correct?

Regarding the "manage-users" role, this is the role that grants access to groups. As well "view-users".

Regards.
Pedro Igor

On Thu, Jun 14, 2018 at 7:41 AM, Leistert Christoph (INST/ECS2) < Christoph.Leistert at bosch-si.com> wrote:

> Hello,
> We use Keycloak 3.4.3 and we are trying to find out a way to let users create clients with a client role and map this client role to a group they are already a member of.
> For the client creation and client role creation we assigned the realm role "manage-clients" to the users and this is okay for our setup. Additionally the users are assigned to the "query-groups" realm role, so that they could see the groups.
> We struggle a bit with the right role/permissions setup to map the client role to a group.
> First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which allows the user also to e.g. see all users. This should not be possible for these users.
> Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions and the "map-role" permission of the "Users" resource does not allow to map a role to a group (403 Forbidden).
> Is there any other way than using the "manage-users" realm role to map a client role to a group?
> Is it planned to add fine-grained permissions for a "Groups" resource?
>
> Mit freundlichen Grüßen / Best regards
>
> Christoph Leistert
>
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
>
> Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn

From pnalyvayko at agi.com Fri Jun 22 21:30:12 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Sat, 23 Jun 2018 01:30:12 +0000
Subject: [keycloak-user] Apache X509 cert-lookup
In-Reply-To:
References:
Message-ID:

Hi Matthias,
Can you attach the x509 cert lookup SPI config?
--Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Matthias ANGLADE [manglade at nextoo.fr]
Sent: Friday, June 22, 2018 4:56 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Apache X509 cert-lookup

Hello,
I'm trying to set up client cert authentication. Since my Keycloak server is running behind an SSL reverse proxy I modified the domain.xml file in order to declare the Apache cert lookup SPI. I checked that the certificate was properly embedded in the HTTP header; still, I can't get to authenticate using this approach. In the log file I see no line related to this authentication (I should be able to see log coming from AbstractClientCertificateFromHttpHeadersLookup). It behaves just as if the SPI wasn't active.
Note that even if my proxy isn't an Apache server, the certificate it emits is formatted like for Apache.
Any clue on this?
Regards,

From pnalyvayko at agi.com Fri Jun 22 21:36:47 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Sat, 23 Jun 2018 01:36:47 +0000
Subject: [keycloak-user] Apache X509 cert-lookup
In-Reply-To:
References: ,
Message-ID:

Also, just to confirm: are you running kc in a cluster mode or standalone? In your post you mentioned domain.xml so I am assuming you are running a cluster, but just want to make sure...
________________________________________
From: Nalyvayko, Peter
Sent: Friday, June 22, 2018 9:30 PM
To: Matthias ANGLADE; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Apache X509 cert-lookup

From pkboucher801 at gmail.com Sat Jun 23 14:09:25 2018
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Sat, 23 Jun 2018 14:09:25 -0400
Subject: [keycloak-user] Brokered logins only?
In-Reply-To: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com>
References: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com>
Message-ID: <000f01d40b1d$52280aa0$f6781fe0$@gmail.com>

Am I asking on the wrong list?

Is this question uninteresting? Too easy? Too hard?

-----Original Message-----
From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com]
Sent: Monday, June 18, 2018 8:01 AM
To: keycloak-user at lists.jboss.org
Subject: Brokered logins only?

Any way (other than a custom theme that enforces it in the UI) to allow only brokered logins to a realm?

For reasons beyond my control, the user's password is the same in the IDP as it is in KC (they point at the same OU in LDAP), but the IDP has been configured with a particular 2FA method that is not supported by KC. So the problem is that if the users login with username/password submission on the KC login page, they can bypass the IDP's 2FA.

We can set the IDP as the default, but kc_idp_hint as a blank value will bring up the KC login page.

Maybe there's a way to adjust the flows so that brokered login works, but username/password submission on the KC login page fails (or is not even offered)?

Maybe set up pre-configured OTPs on the accounts, so that the users can't get past there? (this would be a bad, confusing UX)

Any other ideas?

Regards,
Peter K. Boucher

From aram.aslanyan at clincapture.com Sat Jun 23 14:37:44 2018
From: aram.aslanyan at clincapture.com (Aram Aslanyan)
Date: Sat, 23 Jun 2018 21:37:44 +0300
Subject: [keycloak-user] Keycloak not sending backchannel logout requests
Message-ID:

Hi,

I am using Keycloak 3.4.3.
My webapp uses the Keycloak adapter to interact with the auth server. I am using the OpenID Connect protocol. The Admin URL is provided for the client in the Keycloak server. When I log out a user session via the Keycloak admin console, it seems not to send a backchannel logout request to my webapp. The local session still lives (until the access token becomes invalid).

What am I missing?

Thanks,
Aram

--
Aram Aslanyan
Application Developer
Email: aram.aslanyan at clincapture.com
www.clincapture.com

Confidentiality Notice: Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this e-mail by anyone else is unauthorized. If you are not an addressee, please inform the sender immediately.

From rdenadai at gmail.com Sun Jun 24 06:15:53 2018
From: rdenadai at gmail.com (Rodolfo De Nadai)
Date: Sun, 24 Jun 2018 07:15:53 -0300
Subject: [keycloak-user] Keycloak as SAML IdP - Google sign-out problem

I was able to make it work... point the logout URL of Google to the openid-connect logout URL.

On Fri, 22 Jun 2018 at 05:01, Tiemen Ruiten wrote:

> Signout is working for us, I initially used the same guide but had to make some changes. My setup differs in the following places:
>
> Include OneTimeUse Condition - off
> Optimize REDIRECT signing key lookup - off
> SAML Signature Key Name - NONE
> Base URL - /auth/realms/{realmname}/protocol/saml/clients/googleapps (note the lack of &RelayState=true)
>
> I set the signout URL in the Google Apps dashboard to https://ourdomain.tld/auth/realms/{realmname}/account/
>
> On 19 June 2018 at 22:12, Rodolfo De Nadai wrote:
>
>> Hi,
>>
>> I'm configuring my Keycloak installation as an IdP and Google Apps as an SSO.
>>
>> I'm able to log in, but when trying to log out I got no success...
>>
>> My configuration follows what is described here:
>>
>> https://stories.scandiweb.com/sign-in-to-google-apps-using-saml-protocol-and-keycloak-as-identity-provider-79227fd2e063
>>
>> There was a thread in the mailing list which was able to log in also, but didn't mention the logout process. As I thought it should be almost as transparent, since no documentation says anything, it is beginning to turn into a problem.
>>
>> If someone could help or point me in some direction, I'd appreciate it.
>>
>> thanks
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

From lists at merit.unu.edu Sun Jun 24 08:30:40 2018
From: lists at merit.unu.edu (mj)
Date: Sun, 24 Jun 2018 14:30:40 +0200
Subject: [keycloak-user] brokered-login only

Hi,

Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from?

Thanks!

MJ

From lists at merit.unu.edu Sun Jun 24 13:17:38 2018
From: lists at merit.unu.edu (mj)
Date: Sun, 24 Jun 2018 19:17:38 +0200
Subject: [keycloak-user] Brokered logins only?
In-Reply-To: <000f01d40b1d$52280aa0$f6781fe0$@gmail.com>
References: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com> <000f01d40b1d$52280aa0$f6781fe0$@gmail.com>

Wow, I just noticed your question, after I posted *exactly* the same question. I guess that means that I should also not expect a reply... :-)

MJ

On 06/23/2018 08:09 PM, pkboucher801 at gmail.com wrote:
> Am I asking on the wrong list?
>
> Is this question uninteresting? Too easy? Too hard?
>
> -----Original Message-----
> From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com]
> Sent: Monday, June 18, 2018 8:01 AM
> To: keycloak-user at lists.jboss.org
> Subject: Brokered logins only?
>
> Any way (other than a custom theme that enforces it in the UI) to allow only brokered logins to a realm?
>
> For reasons beyond my control, the user's password is the same in the IDP as it is in KC (they point at the same OU in LDAP), but the IDP has been configured with a particular 2FA method that is not supported by KC. So the problem is that if the users log in with username/password submission on the KC login page, they can bypass the IDP's 2FA.
>
> We can set the IDP as the default, but kc_idp_hint with a blank value will bring up the KC login page.
>
> Maybe there's a way to adjust the flows so that brokered login works, but username/password submission on the KC login page fails (or is not even offered)?
>
> Maybe set up pre-configured OTPs on the accounts, so that the users can't get past there? (This would be a bad, confusing UX.)
>
> Any other ideas?
>
> Regards,
> Peter K. Boucher

From mposolda at redhat.com Mon Jun 25 02:49:15 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 25 Jun 2018 08:49:15 +0200
Subject: [keycloak-user] brokered-login only

It's possible to remove the username/password fields from the login screen by doing a custom theme and overriding the freemarker template for the login screen.

You may need to remove the "password" tab from account management as well, so that users are not able to set their password there. This can also be achieved through a theme.

The thing is, after changing themes, users will still be able to log in with their username/password if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password" tab is not in the UI).
So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if the user is trying to "simulate" the request like this.

Marek

On 24/06/18 14:30, mj wrote:
> Hi,
>
> Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from?
>
> Thanks!
>
> MJ

From mposolda at redhat.com Mon Jun 25 05:25:29 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 25 Jun 2018 11:25:29 +0200
Subject: [keycloak-user] brokered-login only

Yes, sure.

If you just need to override themes, you may not need to override the authentication flow. But if you need to override the UsernamePassword Authenticator and change the implementation so that it doesn't allow login with username/password at all, then you will need to add this authenticator implementation into a new browser authentication flow. Maybe instead of overriding the UsernamePassword authenticator, it's easier to create a new authenticator implementation, which will just show the Freemarker form with links to brokers (no username/password). In that case you will also need to create a new authentication flow and add that new authenticator implementation to it.

Marek

On 25/06/18 08:57, Corbetta, Francesco wrote:
> Hello
>
> What about changing the browser authentication flow?
>
> Best
>
> Francesco
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Marek Posolda
> Sent: 25 June 2018 08:49
> To: mj ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> It's possible to remove the username/password fields from the login screen by doing a custom theme and overriding the freemarker template for the login screen.
>
> You may need to remove the "password" tab from account management as well, so that users are not able to set their password there. This can also be achieved through a theme.
>
> The thing is, after changing themes, users will still be able to log in with their username/password if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password" tab is not in the UI). So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if the user is trying to "simulate" the request like this.
>
> Marek
>
>
> On 24/06/18 14:30, mj wrote:
>> Hi,
>>
>> Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from?
>>
>> Thanks!
>>
>> MJ

From henning.waack at codecentric.de Mon Jun 25 07:35:53 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Mon, 25 Jun 2018 13:35:53 +0200
Subject: [keycloak-user] Get all users for a given client with consent

Hi.

Is it possible to get a list of all users who have given their consent for a specific client? I am working with KC 4.0 (and Spring Boot 2.0).

Thanks & greetings

Henning

From sthorger at redhat.com Mon Jun 25 07:41:13 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 25 Jun 2018 13:41:13 +0200
Subject: [keycloak-user] Is there any update on https://issues.jboss.org/browse/KEYCLOAK-2940 ?

At the moment that one isn't a priority for us. A community contribution would be more than welcome though.

On Fri, 22 Jun 2018 at 18:10, Schenk, Manfred <Manfred.Schenk at iosb.fraunhofer.de> wrote:

> Does anyone have information about https://issues.jboss.org/browse/KEYCLOAK-2940 ?
> Is there something planned for the near future, or will we have to wait for years before this will be implemented?
>
> Some kind of roadmap could be helpful.
>
> Regards,
> Manfred
>
> --
> Manfred Schenk, Fraunhofer IOSB
> Informationsmanagement und Leittechnik
> Fraunhoferstraße 1, 76131 Karlsruhe, Germany
> Phone +49 721 6091-391
> mailto:Manfred.Schenk at iosb.fraunhofer.de
> http://www.iosb.fraunhofer.de

From pkboucher801 at gmail.com Mon Jun 25 09:38:12 2018
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Mon, 25 Jun 2018 09:38:12 -0400
Subject: [keycloak-user] brokered-login only
Message-ID: <000401d40c89$c36695c0$4a33c140$@gmail.com>

You will need auto-linking of the IDP to the internal account as well, so they won't be asked for their password in order to approve linking their Keycloak account to the IDP.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Monday, June 25, 2018 5:25 AM
To: Corbetta, Francesco
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] brokered-login only

Yes, sure.

If you just need to override themes, you may not need to override the authentication flow. But if you need to override the UsernamePassword Authenticator and change the implementation so that it doesn't allow login with username/password at all, then you will need to add this authenticator implementation into a new browser authentication flow. Maybe instead of overriding the UsernamePassword authenticator, it's easier to create a new authenticator implementation, which will just show the Freemarker form with links to brokers (no username/password). In that case you will also need to create a new authentication flow and add that new authenticator implementation to it.

Marek

On 25/06/18 08:57, Corbetta, Francesco wrote:
> Hello
>
> What about changing the browser authentication flow?
>
> Best
>
> Francesco
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Marek Posolda
> Sent: 25 June 2018 08:49
> To: mj ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> It's possible to remove the username/password fields from the login screen by doing a custom theme and overriding the freemarker template for the login screen.
>
> You may need to remove the "password" tab from account management as well, so that users are not able to set their password there. This can also be achieved through a theme.
>
> The thing is, after changing themes, users will still be able to log in with their username/password if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password" tab is not in the UI). So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if the user is trying to "simulate" the request like this.
>
> Marek
>
>
> On 24/06/18 14:30, mj wrote:
>> Hi,
>>
>> Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from?
>>
>> Thanks!
>>
>> MJ

From Christoph.Leistert at bosch-si.com Mon Jun 25 09:54:03 2018
From: Christoph.Leistert at bosch-si.com (Leistert Christoph (INST/ECS2))
Date: Mon, 25 Jun 2018 13:54:03 +0000
Subject: [keycloak-user] Fine-grained permissions to map a client role to a group
References: <128d54514284441cbc4264369bcd136a@bosch-si.com>

Hi,

Thanks for your reply. Sorry I did not find the fine-grained permissions for groups the first time. Now I think the problem is related to the fact that there is no specific permission for mapping a role to a group, as you mentioned.

I tried to set up a proper configuration for the described scenario again and ran into the following two problems:

- Group search by name returns 403 Forbidden if the user does not have the role "view-groups" but has the "view" scope permission of a group which will match the search query.
- Mapping a role to a group fails if the user has:
  - the "view" and "manage" permissions of the group and
  - the "map-role" permission of the role

Any further hints on how to solve these problems?

Best regards

Christoph Leistert (INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn

From: Pedro Igor Silva
Sent: Friday, 22 June 2018 20:05
To: Leistert Christoph (INST/ECS2)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Fine-grained permissions to map a client role to a group

Hi,

We do support fine-grained permissions for Groups. But I think your problem is related to the fact that there is no specific permission for mapping a role to a group. Is that correct?

Regarding the "manage-users" role, this is the role that grants access to groups. As well as "view-users".

Regards.
Pedro Igor

On Thu, Jun 14, 2018 at 7:41 AM, Leistert Christoph (INST/ECS2) wrote:

Hello,

We use Keycloak 3.4.3 and we are trying to find a way to let users create clients with a client role and map this client role to a group they are already a member of.

For the client creation and client role creation we assigned the realm role "manage-clients" to the users, and this is okay for our setup. Additionally the users are assigned the "query-groups" realm role, so that they can see the groups.

We struggle a bit with the right role/permissions setup to map the client role to a group. First, we tried to use realm roles only. However, for mapping a role to a group the "manage-users" role is needed, which also allows the user to e.g. see all users. This should not be possible for these users.

Now we try to use fine-grained permissions to realize our scenario. But for the group entity there are no fine-grained permissions, and the "map-role" permission of the "Users" resource does not allow mapping a role to a group (403 Forbidden).

Is there any other way than using the "manage-users" realm role to map a client role to a group? Is it planned to add fine-grained permissions for a "Groups" resource?

Best regards

Christoph Leistert (INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn

From lists at merit.unu.edu Mon Jun 25 10:30:38 2018
From: lists at merit.unu.edu (lists)
Date: Mon, 25 Jun 2018 16:30:38 +0200
Subject: [keycloak-user] brokered-login only
In-Reply-To: <000401d40c89$c36695c0$4a33c140$@gmail.com>
References: <000401d40c89$c36695c0$4a33c140$@gmail.com>
Message-ID: <911cb405-a916-974e-e961-ef9426781005@merit.unu.edu>

Hi,

OK, that seems like a lot of things to take into consideration for (what I guess) would be the most basic use case: create a dedicated 'brokering' realm, where users can only log on 'brokered'.

I mean, combining 'local' and brokered users in the same realm would be more unlikely and advanced... right?

(In our case, for example: we have set up a keycloak realm for our ldap-federated users, and now want to set up a second realm to facilitate SSO between our users and those of some other remote networks.)

What I am saying: isn't it more likely to have brokered-only realm(s), plus other realms with local users? So shouldn't it be 'normal standard behaviour' to disallow local logons for brokered accounts? Or am I missing something here..?

From what I see, you would normally want to rely on the remote IdP's data for authentication, and (almost?) never on a local administrative 'ghost copy' of it?

Probably there is something I am missing though...?

MJ

On 25-6-2018 15:38, pkboucher801 at gmail.com wrote:
> You will need auto-linking of the IDP to the internal account as well, so they won't be asked for their password in order to approve linking their Keycloak account to the IDP.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Monday, June 25, 2018 5:25 AM
> To: Corbetta, Francesco
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> Yes, sure.
>
> If you just need to override themes, you may not need to override the authentication flow. But if you need to override the UsernamePassword Authenticator and change the implementation so that it doesn't allow login with username/password at all, then you will need to add this authenticator implementation into a new browser authentication flow. Maybe instead of overriding the UsernamePassword authenticator, it's easier to create a new authenticator implementation, which will just show the Freemarker form with links to brokers (no username/password). In that case you will also need to create a new authentication flow and add that new authenticator implementation to it.
>
> Marek
>
> On 25/06/18 08:57, Corbetta, Francesco wrote:
>> Hello
>>
>> What about changing the browser authentication flow?
>>
>> Best
>>
>> Francesco
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Marek Posolda
>> Sent: 25 June 2018 08:49
>> To: mj ; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] brokered-login only
>>
>> It's possible to remove the username/password fields from the login screen by doing a custom theme and overriding the freemarker template for the login screen.
>>
>> You may need to remove the "password" tab from account management as well, so that users are not able to set their password there. This can also be achieved through a theme.
>>
>> The thing is, after changing themes, users will still be able to log in with their username/password if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password" tab is not in the UI). So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if the user is trying to "simulate" the request like this.
>>
>> Marek
>>
>>
>> On 24/06/18 14:30, mj wrote:
>>> Hi,
>>>
>>> Is there a way to create a realm in keycloak with a few brokered IdP's, *without* the local username/password fields on the login screen, but *only* a list of external IdP's to choose from?
>>>
>>> Thanks!
>>>
>>> MJ

From msakho at redhat.com Mon Jun 25 11:04:47 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 25 Jun 2018 17:04:47 +0200
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required

Sebastien,

I'm trying to use Kubernetes TLS client-side
authentication with Keycloak on a cloud environment called Apprenda (based on Kubernetes and Docker). I can't manage to make it work, and I don't know if the problem is from my ingress configuration or from the nginx configuration.

In regard to the bug described below: https://github.com/kubernetes/ingress-nginx/issues/2287
It seems like it's from the nginx configuration. But I'm not sure.

My ingress configuration is the following:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      namespace: opengie-proto
      name: keycloak-opengie-proto-ssl
      labels:
        app: keycloak-opengie-proto
      annotations:
        # require and verify a client certificate (mutual TLS) at the ingress
        nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
        # secret holding the CA chain used to verify client certificates
        # (ingress-nginx expects this value in the form namespace/secretName)
        nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
        nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
        # forward the verified client certificate to the upstream (Keycloak) in a request header
        nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    spec:
      rules:
      - host: keycloak-opengie-ssl.proto.paas.eclair.local
        http:
          paths:
          - path: /
            backend:
              serviceName: keycloak-opengie-proto
              servicePort: https
      tls:
      - hosts:
        - keycloak-opengie-ssl.proto.paas.eclair.local

Is there something strange that you're seeing in my configuration?
Could you give me some hints on the nginx configuration that I have to pay attention to?

thanks,
Meissa

2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec :

> I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration.
>
> If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request.
>
> I think you have a couple of options for how to solve it:
> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination).
> A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
> - Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic)
> - Turn off the "Require SSL" option in the "Realm Settings". But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!!
>
> Thanks,
> Sebastian
>
> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan wrote:
>
> > Hi all,
> >
> > I'm evaluating Keycloak as IAM for one open source project [1]; so far, I've tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster.
> >
> > The real cluster (created by Gardener [2]) is running on AWS and the access to the Keycloak is exposed through an Ingress controller [3]. We've also installed "cert-manager" for automated certificate management of Let's Encrypt issued certificates.
> >
> > So far so good, but when I try to log in to the "Admin Console" I get the following error:
> > "We're sorry... HTTPS required"
> >
> > In the logs of the pod, there is the following warning:
> > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required"
> >
> > As far as I understand, the Let's Encrypt certificate is trusted by the browsers and it appears to be trusted by the OpenJDK also [4].
> > Then what should be done in order to access the Admin Console?
> >
> > Last but not least, we are using the jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).
> >
> > Regards,
> > Yordan Pavlov
> >
> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
> > [2] Gardener: https://github.com/gardener
> > [3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

From bruno at abstractj.org Mon Jun 25 11:42:29 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 25 Jun 2018 12:42:29 -0300
Subject: [keycloak-user] Keycloak Proxy Rename
Message-ID: <20180625154229.GA17717@abstractj.org>

Good afternoon,

We are considering transferring or forking the keycloak-proxy[1] to the Keycloak organization. In order to accomplish that, I've been working with Rohith on updating some of its dependencies[2].

While discussing with our team, we reached the conclusion that calling it a proxy could potentially increase the scope of the project and also give people the wrong idea, because things like load balancing, rate limiting, and other features would be expected. That's not what we want right now.

I would like to gather some feedback from the community before we move forward. So please vote on the following Doodle: https://doodle.com/poll/gux626ktscgpr96t

Also, feel free to suggest other names and they will be included.
[1] - https://github.com/gambol99/keycloak-proxy
[2] - https://issues.jboss.org/browse/KEYCLOAK-7265

--
abstractj

From vandana0242 at gmail.com Mon Jun 25 11:57:20 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Mon, 25 Jun 2018 10:57:20 -0500
Subject: [keycloak-user] Needs to know whether the doc info is part of SSO or not

https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html

Does anyone know whether section 4.2.1.2 is a part of the single sign-on configuration?

Thanks.

From sblanc at redhat.com Mon Jun 25 12:16:37 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 25 Jun 2018 18:16:37 +0200
Subject: [keycloak-user] Needs to know whether the doc info is part of SSO or not

Not sure I understand your question, could you elaborate?

On Mon, Jun 25, 2018 at 5:57 PM, vandana thota wrote:

> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html
>
> Does anyone know whether section 4.2.1.2 is a part of the single sign-on configuration?
>
> Thanks.

From vandana0242 at gmail.com Mon Jun 25 12:27:35 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Mon, 25 Jun 2018 11:27:35 -0500
Subject: [keycloak-user] Needs to know whether the doc info is part of SSO or not

We are trying to have a single sign-on configuration using Keycloak, an external IDP, Wildfly, keycloak-saml-adapters, and an application deployed on a Wildfly instance.

We have added an external identity provider on Keycloak.

After this I could see a tab which is related to this IDP, and I gave the name for the tab as Sampleapp-saml on the Keycloak user interface page, right side.
When I click on that tab Sampleapp-saml, it's redirecting to the external IDP user interface page (login page). After I enter the credentials it's going to the Keycloak page. But here we have to get the app that we configured in the external IDP. For this, do we need to do any configuration on Keycloak and Wildfly, or on the application deployed on the Wildfly instance?

Installed Keycloak SAML adapters on the Wildfly server; we have chosen the SAML adapter because our external IDP is following SAML 2.0 standards.

https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html

Does anyone know whether section 4.2.1.2 is a part of the single sign-on configuration?

On Mon, Jun 25, 2018 at 11:16 AM Sebastien Blanc wrote:

> Not sure I understand your question, could you elaborate?
>
> On Mon, Jun 25, 2018 at 5:57 PM, vandana thota wrote:
>
>> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html
>>
>> Does anyone know whether section 4.2.1.2 is a part of the single sign-on configuration?
>>
>> Thanks.

From corentin.dupont at gmail.com Mon Jun 25 12:28:47 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 25 Jun 2018 18:28:47 +0200
Subject: [keycloak-user] Keycloak 4

Ok, I see the "claim_token" parameter in the request. I guess you can retrieve those claims in a javascript rule, from the evaluation context.

By the way, I still cannot figure out where the "account management console" is, where a user can manage users' access (as per the release notes)??

On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva wrote:

> The new form of obtaining entitlements relies solely on the token endpoint, just like when you are obtaining access tokens using other OAuth2 grant types.
With that in mind the new format of the request should be a HTTP > POST + parameters. Check this documentation [1] for more details. > > Regarding pushing claims to your policies, there is a specific HTTP > parameter that you can use to pass a Base64 encoded JSON with the claims > you want to push. > > [1] https://www.keycloak.org/docs/latest/authorization_ > services/index.html#_service_obtaining_permissions > > > On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Thanks Pedro, I went through the pull request. >> I'm not sure how to modify my entitlement requests? >> For example I have: >> curl -X POST -H "Content-Type: application/json" -H "Authorization: >> Bearer $TOKEN" -d '{ >> "permissions" : [ >> { >> "resource_set_name" : "Sensors", >> "scopes" : [ >> "sensors:update" >> ] >> } >> ] >> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >> >> This call has been moved to uma-2, right? >> Can I add pushed claims to this call? What I'm imagining is: >> >> curl -X POST -H "Content-Type: application/json" -H "Authorization: >> Bearer $TOKEN" -d '{ >> "permissions" : [ >> { >> "resource_set_name" : "Sensors", >> "scopes" : [ >> "sensors:update" >> ] >> } >> ], >> claims: ["owner": "cdupont"] >> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" >> >> In this example, I would like to push the owner of the sensor >> ("cdupont"), which I take from our own database before calling the API. >> >> Sorry about the questions, maybe I should just wait that the >> documentation is merged :) >> >> >> >> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva >> wrote: >> >>> Hi, >>> >>> We have a few changes to docs that were not released because the PR [1] >>> was not merged on time. But you can check about pushed claims (if you are >>> using our adapters) here [2]. >>> >>> Regards. 
>>> Pedro igor >>> >>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>> ces/index.html#_enforcer_claim_information_point >>> >>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Hi guys, >>>> I'm playing with the new version of Keycloak ( >>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>> >>>> I have some questions: >>>> - where is the "account management console"? >>>> - How to use pushed claims? Which APIs are affected? >>>> >>>> Thanks! >>>> Corentin >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From vandana0242 at gmail.com Mon Jun 25 12:40:11 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 25 Jun 2018 11:40:11 -0500 Subject: [keycloak-user] Needs to know wether the doc info is part of SSO or not In-Reply-To: References: Message-ID: Hello Sebastien Blanc, *Do you able to understand or able to connect the dots about what I'm trying to explain ?* *Thanks.* On Mon, Jun 25, 2018 at 11:27 AM vandana thota wrote: > We are trying to have single sign on configuration by using keycloak , > external IDP , Wildfly , keycloak-saml-adapters, Application deployed on > wildfly instance > > We have added and external identity provider on keycloak. > > After this I could see a tab which is realated to this IDP and I gave > the name for the tab as Sampleapp-saml on keycloak user interface page > right side. > > When I clik on that tab Sampleapp-saml , its redirecting to External > IDP user interface page ( Login page ) After I enter the credentails its > going to keycloak page. But here we have to get the app what we > configured in external IDP . 
For this do we need to do any > configurations on keycloak and wildfly , application deployed on wildfly > instance > > Installed keycloak saml adapaters on wildfly server , we have choosen > saml adapter cuz our external IDP is followinf SAML 2.0 standards. > > > > https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html > > Does any one knows the section 4.2.1.2 is a part of single sign on > configuration ? > > > > > > > > > > > > On Mon, Jun 25, 2018 at 11:16 AM Sebastien Blanc > wrote: > >> Not sure I understand your question, could you elaborate ? >> >> On Mon, Jun 25, 2018 at 5:57 PM, vandana thota >> wrote: >> >>> >>> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html >>> >>> Does any one knows the section 4.2.1.2 is a part of single sign on >>> configuration ? >>> >>> >>> Thanks. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> From sblanc at redhat.com Mon Jun 25 12:52:25 2018 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 25 Jun 2018 18:52:25 +0200 Subject: [keycloak-user] Needs to know wether the doc info is part of SSO or not In-Reply-To: References: Message-ID: Sorry not sure I could connect all the dots but : 1. Have you followed this https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers ? 2. And I have you configured your client in keycloak ? 
https://www.keycloak.org/docs/latest/server_admin/index.html#saml-clients On Mon, Jun 25, 2018 at 6:40 PM, vandana thota wrote: > Hello Sebastien Blanc, > > *Do you able to understand or able to connect the dots about what I'm > trying to explain ?* > > > *Thanks.* > > On Mon, Jun 25, 2018 at 11:27 AM vandana thota > wrote: > >> We are trying to have single sign on configuration by using keycloak , >> external IDP , Wildfly , keycloak-saml-adapters, Application deployed on >> wildfly instance >> >> We have added and external identity provider on keycloak. >> >> After this I could see a tab which is realated to this IDP and I >> gave the name for the tab as Sampleapp-saml on keycloak user interface >> page right side. >> >> When I clik on that tab Sampleapp-saml , its redirecting to External >> IDP user interface page ( Login page ) After I enter the credentails its >> going to keycloak page. But here we have to get the app what we >> configured in external IDP . For this do we need to do any >> configurations on keycloak and wildfly , application deployed on wildfly >> instance >> >> Installed keycloak saml adapaters on wildfly server , we have choosen >> saml adapter cuz our external IDP is followinf SAML 2.0 standards. >> >> >> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/ >> java/jboss-adapter.html >> >> Does any one knows the section 4.2.1.2 is a part of single sign on >> configuration ? >> >> >> >> >> >> >> >> >> >> >> >> On Mon, Jun 25, 2018 at 11:16 AM Sebastien Blanc >> wrote: >> >>> Not sure I understand your question, could you elaborate ? >>> >>> On Mon, Jun 25, 2018 at 5:57 PM, vandana thota >>> wrote: >>> >>>> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/ >>>> java/jboss-adapter.html >>>> >>>> Does any one knows the section 4.2.1.2 is a part of single sign on >>>> configuration ? >>>> >>>> >>>> Thanks. 
>>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> From vandana0242 at gmail.com Mon Jun 25 13:44:59 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 25 Jun 2018 12:44:59 -0500 Subject: [keycloak-user] Needs to know wether the doc info is part of SSO or not In-Reply-To: References: Message-ID: Yes followed those two docs . https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers https://www.keycloak.org/docs/latest/server_admin/index.html#saml-clients Thanks. On Mon, Jun 25, 2018 at 11:52 AM Sebastien Blanc wrote: > Sorry not sure I could connect all the dots but : > > 1. Have you followed this > https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers > ? > 2. And I have you configured your client in keycloak ? > https://www.keycloak.org/docs/latest/server_admin/index.html#saml-clients > > > > On Mon, Jun 25, 2018 at 6:40 PM, vandana thota > wrote: > >> Hello Sebastien Blanc, >> >> *Do you able to understand or able to connect the dots about what I'm >> trying to explain ?* >> >> >> *Thanks.* >> >> On Mon, Jun 25, 2018 at 11:27 AM vandana thota >> wrote: >> >>> We are trying to have single sign on configuration by using keycloak , >>> external IDP , Wildfly , keycloak-saml-adapters, Application deployed on >>> wildfly instance >>> >>> We have added and external identity provider on keycloak. >>> >>> After this I could see a tab which is realated to this IDP and I >>> gave the name for the tab as Sampleapp-saml on keycloak user interface >>> page right side. >>> >>> When I clik on that tab Sampleapp-saml , its redirecting to External >>> IDP user interface page ( Login page ) After I enter the credentails its >>> going to keycloak page. But here we have to get the app what we >>> configured in external IDP . 
For this do we need to do any configuration on Keycloak and WildFly, or on the application deployed on the WildFly instance?
>>>
>>> We installed the Keycloak SAML adapters on the WildFly server; we chose the SAML adapter because our external IDP follows the SAML 2.0 standards.
>>>
>>> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html
>>>
>>> Does anyone know whether section 4.2.1.2 is part of the single sign-on configuration?
>>>
>>> On Mon, Jun 25, 2018 at 11:16 AM Sebastien Blanc wrote:
>>>> Not sure I understand your question, could you elaborate?
>>>>
>>>> On Mon, Jun 25, 2018 at 5:57 PM, vandana thota wrote:
>>>>> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/jboss-adapter.html
>>>>>
>>>>> Does anyone know whether section 4.2.1.2 is part of the single sign-on configuration?
>>>>>
>>>>> Thanks.

From vandana0242 at gmail.com Mon Jun 25 15:20:05 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Mon, 25 Jun 2018 14:20:05 -0500
Subject: [keycloak-user] Keycloak doubts securing WAR via SAML subsystem
Message-ID:

Hello All,

From the below doc I have a few doubts:
https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/saml-jboss-adapter.html

1st doubt: I want to take this option "Securing WARs via Keycloak SAML Subsystem"; we need to configure this instance's .xml file ...

From the above content which is given in the document, I did not get this from the lines "The secure-deployment name attribute identifies the WAR you want to secure. Its value is the module-name defined in web.xml with .war appended."

Do I have to put it like this "sample.war" or "sample.war"? Sample.war is the deployment file which I have deployed on the WildFly instance.

################

From the below lines which are mentioned in the doc, I have a few doubts:

"You do not have to crack open a WAR to secure it with Keycloak. Alternatively, you can externally secure it via the Keycloak SAML Adapter Subsystem. While you don't have to specify KEYCLOAK-SAML as an auth-method, you still have to define the security-constraints in web.xml. You do not, however, have to create a WEB-INF/keycloak-saml.xml file. This metadata is instead defined within the XML in your server's domain.xml or standalone.xml subsystem configuration section."

(2nd doubt)
(2) Do I have to define security-constraints in web.xml?
(2.a) In that case is there no need to create the keycloak-saml.xml file?
(2.b) If I have to create the keycloak-saml.xml file, from where, and what content needs to be in this keycloak-saml.xml file?

(3rd doubt)
(3) Which metadata is already defined in the standalone.xml file of the WildFly instance?
(3.a) As it's already defined, is there no need to define security-constraints in web.xml?
(3.b) Is there no need to create the keycloak.xml file under the WEB-INF folder?

Thanks,
Vandana

From vandana0242 at gmail.com Mon Jun 25 16:23:20 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Mon, 25 Jun 2018 15:23:20 -0500
Subject: [keycloak-user] Why and what are the files under installation tab of client tab in keycloak
Message-ID:

What are these files used for and why? These files are under the installation tab of the client tab in the Keycloak user interface page.

1) SAML Metadata IDPSSO Descriptor.
2)Keycloak SAML adapter-saml.xml 3)SAML Metadata SPSSODescriptor 4)keycloak SAML Wildfly/ Jboss Subsystem 5)Mod auth Mellon files From lists at merit.unu.edu Tue Jun 26 03:49:28 2018 From: lists at merit.unu.edu (lists) Date: Tue, 26 Jun 2018 09:49:28 +0200 Subject: [keycloak-user] brokered-login only In-Reply-To: <000401d40c89$c36695c0$4a33c140$@gmail.com> References: <000401d40c89$c36695c0$4a33c140$@gmail.com> Message-ID: Hi Peter, On 25-6-2018 15:38, pkboucher801 at gmail.com wrote: > You will need auto-linking of IDP to internal account as well, so they won't > be asked for their password in order to approve linking their Keycloak > account to the IDP. Regarding this auto-linking: I understand what you mean. Are you talking about this: https://github.com/ohioit/keycloak-link-idp-with-user Or is this functionality implemented in keycloak nowadays? (since the plugin above appears to be unmaintained...) MJ From scoady at redhat.com Tue Jun 26 05:05:30 2018 From: scoady at redhat.com (Stephen Coady) Date: Tue, 26 Jun 2018 10:05:30 +0100 Subject: [keycloak-user] Using the Keycloak js adapter in a Mobile App Message-ID: Hi, I am currently trying to use the Keycloak JS adapter to login on a mobile device. We were using the cordova adapter but had to change to the default as with local development using Openshift this line: https://github.com/keycloak/keycloak-js-bower/blob/master/dist/keycloak.js#L1289 was causing us issues and we could not redirect to the app. My question is this: is there a way, or a way planned, to handle the code returned from login with the redirectUri in a mobile view? Currently it looks as though I will have to parse the returned token myself and then login using whatever details it provides me with. Any help at all would be greatly appreciated. Thank you. 
--
STEPHEN COADY
ASSOCIATE SOFTWARE ENGINEER
Red Hat
Communications House, Cork Road
Waterford City, Ireland X91NY33
scoady at redhat.com
IM: scoady

From stier at fzi.de Tue Jun 26 05:35:34 2018
From: stier at fzi.de (Christian Stier)
Date: Tue, 26 Jun 2018 09:35:34 +0000
Subject: [keycloak-user] Group-based permissions for resources
In-Reply-To: References: <4847e9d891c4412cb19b2c1c0dcd6ac8@fzi.de>
Message-ID: <93205dee9d3b473dbf0cf4a1c8f7066d@fzi.de>

Hi Pedro,

thank you for the helpful example and extended documentation on GitHub. My understanding is that this would rely on trusting the client's claim that she is actually accessing the resource with the actual resource. In your example, it would rely on userA pushing the claim userB when she tries to access the resource /api/userB/salary.

For now I am implementing option 2) as this also offers the benefit of enabling a later refinement of access rights per organization on the Keycloak platform and in connected clients.

Best regards
Christian

From: Pedro Igor Silva
Sent: Friday, June 22, 2018 4:31 PM
To: Christian Stier
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-based permissions for resources

You should be able to push arbitrary claims to your policies such as the request URI. Your policy could check if {organization} is among the groups the user is a member of. A single policy could serve for this purpose.

I've added more information about this in docs, the PR is about to be merged. I'm also working with a quickstart that shows how to solve a similar problem. Something like "access to /api/{user}/salary is only allowed if current user is {user}".

On Fri, Jun 22, 2018 at 5:09 AM, Christian Stier wrote:

Dear all,

I am in the process of implementing an authorization solution for the REST API of an application using Keycloak/OIDC. The application manages resources based on their association with user groups. Its simplified path schema is similar to /{organization}/{resourcename}. All users of an organization should be allowed to access its resources. My current approach is to map organizations to Keycloak user groups.

1) Is it possible to define an authorization policy in Keycloak that handles group-based authorization for a single resource defined for the path /{organization}/{resourcename}? My idea here was to check if the organization path of a URL matches a scope of the calling client that is mapped from its group memberships. I looked into JS policy examples and the Evaluation API but I did not see a way to check against path parameters.

2) Or: Do I have to (programmatically) create separate resource/policy pairs for each organization to support this type of group-based authorization?

Thanks for any pointers and input.

Best regards
Christian

From THOMAS.PEETERS at Hvw-Capac.fgov.be Tue Jun 26 05:53:56 2018
From: THOMAS.PEETERS at Hvw-Capac.fgov.be (PEETERS.THOMAS (ICT))
Date: Tue, 26 Jun 2018 09:53:56 +0000
Subject: [keycloak-user] Keycloak 3.4.x client-url and SSO questions
In-Reply-To: <14C92FB32B792D4BA0514728C09286B817E1792C@ounas.hermes.dom>
References: <14C92FB32B792D4BA0514728C09286B817E1792C@ounas.hermes.dom>
Message-ID: <14C92FB32B792D4BA0514728C09286B817E18A7F@ounas.hermes.dom>

One of the issues was rather easily resolved. I forgot about being able to implicitly inject an authenticationSuccessHandler in the Spring Security application context. The one from Spring Security will do just fine with the property "alwaysUseDefaultTargetUrl" set to true.
The most pressing issue for us now is being able to log out of all SSO applications with one logout. So a logout in SSO application_A should cause the other SSO applications to prompt with the Keycloak login URL upon the next request. Right now we have to wait for the browser to expire its session naturally for that to happen. This appears to be harder.. Unless I'm missing something again.

T

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of PEETERS.THOMAS (ICT)
Sent: Friday, June 22, 2018 13:13
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 3.4.x client-url and SSO questions

Hey all,

While implementing a Keycloak based secure application set (3 internal web applications) with Spring Security, I've come upon some details that I can't seem to find an adequate answer to.

Our environment and implementations:
The security layer is implemented on the front-end only (for now).
JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring Security 3.2.10, Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).

What we've got working:
2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log in to app1 we're also logged in to app2, so that's good.

What we want but can't seem to achieve:
- Log out of app1 --> refresh of app2 should redirect to the Keycloak login page. At this point it seems that the user credentials remain active as long as the browser session remains active.
- After successful login from the Keycloak login page always redirect to the application welcome page (index.xhtml for instance). Use case: A user is working in one of our secured applications, has their browser session ended and clicks on some kind of link. The application correctly redirects this user to the Keycloak login page. The user correctly logs in and gets taken back to where he/she was. However, when this is an AJAX kind of request the user sees plain XML when taken back to the application. To avoid this I would like to always redirect to the welcome page of the application when the user logs in through the Keycloak login page. I can't seem to find a way to do this.
- Logout doesn't always work well. Sometimes the Spring AntPathRequestMatcher doesn't correctly match our logout pattern (/sso/logout**). Therefore we've provided an alternative that we've found in the documentation in the form of: https:///auth/realms//protocol/openid-connect/logout?redirect_uri=
  However this doesn't always work either. There are situations, depending on invalid rights for certain application parts, where this never logs out a user.

We've got a Spring Security application context in XML that is roughly the same as the one found in the documentation. And a keycloak.json file that looks like this:

{
  "realm": "",
  "auth-server-url": "/auth",
  "ssl-required": "all",
  "truststore": "",
  "truststore-password": "",
  "resource": "",
  "public-client": true,
  "always-refresh-token": true
}

Due to the large number of Keycloak releases and accompanying configuration changes it's really hard for us to find relevant information. When we first started by creating a POC we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not old appears to be outdated. Just an observation.

Thanks for reading.

Click here for our disclaimer

From lrozenblyum at gmail.com Tue Jun 26 06:16:38 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Tue, 26 Jun 2018 13:16:38 +0300
Subject: [keycloak-user] username to be used for importing users
Message-ID:

Hello!

We're using 2 Keycloak instances.
SP -> Keycloak (broker) -> Keycloak (Identity provider)

How can we configure the broker to create user names equal to the original username from Keycloak (IdP)? Now the new users inside the broker receive a G-.... (long meaningless string) username during the first log-in.

So if a user logs in through the IdP with login 'hello' we would like user 'hello' to be created in the broker.

Thank you for advice.

From slaskawi at redhat.com Tue Jun 26 07:53:58 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 26 Jun 2018 13:53:58 +0200
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
In-Reply-To: References: Message-ID:

Hey Meissa,

The more I think about this issue, the more I'm convinced that disabling SSL is the easiest approach. In most of the scenarios you're operating within your own Namespace so you can trust it.

Please give me some time to experiment with different options and hopefully I will be able to give you some better guidance.

Thanks,
Sebastian

On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho wrote:
> Sebastien,
> I'm trying to use Kubernetes TLS client-side authentication with Keycloak on a cloud environment called Apprenda (based on Kubernetes and Docker).
>
> I can't manage to make it work and I don't know if the problem is from my ingress configuration or from the nginx configuration.
> In regard to the bug described below:
> https://github.com/kubernetes/ingress-nginx/issues/2287
> It seems like it's from the nginx configuration. But I'm not sure.
>
> My ingress configuration is the following:
>
> apiVersion: extensions/v1beta1
> kind: Ingress
> metadata:
>   namespace: opengie-proto
>   name: keycloak-opengie-proto-ssl
>   labels:
>     app: keycloak-opengie-proto
>   annotations:
>     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
>     nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
>     nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
>     nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
> spec:
>   rules:
>   - host: keycloak-opengie-ssl.proto.paas.eclair.local
>     http:
>       paths:
>       - path: /
>         backend:
>           serviceName: keycloak-opengie-proto
>           servicePort: https
>   tls:
>   - hosts:
>     - keycloak-opengie-ssl.proto.paas.eclair.local
>
> Is there something strange that you're seeing in my configuration?
> Could you give me some hints on the nginx configuration that I have to pay attention to?
> thanks,
> Meissa
>
> 2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec :
>> I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration.
>>
>> If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request.
>>
>> I think you have a couple of options how to solve it:
>> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination). A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
>> - Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic)
>> - Turn "Require SSL" option in the "Realm Settings". But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!!
>>
>> Thanks,
>> Sebastian
>>
>> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan wrote:
>> > Hi all,
>> >
>> > I'm evaluating Keycloak as IAM for one open source project [1]; so far, I've tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster.
>> >
>> > The real cluster (created by Gardener [2]) is running on AWS and the access to Keycloak is exposed through an Ingress controller [3]. We've also installed "cert-manager" for automated certificate management of Let's Encrypt issued certificates.
>> >
>> > So far so good, but when I try to log in to the "Admin Console" I get the following error:
>> > "We're sorry... HTTPS required"
>> >
>> > In the logs of the pod, there is the following warning:
>> > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required"
>> >
>> > As far as I understand, the Let's Encrypt certificate is trusted by the browsers and it appears to be trusted by OpenJDK also [4].
>> > Then what should be done in order to access the Admin Console?
>> >
>> > Last but not least, we are using the jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).
>> >
>> > Regards,
>> > Yordan Pavlov
>> >
>> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
>> > [2] Gardener: https://github.com/gardener
>> > [3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
>> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

From c.otano at ibermatica.com Tue Jun 26 08:13:22 2018
From: c.otano at ibermatica.com (=?iso-8859-1?Q?Ota=F1o_Pavo=2C_Cesar?=)
Date: Tue, 26 Jun 2018 12:13:22 +0000
Subject: [keycloak-user] Kerberos authentication in Windows
Message-ID:

Hi,

I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here:
http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html

In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required in the settings. But after that, when I go to my web page I get the message "Kerberos is not set up. You cannot login."

Additional information:
- Keycloak is installed on Windows Server 2012.
- Command to create the keytab file:
  ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local at SANBOX.LOCAL -mapUser Keycloak at SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
- Configuration KRB5.ini located in c:\windows:
  [domain_realm]
  .sanbox.local = SANBOX.LOCAL
  sanbox.local = SANBOX.LOCAL
  [libdefaults]
  default_realm = SANBOX.LOCAL
  permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
  default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
  default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
  [realms]
  SANBOX.LOCAL = {
    kdc = sb-ad.sanbox.local
    admin_server = sb-ad.sanbox.local
    default_domain = SANBOX.LOCAL
  }
- Kerberos Integration:
  Allow Kerberos authentication: YES
  Kerberos Realm: SANBOX.LOCAL
  Server Principal: HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL
  KeyTab: C:/keycloak.keytab
  Debug: YES
  Use Kerberos For Password Authentication: YES

Regards
Cesar

LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.

From psilva at redhat.com Tue Jun 26 08:42:13 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 26 Jun 2018 09:42:13 -0300
Subject: [keycloak-user] Keycloak 4
In-Reply-To: References: Message-ID:

Yeah, you can access those claims in a JS policy.

Regarding the "account management console" take a look here: https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi .

On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont wrote:
> Ok, I see the "claim_token" parameter in the request.
> I guess you can retrieve those claims in a javascript rule, from the evaluation context.
>
> By the way, I still cannot figure out where the "account management console" is, where a user can manage users' access (as per the release notes)??
>
> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva wrote:
>> The new form of obtaining entitlements relies solely on the token endpoint, just like when you are obtaining access tokens using other OAuth2 grant types. With that in mind, the new format of the request should be an HTTP POST + parameters. Check this documentation [1] for more details.
>>
>> Regarding pushing claims to your policies, there is a specific HTTP parameter that you can use to pass a Base64 encoded JSON with the claims you want to push.
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>
>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>> Thanks Pedro, I went through the pull request.
>>> I'm not sure how to modify my entitlement requests?
>>> For example I have:
>>>
>>>     curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>       "permissions" : [
>>>         {
>>>           "resource_set_name" : "Sensors",
>>>           "scopes" : [
>>>             "sensors:update"
>>>           ]
>>>         }
>>>       ]
>>>     }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>
>>> This call has been moved to uma-2, right?
>>> Can I add pushed claims to this call? What I'm imagining is:
>>>
>>>     curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>       "permissions" : [
>>>         {
>>>           "resource_set_name" : "Sensors",
>>>           "scopes" : [
>>>             "sensors:update"
>>>           ]
>>>         }
>>>       ],
>>>       claims: ["owner": "cdupont"]
>>>     }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>
>>> In this example, I would like to push the owner of the sensor ("cdupont"), which I take from our own database before calling the API.
>>>
>>> Sorry about the questions, maybe I should just wait until the documentation is merged :)
>>>
>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva wrote:
>>>> Hi,
>>>>
>>>> We have a few changes to docs that were not released because the PR [1] was not merged on time. But you can check about pushed claims (if you are using our adapters) here [2].
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>
>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>> Hi guys,
>>>>> I'm playing with the new version of Keycloak (https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>
>>>>> I have some questions:
>>>>> - where is the "account management console"?
>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>
>>>>> Thanks!
>>>>> Corentin
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dominique.arnou at cnieg.fr Tue Jun 26 08:46:01 2018
From: dominique.arnou at cnieg.fr (Dominique ARNOU)
Date: Tue, 26 Jun 2018 12:46:01 +0000
Subject: [keycloak-user] Kerberos authentication in Windows

Hi

Your server principal would be HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL, not HTTPS/...
Dominique

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Otaño Pavo, Cesar
Sent: Tuesday, 26 June 2018 14:13
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Kerberos authentication in Windows

Hi,

I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol.
I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html

In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required. But after that, when I go to my web page, I get the message "Kerberos is not set up. You cannot login."

Additional information:

- Keycloak is installed in Windows Server 2012.

- Command to create the keytab file:

    ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

- Configuration KRB5.ini located in c:\windows:

    [domain_realm]
    .sanbox.local = SANBOX.LOCAL
    sanbox.local = SANBOX.LOCAL

    [libdefaults]
    default_realm = SANBOX.LOCAL
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
    SANBOX.LOCAL = {
        kdc = sb-ad.sanbox.local
        admin_server = sb-ad.sanbox.local
        default_domain = SANBOX.LOCAL
    }

- Kerberos Integration:

    Allow Kerberos authentication: YES
    Kerberos Realm: SANBOX.LOCAL
    Server Principal: HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
    KeyTab: C:/keycloak.keytab
    Debug: YES
    Use Kerberos For Password Authentication: YES

Regards
Cesar

From msakho at redhat.com Tue Jun 26 09:26:18 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 26 Jun 2018 15:26:18 +0200
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required

I have some additional input that could help; when I change my ingress configuration by switching from the https service (exposed to port 8443) to https (https), it works. The certificate is being presented. I'm getting a 502 bad gateway from the nginx otherwise. Maybe this will speak to you.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      namespace: opengie-proto
      name: keycloak-opengie-proto-ssl
      labels:
        app: keycloak-opengie-proto
      annotations:
        nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
        nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
        nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
        nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    spec:
      rules:
      - host: keycloak-opengie-ssl.proto.paas.eclair.local
        http:
          paths:
          - path: /
            backend:
              serviceName: keycloak-opengie-proto
              servicePort: http    <------- this value works
      tls:
      - hosts:
        - keycloak-opengie-ssl.proto.paas.eclair.local

2018-06-26 13:53 GMT+02:00 Sebastian Laskawiec:
> Hey Meissa,
>
> The more I think about this issue, the more I'm convinced that disabling SSL is the easiest approach.
> In most of the scenarios you're operating within your own Namespace, so you can trust it.
>
> Please give me some time to experiment with different options and hopefully I will be able to give you some better guidance.
>
> Thanks,
> Sebastian
>
> On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho wrote:
>> Sebastien,
>> I'm trying to use Kubernetes TLS client-side authentication with keycloak on a cloud environment called Apprenda (based on kubernetes and docker).
>>
>> I can't manage to make it work and I don't know if the problem is from my ingress configuration or from the nginx configuration.
>> In regard to the bug described below:
>> https://github.com/kubernetes/ingress-nginx/issues/2287
>> It seems like it's from the nginx configuration. But I'm not sure.
>>
>> My ingress configuration is the following:
>>
>>     apiVersion: extensions/v1beta1
>>     kind: Ingress
>>     metadata:
>>       namespace: opengie-proto
>>       name: keycloak-opengie-proto-ssl
>>       labels:
>>         app: keycloak-opengie-proto
>>       annotations:
>>         nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
>>         nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
>>         nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
>>         nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
>>     spec:
>>       rules:
>>       - host: keycloak-opengie-ssl.proto.paas.eclair.local
>>         http:
>>           paths:
>>           - path: /
>>             backend:
>>               serviceName: keycloak-opengie-proto
>>               servicePort: https
>>       tls:
>>       - hosts:
>>         - keycloak-opengie-ssl.proto.paas.eclair.local
>>
>> Is there something strange that you're seeing in my configuration?
>> Could you give me some hints on the nginx configuration that I have to pay attention to?
>> thanks,
>> Meissa
>>
>> 2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec:
>>> I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration.
>>>
>>> If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request.
>>>
>>> I think you have a couple of options how to solve it:
>>> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination). A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
>>> - Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic)
>>> - Turn the "Require SSL" option in the "Realm Settings". But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!!
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan wrote:
>>> > Hi all,
>>> >
>>> > I'm evaluating Keycloak as IAM for one open source project [1], so far, I've tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster.
>>> >
>>> > The real cluster (created by Gardener [2]) is running on AWS and the access to the Keycloak is exposed through an Ingress controller [3].
>>> > We've also installed "cert-manager" for automated certificates management of Let's Encrypt issued certificates.
>>> >
>>> > So far so good, but when I try to login to the "Admin Console" I get the following error:
>>> > "We're sorry... HTTPS required"
>>> >
>>> > In the logs of the pod, there is the following warning:
>>> > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required"
>>> >
>>> > As far as I understand, the Let's Encrypt certificate is trusted by the browsers and it appears to be trusted by OpenJDK also [4].
>>> > Then what should be done in order to access the Admin Console?
>>> >
>>> > Last but not least, we are using the jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).
>>> >
>>> > Regards,
>>> > Yordan Pavlov
>>> >
>>> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
>>> > [2] Gardener: https://github.com/gardener
>>> > [3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
>>> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

From danneville at benefex.co.uk Tue Jun 26 11:19:54 2018
From: danneville at benefex.co.uk (Dan Neville)
Date: Tue, 26 Jun 2018 15:19:54 +0000
Subject: [keycloak-user] RESET_PASSWORD_ERROR incorrect clientId

Hello,

I am currently experiencing some issues with resetting credentials via Keycloak. I've experienced this with both 3.4.0 and 4.0.0.

We have the "account" client disabled because we do not want a user to have access to changing any of their details other than the password, as we saw here http://lists.jboss.org/pipermail/keycloak-user/2017-September/011873.html. We have another two clients "web" and "mobile" which we use.
When we request a reset with client_id set to "web" (http://localhost/auth/realms/my-realm/login-actions/reset-credentials?client_id=web&tab_id=qiXxI3vZsS4) an email is sent, I click on the link and I can correctly reset my password.

However when I reset with client_id set to "mobile" (https://localhost/auth/realms/my-realm/login-actions/reset-credentials?client_id=mobile&tab_id=x1Vo0t9PD4o) an email is sent, I click on the link and I get a page which says "Login requester not available" and the log line seen is:

    14:25:42,543 WARN [org.keycloak.events] (default task-70) type=RESET_PASSWORD_ERROR, realmId=my-realm, clientId=account, userId=d4486f3c-ac49-49da-aecf-8898d80f59b7, ipAddress=X.X.X.X, error=client_not_found, reason=loginRequesterNotEnabledMessage, auth_method=openid-connect, token_id=1c9a2709-2902-496b-9e2c-90cdb4404374, action=reset-credentials, response_type=code, redirect_uri=http://localhost/auth/realms/my-realm/account/, remember_me=false, code_id=7ac6953f-a943-473c-b333-e526202c9793, response_mode=query

In the log line I can see that it is trying to use the "account" client id which is disabled, so I understand this is why I'm getting the error. However I'm not sure why it is trying to use the "account" client id.

What reasons could there be for the client_id with "mobile" acting differently?

Many Thanks
Dan

Dan Neville
Senior Backend Engineer
hellobenefex.com

From jeremy.giberson at privoro.com Tue Jun 26 12:23:23 2018
From: jeremy.giberson at privoro.com (Jeremy Giberson)
Date: Tue, 26 Jun 2018 16:23:23 +0000
Subject: [keycloak-user] 3.4.3.Final Resolve java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration in custom authenticator
Message-ID: <17CB30C0-01CE-4B2B-9F9F-B5624CAEACD0@privoro.com>

Hello,

I'm wondering how I can resolve the error: "Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration" being thrown in my custom authenticator. This started occurring after we added the dependency "keycloak-authz-client" to our project so we can utilize the AuthzClient class.

I'm hoping to utilize the hot deployment option of moving my compiled jar into the deployments folder.

From psilva at redhat.com Tue Jun 26 12:38:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 26 Jun 2018 13:38:11 -0300
Subject: [keycloak-user] 3.4.3.Final Resolve java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration in custom authenticator
In-Reply-To: <17CB30C0-01CE-4B2B-9F9F-B5624CAEACD0@privoro.com>
References: <17CB30C0-01CE-4B2B-9F9F-B5624CAEACD0@privoro.com>

Maybe we are missing the library as a runtime library (not only compile, if you just added it to your project)?
On Tue, Jun 26, 2018 at 1:23 PM, Jeremy Giberson <jeremy.giberson at privoro.com> wrote:
> Hello,
> I'm wondering how I can resolve the error: "Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration" being thrown in my custom authenticator. This started occurring after we added the dependency "keycloak-authz-client" to our project so we can utilize the AuthzClient class.
>
> I'm hoping to utilize the hot deployment option of moving my compiled jar into the deployments folder.

From jeremy.giberson at privoro.com Tue Jun 26 12:47:49 2018
From: jeremy.giberson at privoro.com (Jeremy Giberson)
Date: Tue, 26 Jun 2018 16:47:49 +0000
Subject: [keycloak-user] 3.4.3.Final Resolve java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration in custom authenticator
References: <17CB30C0-01CE-4B2B-9F9F-B5624CAEACD0@privoro.com>
Message-ID: <9579FC34-5332-47AF-AD3F-0FE6BBD94AF5@privoro.com>

Sorry for the remedial question, but what would be the best method to accomplish that? (Keycloak is the first and only java dev stack in our ecosystem so I'm a fish out of water).

I'm currently exploring making a "fat" jar. I've seen a few articles suggesting different maven plugins to accomplish this. But is this the best means? Seems like this would include all the dependencies rather than just the one I'm missing.

If you have any guidance it would be greatly appreciated.

> On Jun 26, 2018, at 9:38 AM, Pedro Igor Silva wrote:
>
> Maybe we are missing the library as a runtime library (not only compile, if you just added it to your project)?

From psilva at redhat.com Tue Jun 26 13:31:50 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 26 Jun 2018 14:31:50 -0300
Subject: [keycloak-user] 3.4.3.Final Resolve java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration in custom authenticator
In-Reply-To: <9579FC34-5332-47AF-AD3F-0FE6BBD94AF5@privoro.com>
References: <17CB30C0-01CE-4B2B-9F9F-B5624CAEACD0@privoro.com> <9579FC34-5332-47AF-AD3F-0FE6BBD94AF5@privoro.com>

No problem. The keycloak-authz-client has only a few deps which are basically those already available on the server. If you don't want a fat jar you could have a META-INF/jboss-deployment-structure.xml referencing the modules you want to have available to your deployment. Just make sure to set up the keycloak-authz-client on the server; you can use this module definition [1].

[1] https://github.com/pedroigor/keycloak/blob/6d8a3f7a8b644ebd6b09000c5ec5670e3906caeb/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-client/main/module.xml

On Tue, Jun 26, 2018 at 1:47 PM, Jeremy Giberson <jeremy.giberson at privoro.com> wrote:
> Sorry for the remedial question, but what would be the best method to accomplish that? (Keycloak is the first and only java dev stack in our ecosystem so I'm a fish out of water).
>
> I'm currently exploring making a "fat" jar. I've seen a few articles suggesting different maven plugins to accomplish this. But is this the best means? Seems like this would include all the dependencies rather than just the one I'm missing.
>
> If you have any guidance it would be greatly appreciated.

From gary.schulte at opengov.com Tue Jun 26 17:19:05 2018
From: gary.schulte at opengov.com (Gary Schulte)
Date: Tue, 26 Jun 2018 14:19:05 -0700
Subject: [keycloak-user] UMA 2.0 permissions for service client owned resources

Hello all,

I have some criteria for resource scope sharing that I am trying to reconcile. We are using keycloak to protect data resources. The data resources are created with a corresponding keycloak resource and scopes. These resources are logically owned by the resource creator, but we want to have the resources technically owned by the service client for a couple of reasons:

* resources may be created by CS and "transitioned" to users
* resources created by users who leave the organization should not be orphaned

To accomplish this we have an owner scope which is a proxy for the actual resource ownership, and the service client actually owns all of the resources.

However, we want to allow users to share scopes dynamically. We are looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this sharing, and intend to continue to use policies for our administrative RBAC scenarios.

In testing, I have been able to grant and revoke permissions using the permission ticketing for service-client-owned resources. However when I attempt to use the evaluation console to verify the behavior, I get a 500 error (and no logging on the keycloak side):

    {"error":"server_error","error_description":"Error while evaluating permissions."}

Are UMA 2.0 permissions for service client owned resources a supported use case?

TIA

Gary Schulte

From CDollar at rydin.com Tue Jun 26 17:19:32 2018
From: CDollar at rydin.com (Chris S. Dollar)
Date: Tue, 26 Jun 2018 21:19:32 +0000
Subject: [keycloak-user] Brokered logins only?
References: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com> <000f01d40b1d$52280aa0$f6781fe0$@gmail.com>

I'm doing some experimenting with using keycloak with an external IdP, and get results similar to yours:

- with the external IdP configured, by default the user is presented with the normal KC login form, and to the right of that is a link that can be clicked to be taken to the IdP's login form.

- if you add the 'kc_idp_hint' with the correct alias of your IdP then you can bypass the page with the KC login form and IdP link, and instead go straight to the IdP's form.

But there's one more thing you can do. Go to the Authentication settings area for your realm, and choose the "Browser" flow. Under that you'll see the entry for "Identity Provider Redirector", and it will have an "Actions" menu with a "Config" option. Choose that, and set the default IdP value there to the alias you used when you defined the IdP, same as you use when setting the kc_idp_hint.

After making that change I no longer see the KC login form, even without setting kc_idp_hint. I'm always redirected to the IdP login page, which sounds like the behavior you're after.

Hope this helps!
Chris

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of mj
Sent: Sunday, June 24, 2018 11:17:38 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Brokered logins only?

Wow I just noticed your question, after I posted *exactly* the same question.

I guess that means that I should also not expect a reply... :-)

MJ

On 06/23/2018 08:09 PM, pkboucher801 at gmail.com wrote:
> Am I asking on the wrong list?
>
> Is this question uninteresting? Too easy? Too hard?
>
> -----Original Message-----
> From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com]
> Sent: Monday, June 18, 2018 8:01 AM
> To: keycloak-user at lists.jboss.org
> Subject: Brokered logins only?
>
> Any way (other than a custom theme that enforces it in the UI) to allow only brokered logins to a realm?
>
> For reasons beyond my control, the user's password is the same in the IDP as it is in KC (they point at the same OU in LDAP), but the IDP has been configured with a particular 2FA method that is not supported by KC. So the problem is that if the users login with username/password submission on the KC login page, they can bypass the IDP's 2FA.
>
> We can set the IDP as the default, but kc_idp_hint as a blank value will bring up the KC login page.
>
> Maybe there's a way to adjust the flows so that brokered login works, but username/password submission on the KC login page fails (or is not even offered)?
>
> Maybe setup pre-configured OTPs on the accounts, so that the users can't get past there? (this would be a bad, confusing UX)
>
> Any other ideas?
>
> Regards,
> Peter K. Boucher

From gary.schulte at opengov.com Tue Jun 26 20:20:49 2018
From: gary.schulte at opengov.com (Gary Schulte)
Date: Tue, 26 Jun 2018 17:20:49 -0700
Subject: [keycloak-user] UMA 2.0 permissions for service client owned resources

Another interesting data point: if I create a uma permission ticket for a service-client-owned resource, it breaks not only the authorization evaluation for that resource, but all authorization evaluations - until I delete the permission ticket.

On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte wrote:
> Hello all,
>
> I have some criteria for resource scope sharing that I am trying to reconcile. We are using keycloak to protect data resources. The data resources are created with a corresponding keycloak resource and scopes. These resources are logically owned by the resource creator, but we want to have the resources technically owned by the service client for a couple of reasons:
>
> * resources may be created by CS and "transitioned" to users
> * resources created by users who leave the organization should not be orphaned
>
> To accomplish this we have an owner scope which is a proxy for the actual resource ownership, and the service client actually owns all of the resources.
>
> However, we want to allow users to share scopes dynamically. We are looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this sharing, and intend to continue to use policies for our administrative RBAC scenarios.
>
> In testing, I have been able to grant and revoke permissions using the permission ticketing for service-client-owned resources. However when I attempt to use the evaluation console to verify the behavior, I get a 500 error (and no logging on the keycloak side):
>
>     {"error":"server_error","error_description":"Error while evaluating permissions."}
>
> Are UMA 2.0 permissions for service client owned resources a supported use case?
>
> TIA
>
> Gary Schulte

--
Gary Schulte | Software Engineer, OpenGov
gary.schulte at opengov.com
www.opengov.com

From alvaro.martin at bluetab.net Wed Jun 27 02:07:16 2018
From: alvaro.martin at bluetab.net (Alvaro Martin)
Date: Wed, 27 Jun 2018 08:07:16 +0200
Subject: [keycloak-user] Mapping LDAP group-roles to Keycloak

Hi,

We have defined a set of fine-grain roles to secure endpoints on a backend application. We wanted to assign different sets of roles to users. To avoid having to assign roles one-by-one to each user we have created groups and we have mapped roles to them (groups will work as profiles here). Then we have assigned users to groups. This worked well.
Now we want to create this setup in an LDAP and configure user federation. We can map LDAP roles to keycloak roles and LDAP groups to keycloak groups. We can even import group users to keycloak. But we don't know how to transfer LDAP group-roles to keycloak group role-mappings. We haven't found a mapper for this.

Is there any way to do it?

Thanks in advance,

Álvaro Martín García
bluetab.net
alvaro.martin at bluetab.net

From c.otano at ibermatica.com Wed Jun 27 02:37:08 2018
From: c.otano at ibermatica.com (Otaño Pavo, Cesar)
Date: Wed, 27 Jun 2018 06:37:08 +0000
Subject: [keycloak-user] keycloak-user Digest, Vol 54, Issue 41

Hi Dominique,

There is an error in the description of the ktpass command. The command is really:

    ktpass -out c:\keycloak.keytab -princ HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Regards

------------------------------

Message: 5
Date: Tue, 26 Jun 2018 12:46:01 +0000
From: Dominique ARNOU
Subject: Re: [keycloak-user] Kerberos authentication in Windows
To: Otaño Pavo, Cesar, "keycloak-user at lists.jboss.org"
Content-Type: text/plain; charset="iso-8859-1"

Hi

Your server principal would be HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL, not HTTPS/...

Dominique
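As an added example (not code from this thread or from Keycloak), the Python below parses the MIT-format keytab that ktpass writes and checks it for Dominique's point: the browser requests a ticket for HTTP/<host>@<REALM> whatever the URL scheme, so a keytab and "Server Principal" built with HTTPS/ never match, and the RC4-HMAC key type from the thread's -crypto choice is flagged as deprecated. The keytab bytes and dummy key material are constructed inline, and parse_keytab, check_spnego_keytab and build_entry are my names.

```python
"""Parse an MIT keytab (format 0x0502, as written by ktpass) and check the
entries against what Keycloak's Kerberos integration expects.  Added example,
not code from the thread or from Keycloak; the keytab bytes below are
constructed in this file and the key material is dummy zero bytes."""
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers (RFC 3961/3962/4757) named in the thread's krb5.ini.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",      # what ktpass -crypto RC4-HMAC-NT produces
}
DEPRECATED_ENCTYPES = {23}


@dataclass
class KeytabEntry:
    principal: str   # "<service>/<host>@<REALM>"
    name_type: int   # 1 == KRB5_NT_PRINCIPAL (the ktpass -ptype used in the thread)
    kvno: int
    enctype: int


def _counted(buf: bytes, pos: int):
    """Read a keytab counted_octet_string: big-endian uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the records of a version 0x0502 keytab, skipping deleted ones."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # deleted record: a hole of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen               # skip the key itself; never print it
        if end - pos >= 4:              # optional 32-bit kvno, used when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype))
    return entries


def check_spnego_keytab(entries: List[KeytabEntry], host: str, realm: str) -> List[str]:
    """Return the problems that would make SPNEGO login to Keycloak fail or be weak."""
    want = "HTTP/%s@%s" % (host, realm.upper())
    problems = []
    if want not in [e.principal for e in entries]:
        problems.append("keytab has no entry for %s" % want)
    for e in entries:
        service = e.principal.split("/", 1)[0]
        if service == "HTTPS":
            problems.append("%s: service class HTTPS never matches the HTTP/... "
                            "ticket the browser presents" % e.principal)
        if e.enctype in DEPRECATED_ENCTYPES:
            problems.append("%s: key type %s is deprecated; prefer AES "
                            "(ktpass -crypto AES256-SHA1)"
                            % (e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
        if not e.principal.endswith("@" + realm.upper()):
            problems.append("%s: realm is not %s" % (e.principal, realm.upper()))
    return problems


def build_entry(components, realm, enctype, key, name_type=1) -> bytes:
    """Serialise one keytab record (used only to construct the samples below)."""
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, 0, 0)            # timestamp 0, kvno 0
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


HOST, REALM = "facultativoskeycloak.sanbox.local", "SANBOX.LOCAL"
# Constructed: what the thread's ktpass line (-princ HTTPS/... -crypto RC4-HMAC-NT) yields.
THREAD_KEYTAB = b"\x05\x02" + build_entry(["HTTPS", HOST], REALM, 23, b"\x00" * 16)
# Constructed: a corrected keytab with an HTTP/ AES-256 entry behind one deleted record.
FIXED_KEYTAB = (b"\x05\x02" + struct.pack(">i", -8) + b"\x00" * 8
                + build_entry(["HTTP", HOST], REALM, 18, b"\x00" * 32))

if __name__ == "__main__":
    for label, blob in (("thread", THREAD_KEYTAB), ("fixed", FIXED_KEYTAB)):
        print(label, check_spnego_keytab(parse_keytab(blob), HOST, REALM) or "OK")
```

Point parse_keytab at the bytes of a real C:\keycloak.keytab to see which principal and key type Keycloak will actually be able to use.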
From lists at merit.unu.edu Wed Jun 27 02:51:43 2018 From: lists at merit.unu.edu (mj) Date: Wed, 27 Jun 2018 08:51:43 +0200 Subject: [keycloak-user] Brokered logins only? In-Reply-To: References: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com> <000f01d40b1d$52280aa0$f6781fe0$@gmail.com> Message-ID: <8aeec617-92c9-97aa-c6c8-d805d28509fe@merit.unu.edu> Hi Chris, Thanks for the suggestions. I guess those apply perfectly when using only *one* brokered IdP. What we're after: Creating a web-sso-solution for a global institute, which is composed out of 3 (4, 5 in the future) independent sub-institutes. Each has their own IdP (saml2 or oidc) setup. We would like to allow these sub-institutes access to certain websites, like a global common intranet, some financial system, etc. We hope that keycloak could help us achieve that, as an identity broker with all 3-5 sub-institutes added as brokered IdPs. We would then configure that global intranet to authenticate to the brokered keycloak realm, and voila: all sub-institutes can logon with their own credentials. AT least, that's what we hope it could do for us. But the point is: we cannot configure kc_idp_hint, because we require our users to choose their own sub-institute upon login. So, we need the keycloak login form, with multiple brokered IdP's, and we don't think we would *ever* need a username/password field on the login form. Is our use-case an unusual one..? As it seems so unlogical to us, to present a username/password box by default, for a brokered realm configuration. MJ On 06/26/2018 11:19 PM, Chris S. Dollar wrote: > I'm doing some experimenting with using keycloak with an external IdP, > and get results similar to yours: > > - with the external IdP configured, by default the user is presented > with the normal KC login form, and to the right of that is a link that > can be clicked to be taken to the IdP's login form. 
>
> - if you add the 'kc_idp_hint' with the correct alias of your IdP then
> you can bypass the page with the KC login form and IdP link, and instead
> go straight to the IdP's form.
>
> But there's one more thing you can do. Go to the Authentication settings
> area for your realm, and choose the "Browser" flow. Under that you'll
> see the entry for "Identity Provider Redirector", and it will have an
> "Actions" menu with a "Config" option. Choose that, and set the default
> IdP value there to the alias you used when you defined the IdP, same as
> you use when setting the kc_idp_hint.
>
> After making that change I no longer see the KC login form, even without
> setting kc_idp_hint. I'm always redirected to the IdP login page, which
> sounds like the behavior you're after.
>
> Hope this helps!
> Chris
>

From fbernard at appstud.com Wed Jun 27 02:53:03 2018
From: fbernard at appstud.com (Florian Bernard)
Date: Wed, 27 Jun 2018 06:53:03 +0000
Subject: [keycloak-user] Keycloak always create user when use exchange_token grant_type
Message-ID: 

Hello,

We are trying to implement the following use case: we have a realm and a client that allow users to log in with the REST API /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to log in with a Facebook token by using the same REST API with the token-exchange grant_type, but only if a Keycloak user already exists and is linked with the Facebook identity provider.

Problem: if a user that does not exist in Keycloak exchanges a Facebook token, the user is automatically created by Keycloak and an access_token is returned.

We tried to modify the First Login Flow in the identity provider configuration, but it does not work.

How can we prevent Keycloak from creating the user and return an error if there is no Keycloak user linked to the Facebook token?
Thanks in advance,
Florian

From mposolda at redhat.com Wed Jun 27 05:23:36 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Jun 2018 11:23:36 +0200
Subject: [keycloak-user] brokered-login only
In-Reply-To: 
References: <000401d40c89$c36695c0$4a33c140$@gmail.com>
Message-ID: 

Not yet in Keycloak OOTB. But at least a JIRA has been created: https://issues.jboss.org/browse/KEYCLOAK-7720 ;)

Marek

On 26/06/18 09:49, lists wrote:
> Hi Peter,
>
> On 25-6-2018 15:38, pkboucher801 at gmail.com wrote:
>> You will need auto-linking of IDP to internal account as well, so they won't
>> be asked for their password in order to approve linking their Keycloak
>> account to the IDP.
> Regarding this auto-linking: I understand what you mean. Are you talking
> about this:
>
> https://github.com/ohioit/keycloak-link-idp-with-user
>
> Or is this functionality implemented in keycloak nowadays? (since the
> plugin above appears to be unmaintained...)
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Wed Jun 27 05:29:04 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 27 Jun 2018 11:29:04 +0200
Subject: [keycloak-user] Fwd: Keycloak 4
In-Reply-To: 
References: 
Message-ID: 

OK, interesting: I didn't know about this console :)
I can access it with my "test" user, but I don't see the "My Resources" menu entry (see screenshot).
I created some resources owned by that user (using the API). But they don't show up.
What did I miss?

On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva wrote:
> Yeah, you can access those claims in a JS policy.
>
> Regarding the "account management console" take a look here:
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.
>
> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Ok, I see the "claim_token" parameter in the request.
>> I guess you can retrieve those claims in a JavaScript rule, from the
>> evaluation context.
>>
>> By the way, I still cannot figure out where the "account management
>> console" is, where a user can manage users' access (as per the release notes)??
>>
>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva wrote:
>>
>>> The new form of obtaining entitlements relies solely on the token
>>> endpoint, just like when you are obtaining access tokens using other OAuth2
>>> grant types. With that in mind, the new format of the request should be an
>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>
>>> Regarding pushing claims to your policies, there is a specific HTTP
>>> parameter that you can use to pass a Base64-encoded JSON with the claims
>>> you want to push.
>>>
>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>
>>>
>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>>> Thanks Pedro, I went through the pull request.
>>>> I'm not sure how to modify my entitlement requests?
>>>> For example I have:
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>   "permissions" : [
>>>>     {
>>>>       "resource_set_name" : "Sensors",
>>>>       "scopes" : [
>>>>         "sensors:update"
>>>>       ]
>>>>     }
>>>>   ]
>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>
>>>> This call has been moved to UMA 2, right?
>>>> Can I add pushed claims to this call?
>>>> What I'm imagining is:
>>>>
>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
>>>>   "permissions" : [
>>>>     {
>>>>       "resource_set_name" : "Sensors",
>>>>       "scopes" : [
>>>>         "sensors:update"
>>>>       ]
>>>>     }
>>>>   ],
>>>>   "claims": {"owner": "cdupont"}
>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>
>>>> In this example, I would like to push the owner of the sensor
>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>
>>>> Sorry about the questions, maybe I should just wait until the
>>>> documentation is merged :)
>>>>
>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We have a few changes to docs that were not released because the PR
>>>>> [1] was not merged on time. But you can check about pushed claims (if you
>>>>> are using our adapters) here [2].
>>>>>
>>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>
>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>> I'm playing with the new version of Keycloak
>>>>>> (https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>
>>>>>> I have some questions:
>>>>>> - where is the "account management console"?
>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>
>>>>>> Thanks!
>>>>>> Corentin
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2018-06-27 11-17-38.png
Type: image/png
Size: 165461 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180627/79dd6577/attachment-0001.png

From corentin.dupont at gmail.com Wed Jun 27 05:29:54 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 27 Jun 2018 11:29:54 +0200
Subject: [keycloak-user] Keycloak 4
In-Reply-To: 
References: 
Message-ID: 

PS. screenshot of the user account console (not showing "My resources")

On Wed, Jun 27, 2018 at 11:29 AM, Corentin Dupont wrote:
> OK, interesting: I didn't know about this console :)
> I can access it with my "test" user, but I don't see the "My Resources"
> menu entry (see screenshot).
> I created some resources owned by that user (using the API). But they
> don't show up.
> What did I miss?
>
> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva wrote:
>
>> Yeah, you can access those claims in a JS policy.
>>
>> Regarding the "account management console" take a look here:
>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot from 2018-06-27 11-14-58.png
Type: image/png
Size: 137571 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180627/5acfc3c2/attachment-0001.png

From mposolda at redhat.com Wed Jun 27 05:32:52 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 27 Jun 2018 11:32:52 +0200
Subject: [keycloak-user] Mapping LDAP group-roles to Keycloak
In-Reply-To: 
References: 
Message-ID: <2f2e8ee4-8fd3-8573-42b1-70c69d1801d9@redhat.com>

On 27/06/18 08:07, Alvaro Martin wrote:
> Hi,
>
> We have defined a set of fine-grained roles to secure endpoints on a backend
> application. We wanted to assign different sets of roles to users. To avoid
> having to assign roles one-by-one to each user, we have created groups and
> we have mapped roles to them (groups will work as profiles here). Then we
> have assigned users to groups. This worked well.
>
> Now we want to create this setup in an LDAP and configure user federation.
> We can map LDAP roles to Keycloak roles and LDAP groups to Keycloak groups.
> We can even import group users to Keycloak. But we don't know how to
> transfer LDAP group-roles to Keycloak group role-mappings. We haven't found
> a mapper for this. Is there any way to do it?

No, not yet... You will need to manually create group-role mappings in LDAP though.

Marek

>
> Thanks in advance,
>
> *Álvaro Martín García*
> alvaro.martin at bluetab.net
>
> +34 91 457 16 97
>
> +34 687 398 622
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From THOMAS.PEETERS at Hvw-Capac.fgov.be Wed Jun 27 06:06:10 2018
From: THOMAS.PEETERS at Hvw-Capac.fgov.be (PEETERS.THOMAS (ICT))
Date: Wed, 27 Jun 2018 10:06:10 +0000
Subject: [keycloak-user] Backchannel logout with SSL
Message-ID: <14C92FB32B792D4BA0514728C09286B817E18B31@ounas.hermes.dom>

Hey all,

One of our requirements for SSO is that when one application in the SSO realm gets a logout request, it logs out all the other applications in the same SSO realm. For that, I'm assuming 'backchannel logout' is what we need.

We've configured an "admin url" in the client configuration, using https. But this throws an exception in Keycloak's Undertow subsystem. When using http instead of https we get an error in our client application telling us that we need SSL (PreAuthActionsHandler in the Keycloak adapter).

SSL is configured in our client (JBoss 6.4 EAP standalone.xml) and in the Keycloak standalone.xml. All https authentication requests/responses from/to the Keycloak server and our JBoss client seem to work.
The exception is as follows:

KC-SERVICES0057: Logout for client '****' failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    ... (remaining JDK TLS handshake frames omitted)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    ... (remaining Apache HttpClient frames omitted)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.keycloak.connections.httpclient.DefaultHttpClientFactory$1.postText(DefaultHttpClientFactory.java:70)
    at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:243)
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:187)
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:142)
    at org.keycloak.protocol.oidc.OIDCLoginProtocol.backchannelLogout(OIDCLoginProtocol.java:266)
    at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutClientSession(AuthenticationManager.java:331)
    at org.keycloak.services.managers.AuthenticationManager.lambda$backchannelLogoutAll$0(AuthenticationManager.java:242)
    at java.util.HashMap$Values.forEach(HashMap.java:972)
    at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
    at org.keycloak.services.managers.AuthenticationManager.backchannelLogoutAll(AuthenticationManager.java:241)
    at org.keycloak.services.managers.AuthenticationManager.backchannelLogout(AuthenticationManager.java:203)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:208)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logoutToken(LogoutEndpoint.java:198)
    ... (reflection, RESTEasy, Undertow and thread-pool frames omitted)
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 92 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 98 more

Setup: JBoss EAP 6.4, Keycloak-spring-security-adapter 3.4.1.Final, Keycloak 3.4.1.Final.

From c.otano at ibermatica.com Wed Jun 27 07:29:49 2018
From: c.otano at ibermatica.com (Otaño Pavo, Cesar)
Date: Wed, 27 Jun 2018 11:29:49 +0000
Subject: [keycloak-user] Kerberos authentication in Windows
Message-ID: 

Hi,

I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol.

I have followed the instructions from here:
http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html

In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from "alternative" to "required".
But after that when I'm going to my web page I got message "Kerberos is not set up. You cannot login." After enabling -Dsun.security.krb5.debug=true and -Dsun.security.spenego.degug=true and change Kerberos authentication from required to alternative, the server log is the following: 13:17:06,116 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (defaul t task-17) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP C onfiguration: {serverPrincipal=[HTTPS/facultativoskeycloak.sanbox.local at SANBOX.L OCAL], pagination=[true], fullSyncPeriod=[-1], connectionPooling=[true], usersDn =[dc=sanbox,dc=local], cachePolicy=[DEFAULT], useKerberosForPasswordAuthenticati on=[true], importEnabled=[true], enabled=[true], bindDn=[CN=keycloak,CN=Users,DC =sanbox,DC=local], usernameLDAPAttribute=[cn], changedSyncPeriod=[-1], lastSync= [1530011208], vendor=[ad], uuidLDAPAttribute=[objectGUID], allowKerberosAuthenti cation=[true], connectionUrl=[ldap://sb-ad.sanbox.local:389], syncRegistrations= [false], authType=[simple], debug=[true], searchScope=[2], useTruststoreSpi=[lda psOnly], keyTab=[C:\\keycloak.keytab], kerberosRealm=[SANBOX.LOCAL], priority=[0 ], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn] , editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: [] 13:17:06,135 INFO [stdout] (default task-17) Debug is true storeKey true useTi cketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\\keycloak.keytab refreshKrb5Config is false principal is HTTP S/facultativoskeycloak.sanbox.local at SANBOX.LOCAL tryFirstPass is false useFirstP ass is false storePass is false clearPass is false 13:17:06,138 INFO [stdout] (default task-17) principal is HTTPS/facultativoskey cloak.sanbox.local at SANBOX.LOCAL 13:17:06,139 INFO [stdout] (default task-17) Will use keytab 13:17:06,140 ERROR [stderr] (default task-17) [LoginContext]: login success 
13:17:06,142 INFO [stdout] (default task-17) Commit Succeeded 13:17:06,142 INFO [stdout] (default task-17) 13:17:06,143 ERROR [stderr] (default task-17) [LoginContext]: commit success 13:17:06,150 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL 13:17:06,151 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL 13:17:06,153 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL 13:17:06,154 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL 13:17:06,157 INFO [stdout] (default task-17) Entered SpNegoContext.acceptSecCon text with state=STATE_NEW 13:17:06,158 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceiving token = a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 0 9 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 4 7 49 53 41 4e 42 4f 58 13:17:06,160 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10 13:17:06,162 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30 13:17:06,165 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mech Token 13:17:06,165 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceived token of type = SPNEGO NegTokenInit 13:17:06,166 INFO [stdout] (default task-17) 
SpNegoContext: negotiated mechanis m = 1.2.840.113554.1.2.2 13:17:06,166 INFO [stdout] (default task-17) The underlying mechanism context h as not been initialized 13:17:06,168 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: me chanism wanted = 1.2.840.113554.1.2.2 13:17:06,170 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: ne gotiated result = ACCEPT_INCOMPLETE 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token of type = SPNEGO NegTokenTarg 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02 13:17:06,173 INFO [stdout] (default task-17) [Krb5LoginModule]: Enter ing logout 13:17:06,174 INFO [stdout] (default task-17) [Krb5LoginModule]: logge d out Subject 13:17:06,175 ERROR [stderr] (default task-17) [LoginContext]: logout success Aditional information: +Keycloak is installed in Windows Server 2012. +Command to create keytabfile: ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local at SANBOX.LOCAL -mapUser Keycloak at SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT +Configuration KRB5.ini located in c:\windows [domain_realm] .sanbox.local = SANBOX.LOCAL sanbox.local = SANBOX.LOCAL [libdefaults] default_realm = SANBOX.LOCAL permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 [realms] SANBOX.LOCAL = { kdc = sb-ad.sanbox.local admin_server = sb-ad.sanbox.local default_domain = SANBOX.LOCAL } +Kerberos Integration: Allow Kerberos authentication: YES Kerberos Realm SANBOX.LOCAL Server Principal HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL KeyTab C:/keycloak.keytab Debug YES Use Kerberos For Password Authentication YES Regards AVISO LEGAL El contenido de este mensaje de correo electr?nico, incluidos 
From Jana.Neujahr at gisa.de Wed Jun 27 08:55:32 2018 From: Jana.Neujahr at gisa.de (Neujahr, Jana) Date: Wed, 27 Jun 2018 12:55:32 +0000 Subject: [keycloak-user] Why does error page always use base theme? Message-ID: Dear Keycloak users, my task is to style the custom keycloak theme. But I found some strange behavior for which I cannot find a solution. I'm using Keycloak 4 beta. For the error pages ("We're sorry..." "Page not found"...) Keycloak always uses the base/keycloak theme, not my custom one... These are the steps I tried:
- In the Admin Console, I added the custom theme to all possible areas (Login, Account...)
- added error.ftl, info.ftl and others to the custom theme in folder "login"
- ensured that "template.ftl" from the same folder is used in all these FTLs: <#import "template.ftl" as layout>
- created an own login.css with specific overwriting styles (which is already used in login pages successfully)
- added login.css to theme.properties: styles=node_modules/patternfly/dist/css/patternfly.css node_modules/patternfly/dist/css/patternfly-additions.css lib/zocial/zocial.css css/login.css
But on the error page the base/keycloak css is always used. I verified that by altering the base css -> then it worked with the error page. What to do to make Keycloak take my custom theme for errors? I'd appreciate any help! Kindly yours Jana
From psilva at redhat.com Wed Jun 27 09:36:45 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 27 Jun 2018 10:36:45 -0300 Subject: [keycloak-user] Keycloak 4 In-Reply-To: References: Message-ID: Think we are missing this in docs :) You need to enable "User-Managed Access" in Realm Settings (General tab). On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont wrote: > OK, interesting: I didn't know about this console :) > I can access it with my "test" user, but I don't see the "My Resources" > menu entry (see screenshot). > I created some resources owned by that user (using the API). But they > don't show up. > What did I missed? > > On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva > wrote: > >> Yeah, you can access those claims in a JS policy. 
>> >> Regarding the "account management console" take a look here: >> https://www.keycloak.org/docs/latest/authorization_ser >> vices/index.html#_service_authorization_api_aapi. >> >> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Ok, I see the "claim_token" parameter in the request. >>> I guess you can retrieve those claims in a javascript rule, from the >>> evaluation context. >>> >>> By the way, I still cannot figure out where is the "account management >>> console", where user can manager users access (as per the release notes)?? >>> >>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva >>> wrote: >>> >>>> The new form of obtaining entitlements relies solely on the token >>>> endpoint just like when you are obtaining access tokens using other OAuth2 >>>> grant types. With that in mind the new format of the request should be a >>>> HTTP POST + parameters. Check this documentation [1] for more details. >>>> >>>> Regarding pushing claims to your policies, there is a specific HTTP >>>> parameter that you can use to pass a Base64 encoded JSON with the claims >>>> you want to push. >>>> >>>> [1] https://www.keycloak.org/docs/latest/authorization_servi >>>> ces/index.html#_service_obtaining_permissions >>>> >>>> >>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Thanks Pedro, I went through the pull request. >>>>> I'm not sure how to modify my entitlement requests? >>>>> For example I have: >>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "Sensors", >>>>> "scopes" : [ >>>>> "sensors:update" >>>>> ] >>>>> } >>>>> ] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup >>>>> " >>>>> >>>>> This call has been moved to uma-2, right? >>>>> Can I add pushed claims to this call? 
What I'm imagining is: >>>>> >>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>> Bearer $TOKEN" -d '{ >>>>> "permissions" : [ >>>>> { >>>>> "resource_set_name" : "Sensors", >>>>> "scopes" : [ >>>>> "sensors:update" >>>>> ] >>>>> } >>>>> ], >>>>> claims: ["owner": "cdupont"] >>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup >>>>> " >>>>> >>>>> In this example, I would like to push the owner of the sensor >>>>> ("cdupont"), which I take from our own database before calling the API. >>>>> >>>>> Sorry about the questions, maybe I should just wait that the >>>>> documentation is merged :) >>>>> >>>>> >>>>> >>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> We have a few changes to docs that were not released because the PR >>>>>> [1] was not merged on time. But you can check about pushed claims (if you >>>>>> are using our adapters) here [2]. >>>>>> >>>>>> Regards. >>>>>> Pedro igor >>>>>> >>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>>>>> ces/index.html#_enforcer_claim_information_point >>>>>> >>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> Hi guys, >>>>>>> I'm playing with the new version of Keycloak ( >>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>>>>> >>>>>>> I have some questions: >>>>>>> - where is the "account management console"? >>>>>>> - How to use pushed claims? Which APIs are affected? >>>>>>> >>>>>>> Thanks! 
>>>>>>> Corentin >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > From psilva at redhat.com Wed Jun 27 09:45:29 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 27 Jun 2018 10:45:29 -0300 Subject: [keycloak-user] Keycloak always create user when use exchange_token grant_type In-Reply-To: References: Message-ID: During the exchange of an external token to an internal token if the user is not federated it will be always created. You can create a RFE in JIRA describing your requirements in more details and we'll see/discuss how we can support that. Regards. Pedro Igor On Wed, Jun 27, 2018 at 3:53 AM, Florian Bernard wrote: > Hello, > We try to implement the following use case : > We have a Realm and a Client that allow users to login with the rest > api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile > application). > Users should be able to login with a Facebook token by using the same > rest api but with token-exchange grant_type only if a keycloak user already > exists and if it's linked with Facebook identity provider. > Problem: if a user that does not exist in Keycloak exchange a Facebook > token, it'll be automatically created by keycloak and an access_token is > return. > We try to modify First Login Flow in Identity provider configuration, > but it does not work. > How we can prevent keycloak to create user and return an error if > there is no keycloak user linked to the facebook token? 
> > Thanks in advance, > Florian > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Jun 27 09:52:02 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 27 Jun 2018 10:52:02 -0300 Subject: [keycloak-user] UMA 2.0 permissions for service client owned resources In-Reply-To: References: Message-ID: This is a scenario we don't support and we need to handle this properly instead of throwing those errors. Currently, user-managed access is based on users granting access to their resources when these users are set as the resource owner. Could you open a RFE in JIRA with more details about your use case? Regards. Pedro Igor On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte wrote: > Another interesting data point, if I create a uma permission ticket for a > service-client-owned resource, it breaks not only the authorization > evaluation for that resource, but all authorization evaluations - until I > delete the permission ticket. > > On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte > wrote: > > > Hello all, > > > > I have some criteria for resource scope sharing that I am trying to > > reconcile. We are using keycloak to protect data resources. The data > > resources are created with a corresponding keycloak resource and scopes. > > These resources are logically owned by the resource creator, but we want > to > > have the resources technically owned by the service client for a couple > > reasons: > > > > * resources may be created by CS and "transitioned" to users > > * resources created by users who leave the organization should not be > > orphaned > > > > To accomplish this we have an owner scope which is a proxy for the actual > > resource ownership, and the service client actually owns all of the > > resources. > > > > However, we want to allow users to share scopes dynamically. 
We are > > looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this > > sharing, and intend to continue to use policies for our administrative > RBAC > > scenarios. > > > > In testing, I have been able to grant and revoke permissions using the > > permission ticketing for service-client-owned resources. However when I > > attempt to use the evaluation console to verify the behavior, I get a 500 > > error (and no logging on the keycloak side): > > > > {"error":"server_error","error_description":"Error while evaluating > > permissions."} > > > > Are UMA 2.0 permissions for service client owned resources a supported > use > > case? > > > > TIA > > > > Gary Schulte > > > > > > -- > > Gary Schulte I Software Engineer > > OpenGov > > 505-750-4279 > > gary.schulte at opengov.com > > www.opengov.com > > Silicon Valley | Washington DC > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From CDollar at rydin.com Wed Jun 27 10:44:56 2018 From: CDollar at rydin.com (Chris S. Dollar) Date: Wed, 27 Jun 2018 14:44:56 +0000 Subject: [keycloak-user] Brokered logins only? In-Reply-To: <8aeec617-92c9-97aa-c6c8-d805d28509fe@merit.unu.edu> References: <002701d406fc$13c8f7d0$3b5ae770$@gmail.com> <000f01d40b1d$52280aa0$f6781fe0$@gmail.com> , <8aeec617-92c9-97aa-c6c8-d805d28509fe@merit.unu.edu> Message-ID: Hi MJ, I should mention that I don't work for Keycloak or Redhat... I'm just an end-user. That said, no, I don't think your use case is all that unusual. IMO you should be able to do exactly what you want with KC, but not right OOTB. 
On the UI side, you'll have to modify the login page template to remove the KC username/pass inputs. And you'll also likely want to define some sort of a custom user storage provider that will not allow local KC logins, etc. I know that sounds like a lot of effort, but it really shouldn't be too bad. The KC documentation and examples explain the user storage stuff pretty well, and what you'd actually need to implement to deny local logins should be simple. I recently implemented a custom user storage provider for KC, and was amazed at how easy the process was. I've not tried modifying any of the KC themes or forms yet, but I will get into that soon. Good luck with your project! Chris ________________________________ From: mj Sent: Wednesday, June 27, 2018 12:51:43 AM To: Chris S. Dollar; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Brokered logins only? Hi Chris, Thanks for the suggestions. I guess those apply perfectly when using only *one* brokered IdP. What we're after: Creating a web-sso-solution for a global institute, which is composed out of 3 (4, 5 in the future) independent sub-institutes. Each has their own IdP (saml2 or oidc) setup. We would like to allow these sub-institutes access to certain websites, like a global common intranet, some financial system, etc. We hope that keycloak could help us achieve that, as an identity broker with all 3-5 sub-institutes added as brokered IdPs. We would then configure that global intranet to authenticate to the brokered keycloak realm, and voila: all sub-institutes can logon with their own credentials. At least, that's what we hope it could do for us. But the point is: we cannot configure kc_idp_hint, because we require our users to choose their own sub-institute upon login. So, we need the keycloak login form, with multiple brokered IdPs, and we don't think we would *ever* need a username/password field on the login form. Is our use-case an unusual one..? 
It seems so illogical to us to present a username/password box by default for a brokered realm configuration. MJ On 06/26/2018 11:19 PM, Chris S. Dollar wrote: > I'm doing some experimenting with using keycloak with an external IdP, > and get results similar to yours: > > - with the external IdP configured, by default the user is presented > with the normal KC login form, and to the right of that is a link that > can be clicked to be taken to the IdP's login form. > > - if you add the 'kc_idp_hint' with the correct alias of your IdP then > you can bypass the page with the KC login form and IdP link, and instead > go straight to the IdP's form. > > But there's one more thing you can do. Go to the Authentication settings > area for your realm, and choose the "Browser" flow. Under that you'll > see the entry for "Identity Provider Redirector", and it will have an > "Actions" menu with a "Config" option. Choose that, and set the default > IdP value there to the alias you used when you defined the IdP, same as > you use when setting the kc_idp_hint. > > After making that change I no longer see the KC login form, even without > setting kc_idp_hint. I'm always redirected to the IdP login page, which > sounds like the behavior you're after. > > Hope this helps! > Chris > From vandana0242 at gmail.com Wed Jun 27 11:01:00 2018 From: vandana0242 at gmail.com (vandana thota) Date: Wed, 27 Jun 2018 10:01:00 -0500 Subject: [keycloak-user] How to resolve ERR_CONNECTION_TIMED_OUT Message-ID: When I was trying to open the keycloak admin console I'm getting the below error. How do I resolve it? This site can't be reached - ERR_CONNECTION_TIMED_OUT From corentin.dupont at gmail.com Wed Jun 27 11:21:28 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 27 Jun 2018 17:21:28 +0200 Subject: [keycloak-user] Keycloak 4 In-Reply-To: References: Message-ID: That's great, I was able to "share" a resource in my account console. 
As a keycloak admin, where to see all the sharings performed by users? Also, how to take into account this sharing in permission evaluation? Should I write specific policies to take into resource sharing? For instance, I have a javascript policy to authorize the resource owner to access his resource. Should I write a "is shared with you" policy? On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva wrote: > Think we are missing this in docs :) > > You need to enable "User-Managed Access" in Realm Settings (General tab). > > On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> OK, interesting: I didn't know about this console :) >> I can access it with my "test" user, but I don't see the "My Resources" >> menu entry (see screenshot). >> I created some resources owned by that user (using the API). But they >> don't show up. >> What did I missed? >> >> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva >> wrote: >> >>> Yeah, you can access those claims in a JS policy. >>> >>> Regarding the "account management console" take a look here: >>> https://www.keycloak.org/docs/latest/authorization_ser >>> vices/index.html#_service_authorization_api_aapi. >>> >>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Ok, I see the "claim_token" parameter in the request. >>>> I guess you can retrieve those claims in a javascript rule, from the >>>> evaluation context. >>>> >>>> By the way, I still cannot figure out where is the "account management >>>> console", where user can manager users access (as per the release notes)?? >>>> >>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> The new form of obtaining entitlements relies solely on the token >>>>> endpoint just like when you are obtaining access tokens using other OAuth2 >>>>> grant types. With that in mind the new format of the request should be a >>>>> HTTP POST + parameters. 
Check this documentation [1] for more details. >>>>> >>>>> Regarding pushing claims to your policies, there is a specific HTTP >>>>> parameter that you can use to pass a Base64 encoded JSON with the claims >>>>> you want to push. >>>>> >>>>> [1] https://www.keycloak.org/docs/latest/authorization_servi >>>>> ces/index.html#_service_obtaining_permissions >>>>> >>>>> >>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Thanks Pedro, I went through the pull request. >>>>>> I'm not sure how to modify my entitlement requests? >>>>>> For example I have: >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>>> Bearer $TOKEN" -d '{ >>>>>> "permissions" : [ >>>>>> { >>>>>> "resource_set_name" : "Sensors", >>>>>> "scopes" : [ >>>>>> "sensors:update" >>>>>> ] >>>>>> } >>>>>> ] >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ >>>>>> waziup" >>>>>> >>>>>> This call has been moved to uma-2, right? >>>>>> Can I add pushed claims to this call? What I'm imagining is: >>>>>> >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>>> Bearer $TOKEN" -d '{ >>>>>> "permissions" : [ >>>>>> { >>>>>> "resource_set_name" : "Sensors", >>>>>> "scopes" : [ >>>>>> "sensors:update" >>>>>> ] >>>>>> } >>>>>> ], >>>>>> claims: ["owner": "cdupont"] >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ >>>>>> waziup" >>>>>> >>>>>> In this example, I would like to push the owner of the sensor >>>>>> ("cdupont"), which I take from our own database before calling the API. >>>>>> >>>>>> Sorry about the questions, maybe I should just wait that the >>>>>> documentation is merged :) >>>>>> >>>>>> >>>>>> >>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> We have a few changes to docs that were not released because the PR >>>>>>> [1] was not merged on time. 
But you can check about pushed claims (if you >>>>>>> are using our adapters) here [2]. >>>>>>> >>>>>>> Regards. >>>>>>> Pedro igor >>>>>>> >>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>>>>>> ces/index.html#_enforcer_claim_information_point >>>>>>> >>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> Hi guys, >>>>>>>> I'm playing with the new version of Keycloak ( >>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>>>>>> >>>>>>>> I have some questions: >>>>>>>> - where is the "account management console"? >>>>>>>> - How to use pushed claims? Which APIs are affected? >>>>>>>> >>>>>>>> Thanks! >>>>>>>> Corentin >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From fbernard at appstud.com Wed Jun 27 11:45:10 2018 From: fbernard at appstud.com (Florian Bernard) Date: Wed, 27 Jun 2018 15:45:10 +0000 Subject: [keycloak-user] Keycloak always create user when use exchange_token grant_type In-Reply-To: References: Message-ID: <08358180-112B-4626-9C99-99A7DD3D9E70@appstud.com> Hi Pedro, Ok, thanks for your answer. Regards, Florian From: Pedro Igor Silva Date: Wednesday 27 June 2018 at 15:45 To: Florian Bernard Cc: keycloak-user Subject: Re: [keycloak-user] Keycloak always create user when use exchange_token grant_type During the exchange of an external token to an internal token if the user is not federated it will be always created. You can create a RFE in JIRA describing your requirements in more details and we'll see/discuss how we can support that. Regards. 
Pedro Igor On Wed, Jun 27, 2018 at 3:53 AM, Florian Bernard wrote: Hello, We try to implement the following use case : We have a Realm and a Client that allow users to login with the rest api /auth/realms/{Realm}/protocol/openid-connect/token (from a mobile application). Users should be able to login with a Facebook token by using the same rest api but with token-exchange grant_type only if a keycloak user already exists and if it's linked with Facebook identity provider. Problem: if a user that does not exist in Keycloak exchange a Facebook token, it'll be automatically created by keycloak and an access_token is return. We try to modify First Login Flow in Identity provider configuration, but it does not work. How we can prevent keycloak to create user and return an error if there is no keycloak user linked to the facebook token? Thanks in advance, Florian _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From ian at ianduffy.ie Wed Jun 27 11:53:06 2018 From: ian at ianduffy.ie (Ian Duffy) Date: Wed, 27 Jun 2018 16:53:06 +0100 Subject: [keycloak-user] Keycloak 4.0.0.Final Implicit flow response is different to 3.4.3.Final Message-ID: Hi All, In Keycloak 3.4.3.final when I used the implicit flow the URL fragment path contained: - session_state - access_token - id_token - token_type - expires_in - not-before-policy in Keycloak 4.0.0.Final I'm only seeing: - session_state - id_token - access_token Why is this? Is there configuration missing or is this a bug? Thanks, Ian. From federico.facca at martel-innovate.com Wed Jun 27 11:54:21 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Wed, 27 Jun 2018 17:54:21 +0200 Subject: [keycloak-user] Keycloak 4 In-Reply-To: References: Message-ID: hi corentin, long time! 
On 27 June 2018 at 17:21, Corentin Dupont wrote: > That's great, I was able to "share" a resource in my account console. > As a keycloak admin, where to see all the sharings performed by users? > that's not possible in ui, you can anyhow run a query to the api. > > Also, how to take into account this sharing in permission evaluation? > Should I write specific policies to take into resource sharing? > For instance, I have a javascript policy to authorize the resource owner to > access his resource. > Should I write a "is shared with you" policy? > > > no, you don't :) UMA policies (so resource sharing by user) have priority on any other admin defined policy. Pedro can correct me if I am wrong :) Cheers, Fede > > > > On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva > wrote: > > > Think we are missing this in docs :) > > > > You need to enable "User-Managed Access" in Realm Settings (General tab). > > > > On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont < > > corentin.dupont at gmail.com> wrote: > > > >> OK, interesting: I didn't know about this console :) > >> I can access it with my "test" user, but I don't see the "My Resources" > >> menu entry (see screenshot). > >> I created some resources owned by that user (using the API). But they > >> don't show up. > >> What did I missed? > >> > >> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva > >> wrote: > >> > >>> Yeah, you can access those claims in a JS policy. > >>> > >>> Regarding the "account management console" take a look here: > >>> https://www.keycloak.org/docs/latest/authorization_ser > >>> vices/index.html#_service_authorization_api_aapi. > >>> > >>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < > >>> corentin.dupont at gmail.com> wrote: > >>> > >>>> Ok, I see the "claim_token" parameter in the request. > >>>> I guess you can retrieve those claims in a javascript rule, from the > >>>> evaluation context. 
> >>>> > >>>> By the way, I still cannot figure out where is the "account management > >>>> console", where user can manager users access (as per the release > notes)?? > >>>> > >>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva > >>>> wrote: > >>>> > >>>>> The new form of obtaining entitlements relies solely on the token > >>>>> endpoint just like when you are obtaining access tokens using other > OAuth2 > >>>>> grant types. With that in mind the new format of the request should > be a > >>>>> HTTP POST + parameters. Check this documentation [1] for more > details. > >>>>> > >>>>> Regarding pushing claims to your policies, there is a specific HTTP > >>>>> parameter that you can use to pass a Base64 encoded JSON with the > claims > >>>>> you want to push. > >>>>> > >>>>> [1] https://www.keycloak.org/docs/latest/authorization_servi > >>>>> ces/index.html#_service_obtaining_permissions > >>>>> > >>>>> > >>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < > >>>>> corentin.dupont at gmail.com> wrote: > >>>>> > >>>>>> Thanks Pedro, I went through the pull request. > >>>>>> I'm not sure how to modify my entitlement requests? > >>>>>> For example I have: > >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: > >>>>>> Bearer $TOKEN" -d '{ > >>>>>> "permissions" : [ > >>>>>> { > >>>>>> "resource_set_name" : "Sensors", > >>>>>> "scopes" : [ > >>>>>> "sensors:update" > >>>>>> ] > >>>>>> } > >>>>>> ] > >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ > >>>>>> waziup" > >>>>>> > >>>>>> This call has been moved to uma-2, right? > >>>>>> Can I add pushed claims to this call? 
What I'm imagining is: > >>>>>> > >>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: > >>>>>> Bearer $TOKEN" -d '{ > >>>>>> "permissions" : [ > >>>>>> { > >>>>>> "resource_set_name" : "Sensors", > >>>>>> "scopes" : [ > >>>>>> "sensors:update" > >>>>>> ] > >>>>>> } > >>>>>> ], > >>>>>> claims: ["owner": "cdupont"] > >>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ > >>>>>> waziup" > >>>>>> > >>>>>> In this example, I would like to push the owner of the sensor > >>>>>> ("cdupont"), which I take from our own database before calling the > API. > >>>>>> > >>>>>> Sorry about the questions, maybe I should just wait that the > >>>>>> documentation is merged :) > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva < > psilva at redhat.com> > >>>>>> wrote: > >>>>>> > >>>>>>> Hi, > >>>>>>> > >>>>>>> We have a few changes to docs that were not released because the PR > >>>>>>> [1] was not merged on time. But you can check about pushed claims > (if you > >>>>>>> are using our adapters) here [2]. > >>>>>>> > >>>>>>> Regards. > >>>>>>> Pedro igor > >>>>>>> > >>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 > >>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi > >>>>>>> ces/index.html#_enforcer_claim_information_point > >>>>>>> > >>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < > >>>>>>> corentin.dupont at gmail.com> wrote: > >>>>>>> > >>>>>>>> Hi guys, > >>>>>>>> I'm playing with the new version of Keycloak ( > >>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) > >>>>>>>> > >>>>>>>> I have some questions: > >>>>>>>> - where is the "account management console"? > >>>>>>>> - How to use pushed claims? Which APIs are affected? > >>>>>>>> > >>>>>>>> Thanks! 
> >>>>>>>> Corentin > >>>>>>>> _______________________________________________ > >>>>>>>> keycloak-user mailing list > >>>>>>>> keycloak-user at lists.jboss.org > >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>> > >>>> > >>> > >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Dr. FEDERICO MICHELE FACCA* *Head of Martel Lab* 0041 78 807 58 38 *Martel Innovate* - Professional support for innovation projects From psilva at redhat.com Wed Jun 27 12:01:50 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 27 Jun 2018 13:01:50 -0300 Subject: [keycloak-user] Keycloak 4 In-Reply-To: References: Message-ID: On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont wrote: > That's great, I was able to "share" a resource in my account console. > As a keycloak admin, where to see all the sharings performed by users? > We don't have this in admin console. The user-managed policies are hidden in the admin console, the reason being to avoid admins changing them without user consent. This was a tough decision and I'm open to discuss different ideas if you think differently. > > Also, how to take into account this sharing in permission evaluation? > Should I write specific policies to take into resource sharing? > For instance, I have a javascript policy to authorize the resource owner > to access his resource. > Should I write a "is shared with you" policy? > If you do that, you are just defining a regular policy; it will not be enough to let the user manage permissions via My Resources. This is how you could achieve the "sharing" functionality before the latest changes to UMA. However, we have also introduced a Policy API to the Protection API. 
From this API you are able to create additional "user-managed" permissions and still have your users able to manage them via My Resources. Documentation is also updated in upstream/master. This API basically allows you to define additional permissions to a user's resource such as using roles, groups, clients or even conditions using JS. > > > > > > On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva > wrote: > >> Think we are missing this in docs :) >> >> You need to enable "User-Managed Access" in Realm Settings (General tab). >> >> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> OK, interesting: I didn't know about this console :) >>> I can access it with my "test" user, but I don't see the "My Resources" >>> menu entry (see screenshot). >>> I created some resources owned by that user (using the API). But they >>> don't show up. >>> What did I missed? >>> >>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva >>> wrote: >>> >>>> Yeah, you can access those claims in a JS policy. >>>> >>>> Regarding the "account management console" take a look here: >>>> https://www.keycloak.org/docs/latest/authorization_ser >>>> vices/index.html#_service_authorization_api_aapi. >>>> >>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> Ok, I see the "claim_token" parameter in the request. >>>>> I guess you can retrieve those claims in a javascript rule, from the >>>>> evaluation context. >>>>> >>>>> By the way, I still cannot figure out where is the "account management >>>>> console", where user can manager users access (as per the release notes)?? >>>>> >>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> The new form of obtaining entitlements relies solely on the token >>>>>> endpoint just like when you are obtaining access tokens using other OAuth2 >>>>>> grant types. 
With that in mind the new format of the request should be a >>>>>> HTTP POST + parameters. Check this documentation [1] for more details. >>>>>> >>>>>> Regarding pushing claims to your policies, there is a specific HTTP >>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims >>>>>> you want to push. >>>>>> >>>>>> [1] https://www.keycloak.org/docs/latest/authorization_servi >>>>>> ces/index.html#_service_obtaining_permissions >>>>>> >>>>>> >>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> Thanks Pedro, I went through the pull request. >>>>>>> I'm not sure how to modify my entitlement requests? >>>>>>> For example I have: >>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>>>> Bearer $TOKEN" -d '{ >>>>>>> "permissions" : [ >>>>>>> { >>>>>>> "resource_set_name" : "Sensors", >>>>>>> "scopes" : [ >>>>>>> "sensors:update" >>>>>>> ] >>>>>>> } >>>>>>> ] >>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ >>>>>>> waziup" >>>>>>> >>>>>>> This call has been moved to uma-2, right? >>>>>>> Can I add pushed claims to this call? What I'm imagining is: >>>>>>> >>>>>>> curl -X POST -H "Content-Type: application/json" -H "Authorization: >>>>>>> Bearer $TOKEN" -d '{ >>>>>>> "permissions" : [ >>>>>>> { >>>>>>> "resource_set_name" : "Sensors", >>>>>>> "scopes" : [ >>>>>>> "sensors:update" >>>>>>> ] >>>>>>> } >>>>>>> ], >>>>>>> claims: ["owner": "cdupont"] >>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/ >>>>>>> waziup" >>>>>>> >>>>>>> In this example, I would like to push the owner of the sensor >>>>>>> ("cdupont"), which I take from our own database before calling the API. 
>>>>>>> >>>>>>> Sorry about the questions, maybe I should just wait that the >>>>>>> documentation is merged :) >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva >>>>>> > wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> We have a few changes to docs that were not released because the PR >>>>>>>> [1] was not merged on time. But you can check about pushed claims (if you >>>>>>>> are using our adapters) here [2]. >>>>>>>> >>>>>>>> Regards. >>>>>>>> Pedro igor >>>>>>>> >>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402 >>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_servi >>>>>>>> ces/index.html#_enforcer_claim_information_point >>>>>>>> >>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont < >>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi guys, >>>>>>>>> I'm playing with the new version of Keycloak ( >>>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html) >>>>>>>>> >>>>>>>>> I have some questions: >>>>>>>>> - where is the "account management console"? >>>>>>>>> - How to use pushed claims? Which APIs are affected? >>>>>>>>> >>>>>>>>> Thanks! >>>>>>>>> Corentin >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From psilva at redhat.com Wed Jun 27 12:02:55 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 27 Jun 2018 13:02:55 -0300 Subject: [keycloak-user] Keycloak 4 In-Reply-To: References: Message-ID: +1 On Wed, Jun 27, 2018 at 12:54 PM, Federico Michele Facca < federico.facca at martel-innovate.com> wrote: > hi corentin, > > long time! > > On 27 June 2018 at 17:21, Corentin Dupont > wrote: > >> That's great, I was able to "share" a resource in my account console. >> As a keycloak admin, where to see all the sharings performed by users? 
>
> that's not possible in ui, you can anyhow run a query to the api.
>
>> Also, how to take into account this sharing in permission evaluation?
>> Should I write specific policies to take into account resource sharing?
>> For instance, I have a javascript policy to authorize the resource owner to access his resource.
>> Should I write a "is shared with you" policy?
>
> no, you don't :) UMA policies (so resource sharing by user) have priority over any other admin defined policy.
>
> Pedro can correct me if I am wrong :)
>
> Cheers,
> Fede
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* - Professional support for innovation projects
> Click to download our innovators' insights!
> Follow Us on Twitter

From psilva at redhat.com Wed Jun 27 12:03:42 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Jun 2018 13:03:42 -0300
Subject: [keycloak-user] Keycloak 4
In-Reply-To:
References:
Message-ID:

Federico is actually the father of the Policy API :)

On Wed, Jun 27, 2018 at 1:01 PM, Pedro Igor Silva wrote:
> On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont wrote:
>> That's great, I was able to "share" a resource in my account console.
>> As a keycloak admin, where to see all the sharings performed by users?
>
> We don't have this in admin console. The user-managed policies are hidden in the admin console, the reason being to avoid admins changing them without user consent. This was a tough decision and I'm open to discuss different ideas if you think differently.
>
>> Also, how to take into account this sharing in permission evaluation?
>> Should I write specific policies to take into account resource sharing?
>> For instance, I have a javascript policy to authorize the resource owner to access his resource.
>> Should I write a "is shared with you" policy?
>
> If you do that, you are just defining a regular policy; it will not be enough to let the user manage permissions via My Resources. This is how you could achieve the "sharing" functionality before the latest changes to UMA.
>
> However, we have also introduced a Policy API to the Protection API. From this API you are able to create additional "user-managed" permissions and still have your users able to manage them via My Resources. Documentation is also updated in upstream/master.
>
> This API basically allows you to define additional permissions to a user's resource such as using roles, groups, clients or even conditions using JS.

From Manfred.Schenk at iosb.fraunhofer.de Wed Jun 27 12:15:09 2018
From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred)
Date: Wed, 27 Jun 2018 16:15:09 +0000
Subject: [keycloak-user] Is there any update on https://issues.jboss.org/browse/KEYCLOAK-2940 ?
In-Reply-To:
References:
Message-ID:

Thanks for your reply.

Would it be possible to use the current backchannel logout with our own clients, or is there something that prevents this? I've already looked inside the source code but have not found the correct location where this logout is handled, yet.

Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de

From: Stian Thorgersen
Sent: Monday, 25 June 2018 13:41
To: Schenk, Manfred
Cc: keycloak-user
Subject: Re: [keycloak-user] Is there any update on https://issues.jboss.org/browse/KEYCLOAK-2940 ?

At the moment that one isn't a priority to us. A community contribution would be more than welcome though.

On Fri, 22 Jun 2018 at 18:10, Schenk, Manfred wrote:

Does anyone have information about https://issues.jboss.org/browse/KEYCLOAK-2940 ?
Is there something planned for the near future or will we have to wait for years before this will be implemented?
Some kind of roadmap could be helpful.
Regards,
Manfred

--
Manfred Schenk, Fraunhofer IOSB
Informationsmanagement und Leittechnik
Fraunhoferstraße 1, 76131 Karlsruhe, Germany
Phone +49 721 6091-391
mailto:Manfred.Schenk at iosb.fraunhofer.de
http://www.iosb.fraunhofer.de
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Wed Jun 27 13:25:48 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 27 Jun 2018 19:25:48 +0200
Subject: [keycloak-user] Keycloak 4
In-Reply-To:
References:
Message-ID:

On Wed, Jun 27, 2018 at 6:01 PM, Pedro Igor Silva wrote:
> On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont wrote:
>> That's great, I was able to "share" a resource in my account console.
>> As a keycloak admin, where to see all the sharings performed by users?
>
> We don't have this in admin console. The user-managed policies are hidden in the admin console, the reason being to avoid admins changing them without user consent. This was a tough decision and I'm open to discuss different ideas if you think differently.

Yeah it's arguable :)
Keycloak Admin can "impersonate" a user, so I'd say they already have access to that user's sharings?
Furthermore, it hides the information a bit, making this feature less discoverable. Putting all the sharings in one place might make things more clear.

>> Also, how to take into account this sharing in permission evaluation?
>> Should I write specific policies to take into account resource sharing?
>> For instance, I have a javascript policy to authorize the resource owner to access his resource.
>> Should I write a "is shared with you" policy?
>
> If you do that, you are just defining a regular policy; it will not be enough to let the user manage permissions via My Resources. This is how you could achieve the "sharing" functionality before the latest changes to UMA.
>
> However, we have also introduced a Policy API to the Protection API. From this API you are able to create additional "user-managed" permissions and still have your users able to manage them via My Resources. Documentation is also updated in upstream/master.
>
> This API basically allows you to define additional permissions to a user's resource such as using roles, groups, clients or even conditions using JS.

Some questions:

- A resource owner doesn't necessarily have permission to all the scopes on his own resource; it still depends on the policies, right? For instance, a resource owner could "view" his resource, but not "delete" it.
- When a resource is shared by the owner with another user, he can share any scope, right? Regardless of whether he effectively has permission on that scope. When the recipient makes a permission request, Keycloak will first check that the original owner has permission. The permission is granted by transitivity, at run time. So, as an owner I can share a resource with a user with the "delete" scope, but the recipient user might not effectively obtain permission when requesting, if I don't actually have permission.
- Is there a way to control which resources/scopes can be shared? For example, I'm OK if a resource owner can delete his own resource, but I don't want him to be able to transmit that privilege to another user.
- Silly question: can you share a shared resource? What about ownership transfer?

Cheers
Corentin

From pkboucher801 at gmail.com Wed Jun 27 14:07:45 2018
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Wed, 27 Jun 2018 14:07:45 -0400
Subject: [keycloak-user] brokered-login only
In-Reply-To:
References: <000401d40c89$c36695c0$4a33c140$@gmail.com>
Message-ID: <000701d40e41$c02fd3d0$408f7b70$@gmail.com>

Hi MJ,

Note that I'm not affiliated with https://github.com/ohioit/keycloak-link-idp-with-user . You could use it, but you would have to make some tweaks to get it to work with the newer Keycloak.

Note also that I'm not affiliated with Keycloak, either, but the question of whether to just tweak the theme to remove the username and password, or do what Marek describes in the quoted text below, depends on your use case, in my opinion. Is it just for convenience and reduced confusion that you want to prevent showing the username and password form to the users and show them instead only buttons for the available brokered login methods?
If so, then a theme change would probably be fine.

Would it be a violation of your security policy if a hacker used Fiddler or some such to tweak what the browser sends in order to login anyway with a username and password, even though you didn't include that form on your login Freemarker page? Then you'll probably want to change the flow itself as Marek suggests, to block that from happening.

> If you need to just override themes, you may not need to override
> authentication flow. But if you need to override UsernamePassword
> Authenticator and change the implementation, so that it doesn't allow
> to login with username/password at all, then you will need to add this
> authenticator implementation into new browser authentication flow.
> Maybe instead of overriding UsernamePassword authenticator, it's
> easier to create new implementation of authenticator, which will just
> show the Freemarker form with links to brokers (No username/password).
> In that case you will also need to create new authentication flow and
> add that new authenticator implementation to it.
>
> Marek

Regards,
Peter

-----Original Message-----
From: lists [mailto:lists at merit.unu.edu]
Sent: Tuesday, June 26, 2018 3:49 AM
To: keycloak-user at lists.jboss.org
Cc: pkboucher801 at gmail.com
Subject: Re: [keycloak-user] brokered-login only

Hi Peter,

On 25-6-2018 15:38, pkboucher801 at gmail.com wrote:
> You will need auto-linking of IDP to internal account as well, so they
> won't be asked for their password in order to approve linking their
> Keycloak account to the IDP.

Regarding this auto-linking: I understand what you mean. Are you talking about this:
https://github.com/ohioit/keycloak-link-idp-with-user
Or is this functionality implemented in keycloak nowadays? (since the plugin above appears to be unmaintained...)

MJ

From gary.schulte at opengov.com Wed Jun 27 17:07:43 2018
From: gary.schulte at opengov.com (Gary Schulte)
Date: Wed, 27 Jun 2018 14:07:43 -0700
Subject: [keycloak-user] UMA 2.0 permissions for service client owned resources
In-Reply-To:
References:
Message-ID:

Created https://issues.jboss.org/browse/KEYCLOAK-7726

Thx

On Wed, Jun 27, 2018 at 6:52 AM, Pedro Igor Silva wrote:
> This is a scenario we don't support and we need to handle this properly instead of throwing those errors.
>
> Currently, user-managed access is based on users granting access to their resources when these users are set as the resource owner. Could you open an RFE in JIRA with more details about your use case?
>
> Regards.
> Pedro Igor
>
> On Tue, Jun 26, 2018 at 9:20 PM, Gary Schulte wrote:
>> Another interesting data point: if I create a uma permission ticket for a service-client-owned resource, it breaks not only the authorization evaluation for that resource, but all authorization evaluations - until I delete the permission ticket.
>>
>> On Tue, Jun 26, 2018 at 2:19 PM, Gary Schulte wrote:
>>> Hello all,
>>>
>>> I have some criteria for resource scope sharing that I am trying to reconcile. We are using keycloak to protect data resources. The data resources are created with a corresponding keycloak resource and scopes. These resources are logically owned by the resource creator, but we want to have the resources technically owned by the service client for a couple of reasons:
>>>
>>> * resources may be created by CS and "transitioned" to users
>>> * resources created by users who leave the organization should not be orphaned
>>>
>>> To accomplish this we have an owner scope which is a proxy for the actual resource ownership, and the service client actually owns all of the resources.
>>>
>>> However, we want to allow users to share scopes dynamically.
We are >> > looking at upgrading to keycloak 4.0 and UMA 2.0 to accomplish this >> > sharing, and intend to continue to use policies for our administrative >> RBAC >> > scenarios. >> > >> > In testing, I have been able to grant and revoke permissions using the >> > permission ticketing for service-client-owned resources. However when I >> > attempt to use the evaluation console to verify the behavior, I get a >> 500 >> > error (and no logging on the keycloak side): >> > >> > {"error":"server_error","error_description":"Error while evaluating >> > permissions."} >> > >> > Are UMA 2.0 permissions for service client owned resources a supported >> use >> > case? >> > >> > TIA >> > >> > Gary Schulte >> > >> > From vandana0242 at gmail.com Wed Jun 27 17:08:22 2018 From: vandana0242 at gmail.com (vandana) Date: Wed, 27 Jun 2018 14:08:22 -0700 (MST) Subject: [keycloak-user] Keycloak & Okta In-Reply-To: References: Message-ID: <1530133702128-0.post@n6.nabble.com> Hello Need help for this . Can you able to let us know how to do this 1)We have configured the keycloak for the sample-wildfly-app on the OKTA by provinding the SSO url as Single Sign On URLhttp://xxxx:18000/auth/realms/master/broker/saml/endpoint 2) Then downloaded the metadata from the okta for the app " Sample-Wildfly-App) 3)Imported the metadata into keycloak as a new identity provider . 4) On the keycloak page we could see a tab that metadata was imported in the form of a tab 5) After we click on the tab samlsample on the keycloak page ,its redirecting to OKTA page 6)We have entered the credentials on okta page , but its redirecting to keycloak as an error page (PFA- Instead of this error page we have to see the application which we deployed on the wildfly instance . Note : Our app url is this http:/xxxx:18050/sample/. Also Where we have to mention this app url so that we can have that page after we enter the credentials on okta page. 
From vandana0242 at gmail.com Wed Jun 27 17:36:43 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 27 Jun 2018 16:36:43 -0500
Subject: [keycloak-user] keycloak | Wildfly

Hello

Does anyone know the below process? If yes, could you tell us how to set up the broker in keycloak for keycloak final 4.0.0.0 version.

1. Set up a client for your application in Keycloak
2. Set up a broker in Keycloak that points to Okta and sets that as the automatic delegate. This means no keycloak login screen would be shown and it would delegate directly to Okta for authentication.
3. Log into Okta
4. Get to Okta app screen.
5. Click on app link
6. App redirects to Keycloak for authentication
7. Keycloak redirects automatically to Okta
8. Okta sees you are already logged in
9. Redirects back to Keycloak
10. Creates SAML assertion or OIDC token for client

Thanks,
Vandana

From edill at anaconda.com Wed Jun 27 20:21:06 2018
From: edill at anaconda.com (Eric Dill)
Date: Wed, 27 Jun 2018 20:21:06 -0400
Subject: [keycloak-user] Multiple logins from different IPs

Hi,

Searching through the mailing list, the docs and JIRA, I've been able to find some previous conversations on the mailing list and a closed Jira ticket around the same user being able to simultaneously be logged in from two (or more) different IP addresses. The comment last year was

> We don't have this supported OOTB, but likely we should as it's quite popular use-case though

It's been a bit over a year since that was posted to the mailing list. I wonder if this capability is now supported out of the box?

The other piece of advice last year was that

> For now, you will need to implement custom Authenticator

If this capability does not exist out of the box, are there any available examples of doing this as a plug-in?

Thanks for the great project :-D

Best,
Eric

--
Eric D. Dill, PhD
Senior Solutions Architect

From pulkitsrivastavajd at gmail.com Thu Jun 28 02:50:25 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Thu, 28 Jun 2018 12:20:25 +0530
Subject: [keycloak-user] Keycloak DB connection reset

Hi,

I am using keycloak with AWS MySQL RDS instance. The problem I am facing is that after some time, the db connection is reset and I have to restart keycloak server to make db connection again. It wasn't a problem till the time I was using keycloak's in-memory H2 DB.

Please help.

Thanks,
Pulkit

From sthorger at redhat.com Thu Jun 28 04:08:00 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 28 Jun 2018 10:08:00 +0200
Subject: [keycloak-user] Why does error page always use base theme?

That depends on what error page you are referring to. As long as the URL of the error page includes the realm it will use the login theme for that realm. Otherwise it will fall back to the login theme of the master realm.

You can try this out by creating a new realm called test. Use the base theme for this. Afterwards open:

http://localhost:8080/auth/realms/master/nosdf

That should use the Keycloak theme. Then open:

http://localhost:8080/auth/realms/test/nosdf

That will use the base theme.

On Wed, 27 Jun 2018 at 14:57, Neujahr, Jana wrote:
> Dear Keycloak users,
>
> my task is to style the custom keycloak theme. But I found some strange
> behavior for which I cannot find a solution. I'm using Keycloak 4 beta. For
> the error pages ("We're sorry..." "Page not found"...) Keycloak always uses
> the base/keycloak theme, not my custom one...
>
> These are the steps I tried:
>
> - In the Admin Console, I added custom theme to all possible areas
> (Login, Account...)
>
> - added error.ftl, info.ftl and others to the custom theme in folder
> "login"
>
> - ensured that "template.ftl" from the same folder is used in all
> these FTLs: <#import "template.ftl" as layout>
>
> -
> created an own login.css with specific overwriting styles (which
> is already used in login pages successfully)
>
> - added login.css to theme.properties:
> styles=node_modules/patternfly/dist/css/patternfly.css
> node_modules/patternfly/dist/css/patternfly-additions.css
> lib/zocial/zocial.css css/login.css
>
> But in the error page always the base/keycloak css is used. I ensured that
> with altering the base css -> then it worked with the error page.
>
> What to do to make Keycloak take my custom theme for errors?
>
> I'd appreciate any help!
>
> Kindly yours
> Jana
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ds at escalon.de Thu Jun 28 04:14:39 2018
From: ds at escalon.de (- -)
Date: Thu, 28 Jun 2018 10:14:39 +0200 (CEST)
Subject: [keycloak-user] Kerberos authentication in Windows
Message-ID: <1485493396.7500.1530173679680@email.1und1.de>

From lists at merit.unu.edu Thu Jun 28 04:20:39 2018
From: lists at merit.unu.edu (mj)
Date: Thu, 28 Jun 2018 10:20:39 +0200
Subject: [keycloak-user] brokered-login only
In-Reply-To: <000701d40e41$c02fd3d0$408f7b70$@gmail.com>
References: <000401d40c89$c36695c0$4a33c140$@gmail.com> <000701d40e41$c02fd3d0$408f7b70$@gmail.com>

Hi Peter,

On 06/27/2018 08:07 PM, pkboucher801 at gmail.com wrote:
> Is it just for convenience and reduced confusion that you want to
> prevent showing the username and password form to the users and show
> them instead only buttons for the available brokered login methods?
> If so, then a theme change would probably be fine.

Yes, that's the reason.

> Would it be a violation of your security policy if a hacker
> used fiddler or somesuch to tweak what the browser sends in order to
> login anyway with a username and password, even though you didn't
> include that form on your login Freemarker page? Then you'll
> probably want to change the flow itself as Marek suggests, to block
> that from happening.

That was not our primary concern.

Thanks for all the pointers in this thread. We will edit the template.

However.. We still feel that a checkbox like "Disallow direct user/pass logins for this realm" would be a good feature.
:-) MJ

From ds at escalon.de Thu Jun 28 04:58:42 2018
From: ds at escalon.de (Dietrich Schulten)
Date: Thu, 28 Jun 2018 10:58:42 +0200 (CEST)
Subject: [keycloak-user] Kerberos authentication in Windows
Message-ID: <978914235.8500.1530176322312@email.1und1.de>

From gambol99 at gmail.com Thu Jun 28 06:25:45 2018
From: gambol99 at gmail.com (gambol)
Date: Thu, 28 Jun 2018 11:25:45 +0100
Subject: [keycloak-user] Authorization Services - Admin Console

Hiya

I'm guessing this isn't possible yet but just in case, is it possible to provide fine-grain controls over the creation of local accounts. At the moment we have a project to whom we gave the ability to control membership of one or more groups via "User Policy" in authorization services. We would like them to be able to "create" a user as well, but retain the above limitation. At the moment this doesn't look like it's possible as the only way to get the "Add User" button is to add the "manage-users" role from "realm-management" .. This unfortunately gives the access to do anything they want with the users .. adding a group, delete etc etc

Are there any plans to extend the scopes available under the Users resource type? ..

Rohith

From yuriy.yunikov at vgs.io Thu Jun 28 06:27:06 2018
From: yuriy.yunikov at vgs.io (Yuriy Yunikov)
Date: Thu, 28 Jun 2018 13:27:06 +0300
Subject: [keycloak-user] Static API keys (long lived access tokens)

Hi everyone,

We have a need to issue a static access token from Keycloak which wouldn't change and have no expiry but can be revoked. From what I've seen so far Keycloak can only issue an offline token for a refresh token, but not for access tokens. Is there any way to achieve this?

Regards,
Yuriy

From psilva at redhat.com Thu Jun 28 08:45:53 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 28 Jun 2018 09:45:53 -0300
Subject: [keycloak-user] Authorization Services - Admin Console

You are not the first one to indicate this limitation. We need to plan a review of fine-grained admin permissions and discuss what we want or not to support.

There are some known limitations and I think the idea behind the implementation would be to check how people would use this functionality. Based on all feedback we are receiving from community, I think we can start looking at improving this functionality.

There is https://issues.jboss.org/browse/KEYCLOAK-6127, which I think is related with your problem. If so, feel free to push more details.

Regards.
Pedro Igor

On Thu, Jun 28, 2018 at 7:25 AM, gambol wrote:
> Hiya
>
> I'm guessing this isn't possible yet but just in case, is it possible to
> provide fine-grain controls over the creation of local accounts. At the
> moment we have a project to whom we gave the ability to control membership
> of one or more groups via "User Policy" in authorization services. We would
> like them to be able to "create" a user as well, but retain the above
> limitation. At the moment this doesn't look like it's possible as the only
> way to get the "Add User" button is to add the "manage-users" role from
> "realm-management" .. This unfortunately gives the access to do anything
> they want with the users .. adding a group, delete etc etc
>
> Are there any plans to extend the scopes available under the Users
> resource type? ..
>
> Rohith

From psilva at redhat.com Thu Jun 28 09:03:41 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 28 Jun 2018 10:03:41 -0300
Subject: [keycloak-user] Keycloak 4

On Wed, Jun 27, 2018 at 2:25 PM, Corentin Dupont wrote:
>
> On Wed, Jun 27, 2018 at 6:01 PM, Pedro Igor Silva wrote:
>
>> On Wed, Jun 27, 2018 at 12:21 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> That's great, I was able to "share" a resource in my account console.
>>> As a keycloak admin, where to see all the sharings performed by users?
>>
>> We don't have this in admin console. The user-managed policies are hidden
>> in the admin console, the reason being to avoid admins changing them
>> without user consent. This was a tough decision and I'm open to discuss
>> different ideas if you think differently.
>
> Yeah it's arguable :) Keycloak Admin can "impersonate" a user so I'd say
> they already have access to that user's sharings?
> Furthermore, it hides a bit the information, making this feature less
> discoverable. Putting all the sharings in one place might make things more
> clear.

Admins still have access to these sharings via API. But yeah, they are hidden from Admin Console.

>>> Also, how to take into account this sharing in permission evaluation?
>>> Should I write specific policies to take into account resource sharing?
>>> For instance, I have a javascript policy to authorize the resource owner
>>> to access his resource.
>>> Should I write a "is shared with you" policy?
>>
>> If you do that, you are just defining a regular policy and it will not be
>> enough to let the user manage permissions via My Resources. This is how you
>> could achieve the "sharing" functionality before the latest changes to UMA.
>>
>> However, we have also introduced a Policy API to the Protection API. From
>> this API you are able to create additional "user-managed" permissions and
>> still have your users able to manage them via My Resources. Documentation
>> is also updated in upstream/master.
>>
>> This API basically allows you to define additional permissions to a
>> user's resource such as using roles, groups, clients or even conditions
>> using JS.
>
> Some questions:
> - A resource owner doesn't necessarily have permission to all the scopes
> on his own resource, it still depends on the policies, right?
> For instance, a resource owner could "view" his resource, but not "delete"
> it.

Yes, the behavior is the same as before. Evaluation of permissions for a resource will consider any policy governing access to resources regardless if the requester is the owner or not.

> - when a resource is shared by the owner with another user, he can share
> any scope, right? Regardless if he effectively has permission on that
> scope.
> When the recipient will make a permission request, Keycloak will first
> check that the original owner has permission.
> The permission is granted by transitivity, at run time.
> So, as an owner I can share a resource with a user with the "delete" scope,
> but the recipient user might not effectively obtain permission when
> requesting, if I don't actually have permission.

I see your point. But as it stands today, owners can grant any scope (regardless if they have permissions or not) associated with a resource. Are you suggesting to hide the scopes the owner is not granted so they can not grant these scopes to others?

> - Is there a way to control which resources/scopes can be shared?
> For example, I'm OK if a resource owner can delete his own resource, but I
> don't want that he could transmit that privilege to another user.

There isn't.
What we support is an enable/disable switch on the resource that tells if a resource should allow user-managed access. There is nothing like that for scopes .... Not sure if this switch on resources is what you are asking. So, for scopes we would need something similar ...

> - silly question, can you share a shared resource? What about ownership
> transfer?

Nope. I would suggest to not support that until we have more people asking and strong requirements that justify such thing.

Tks.

> Cheers
> Corentin
>
>>> On Wed, Jun 27, 2018 at 3:36 PM, Pedro Igor Silva wrote:
>>>
>>>> Think we are missing this in docs :)
>>>>
>>>> You need to enable "User-Managed Access" in Realm Settings (General
>>>> tab).
>>>>
>>>> On Wed, Jun 27, 2018 at 6:20 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>
>>>>> OK, interesting: I didn't know about this console :)
>>>>> I can access it with my "test" user, but I don't see the "My
>>>>> Resources" menu entry (see screenshot).
>>>>> I created some resources owned by that user (using the API). But they
>>>>> don't show up.
>>>>> What did I miss?
>>>>>
>>>>> On Tue, Jun 26, 2018 at 2:42 PM, Pedro Igor Silva wrote:
>>>>>
>>>>>> Yeah, you can access those claims in a JS policy.
>>>>>>
>>>>>> Regarding the "account management console" take a look here:
>>>>>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_api_aapi
>>>>>>
>>>>>> On Mon, Jun 25, 2018 at 1:28 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>>
>>>>>>> Ok, I see the "claim_token" parameter in the request.
>>>>>>> I guess you can retrieve those claims in a javascript rule, from the
>>>>>>> evaluation context.
>>>>>>>
>>>>>>> By the way, I still cannot figure out where is the "account
>>>>>>> management console", where users can manage user access (as per the
>>>>>>> release notes)??
>>>>>>>
>>>>>>> On Fri, Jun 22, 2018 at 7:09 PM, Pedro Igor Silva wrote:
>>>>>>>
>>>>>>>> The new form of obtaining entitlements relies solely on the token
>>>>>>>> endpoint just like when you are obtaining access tokens using other OAuth2
>>>>>>>> grant types. With that in mind the new format of the request should be a
>>>>>>>> HTTP POST + parameters. Check this documentation [1] for more details.
>>>>>>>>
>>>>>>>> Regarding pushing claims to your policies, there is a specific HTTP
>>>>>>>> parameter that you can use to pass a Base64 encoded JSON with the claims
>>>>>>>> you want to push.
>>>>>>>>
>>>>>>>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>>>>>>>
>>>>>>>> On Fri, Jun 22, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Thanks Pedro, I went through the pull request.
>>>>>>>>> I'm not sure how to modify my entitlement requests?
>>>>>>>>> For example I have:
>>>>>>>>> curl -X POST -H "Content-Type: application/json" -H
>>>>>>>>> "Authorization: Bearer $TOKEN" -d '{
>>>>>>>>> "permissions" : [
>>>>>>>>> {
>>>>>>>>> "resource_set_name" : "Sensors",
>>>>>>>>> "scopes" : [
>>>>>>>>> "sensors:update"
>>>>>>>>> ]
>>>>>>>>> }
>>>>>>>>> ]
>>>>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>>>>
>>>>>>>>> This call has been moved to uma-2, right?
>>>>>>>>> Can I add pushed claims to this call?
>>>>>>>>> What I'm imagining is:
>>>>>>>>>
>>>>>>>>> curl -X POST -H "Content-Type: application/json" -H
>>>>>>>>> "Authorization: Bearer $TOKEN" -d '{
>>>>>>>>> "permissions" : [
>>>>>>>>> {
>>>>>>>>> "resource_set_name" : "Sensors",
>>>>>>>>> "scopes" : [
>>>>>>>>> "sensors:update"
>>>>>>>>> ]
>>>>>>>>> }
>>>>>>>>> ],
>>>>>>>>> claims: ["owner": "cdupont"]
>>>>>>>>> }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
>>>>>>>>>
>>>>>>>>> In this example, I would like to push the owner of the sensor
>>>>>>>>> ("cdupont"), which I take from our own database before calling the API.
>>>>>>>>>
>>>>>>>>> Sorry about the questions, maybe I should just wait until the
>>>>>>>>> documentation is merged :)
>>>>>>>>>
>>>>>>>>> On Fri, Jun 22, 2018 at 4:37 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> We have a few changes to docs that were not released because the
>>>>>>>>>> PR [1] was not merged on time. But you can check about pushed claims (if
>>>>>>>>>> you are using our adapters) here [2].
>>>>>>>>>>
>>>>>>>>>> Regards.
>>>>>>>>>> Pedro Igor
>>>>>>>>>>
>>>>>>>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/402
>>>>>>>>>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>>>>>>>>>>
>>>>>>>>>> On Wed, Jun 20, 2018 at 10:04 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi guys,
>>>>>>>>>>> I'm playing with the new version of Keycloak (
>>>>>>>>>>> https://www.keycloak.org/docs/latest/release_notes/index.html)
>>>>>>>>>>>
>>>>>>>>>>> I have some questions:
>>>>>>>>>>> - where is the "account management console"?
>>>>>>>>>>> - How to use pushed claims? Which APIs are affected?
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>> Corentin

From vandana0242 at gmail.com Thu Jun 28 10:29:19 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 28 Jun 2018 09:29:19 -0500
Subject: [keycloak-user] Forbidden error on keycloak

We are configuring the single sign on configuration for the application which we deployed on wildfly instance by using keycloak, okta, application on wildfly instance. I could add or import the External IDP Metadata in keycloak under the tab add identity provider. Could see a tab (Saml-sample app) on keycloak page.

Case 1

When I click on tab (Saml-sample app) on keycloak it's redirecting to okta page and I gave the credentials and after that it's redirecting to keycloak and showing this error

Forbidden
You don't have access to the requested resource.
Go to the home page

PFA

What needs to be done in order to achieve the single sign on configuration for the application which we deployed on wildfly instance? Do we have to configure anything on application side?

Thanks.

From gambol99 at gmail.com Thu Jun 28 10:40:04 2018
From: gambol99 at gmail.com (gambol)
Date: Thu, 28 Jun 2018 15:40:04 +0100
Subject: [keycloak-user] Authorization Services - Admin Console

Hi Pedro

Much appreciated on the info :-) ..
for now we will live without it, but good to know things are on the roadmap

Rohith

On Thu, Jun 28, 2018 at 1:45 PM Pedro Igor Silva wrote:
> You are not the first one to indicate this limitation. We need to plan a
> review of fine-grained admin permissions and discuss what we want or not to
> support.
>
> There are some known limitations and I think the idea behind the
> implementation would be to check how people would use this functionality.
> Based on all feedback we are receiving from community, I think we can start
> looking at improving this functionality.
>
> There is https://issues.jboss.org/browse/KEYCLOAK-6127, which I think is
> related with your problem. If so, feel free to push more details.
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 28, 2018 at 7:25 AM, gambol wrote:
>
>> Hiya
>>
>> I'm guessing this isn't possible yet but just in case, is it possible to
>> provide fine-grain controls over the creation of local accounts. At the
>> moment we have a project to whom we gave the ability to control membership
>> of one or more groups via "User Policy" in authorization services. We
>> would
>> like them to be able to "create" a user as well, but retain the above
>> limitation. At the moment this doesn't look like it's possible as the only
>> way to get the "Add User" button is to add the "manage-users" role from
>> "realm-management" .. This unfortunately gives the access to do anything
>> they want with the users .. adding a group, delete etc etc
>>
>> Are there any plans to extend the scopes available under the Users
>> resource type? ..
>>
>> Rohith

From a.lamers at first8.nl Thu Jun 28 10:48:05 2018
From: a.lamers at first8.nl (Arjan Lamers)
Date: Thu, 28 Jun 2018 16:48:05 +0200
Subject: [keycloak-user] SAML Advice assertion with signature
Message-ID: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl>

Hi,

We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the dutch eHerkenning) that is using SAML Advice tags. We were running an older version of KeyCloak and recently that identity provider started to use Advice tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag, and that made us upgrade to 3.4.3.

However, this patch does not seem to be complete. The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails.

We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?

However, if we do want to go down this road, we would probably patch this in org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator) by skipping over nodes that have an "Advice" parent. Would that be an appropriate approach? Would you be interested in such a patch?
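One way to see the distinction Arjan is asking about, as an added illustration that is not part of the thread and not Keycloak's code: a Python walk over a constructed SAML Response that separates the Signature elements a relying party must verify from those that sit under Advice (which SAML 2.0 Core, section 2.3.3, allows a relying party to ignore), and that never treats an advised Assertion as the authoritative one. The namespaces are the standard SAML and XML-DSig ones; the sample document, its IDs and issuer URLs are constructed for the example.

```python
"""Classify ds:Signature elements in a SAML 2.0 Response by whether they
sit inside a saml:Advice element.

Added illustration, not Keycloak code.  SAML 2.0 Core 2.3.3 says Advice
"MAY be ignored" by a relying party, so signatures that only cover advised
assertions can be skipped, while the signature of the Response and of its
direct Assertion children must still be validated.  Real signature
verification (canonicalisation, key lookup) is out of scope here; in
production parse untrusted XML with defusedxml rather than plain ElementTree.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the structure described in the thread:
# the outer Assertion is signed, and its Advice carries two further signed
# Assertions from another issuer whose keys the SP does not hold.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>sig-a1</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example</saml:NameID></saml:Subject>
    <saml:Advice>
      <saml:Assertion ID="_adv1" Version="2.0">
        <saml:Issuer>https://upstream.example</saml:Issuer>
        <ds:Signature><ds:SignedInfo/><ds:SignatureValue>sig-adv1</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
      <saml:Assertion ID="_adv2" Version="2.0">
        <saml:Issuer>https://upstream.example</saml:Issuer>
        <ds:Signature><ds:SignedInfo/><ds:SignatureValue>sig-adv2</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
    </saml:Advice>
  </saml:Assertion>
</samlp:Response>"""


def _parent_map(root):
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def _inside_advice(elem, parents):
    """True when any ancestor of elem is a saml:Advice element."""
    while elem in parents:
        elem = parents[elem]
        if elem.tag == f"{{{SAML}}}Advice":
            return True
    return False


def classify_signatures(xml_text):
    """Return (to_verify, advisory): the ID of the element each ds:Signature
    is attached to (its parent), split by Advice membership.  Signatures in
    to_verify must be validated against the trusted IdP key; those in
    advisory may be skipped without weakening the Response check."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    to_verify, advisory = [], []
    for sig in root.iter(f"{{{DS}}}Signature"):
        signed = parents[sig]                 # element the signature belongs to
        target = signed.get("ID", signed.tag)
        if _inside_advice(sig, parents):
            advisory.append(target)
        else:
            to_verify.append(target)
    return to_verify, advisory


def authoritative_assertions(xml_text):
    """IDs of the Assertions a relying party may act on: direct children of
    the Response only.  Advised assertions are deliberately excluded so that
    an unverified assertion placed inside Advice can never be mistaken for
    the one carrying the authenticated Subject (a signature-wrapping style
    confusion)."""
    root = ET.fromstring(xml_text)
    return [a.get("ID") for a in root.findall(f"{{{SAML}}}Assertion")]


if __name__ == "__main__":
    verify, skip = classify_signatures(SAMPLE_RESPONSE)
    print("verify:", verify)                                    # ['_a1']
    print("advisory:", skip)                                    # ['_adv1', '_adv2']
    print("act on:", authoritative_assertions(SAMPLE_RESPONSE))  # ['_a1']
```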
Kind regards,

Arjan Lamers
Software Architect
+31 (0)6 23 82 24 05
a.lamers at first8.nl
https://www.first8.nl
LinkedIn https://www.linkedin.com/in/arjanl
Kerkenbos 1059b
6546 BB Nijmegen

From vandana0242 at gmail.com Thu Jun 28 15:54:25 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 28 Jun 2018 14:54:25 -0500
Subject: [keycloak-user] Facing issue after having keycloak SAML adapter keycloak-saml.xml content into wildfly instance.xml file

As per this doc https://www.keycloak.org/docs/2.5/securing_apps/topics/saml/java/jboss-adapter/securing_wars.html I have installed the file from keycloak -> client -> Installation tab -> keycloak SAML Adapter Keycloak-Saml.xml. Copied this file content to wildfly instance's .xml file and I'm seeing the below error.

515: |
516: |
517: |     ^^^^ Illegal to have multiple roots (start tag in epilog?)
     |
518: |
519: |
520: |
     | The primary underlying error message was:
     | > Illegal to have multiple roots (start tag in epilog?).
     | > at [row,col {unknown-source}]: [517,9]

Thanks,

From rafaelweingartner at gmail.com Thu Jun 28 18:35:55 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 28 Jun 2018 19:35:55 -0300
Subject: [keycloak-user] Error while building inside a container

Hello, Keycloak community,

I am trying to build Keycloak 4.0.0Final, but I keep getting the following error:

Results :
> Tests in error:
>   JavascriptAdapterTest.org.keycloak.testsuite.adapter.javascript.JavascriptAdapterTest » Runtime
>   DemoFilterServletAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoFilterServletAdapterTest » Runtime
>   DemoServletsAdapterTest.org.keycloak.testsuite.adapter.servlet.DemoServletsAdapterTest » Runtime
>
> Tests run: 1703, Failures: 0, Errors: 3, Skipped: 247

I am not understanding it. Has someone here seen something similar?

I am running the build inside a docker container, can this be the problem? Can I be missing some dependency or something else? I am using Debian 8.11, Java 8_171 and maven 3.5.4.

When I try to build using a bare server, everything works.

--
Rafael Weingärtner

From jpperata at gmail.com Thu Jun 28 20:33:17 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Thu, 28 Jun 2018 21:33:17 -0300
Subject: [keycloak-user] Issue when two user federation providers are deployed

Hi,

I have been facing an issue with having two user federation providers deployed on the same keycloak instance. When both are deployed, one of them appears as not visible from the admin console.

I created this issue where I explain the situation better: https://issues.jboss.org/browse/KEYCLOAK-7735?_sscc=t

It seems to be a bug but I cannot confirm that. I would appreciate it if someone who faced something similar points out something I do not see.

Regards,
Juan

From jpperata at gmail.com Thu Jun 28 20:36:20 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Thu, 28 Jun 2018 21:36:20 -0300
Subject: [keycloak-user] Issue when two user federation providers are deployed

From pulkitsrivastavajd at gmail.com Fri Jun 29 01:16:37 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Fri, 29 Jun 2018 10:46:37 +0530
Subject: [keycloak-user] Keycloak DB connection reset

Hey,

My membership had expired. I have re-enabled it.
So, if I have missed any update on this, please revert.

Thanks,
Pulkit

On Thu, Jun 28, 2018 at 12:20 PM Pulkit Srivastava <pulkitsrivastavajd at gmail.com> wrote:
> Hi,
> I am using keycloak with AWS MySQL RDS instance. The problem I am facing
> is that after some time, the db connection is reset and I have to restart
> keycloak server to make db connection again.
> It wasn't a problem till the time I was using keycloak's in-memory H2 DB.
> Please help.
>
> Thanks,
> Pulkit

From henning.waack at codecentric.de Fri Jun 29 02:29:31 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Fri, 29 Jun 2018 08:29:31 +0200
Subject: [keycloak-user] Get all users for a given client with consent

Hey guys,

any input on this? Appreciate it! :)

Thanks

Henning

2018-06-25 13:35 GMT+02:00 Henning Waack:
> Hi.
>
> Is it possible to get a list of all users who have given their consent for
> a specific client? I am working with KC 4.0 (and Spring Boot 2.0).
>
> Thanks & greetings
>
> Henning

--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

From lrozenblyum at gmail.com Fri Jun 29 02:40:13 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 29 Jun 2018 09:40:13 +0300
Subject: [keycloak-user] username to be used for importing users

I was able to achieve the goal by setting up the broker in such a way:
1) Edit identity provider: NameID Policy Format, select 'unspecified'
2) Edit every client representing Service Provider application, select 'Name id format': username

I wonder whether this approach is fine, especially if we do not use keycloak as the 3rd party provider. Is it something generic for SAML2.0 or very specific for keycloak?

According to doc http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
the supported formats for nameid are
- Email address
- X.509 subject name
- Windows domain qualified name
- Kerberos principal name
- Entity identifier
- Persistent identifier
- Transient identifier

Is username something additional?

On Tue, Jun 26, 2018 at 1:16 PM Leonid Rozenblyum wrote:
> Hello!
> We're using 2 keycloak instances.
> SP -> Keycloak (broker) -> Keycloak (Identity provider)
>
> How can we configure the broker to create user names equal to the original
> username from keycloak (Idp)? Now the new users inside the broker receive a
> G-.... (long meaningless string)
> username during the first log-in.
>
> So if user logs in through Idp with login: 'hello' we would like user
> 'hello' be created in the broker
>
> Thank you for advice.

From shaik.salam at tcs.com Fri Jun 29 03:25:15 2018
From: shaik.salam at tcs.com (Shaik Salam)
Date: Fri, 29 Jun 2018 12:55:15 +0530
Subject: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner

Hi,

We have installed docker on linux operating system in vm and are running keycloak server as container. Trying to restart server (ex: ./bin/standalone.sh) but boot has failed due to following port conflicts.
Could you please let us know whether any modifications are needed to the ports or the interface's IP address in the respective files (ex: standalone.xml, host.xml etc.).
Please provide a suitable solution and tell us in which files the modifications need to be done to rectify the following errors; see the log file for more information. Thanks in advance.

11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
    at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:340)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"},
    "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
        "Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"],
        "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
    }
}

11:10:49,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
    "Services that were unable to start:" => [
        "jboss.deployment.discovery.\"keycloak-server.war\"",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"com.sun.faces.config.ConfigureListener\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.faces.webapp.FacetTag\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.filters.KeycloakSessionServletFilter\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.listeners.KeycloakSessionDestroyListener\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".deploymentCompleteService",
        "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service",
        "jboss.undertow.deployment.default-server.default-host./auth"
    ],
    "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}}

BR
Salam

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments.
Thank you

From kanhaiya at xinperformance.com Fri Jun 29 03:58:32 2018
From: kanhaiya at xinperformance.com (Kanhaiya Ora)
Date: Fri, 29 Jun 2018 13:28:32 +0530
Subject: [keycloak-user] How to use Keycloak in CakePHP Application
Message-ID:

Hi Developers,

I am a PHP Developer. I am a beginner with keycloak, so can you help me with how to set up Keycloak with a *CakePHP* application. I haven't found any proper documentation on how to configure Keycloak with a PHP Application.

If I am using the Keycloak REST API to configure Keycloak with a PHP Application, then we want to use Keycloak Admin as a REST API server.

If you have any proper documentation and video tutorial for configuring Keycloak with a PHP Application, please send me the link, so I can start work on Keycloak with my application.

Thanks in Advance.

--
*Kanhaiya Ora*
*Sr. Software Developer, Xin Performance*
E: kanhaiya at xinperformance.com
T: +91 9755518055
W: xinperformance.com

From K.Buler at adbglobal.com Fri Jun 29 04:21:41 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Fri, 29 Jun 2018 10:21:41 +0200
Subject: [keycloak-user] x509 - serial number as a HEX
Message-ID:

Hi Everybody,

is there any possibility to get the Serial Number field from the certificate in the x509 authentication flow as a HEX value instead of an Integer? I've set the x509 Direct Grant authentication flow to take the Serial Number as a username, and I expected that there would be a HEX value, which I see in the certificate, but I've got the Integer representation of it in my User Storage Federation's classes.

Karol

[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments.
Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

From pnalyvayko at agi.com Fri Jun 29 10:31:10 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Fri, 29 Jun 2018 14:31:10 +0000
Subject: [keycloak-user] x509 - serial number as a HEX
In-Reply-To:
References:
Message-ID:

Hi Karol,

AFAIK, by default x509 authentication in KC uses a decimal representation when mapping the serial number to a user identity. As a temp workaround, you can try augmenting the DN field and then configure the x509 auth to use the regular expression identity extractor to get the value.

My $.02 cents
--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Karol Buler [K.Buler at adbglobal.com]
Sent: Friday, June 29, 2018 4:21 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] x509 - serial number as a HEX

Hi Everybody,

is there any possibility to get the Serial Number field from the certificate in the x509 authentication flow as a HEX value instead of an Integer? I've set the x509 Direct Grant authentication flow to take the Serial Number as a username, and I expected that there would be a HEX value, which I see in the certificate, but I've got the Integer representation of it in my User Storage Federation's classes.

Karol

[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sat Jun 30 06:30:50 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 30 Jun 2018 13:30:50 +0300
Subject: [keycloak-user] Get all users for a given client with consent
In-Reply-To:
References:
Message-ID: <1530354650.18192.3.camel@acutus.pro>

Hi Henning, sorry for the late response,

I assume that by "getting a list of all users with consent for a specific client" you mean exposing this list over REST API (correct me if I'm wrong). For this, you will need to implement a custom REST endpoint using Realm Resource SPI [1] that will execute a single JPA query:

select consent from UserConsentEntity consent where consent.clientId = :clientId

then convert the results to a list of UserConsentRepresentation's and return it. If you want to see the list in the admin GUI, you'll also have to implement a GUI theme. Please remember that by default custom REST resources are public, so you'll need to implement proper access control.

Examples that might be helpful here:
- examples/providers/rest: a minimal example of custom REST resource;
- examples/providers/domain-extension: an advanced example that (among other things) demonstrates interacting with the JPA layer; unfortunately, it is not maintained, and the authorization code is broken at the moment [2];
- BeerCloak [3]: a more complete and complex example that is maintained and working. Currently, authorization is implemented in a pre-3.2.0 way (but should still work in 4.0.0). I'm going to port it to post-3.2.0 soon (that means, fine-grained permissions), so stay tuned;
- examples/themes - if you're looking to extend the GUI.

See also:
org.keycloak.models.jpa.entities.UserConsentEntity
org.keycloak.representations.idm.UserConsentRepresentation
org.keycloak.services.resources.admin.UserResource::getConsents()
org.keycloak.models.jpa.JpaUserProvider::getConsents()

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[2] https://issues.jboss.org/browse/KEYCLOAK-5927
[3] https://github.com/dteleguin/beercloak

> Hey guys, any input on this? Appreciate it! :)
>
> Thanks
>
> Henning
>
> 2018-06-25 13:35 GMT+02:00 Henning Waack :
>
> > Hi.
> >
> > Is it possible to get a list of all users who have given their
> > consent for
> > a specific client? I am working with KC 4.0 (and Spring Boot 2.0).
> >
> > Thanks & greetings
> >
> > Henning
> >
> >

From shawn at victz.com Sat Jun 30 10:17:14 2018
From: shawn at victz.com (Shawn Fu Sheng)
Date: Sat, 30 Jun 2018 22:17:14 +0800
Subject: [keycloak-user] KEYCLOAK-7237 : Redirect URI is adding port zero to the url
In-Reply-To: <6AF83FD5-8B8E-4E50-B3B7-66025C0B3A37@victz.com>
References: <6AF83FD5-8B8E-4E50-B3B7-66025C0B3A37@victz.com>
Message-ID:

Dear keycloak team,

I encountered a redirect_uri error.
Found the same issue logged at the JIRA below, just want to check whether there is any workaround? Can anyone help? Thank you in advance.

KEYCLOAK-7237

2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=175.156.168.158, error=invalid_redirect_uri, redirect_uri=https://www.mydomain.com:0/home

I am using an apache http reverse proxy running on centos7, WildFly 10, keycloak 3.4.3. I have also tried the environments below but get the same error.
Tried in WildFly 10, WildFly 11, jboss 7.1
Keycloak 3.4.3 as well as keycloak 4.0

Also tried shutting down apache http and accessing http://www.mydomain.com:8080/home directly, but it seems the return_uri is automatically converted to https with port 0.

Please see the standalone.xml below; tried removing the config below in red but no luck.

Rds,
Shawn
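For the "Get all users for a given client with consent" thread above: the following is an added illustration of the approach Dmitry describes (a Realm Resource SPI endpoint running the UserConsentEntity query and guarding itself, since custom resources are public by default). It is not code from the thread, from BeerCloak or from Keycloak itself. Assumptions: the package name, the resource id "client-consents" and the UserConsentEntry DTO are invented; the USER_CONSENT row is assumed to store the client's internal id (hence the lookup via getClientByClientId first); and the bearer-token check uses AppAuthManager.authenticateBearerToken(session, realm), which is the pre-3.2.0 style Dmitry mentions and may need adjusting on other Keycloak versions.

```java
package com.example.consentlist; // hypothetical package, not part of Keycloak

import java.util.ArrayList;
import java.util.List;
import javax.persistence.EntityManager;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.keycloak.Config;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.jpa.entities.UserConsentEntity;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

/** Serves GET /auth/realms/{realm}/client-consents/{clientId}: one entry per consenting user. */
public class ClientConsentsResourceProvider implements RealmResourceProvider {

    private final KeycloakSession session;

    public ClientConsentsResourceProvider(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() { }

    /** Invented response shape: the user plus the same representation the admin API returns. */
    public static class UserConsentEntry {
        public String userId;
        public String username;
        public UserConsentRepresentation consent;
    }

    @GET
    @Path("{clientId}")
    @Produces(MediaType.APPLICATION_JSON)
    public List<UserConsentEntry> listConsents(@PathParam("clientId") String clientId) {
        RealmModel realm = session.getContext().getRealm();
        requireViewUsers(realm);                       // never skip this: the resource is public otherwise

        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null) throw new NotFoundException("unknown client");

        // Assumption: consent.clientId holds the client's internal id, not the public clientId.
        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
        List<UserConsentEntity> rows = em.createQuery(
                "select consent from UserConsentEntity consent where consent.clientId = :clientId",
                UserConsentEntity.class)
            .setParameter("clientId", client.getId())
            .getResultList();

        List<UserConsentEntry> result = new ArrayList<>();
        for (UserConsentEntity row : rows) {
            String userId = row.getUser().getId();
            // Re-read through the model layer so Keycloak's own converter builds the representation.
            UserConsentModel model = session.users().getConsentByClient(realm, userId, client.getId());
            if (model == null) continue;
            UserModel user = session.users().getUserById(userId, realm);
            UserConsentEntry entry = new UserConsentEntry();
            entry.userId = userId;
            entry.username = user == null ? null : user.getUsername();
            entry.consent = ModelToRepresentation.toRepresentation(model);
            result.add(entry);
        }
        return result;
    }

    /** Require a valid bearer token whose user holds realm-management/view-users. */
    private void requireViewUsers(RealmModel realm) {
        AuthenticationManager.AuthResult auth = new AppAuthManager().authenticateBearerToken(session, realm);
        if (auth == null) throw new NotAuthorizedException("Bearer");
        ClientModel realmMgmt = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        RoleModel viewUsers = realmMgmt == null ? null : realmMgmt.getRole(AdminRoles.VIEW_USERS);
        if (viewUsers == null || !auth.getUser().hasRole(viewUsers)) throw new ForbiddenException();
    }

    /** Registered via META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory. */
    public static class Factory implements RealmResourceProviderFactory {
        @Override public RealmResourceProvider create(KeycloakSession session) { return new ClientConsentsResourceProvider(session); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return "client-consents"; }   // path segment under /realms/{realm}/
    }
}
```

Because the query touches the JPA entity directly, the provider jar needs a module dependency on Keycloak's JPA model module, the same way the domain-extension example does; if that is missing, the class loads but the entity name is unknown to the EntityManager at query time. Keeping the role check before the client lookup also avoids leaking which clientIds exist to unauthenticated callers.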
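For the "x509 - serial number as a HEX" thread: Peter explains that Keycloak maps the serial as a decimal string, while Karol's User Storage Federation holds the hex form shown by certificate viewers. An added helper (not from the thread or from Keycloak) that normalizes both forms so the federation lookup can compare them regardless of representation; the class name and the sample values are invented, and the serial is assumed to be non-negative as RFC 5280 requires.

```java
import java.math.BigInteger;
import java.util.Locale;

/** Normalizes X.509 serial numbers between the decimal form Keycloak passes on
 *  and the hex form certificate viewers display. Hypothetical helper, not a Keycloak API. */
public final class CertificateSerial {

    private CertificateSerial() { }

    /** "2748" -> "0ABC": upper-case hex, zero-padded to an even number of digits
     *  so it matches the byte-oriented display most tools use. */
    public static String decimalToHex(String decimal) {
        BigInteger value = new BigInteger(decimal.trim());
        if (value.signum() < 0) throw new IllegalArgumentException("serial must be non-negative");
        String hex = value.toString(16).toUpperCase(Locale.ROOT);
        return (hex.length() % 2 == 1) ? "0" + hex : hex;
    }

    /** Accepts "0a:bc", "0ABC", "0x0abc" or "0a bc" and returns the decimal string "2748". */
    public static String hexToDecimal(String hex) {
        String cleaned = hex.trim().replaceFirst("^0[xX]", "").replaceAll("[:\\s]", "");
        if (!cleaned.matches("[0-9a-fA-F]+")) throw new IllegalArgumentException("not a hex serial: " + hex);
        return new BigInteger(cleaned, 16).toString();
    }

    /** True when a stored hex serial denotes the same number as the decimal one the
     *  x509 authenticator supplies as the username; leading zeros and case do not matter. */
    public static boolean matches(String storedHex, String decimalFromKeycloak) {
        return new BigInteger(hexToDecimal(storedHex))
                .equals(new BigInteger(decimalFromKeycloak.trim()));
    }

    public static void main(String[] args) {
        // Constructed sample: 0xABC == 2748
        System.out.println(decimalToHex("2748"));            // 0ABC
        System.out.println(hexToDecimal("0a:bc"));           // 2748
        System.out.println(matches("00:0A:BC", "2748"));     // true
    }
}
```

Comparing as numbers rather than strings is the point: a stored value like "00:0A:BC" and the decimal "2748" are the same serial, and a string comparison of the raw forms would silently fail the lookup.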