From mariopeck41 at gmail.com Tue May 1 12:00:01 2018
From: mariopeck41 at gmail.com (Mario Peck)
Date: Tue, 1 May 2018 12:00:01 -0400
Subject: [keycloak-user] Keycloak on Wildfly 12 running EE8
Message-ID:

Did anyone have any success running the Keycloak Elytron Adapter for Wildfly on Wildfly 12 running in EE8 mode (ee8.preview.mode=true)? It is not working for me. Anyone?

From ryans at jlab.org Tue May 1 14:19:15 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 1 May 2018 14:19:15 -0400 (EDT)
Subject: [keycloak-user] Multiple User Storage Providers
In-Reply-To: <693589230.7249496.1525198713523.JavaMail.zimbra@jlab.org>
References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org> <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com> <450417951.9188272.1518187585618.JavaMail.zimbra@jlab.org>
Message-ID: <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org>

Hi Marek,

I'm looking for comments and suggestions on integrating multiple Kerberos realms into a single Keycloak realm (SSO namespace). I initially overlooked the possibility of using identity provider brokering, but I'm not 100% sure that's the best option. Here is a summary of ways I've discovered so far:

1. Use identity provider brokering. However, automatically linking accounts without prompting users to authenticate is not supported (https://issues.jboss.org/browse/KEYCLOAK-7270). This kind-of defeats the purpose as users end up having to provide both credentials to create the link and login.
2. Create a new custom user storage provider. Looks very complicated and fragile. Any examples of this to look at? Would this even work with SPNEGO for either or only for one?
3. Figure out what the heck configuring a Keycloak realm with multiple user storage providers and ordering them is supposed to do. Still very confused as why you can configure it. If Keycloak tried one and then tried the next if the first failed that would be great (account lockout from incorrect password count threshold would need to be set high on first one, but probably fine).
4. Use client-side multi-tenancy. Each client can choose which Keycloak realm to authenticate to. Each Keycloak realm has a different Kerberos realm in a one-to-one mapping. This creates a complicated logic burden on clients and must be duplicated on all clients, and SSO token generated would vary based on actual realm chosen as opposed to having a single universal SSO token for the domain.
5. Use Kerberos Cross-Realm trusts. Probably works, but Jira suggests this is untested (https://issues.jboss.org/browse/KEYCLOAK-3842). This is not a great option in our case because we only trust users from the other realm on the web, not on workstations or anywhere else and don't want to change what "anyone with an account" means, and introduce extra risk requiring assigning users to a new group and relying on group authorization.
6. Instead of Keycloak just use mod_auth_kerb and SSSD (https://www.freeipa.org/page/Web_App_Authentication). A hack integration, but might be easier.

What have others done? Thoughts? Suggestions? None of these options are great.

Thanks,

Ryan

----- Original Message -----
From: "Ryan Slominski"
To: "Marek Posolda"
Cc: "keycloak-user"
Sent: Friday, February 9, 2018 9:46:25 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers

Thanks Marek,

I am using 3.4.3, but the two Kerberos realms are not configured in a cross realm trust (I want the web apps in one specific Keycloak realm to trust either realm, but that trust shouldn't be universal and System Admins don't want to trust other realms for Workstation logins and cross realm trust would require new authorization considerations as it changes what "anyone with an account" means). Is cross realm trusts the only way to do what I'm after?

Ryan

----- Original Message -----
From: "Marek Posolda"
To: "Ryan Slominski" , "keycloak-user"
Sent: Friday, February 9, 2018 9:04:56 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers

Hi,

which Keycloak version are you using? In 3.4.3, we added support for the scenario when the kerberos realms are in trust with each other (hence you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could you try with 3.4.3 and see if it helps? Otherwise please create JIRA with the steps to reproduce and ideally with server.log (with DEBUG option enabled on LDAP storage providers and with DEBUG logging described in "Troubleshooting" section of our Kerberos documentation).

Thanks,
Marek

On 9.2.2018 at 14:51, Ryan Slominski wrote:
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICBA&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=9_qBWrxq5tF_Bbe0PAmmj-8rJvJEqkjkYTpziWQCTcU&s=jJplqt7pC9jx8uJECGPSSPspXnqit8NW_PCQsYQLpug&e=

From luke at code-house.org Tue May 1 17:19:06 2018
From: luke at code-house.org (luke at code-house.org)
Date: Tue, 1 May 2018 23:19:06 +0200
Subject: [keycloak-user] User Attributes security and organization
In-Reply-To:
References: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>
Message-ID:

Hey Eric,

FormAction is one of elements which can be plugged into registration flow, where user enters its credentials and might also enter attributes. Default theme from keycloak does not allow to specify any attributes, but these still can be appended with sequence of cURL requests. FormAction I implemented allows to control that.

After user is registered and logged in his actions are subject of other elements in Keycloak which are not extensible at this moment. From what I see AccountRestService is still possible to exploit in the way you described. There is no way to solve that with existing SPI that I know.

I would suggest reporting that in JIRA. Without presence in backlog it will never get a traction.

Kind regards,
Lukasz

> On 1 May 2018, at 04:51, Eric B wrote:
>
> Hi Lukasz,
>
> Thanks for the extension. I took a quick look at it, and I think it should be able to help me out. I wonder if I need to be concerned about keycloak API accesses that need to be secured as well, since your FormAction is clearly a UI related thing. I haven't had a chance to look at the API yet, however, and/or if there is something I would need to do along that line as well.
>
> Thanks!
>
> Eric
>
>
> On Mon, Apr 30, 2018 at 11:00 AM, wrote:
> Hey Eric,
> Currently there is no validation nor extension in Keycloak itself which could control these things. I don't know Keycloak internals well enough to say if there is a way to configure that via federation or any other mechanism. Given that keycloak keeps copy of user records I would expect that some attributes are not backed by federated system. In the end, point of having Keycloak is sometimes to enrich user model.
>
> I wrote a simple extension (FormAction) which can be plugged into registration flow in order to build blacklist/whitelist policy. You can check it out here: https://github.com/apifocal/apifocal-id/tree/master/keycloak/extension/attributes .
> Feel free to submit issues on GitHub if you find any bug or gap to be filled in.
>
> Cheers,
> Lukasz
>
>> On 20 Apr 2018, at 19:53, Eric B wrote:
>>
>> I just started working with KeyCloak (3.4.3) and have been looking at the user attributes and trying to determine how I can leverage some custom attributes for my different clients. Two things in particular stand out when I look at the user attributes:
>>
>> 1) there is no mapping/assignment of attributes per client
>> 2) there is no security assignment on the attributes (ex: what can be self-administered, what is read-only, what is visible to the client, etc)
>>
>> This becomes an issue when a user logs into the admin panel. Once he is logged in, he can essentially post a form with any attributes defined and these will automatically be persisted in the KeyCloak DB. While I'm not concerned about CSRF, I am concerned about a malicious user trying to explode my DB by submitting an extraneous number of attributes that KC will persist.
>>
>> Additionally, if I want to use a user attribute to specify some read-only information about a user, if the user knows the attribute name, he can override it via a form post. So essentially, I have no way to secure the attributes.
>>
>> In a similar vein, I am a bit taken aback that all attributes are associated to the user only and cannot be assigned to a client. I would like to be able to specify some client-specific attributes, and have KC automatically filter the attributes available to a client token accordingly. Is this not feasible?
>>
>> Are either of these functionalities implementable through some form of customization, or are they on the roadmap for a future version?
>>
>> Thanks,
>>
>> Eric

From ebenzacar at gmail.com Wed May 2 00:01:27 2018
From: ebenzacar at gmail.com (Eric B)
Date: Wed, 2 May 2018 00:01:27 -0400
Subject: [keycloak-user] User Attributes security and organization
In-Reply-To:
References: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>
Message-ID:

Thanks Lukasz,

Good point. I created a ticket here: https://issues.jboss.org/browse/KEYCLOAK-7271

This is a big security concern for me. It means that I can't use the attributes for anything that I would want to ensure don't get changed by a user. It also means that an attacker can use the attributes to spam the DB. I'll have to see if there is anything I can hack around the system.

Thanks,

Eric
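Eric's concern above (any attribute a user posts is persisted as-is, and a known attribute name can be overwritten) can at least be audited after the fact. The following is an added example, not code from the thread or from Keycloak: it checks a user list in the shape returned by GET /admin/realms/{realm}/users (UserRepresentation JSON, where "attributes" maps a name to a list of values) against an assumed allow-list, an assumed set of admin-only attributes with their authoritative values, and an assumed per-user attribute cap; all users and values are constructed.

```python
import json

# Assumed policy (not from the thread): attribute names a user may carry,
# names that only an administrator may set, and how many attributes one user
# may have before we treat it as attribute spam.
ALLOWED_ATTRIBUTES = {"language", "time_zone", "major_notification_channel"}
READ_ONLY_ATTRIBUTES = {"tenant_id"}
MAX_ATTRIBUTES_PER_USER = 10

# Constructed response in the shape of GET /admin/realms/{realm}/users:
# each UserRepresentation carries "attributes" as name -> list of values.
SAMPLE_USERS_JSON = json.dumps([
    {"id": "u-1", "username": "alice",
     "attributes": {"language": ["UK English"], "time_zone": ["GMT"]}},
    {"id": "u-2", "username": "bob",
     "attributes": {"language": ["UK English"], "tenant_id": ["acme"]}},
    {"id": "u-3", "username": "mallory",
     "attributes": {"junk_%02d" % i: ["x"] for i in range(25)}},
])

# Constructed authoritative values for the admin-only attributes, keyed by
# username; in practice these come from the system of record, not from Keycloak.
AUTHORITATIVE = {"bob": {"tenant_id": "globex"}}


def audit_users(users, authoritative):
    """Return findings as (username, code, detail) for every policy violation."""
    findings = []
    for user in users:
        name = user.get("username", "?")
        attrs = user.get("attributes") or {}
        # 1. Volume: a self-service form post can add any number of attributes.
        if len(attrs) > MAX_ATTRIBUTES_PER_USER:
            findings.append((name, "too_many_attributes", len(attrs)))
        # 2. Unknown names: anything outside the allow-list was not provisioned by us.
        unknown = sorted(set(attrs) - ALLOWED_ATTRIBUTES - READ_ONLY_ATTRIBUTES)
        if unknown:
            findings.append((name, "unexpected_attribute", unknown[:5]))
        # 3. Admin-only names: present but different from the authoritative value
        #    means the user (or someone holding the user's session) overwrote it.
        expected = authoritative.get(name, {})
        for attr in sorted(READ_ONLY_ATTRIBUTES):
            stored = attrs.get(attr, [])
            want = [expected[attr]] if attr in expected else []
            if stored and stored != want:
                findings.append((name, "read_only_tampered",
                                 {"stored": stored, "expected": want}))
    return findings


def sanitize(user, authoritative):
    """Build the attribute map to PUT back: only allowed names survive and
    admin-only names are reset to their authoritative values."""
    attrs = user.get("attributes") or {}
    clean = {k: v for k, v in attrs.items() if k in ALLOWED_ATTRIBUTES}
    for attr, value in authoritative.get(user.get("username"), {}).items():
        if attr in READ_ONLY_ATTRIBUTES:
            clean[attr] = [value]
    return clean


def run_audit():
    """Parse the sample response and return (findings, cleaned attribute maps)."""
    users = json.loads(SAMPLE_USERS_JSON)
    return audit_users(users, AUTHORITATIVE), [sanitize(u, AUTHORITATIVE) for u in users]


if __name__ == "__main__":
    findings, cleaned = run_audit()
    for finding in findings:
        print(finding)
    print(cleaned)
```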
From cheesiangcs at gmail.com Wed May 2 01:25:11 2018
From: cheesiangcs at gmail.com (CS CHONG)
Date: Wed, 2 May 2018 13:25:11 +0800
Subject: [keycloak-user] Configure granted consents to not persistent
Message-ID: <42589CB0-81F7-4E55-A633-B0D139DE9F12@gmail.com>

Hi,

Are we able to force user to confirm consent after every login? In other words, user will need to confirm consent for a particular client every time when they login.

I understand that Keycloak has introduced "Persistent grants" in release 1.2.0.CR1, which user doesn't need to confirm consent for particular client more times. I couldn't find any similar solutions from KC documentation, or KC forum.

I would greatly appreciate it if you kindly give me some hints.

Regards,
CS

From sr.misc at gmail.com Wed May 2 01:29:56 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Wed, 02 May 2018 05:29:56 +0000
Subject: [keycloak-user] Keycloak REST API (send-verify-email) using CURL
In-Reply-To:
References:
Message-ID:

Hi all,

I'm able to use master realm for invoking the REST APIs but any other Realm doesn't work. I have checked the roles and other settings. But it is still not working.

curl -d "client_id=admin-cli" -d "username=admin" -d "password=admin" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

curl -H "Authorization: Bearer eyJh........MY3g" "http://localhost:8080/auth/admin/realms/master/users"

above works

curl -d "client_id=admin-cli" -d "username=testuser1" -d "password=testpass1" -d "grant_type=password" "http://localhost:8080/auth/realms/testrealm/protocol/openid-connect/token"

curl -H "Authorization: Bearer eyJh........VIQz" "http://localhost:8080/auth/admin/realms/testrealm/users"

but with testrealm, it doesn't work.

any input?

Regards,
SR

On Fri, Apr 27, 2018 at 8:14 AM, Sachin Rastogi wrote:
> Hi all,
>
> I am trying to invoke Keycloak REST API (send-verify-email) from https://www.keycloak.org/docs-api/3.4/rest-api/index.html on Windows using CURL
>
> curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=admin-cli" -d "username=xxxxx" -d "password=xxxxx" -d "grant_type=password" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"
>
> I get the token from above request which I use in the following request as follows:
>
> curl -X PUT -H "Authorization: bearer eyJhb......f2jYzaA" http://localhost:8080/auth/admin/TestRealm/users/dummy1/send-verify-email
>
> Neither the user (dummy1) gets the verification email nor does the above request return any response. Please advise what am I doing wrong here.
>
> Regards,
> SR
>

From pinguwien at gmail.com Wed May 2 03:53:20 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 2 May 2018 09:53:20 +0200
Subject: [keycloak-user] Multiple User Storage Providers
In-Reply-To: <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org>
References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org> <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com> <450417951.9188272.1518187585618.JavaMail.zimbra@jlab.org> <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org>
Message-ID: <5188f408-be80-ccc2-81e7-c7b86283395e@gmail.com>

Hi Ryan,

here a few thoughts and suggestions from my side:

For a customer, I implemented a kc 3.4.3 custom user storage provider for his "old" applicationdb, together with 2 Kerberos-using ldap providers which I added via admin page. This works very well, so far, so what exactly does not work with your providers and priority?! Why is "only the first one used"?

What you mention in 3. is the "normal" way to go in keycloak (*). That said, there are several examples on github here: https://github.com/keycloak/keycloak/tree/master/examples which are a great starting point.

(*) Might have something to do with this: In the scenario I mentioned, it's possible that the usernames are not as unique as they should be. There's a john.doe in ldap1 and a john.doe in ldap2, different companies etc. So, keycloak's "normal" flow is: look in provider 1 -> username matches? great! Password matches? Nope! -> send error! We had the requirement to use a multi-password approach, which was quite easy to set up with a custom authenticator which does it like this: look in provider 1 -> username matches? great! password matches? nope! -> go over all the ldaps of the realm and search for same username -> yep, there's one -> match pw -> ok, login!

Feel free to reach out if that might be the problem.
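The two lookup orders Dominik describes, the default one (the first provider that knows the username decides) and his fall-through authenticator (after a password failure, try the same username in every remaining provider), as an added simulation that is neither Keycloak code nor Dominik's authenticator; the provider contents, Ryan's subset case, the colliding john.doe case and the per-provider failure counter are all constructed. It shows what the fall-through buys and what it costs: Ryan's department password now works, a colliding username in another provider is accepted on that provider's credentials, and one wrong guess is now recorded by every provider that holds the username.

```python
from dataclasses import dataclass, field


@dataclass
class Provider:
    """Stand-in for one user storage provider, listed in priority order.
    Constructed: username -> password, plus a per-provider failed-attempt
    counter, as a directory with its own lockout policy would keep."""
    name: str
    users: dict
    failed: dict = field(default_factory=dict)

    def verify(self, username, password):
        """None: username unknown here; True/False: known, password ok/not ok."""
        if username not in self.users:
            return None
        ok = self.users[username] == password
        if not ok:
            self.failed[username] = self.failed.get(username, 0) + 1
        return ok


def default_flow(providers, username, password):
    """Keycloak's normal behaviour as described in the thread: the first
    provider that knows the username decides, and its failure ends the attempt."""
    for p in providers:
        result = p.verify(username, password)
        if result is not None:
            return ("ok" if result else "fail", p.name)
    return ("unknown_user", None)


def fallthrough_flow(providers, username, password):
    """The multi-password authenticator: after a password failure, keep
    looking for the same username in the remaining providers and accept
    the first one whose password matches."""
    last_failed = None
    for p in providers:
        result = p.verify(username, password)
        if result:
            return ("ok", p.name)
        if result is False:
            last_failed = p.name
    return ("fail", last_failed) if last_failed else ("unknown_user", None)


def subset_realms():
    # Constructed version of Ryan's case: the department directory holds a
    # subset of the company's users, with a different password per person.
    return [Provider("DOMAIN.ORG", {"ryan": "company-pw"}),
            Provider("INTERNAL.DOMAIN.ORG", {"ryan": "dept-pw"})]


def colliding_realms():
    # Constructed version of Dominik's caveat: two unrelated people in two
    # directories who happen to share a username.
    return [Provider("ldap1", {"john.doe": "pw1"}),
            Provider("ldap2", {"john.doe": "pw2"})]


def run_scenarios():
    """Return the outcome of each scenario so the two flows can be compared."""
    out = {}
    # Ryan's subset case: the department password is rejected by the default
    # flow because DOMAIN.ORG answers first, but accepted with fall-through.
    out["subset_default"] = default_flow(subset_realms(), "ryan", "dept-pw")
    out["subset_fallthrough"] = fallthrough_flow(subset_realms(), "ryan", "dept-pw")
    # Collision: ldap2's john.doe logs in under a username ldap1 also owns,
    # so the authenticator must decide whose identity the session carries.
    out["collision_fallthrough"] = fallthrough_flow(colliding_realms(), "john.doe", "pw2")
    # Lockout budget: one wrong guess, counted per provider.
    d, f = colliding_realms(), colliding_realms()
    default_flow(d, "john.doe", "wrong")
    fallthrough_flow(f, "john.doe", "wrong")
    out["failed_counts_default"] = [p.failed.get("john.doe", 0) for p in d]
    out["failed_counts_fallthrough"] = [p.failed.get("john.doe", 0) for p in f]
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```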
From uo67113 at gmail.com Wed May 2 04:38:53 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 2 May 2018 10:38:53 +0200
Subject: [keycloak-user] Environment variable configuration for SAML general adapter config
Message-ID:

Hello there,

I can see that for the Java OpenID adapter [1] this is possible via env prefix, e.g. ${env.MY_ENVIRONMENT_VARIABLE}

On the other hand, for the SAML one [2] only system properties are allowed. Would it be feasible to implement it? Do you think that it would be worth opening a feature request for this [3]?

Thanks in advance,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_java_adapter_config
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-general-config
[3] https://issues.jboss.org/browse/KEYCLOAK

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From contact at pushrbx.net Wed May 2 05:05:07 2018
From: contact at pushrbx.net (Thomas)
Date: Wed, 02 May 2018 10:05:07 +0100
Subject: [keycloak-user] Question regarding User Client Role mapper
Message-ID: <16320191e26.cb022ab4434670.585568427534130062@pushrbx.net>

Hi all,

I have a question regarding the user client role mapper: How can I map the first role from the list of client roles to a field named "role" in the id token? I've got so far that I create a mapper, but it only returns a "[]" string. Obviously I've already mapped the user to some client roles before I tried to get the token.

Thanks,
Thomas

From eivind at jotta.no Wed May 2 05:15:09 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Wed, 2 May 2018 05:15:09 -0400
Subject: [keycloak-user] Client Registration performance
Message-ID:

Hello Keycloak Users!

We are planning on using the Client Registration flow for setting up clients on login. This is mainly to more clearly identify each individual device a user has logged in with.

Is there anyone using this feature in production with a large number of clients? With our current stats, we would probably end up with a few million clients by the end of the year.

1. Will this scale well with the way Keycloak works?
2. If a user loses their device, how should a full revoke & logout be performed?
3. Is there an alternative approach to give each user more control over their device and session?

Thanks,
Eivind Larsen

From stephen_montgomery at persistent.com Wed May 2 06:39:31 2018
From: stephen_montgomery at persistent.com (Stephen Montgomery)
Date: Wed, 2 May 2018 10:39:31 +0000
Subject: [keycloak-user] User Attribute Search
In-Reply-To: <603DAA1F-6E7C-4DA5-9D07-42A96D2B88F5@aepona.com>
References: <603DAA1F-6E7C-4DA5-9D07-42A96D2B88F5@aepona.com>
Message-ID: <8C9DFCB6-0363-4855-BB43-CC1865C5F8F1@persistent.co.in>

Hi,

I can see Keycloak has a GET /admin/realms/{realm}/users with a "search" query parameter that offers LIKE type query on username, first/last name, email attributes only - https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource.

We'd like to be able to search for users that have particular application-defined attributes (that we define as Keycloak user attributes - https://www.keycloak.org/docs/3.3/server_admin/topics/users/attributes.html) eg we have attributes for notifications/timezones etc:

critical_notification_channel   EMAIL##SMS
language                        UK English
major_notification_channel      EMAIL##SMS
minor_notification_channel      EMAIL##SMS
time_zone                       GMT

Is it possible to, eg, search for those users that have attributes major_notification_channel = "SMS" and in GMT timezone? If not, any plans to implement a change request to offer an enhanced query?

Thanks,
Stephen

From mposolda at redhat.com Wed May 2 06:54:43 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 May 2018 12:54:43 +0200
Subject: [keycloak-user] Multiple User Storage Providers
In-Reply-To: <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org>
References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org> <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com> <450417951.9188272.1518187585618.JavaMail.zimbra@jlab.org> <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org>
Message-ID: <3d7ffb95-31c1-063d-d494-bec93292ba79@redhat.com>

I don't have any good suggestion for it besides what you mentioned. Especially considering that Cross-Realm trust is not an option for you.

I think you should be able to achieve this, but you will need to do some customizations (maybe in both the default "browser" authentication flow, as you need to detect the correct identityProvider based on Kerberos realm and I am not sure if parameter "kc_idp_hint" is enough for your usecase, and also in the first-broker-login flow as I mentioned in the JIRA). Or with some tweaks on clients as you pointed out.

Marek
>> >> Thanks, >> >> Ryan >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICBA&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=9_qBWrxq5tF_Bbe0PAmmj-8rJvJEqkjkYTpziWQCTcU&s=jJplqt7pC9jx8uJECGPSSPspXnqit8NW_PCQsYQLpug&e= > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=ufW-OP9-MV3Q3mSloIGuJcHrBSGg7qKIebHqnDymvHw&s=6VMy3ja1363CkFlvHEdMpai2wE-QjiEQb3T7eh5nDNE&e= From ryans at jlab.org Wed May 2 10:41:36 2018 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 2 May 2018 10:41:36 -0400 (EDT) Subject: [keycloak-user] Multiple User Storage Providers In-Reply-To: <645209709.7544566.1525272071202.JavaMail.zimbra@jlab.org> References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org> <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com> <450417951.9188272.1518187585618.JavaMail.zimbra@jlab.org> <730244595.7249628.1525198755593.JavaMail.zimbra@jlab.org> <5188f408-be80-ccc2-81e7-c7b86283395e@gmail.com> Message-ID: <1895878794.7544780.1525272096881.JavaMail.zimbra@jlab.org> Hey Dominik, Now I understand: the multiple user storage providers is for when you have multiple database of **unique** usernames. In my case I have two databases and one is a subset of the other (100% duplicates) and there is a one-to-one match of usernames/email addresses. In other words the company has an LDAP database and the department has its own database with a subset of global users so we can enforce a separate unique password for some "special" systems. However, on the web either password should work. 
It sounds like the custom authenticator might be a good option. Would SPNEGO still work for either (the example doesn't show an API for dealing with that)? Thanks, Ryan ----- Original Message ----- From: "Dominik Guhr" To: "keycloak-user" Sent: Wednesday, May 2, 2018 3:53:20 AM Subject: Re: [keycloak-user] Multiple User Storage Providers Hi Ryan, here a few thoughts and suggestions from my side: For a customer, I implemented a kc 3.4.3 custom user storage provider for his "old" applicationdb, together with 2 Kerberos-using ldap providers which I added via admin page. This works very well, so-far, so what exactly does not work with your providers and priority?! Why is "only the first one used"? What you mention in 3., is the "normal" way to go in keycloak(*) That said, there are several examples on github here: https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_keycloak_tree_master_examples&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=bPuihQi6FebCvHuJGaT1rDWdzTD42bMpITuAcUq9ugI&s=rVRfGKour9FxxtowmX-BextsQy1Mftw7plhn2paK_44&e= which are a great starting point. (*) Might have something to do with this: In the scenario I mentioned, it's possible that the usernames are not as unique as they should be. There's a john.doe in ldap1 and a john.doe in ldap2, different companies etc.. So, keycloaks "normal" flow is: look in provider 1 -> username matches? great! Password matches? Nope! -> send error! we had the requirement to use a multi-password approach, which was quite easy to setup with a custom authenticator which does it like this: look in provider 1 -> username matches? great! password matches? nope! -> go over all the ldaps of the realm and search for same username -> yep, there's one -> match pw -> ok, login! Feel free to reach out if that might be the problem. 
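The fallback Dominik describes, written out as an added example (not his code and not from the thread): a Keycloak 3.4-style Authenticator that validates the password the normal way first and only on failure asks the realm's other user storage providers for the same username. Assumed: the 3.4.x SPI classes named in the imports, in particular UserStorageManager.getStorageProvider(session, realm, componentId) for obtaining a provider instance; the stock login form's "username"/"password" fields; fallback providers configured not to import users (a second import of the same username would collide with the local user already linked to the first provider); and the AuthenticatorFactory plus META-INF/services registration every authenticator needs, omitted here.

```java
package org.example.auth; // added example, not code from the thread; hypothetical package
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Username/password authenticator for a realm whose user storage providers hold the
 * SAME people with DIFFERENT passwords (the subset-directory case in the thread).
 * Step 1 is Keycloak's normal check against the provider the user is linked to;
 * step 2 asks each other provider for the same username and validates there.
 * Only safe when a username names the same person in every provider: if ldap1's
 * john.doe and ldap2's john.doe can differ, step 2 would log one in as the other,
 * so restrict the providers it consults (or do not use it) in that situation.
 */
public class MultiProviderPasswordAuthenticator implements Authenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Render the stock login form; the POST comes back through action().
        context.challenge(context.form().createLogin());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            fail(context, null);
            return;
        }
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        CredentialInput input = UserCredentialModel.password(password);
        // Step 1: the canonical (local/imported) user and the provider it is linked to.
        // setUser() itself throws for a disabled user, so no extra enabled check here.
        UserModel user = session.users().getUserByUsername(username, realm);
        if (user != null && session.userCredentialManager().isValid(realm, user, input)) {
            context.setUser(user);
            context.success();
            return;
        }
        // Step 2: same username in the realm's other providers, lowest priority number first.
        List<ComponentModel> providers = new ArrayList<>(
                realm.getComponents(realm.getId(), UserStorageProvider.class.getName()));
        providers.sort(Comparator.comparingInt(m -> new UserStorageProviderModel(m).getPriority()));
        for (ComponentModel model : providers) {
            if (user != null && model.getId().equals(user.getFederationLink())) {
                continue; // already covered by step 1
            }
            // Assumption: this static lookup is how 3.4.x hands out a provider instance by component id.
            UserStorageProvider provider = UserStorageManager.getStorageProvider(session, realm, model.getId());
            if (!(provider instanceof UserLookupProvider) || !(provider instanceof CredentialInputValidator)) {
                continue;
            }
            UserModel candidate = ((UserLookupProvider) provider).getUserByUsername(username, realm);
            CredentialInputValidator validator = (CredentialInputValidator) provider;
            if (candidate != null && validator.supportsCredentialType(CredentialModel.PASSWORD)
                    && validator.isValid(realm, candidate, input)) {
                // The session belongs to the canonical user, never to the fallback provider's copy.
                context.setUser(user != null ? user : candidate);
                context.success();
                return;
            }
        }
        fail(context, user);
    }

    // One generic error for every failure, so the response does not reveal which provider knew the name.
    private void fail(AuthenticationFlowContext context, UserModel user) {
        if (user != null) {
            context.getEvent().user(user); // attribute the failed attempt in the login event
        }
        context.getEvent().error(Errors.INVALID_USER_CREDENTIALS);
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                context.form().setError("invalidUserMessage").createLogin());
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Wire it into a copy of the browser flow in place of the stock Username Password Form execution; whether the Kerberos/SPNEGO execution ahead of it still serves both realms is a separate question the thread leaves open.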
From pkaimakis at omilia.com Wed May 2 11:52:45 2018
From: pkaimakis at omilia.com (Pavlos Kaimakis)
Date: Wed, 2 May 2018 18:52:45 +0300
Subject: [keycloak-user] Keycloak DB - field and table description
Message-ID: <76C55D96-B927-4D3F-8395-91AD98833201@omilia.com>

Hi there,

I've been trying (unfortunately in vain) to find in the documentation some information regarding the database the keycloak tool is using. More specifically, I am interested in finding:

a) a list of all the tables it contains along with a short description of what their purpose is and
b) what fields (columns) these tables have

Can anybody help me out with this or at least point me to a document outlining the above?

Thanks in advance
Pavlos

Pavlos Kaimakis
Systems Engineer | t: +30.2106930664 | e: pkaimakis at omilia.com | w: www.omilia.com

From teo.salv at gmail.com Wed May 2 12:46:16 2018
From: teo.salv at gmail.com (Matteo Salvetti)
Date: Wed, 2 May 2018 18:46:16 +0200
Subject: [keycloak-user] Can I pass a principal with rest template if I'm using an async task with Spring Boot and Keycloak?
Message-ID:

Hi all,

I'm using Spring Boot and Keycloak to develop a web-app. Then I wrote a scheduled task where I'm using the KeycloakRestTemplate to ask some data to another app, as you can see below:

    @Override
    @Scheduled(cron="0 50 09 * * MON-FRI")
    public void concludiCommessa() {
        try {
            FDto[] ftts = new ObjectMapper().readValue(restTemplate.getForEntity(URI.create(MY_URL), String.class).getBody(), FDto[].class);
            ..............................
        } catch (RestClientException | IOException e) {
        }
    }

If I run it on the server I have the following error:

    2018-04-18 09:50:00.067 ERROR 2503 --- [pool-8-thread-1] o.s.s.s.TaskUtils$LoggingErrorHandler : Unexpected error occurred in scheduled task.
    java.lang.IllegalStateException: Cannot set authorization header because there is no authenticated principal
        at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.getKeycloakSecurityContext(KeycloakClientRequestFactory.java:70) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
        at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.postProcessHttpRequest(KeycloakClientRequestFactory.java:55) ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final]
        at org.springframework.http.client.HttpComponentsClientHttpRequestFactory.createRequest(HttpComponentsClientHttpRequestFactory.java:207) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:85) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:656) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:636) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:336) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at it.edile.service.api.ApiServiceImpl.concludiCommessa(ApiServiceImpl.java:287) ~[classes/:0.0.1-SNAPSHOT]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_161]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_161]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_161]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_161]
        at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:65) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81) [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_161]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_161]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_161]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_161]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_161]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_161]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_161]

Why?

How can I pass a principal if I'm using an async task?

This is my security configuration:

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_SINGLETON)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

These are my keycloak properties:

    #######################################
    # KEYCLOAK #
    #######################################
    keycloak.realm=MY_REALM
    keycloak.auth-server-url=MY_URL/auth
    keycloak.ssl-required=external
    keycloak.resource=EdilGest
    keycloak.credentials.jwt.client-key-password=PWD
    keycloak.credentials.jwt.client-keystore-file=classpath:CLIENT.jks
    keycloak.credentials.jwt.client-keystore-password=PWD
    keycloak.use-resource-role-mappings=true
    keycloak.principal-attribute=preferred_username

I'm also trying to use the Service Account now, but it doesn't work at the moment... Reading here: https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts

I have to send a request like:

    POST /auth/realms/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials

to keycloak, but how can I send it using Spring? And how can I set the jks instead of client and secret?

My security configuration:

    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled=true)
    @KeycloakConfiguration
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        @Autowired
        public KeycloakClientRequestFactory keycloakClientRequestFactory;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);

            http
                .httpBasic()
                .disable();

            http
                .authorizeRequests()
                .antMatchers("/webjars/**").permitAll()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().hasAuthority("......")
                .and()
                .logout()
                .logoutUrl("/logout")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
                .permitAll()
                .logoutSuccessUrl(mux)
                .invalidateHttpSession(true);
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(keycloakAuthenticationProvider());
        }

        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        }

        @Bean
        @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
        public KeycloakRestTemplate keycloakRestTemplate() {
            return new KeycloakRestTemplate(keycloakClientRequestFactory);
        }

        @Bean
        public KeycloakConfigResolver keycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }

        @Bean
        public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter filter) {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Bean
        public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter filter) {
            FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
            registrationBean.setEnabled(false);
            return registrationBean;
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            web
                .ignoring()
                .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**", "/webjars/**");
        }
    }

If you want, please take a look here: https://stackoverflow.com/questions/49900124/can-i-pass-a-principal-with-rest-template-if-im-using-an-async-task-wiht-spring

From pinguwien at gmail.com Wed May 2 13:12:29 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 2 May 2018 19:12:29 +0200
Subject: [keycloak-user] Can I pass a principal with rest template if I'm using an async task with Spring Boot and Keycloak?
In-Reply-To:
References:
Message-ID: <95044467-8228-b8a5-013f-74c4e06cb3ee@gmail.com>

Hi Matteo,

to use @async etc. together with keycloak, you want to use another strategy for your securitycontextholder in spring. Spring uses a ThreadLocal SecurityContextHolder per default, which gets lost when you're executing an asynchronous task and thus spawn a new thread, by using @async, or @scheduled or s.th. similar.
For an example securityconfig, please have a look at my demo's config located here: https://github.com/Pinguwien/guestbook-backend/blob/master/src/main/java/de/codecentric/demo/guestbook/infrastructure/environment/spring/config/SecurityConfig.java my related blogposts are in german, the one regarding communication and @async is available at https://blog.codecentric.de/2017/09/keycloak-und-spring-security-teil-3-kommunikation-via-keycloakresttemplate/ I have it on my list for months now to translate them to english, but... well, work work work work work ;-) Hope that helps! Best regards, Dominik Am 02.05.18 um 18:46 schrieb Matteo Salvetti: > Hi all, > > I'm using Spring Boot and Keycloak to develop a web-app. Then I wrote a > scheduled task where I'm using the KeycloakRestTemplate to ask some data to > another app, as you can see below: > > @Override > @Scheduled(cron="0 50 09 * * MON-FRI") > public void concludiCommessa() { > > try { > FDto[] ftts = new > ObjectMapper().readValue(restTemplate.getForEntity(URI.create(MY_URL), > String.class).getBody(), FDto[].class); > > .............................. > } > } catch (RestClientException | IOException e) { > } > } > > If I run it on the server I have the following error: > > 2018-04-18 09:50:00.067 ERROR 2503 --- [pool-8-thread-1] > o.s.s.s.TaskUtils$LoggingErrorHandler : Unexpected error occurred > in scheduled task. 
> > java.lang.IllegalStateException: Cannot set authorization header > because there is no authenticated principal > at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.getKeycloakSecurityContext(KeycloakClientRequestFactory.java:70) > ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final] > at org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory.postProcessHttpRequest(KeycloakClientRequestFactory.java:55) > ~[keycloak-spring-security-adapter-3.4.2.Final.jar:3.4.2.Final] > at org.springframework.http.client.HttpComponentsClientHttpRequestFactory.createRequest(HttpComponentsClientHttpRequestFactory.java:207) > ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:85) > ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:656) > ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:636) > ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:336) > ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at it.edile.service.api.ApiServiceImpl.concludiCommessa(ApiServiceImpl.java:287) > ~[classes/:0.0.1-SNAPSHOT] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > ~[na:1.8.0_161] > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > ~[na:1.8.0_161] > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > ~[na:1.8.0_161] > at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_161] > at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:65) > ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at 
org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) > ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:81) > [spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE] > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [na:1.8.0_161] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_161] > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [na:1.8.0_161] > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [na:1.8.0_161] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [na:1.8.0_161] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [na:1.8.0_161] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_161] > > Why? > > How can I pass a principal if I'm using an async task? 
> > This is my security configuration: > > @Autowired > public void configureGlobal(AuthenticationManagerBuilder auth) { > auth.authenticationProvider(keycloakAuthenticationProvider()); > } > > @Bean > @Override > protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { > return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); > } > > @Bean > @Scope(ConfigurableBeanFactory.SCOPE_SINGLETON) > public KeycloakRestTemplate keycloakRestTemplate() { > return new KeycloakRestTemplate(keycloakClientRequestFactory); > } > > @Bean > public KeycloakConfigResolver keycloakConfigResolver() { > return new KeycloakSpringBootConfigResolver(); > } > > This is my keycloak properties: > > ####################################### > # KEYCLOAK # > ####################################### > keycloak.realm=MY_REALM > keycloak.auth-server-url=MY_URL/auth > keycloak.ssl-required=external > keycloak.resource=EdilGest > keycloak.credentials.jwt.client-key-password=PWD > keycloak.credentials.jwt.client-keystore-file=classpath:CLIENT.jks > keycloak.credentials.jwt.client-keystore-password=PWD > keycloak.use-resource-role-mappings=true > keycloak.principal-attribute=preferred_username > > I'm also trying to use the Service Account now, but it doesn't work at the > moment... Reading here: > https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts > > I have to send a request like: > > POST /auth/realms/demo/protocol/openid-connect/token > Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ= > Content-Type: application/x-www-form-urlencoded > > grant_type=client_credentials > > to keycloak, but how can I send it using Spring? and how can I set the jks > instead of client and secret? 
> > > My security config > > onfiguration > @EnableWebSecurity > @EnableGlobalMethodSecurity(prePostEnabled=true) > @KeycloakConfiguration > public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { > > @Autowired > public KeycloakClientRequestFactory keycloakClientRequestFactory; > > @Override > protected void configure(HttpSecurity http) throws Exception { > super.configure(http); > > http > .httpBasic() > .disable(); > > http > .authorizeRequests() > .antMatchers("/webjars/**").permitAll() > .antMatchers("/resources/**").permitAll() > .anyRequest().hasAuthority("......") > .and() > .logout() > .logoutUrl("/logout") > .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")) > .permitAll() > .logoutSuccessUrl(mux) > .invalidateHttpSession(true); > > } > > @Autowired > public void configureGlobal(AuthenticationManagerBuilder auth) { > auth.authenticationProvider(keycloakAuthenticationProvider()); > } > > @Bean > @Override > protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { > return new RegisterSessionAuthenticationStrategy(new > SessionRegistryImpl()); > } > > @Bean > @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE) > public KeycloakRestTemplate keycloakRestTemplate() { > return new KeycloakRestTemplate(keycloakClientRequestFactory); > } > > @Bean > public KeycloakConfigResolver keycloakConfigResolver() { > return new KeycloakSpringBootConfigResolver(); > } > > @Bean > public FilterRegistrationBean > keycloakAuthenticationProcessingFilterRegistrationBean(KeycloakAuthenticationProcessingFilter > filter) { > FilterRegistrationBean registrationBean = new > FilterRegistrationBean(filter); > registrationBean.setEnabled(false); > return registrationBean; > } > > @Bean > public FilterRegistrationBean > keycloakPreAuthActionsFilterRegistrationBean(KeycloakPreAuthActionsFilter > filter) { > FilterRegistrationBean registrationBean = new > FilterRegistrationBean(filter); > registrationBean.setEnabled(false); > return 
> registrationBean;
>     }
>
>     @Override
>     public void configure(WebSecurity web) throws Exception {
>         web
>             .ignoring()
>             .antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**", "/webjars/**");
>     }
>
> }
>
> If you want, please take a look here:
> https://stackoverflow.com/questions/49900124/can-i-pass-a-principal-with-rest-template-if-im-using-an-async-task-wiht-spring

From ryans at jlab.org Wed May 2 13:29:55 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 2 May 2018 13:29:55 -0400 (EDT)
Subject: [keycloak-user] Switch User enhancement - How best to modify Browser Flow
Message-ID: <679741364.7593479.1525282195144.JavaMail.zimbra@jlab.org>

Hi Keycloak Users,

I'm looking for suggestions on ways to configure a Keycloak realm to allow Kerberos SPNEGO, but at the same time also allow switching users. I've made some suggestions to the existing enhancement JIRA here:

https://issues.jboss.org/browse/KEYCLOAK-1727

I'd like to consider a "continue as $username" button in the event SPNEGO worked instead of automatically returning successful login. I'm looking at the Authentication API and Browser Flow docs:

https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi

Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm" Authenticator and assign it an Execution Requirement of "Required", and configure the Browser Login flow to include the new Authenticator after the Kerberos Execution, but before the Forms subflow. The logic in the new Authenticator might look like:

    if (SPNEGO worked) {
        // Show special form with button labeled "Continue as $username" beside a regular username/password form. This way user can choose to switch users or just continue as the OS user.
    } else {
        // Continue with regular form subflow as usual.
    }

Does the Authenticator API support this?

Thanks,

Ryan

From sthorger at redhat.com Wed May 2 13:56:21 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 May 2018 19:56:21 +0200
Subject: [keycloak-user] Keycloak 4.0.0.Beta2 released
Message-ID:

To download the release go to the Keycloak homepage.

Highlights

Pushed Claims
With pushed claims it is now possible for clients to push additional claims to have them used by policies when evaluating permissions.

Resource Attributes
It is now possible to define attributes on resources in order to have them used by policies when evaluating permissions.

Spring Boot 2 support
We now have support for Spring Boot 2.

Instagram identity provider
Thanks to hguerrero it is now easy to enable login with Instagram.

Slovak translation
Thanks to Joe32 we now have Slovak translations.

More...
The full list of resolved issues is available in JIRA.

Upgrading
Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.

From pinguwien at gmail.com Wed May 2 14:06:48 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 2 May 2018 20:06:48 +0200
Subject: [keycloak-user] Switch User enhancement - How best to modify Browser Flow
In-Reply-To: <679741364.7593479.1525282195144.JavaMail.zimbra@jlab.org>
References: <679741364.7593479.1525282195144.JavaMail.zimbra@jlab.org>
Message-ID: <728cd744-3c79-e147-2706-0482df13d6b3@gmail.com>

Hi Ryan,

we handled this with a specific querystring (&login=manual), which is checked by our custom authenticator and then stops the spnego login execution, so keycloak falls back to the normal browserform. Use-Case was simply "logout and login as another user", so we didn't want an extra interrupt of the auto-login process for convenience of most users. Instead, the user has to manually "log out" and then does not get automatically re-logged in as himself (as per spnego ticket), but can login as another user. But(!)
not important if you use your solution or something similar to mine, keep in mind that your spnego/kerberosticket is active in the whole(!) browser. So, when you have more than one tab with the same application or another one of the same realm open, 1 with autologin, 1 with a manually logged in other user, keycloak throws a already authenticated-exception ("you're logged in as another user...). We had this error coming up quite often in the dev-environments, which were all clients in one realm first. After a little talk here, I used one realm per environment (say local, dev, qa, ...) as a workaround. There's no simple fix from the keycloak side I think, because that's just the way the ticketing at spnego/kerberos works as how I understand. Best regards, Dominik Am 02.05.18 um 19:29 schrieb Ryan Slominski: > Hi Keycloak Users, > I'm looking for suggestions on ways to configure a Keycloak realm to allow Kerberos SPNEGO, but at the same time also allow switching users. I've made some suggestions to the existing enhancement JIRA here: > > https://issues.jboss.org/browse/KEYCLOAK-1727 > > I'd like to consider a "continue as $username" button in the event SPNEGO worked instead of automatically returning successful login. I'm looking at the Authentication API and Browser Flow docs: > > https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi > > Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm" Authenticator and assign it an Execution Requirement of "Required", and configure the Browser Login flow to include the new Authenticator after the Kerberos Execution, but before the Forms subflow. The logic in the new Authentictor might look like: > > if(SPNEGO worked) { > // Show special form with button labeled "Continue as $username" beside a regular username/password form. This way user can choose to switch users or just continue as the OS user. > else { > // Continue with regular form subflow as usual. 
> }
>
> Does the Authenticator API support this?
>
> Thanks,
>
> Ryan

From ebenzacar at gmail.com Wed May 2 14:25:56 2018
From: ebenzacar at gmail.com (Eric B)
Date: Wed, 2 May 2018 14:25:56 -0400
Subject: [keycloak-user] Enabling comments in a JSON file?
Message-ID:

I'd like to add comments to an adapter JSON configuration file to help document my configuration. However, Keycloak throws an exception when trying to parse the file:

    14:11:53,804 DEBUG [org.keycloak.adapters.jaas.BearerTokenLoginModule] (default task-15) Unable to find or parse file classpath:/keycloak.json due to com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/' (code 47)): maybe a (non-standard) comment? (not recognized as one since Feature 'ALLOW_COMMENTS' not enabled for parser)
     at [Source: java.util.zip.ZipFile$ZipFileInflaterInputStream@3f9359f3; line: 1, column: 2]: java.lang.RuntimeException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('/' (code 47)): maybe a (non-standard) comment? (not recognized as one since Feature 'ALLOW_COMMENTS' not enabled for parser)
     at [Source: java.util.zip.ZipFile$ZipFileInflaterInputStream@3f9359f3; line: 1, column: 2]
        at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:162)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:151)
        at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.resolveDeployment(AbstractKeycloakLoginModule.java:103)
        at org.keycloak.adapters.jaas.AbstractKeycloakLoginModule.initialize(AbstractKeycloakLoginModule.java:83)

Looking through the code, I see that the Keycloak JSON parser is created/defined as:

    org.keycloak.adapters.KeycloakDeploymentBuilder:

    public static AdapterConfig loadAdapterConfig(InputStream is) {
        ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
        mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
        AdapterConfig adapterConfig;
        try {
            adapterConfig = mapper.readValue(is, AdapterConfig.class);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return adapterConfig;
    }

Is there any way I can configure the mapper to allow comments? i.e. I'm looking to set:

    SystemPropertiesJsonParserFactory:enable(JsonParser.Feature.ALLOW_COMMENTS);

But without DependencyInjection, I'm not sure how I can override the factory definition cleanly, without having to resort to some ugly hacks (ex: AspectJ, etc). I'm guessing there might be a way to define a custom KeycloakDeploymentBuilder, but I can't figure out how to configure that (if it even exists). Is there any chance to override/modify these settings?
Thanks,

Eric

From rabdill at umn.edu Wed May 2 14:50:43 2018
From: rabdill at umn.edu (Richard Abdill)
Date: Wed, 2 May 2018 13:50:43 -0500
Subject: [keycloak-user] Prompting user to select "active" group
Message-ID:

Hi all, kind of a peculiar question for the group:

We currently have a login system set up with Keycloak in which users can successfully log in and have their group membership imported via SSSD. The unusual part is what needs to happen next: If a user is a member of multiple groups, we need to present a prompt for the user to select a single group to use for this particular session. For example, if a user is a member of groups "alpha," "secondary," and "seven," we want to ask them which group they're going to be "in" for this session, and then send along only *that* group in the assertion, rather than all of them, as it's doing now.

We're trying to figure out a way to accomplish this, and I thought it'd be best to check with the community to see if anyone has dealt with a similar issue or happened to know about a package that does something like this. I'm guessing a custom post-login flow is what's needed, but does anyone have any thoughts?

Best,
Rich

From ebenzacar at gmail.com Wed May 2 16:41:44 2018
From: ebenzacar at gmail.com (Eric B)
Date: Wed, 2 May 2018 16:41:44 -0400
Subject: [keycloak-user] Confused about backchannel logout with a Java adapter
Message-ID:

I was trying to understand the flow of a backchannel logout from my web application. I find the documentation confusing.

The documentation for logging out (https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html) says:

    You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri, which logs you out if you have an SSO session with your browser.

The documentation for the Admin URL configuration (https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration) says:

    For example the way backchannel logout works is:
    1. User sends logout request from one application
    2. The application sends logout request to Keycloak
    3. The Keycloak server invalidates the user session
    4. The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session
    5. When an application receives the logout request it invalidates the corresponding HTTP session

So from my understanding, either:

1. calling HttpServletRequest.logout() is supposed to magically send a request to Keycloak (obviously not possible).
2. a GET to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri should magically detect the clientId and send a request to the appropriate backchannel (doesn't happen either).

I've tried sending the GET to the logout endpoint with an access_token, but that doesn't make any difference either.

What am I misunderstanding from this documentation? How am I supposed to code the logout?

Thanks,

Eric

From jdennis at redhat.com Wed May 2 18:41:54 2018
From: jdennis at redhat.com (John Dennis)
Date: Wed, 2 May 2018 18:41:54 -0400
Subject: [keycloak-user] Enabling comments in a JSON file?
In-Reply-To:
References:
Message-ID: <174293bf-3cc4-6621-dd04-efe1f1af664c@redhat.com>

On 05/02/2018 02:25 PM, Eric B wrote:
> I'd like to add comments to an adapter JSON configuration file to help
> document my configuration. However, Keycloak throws an exception when
> trying to parse the file:

Which is correct, JSON does not allow comments.
-- John From ebenzacar at gmail.com Wed May 2 19:55:35 2018 From: ebenzacar at gmail.com (Eric B) Date: Wed, 02 May 2018 23:55:35 +0000 Subject: [keycloak-user] Enabling comments in a JSON file? In-Reply-To: <174293bf-3cc4-6621-dd04-efe1f1af664c@redhat.com> References: <174293bf-3cc4-6621-dd04-efe1f1af664c@redhat.com> Message-ID: On Wed, May 2, 2018, 6:41 PM John Dennis, wrote: > On 05/02/2018 02:25 PM, Eric B wrote: > > I'd like to add comments to an adapter JSON configuration file to help > > document my configuration. However, Keycloak throws an exception when > > trying to parse the file: > > Which is correct, JSON does not allow comments. I stand corrected then. Thanks for pointing that out John. I was under the impression that comments were allowed, hence the ability to enable them in the mapper. Thanks, Eric From lahari.guntha at tcs.com Thu May 3 01:30:10 2018 From: lahari.guntha at tcs.com (Lahari Guntha) Date: Thu, 3 May 2018 05:30:10 +0000 Subject: [keycloak-user] "An Unexpected Server Error occurs" when clicking on list Users Message-ID: <1525325410414.11826@tcs.com> Hi All, I am using Keycloak of version 3.3.0.Final. I have deployed keycloak as a container. I have LDAP integrated with my Keycloak. So I get all the users from LDAP. When I go to "Users" > "View All Users" It is throwing me an Error saying that "An unexpected Server Error has Occurred" [cid:6fd4b1a9-1df7-4d27-9e52-2497a5ed8fcc]? Did any one face the same Issue??? How can I resolve this Issue?? Thanks & Regards, Lahari. =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. 
If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you -------------- next part -------------- A non-text attachment was scrubbed... Name: pastedImage.png Type: image/png Size: 23977 bytes Desc: pastedImage.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180503/977c5743/attachment-0001.png From subodhcjoshi82 at gmail.com Thu May 3 02:23:47 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Thu, 3 May 2018 11:53:47 +0530 Subject: [keycloak-user] "An Unexpected Server Error occurs" when clicking on list Users In-Reply-To: <1525325410414.11826@tcs.com> References: <1525325410414.11826@tcs.com> Message-ID: Can you please check server.log file and tell the exact exception you are getting ? You can find server.log here -> *keycloak/standalone/log* On Thu, May 3, 2018 at 11:00 AM, Lahari Guntha wrote: > > > Hi All, > > > I am using Keycloak of version 3.3.0.Final. > > > I have deployed keycloak as a container. I have LDAP integrated with my > Keycloak. So I get all the users from LDAP. > > > > > When I go to "Users" > "View All Users" It is throwing me an Error saying > that > > > "An unexpected Server Error has Occurred" > > > > [cid:6fd4b1a9-1df7-4d27-9e52-2497a5ed8fcc]? > > > Did any one face the same Issue??? > > > How can I resolve this Issue?? > > > Thanks & Regards, > > Lahari. > > =====-----=====-----===== > Notice: The information contained in this e-mail > message and/or attachments to it may contain > confidential or privileged information. If you are > not the intended recipient, any dissemination, use, > review, distribution, printing or copying of the > information contained in this e-mail message > and/or attachments to it are strictly prohibited. 
If > you have received this communication in error, > please notify us by reply e-mail or telephone and > immediately and permanently delete the message > and any attachments. Thank you > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From lahari.guntha at tcs.com Thu May 3 02:52:52 2018 From: lahari.guntha at tcs.com (Lahari Guntha) Date: Thu, 3 May 2018 06:52:52 +0000 Subject: [keycloak-user] "An Unexpected Server Error occurs" when clicking on list Users In-Reply-To: References: <1525325410414.11826@tcs.com>, Message-ID: <1525330372635.12605@tcs.com> Hi Subodh, I got my Issue resolved. It was because of an Issue from LDAP configuration. "Bind Credential" was wrongly provided. When I have given the correct value for the "Bind Credential" then the issue got resolved. Thanks and Regards, Lahari G ________________________________ From: Subodh Joshi Sent: 03 May 2018 11:53 To: Lahari Guntha Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] "An Unexpected Server Error occurs" when clicking on list Users Can you please check server.log file and tell the exact exception you are getting ? You can find server.log here -> keycloak/standalone/log On Thu, May 3, 2018 at 11:00 AM, Lahari Guntha > wrote: Hi All, I am using Keycloak of version 3.3.0.Final. I have deployed keycloak as a container. I have LDAP integrated with my Keycloak. So I get all the users from LDAP. When I go to "Users" > "View All Users" It is throwing me an Error saying that "An unexpected Server Error has Occurred" [cid:6fd4b1a9-1df7-4d27-9e52-2497a5ed8fcc]? Did any one face the same Issue??? How can I resolve this Issue?? Thanks & Regards, Lahari.
=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From teo.salv at gmail.com Thu May 3 04:32:35 2018 From: teo.salv at gmail.com (Matteo Salvetti) Date: Thu, 3 May 2018 10:32:35 +0200 Subject: [keycloak-user] Help Communicate between apps with a scheduled task Message-ID: Hi all, I need to execute some code inside a scheduled task using Spring Boot. Inside this task I have to contact another web-app in order to retrieve some information. Both of them use Keycloak. The problem is that when that task starts, I have the error: Cannot set authorization header because there is no authenticated principal Why? How can I communicate between apps using Keycloak auth without doing a login? I mean, how can I run a task automatically? Because if I call that method manually it works Thank you! From uo67113 at gmail.com Thu May 3 06:20:08 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Thu, 3 May 2018 12:20:08 +0200 Subject: [keycloak-user] SAML2. Keycloak How to check if a user has been authenticated? In-Reply-To: References: Message-ID: Hello there, I could not see the forest but the trees.
Just simply ask the HttpSession for: ((org.keycloak.adapters.saml.SamlSession) session.getAttribute("org.keycloak.adapters.saml.SamlSession")).getPrincipal() Cheers, Luis 2018-04-30 19:26 GMT+02:00 Luis Rodríguez Fernández : > Hello there, > > I am using the SAML Java Servlet Filter adapter [1] (4.0.0.CR1-SNAPSHOT) > in apache tomcat 9 [2]. Is there a way to know if the user has been > authenticated? > > The thing is that the good and old HttpServletRequest.getUserPrincipal() > [3] returns the principal (SAMLPrincipal) when there is a > declared for the url-pattern that matches the request. > > The purpose of this is to implement the "anonymous navigation" in some of > our applications. Nowadays in some of our applications like this one > https://phonebook.cern.ch/phonebook we do something like this: > > 1. User can navigate through the application > > 2. Sign-in link redirects the user to /secure/sso triggering the > redirection to the IdP > > 3. The application makes use of the weblogic.security.Security.getCurrentSubject() > [4] to check if the user has been logged in. > > Any thoughts on this? > > Thanks in advance, > > Luis > > > [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter > > [2] https://tomcat.apache.org/download-90.cgi > > [3] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getUserPrincipal-- > > [4] https://docs.oracle.com/cd/E68505_01/wls/WLAPI/weblogic/security/Security.html#getCurrentSubject() > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett From eivind at jotta.no Thu May 3 09:01:44 2018 From: eivind at jotta.no (Eivind Larsen) Date: Thu, 3 May 2018 09:01:44 -0400 Subject: [keycloak-user] User session administration Message-ID: Hi Keycloak Users! We are setting up apps and services to use Keycloak for managing logins and sessions.
To let users manage their own devices and their login sessions, we want to display session information on our settings webpage (that we already have). I can see there is a session listing in the Keycloak Administration GUI, and I found the API call: GET /auth/admin/realms/{realmName}/users/{userId}/sessions Which should list all the sessions of the given user. This call seems to require some set of admin privileges, while ideally the user's token itself would have access to listing his/her _own_ sessions only, with the ability to revoke their own grants. Is there any way to do this with Keycloak? Best regards, Eivind Larsen From francky.vens at tpv-tech.com Thu May 3 10:01:05 2018 From: francky.vens at tpv-tech.com (Francky Vens) Date: Thu, 3 May 2018 14:01:05 +0000 Subject: [keycloak-user] Brute Force Detection Message-ID: <26682A067FC509428B94B106D13E7D412F94B99B@HUSZSEXBE001.tpvision.com> Hi, I have a question about how to visualize the brute force detection. Currently we are using the REST API command "get admin/realms/{realm}/attack-detection/brute-force/users/{userId}" In this command, {realm} and {userId} are mandatory attributes. Hence, you need to know the userId upfront before you can check if that user account is under attack or not. Is my interpretation correct? I find this strange. I would expect to get back a list of users who are under attack instead of having to check one by one. Or am I missing something? Current keycloak version: 3.4.3 Kind Regards, Francky From pkaimakis at omilia.com Thu May 3 11:18:16 2018 From: pkaimakis at omilia.com (Pavlos Kaimakis) Date: Thu, 3 May 2018 18:18:16 +0300 Subject: [keycloak-user] Keycloak DB - field and table description In-Reply-To: <1525343330.8800.1.camel@gmail.com> References: <76C55D96-B927-4D3F-8395-91AD98833201@omilia.com> <1525343330.8800.1.camel@gmail.com> Message-ID: Hello Domenico, Thanks for your prompt answer.
I suppose through the link you sent me I can put together a list of tables and columns of the database. Nonetheless, there's no description of what each table and its columns actually are and what purpose they serve (I would expect that to be a comment in the xml, but I'm afraid that isn't the case). If I'm not mistaken, you are saying this info is not available, right? If I am mistaken (I hope I am :) ), where can I find this or at least do you know whom I can contact? BRs Pavlos Kaimakis Systems Engineer | t: +30.2106930664 | e: pkaimakis at omilia.com | w: www.omilia.com > On 3 May 2018, at 13:28, Domenico Briganti wrote: > > Hi Pavlos, > you can start from https://github.com/keycloak/keycloak/tree/4.0.0.Beta1/model/jpa/src/main/resources/META-INF which contains all the Liquibase > instructions to create the database (you can also run only Liquibase to > create just the database). > I do not think more detailed documentation is present. > > Regards, > Domenico > > > > On Wed, 02/05/2018 at 18:52 +0300, Pavlos Kaimakis wrote: >> Hi there, >> >> I've been trying (unfortunately in vain) to find in the documentation >> some information regarding the database the keycloak tool is using. >> More specifically, I am interested in finding : >> a) a list of all the tables it contains along with a short description of >> what their purpose is and >> b) what fields (columns) these tables have >> >> Can anybody help me out with this or at least point me to a document >> outlining the above?
>> >> Thanks in advance >> >> Pavlos >> Pavlos Kaimakis >> Systems Engineer >>> t: +30.2106930664 >>> e: pkaimakis at omilia.com >>> w: www.omilia.com From triton.oidc at gmail.com Thu May 3 11:53:22 2018 From: triton.oidc at gmail.com (triton oidc) Date: Thu, 3 May 2018 15:53:22 +0000 Subject: [keycloak-user] Multiple audience from auth endpoint Message-ID: Hi, I saw a feature for KC to handle multiple audiences. https://issues.jboss.org/browse/KEYCLOAK-5791 I'd like to test this feature in my POC. I saw that I can use ScriptBasedOIDCProtocolMapper but didn't find any clear way to do it. Currently when I ask for a code the first query looks like: https://imyserver:9443/auth/realms/GreenAirlines/protocol/openid-connect/auth?client_id=greenairlines-secure&redirect_uri=https://mywebapp/callback&response_type=code&scope=openid email profile By default the audience equals the clientID Is there a parameter that I can add in the query to ask for an additional audience? If the documentation was somewhere and I didn't find it, I'm really sorry Thanks for any tips Amaury From polochepu at gmail.com Thu May 3 12:09:49 2018 From: polochepu at gmail.com (paolo lizarazu) Date: Thu, 03 May 2018 16:09:49 +0000 Subject: [keycloak-user] Keycloak DB - field and table description In-Reply-To: References: <76C55D96-B927-4D3F-8395-91AD98833201@omilia.com> <1525343330.8800.1.camel@gmail.com> Message-ID: well I think you can find all the information about the tables and their columns but no descriptions about the purpose of each one. On Thu, 3 May 2018 at 11:23, Pavlos Kaimakis <pkaimakis at omilia.com> wrote: > Hello Domenico, > > Thanks for your prompt answer.
I suppose through the link you sent me I > can put together a list of tables and columns of the database. > Nonetheless, there's no description of what each table and its columns > actually are and what purpose they serve (I would expect that to be a > comment in the xml, but I'm afraid that isn't the case). > If I'm not mistaken, you are saying this info is not available, right? > If I am mistaken (I hope I am :) ), where can I find this or at least do > you know whom I can contact? > > BRs > > Pavlos Kaimakis > Systems Engineer > | t: +30.2106930664 > | e: pkaimakis at omilia.com > | w: www.omilia.com > > > On 3 May 2018, at 13:28, Domenico Briganti > wrote: > > > > Hi Pavlos, > > you can start from https://github.com/keycloak/keycloak/tree/4.0.0.Beta1/model/jpa/src/main/resources/META-INF which contains all the Liquibase > > instructions to create the database (you can also run only Liquibase to > > create just the database). > > I do not think more detailed documentation is present. > > > > Regards, > > Domenico > > > > On Wed, 02/05/2018 at 18:52 +0300, Pavlos Kaimakis wrote: > >> Hi there, > >> > >> I've been trying (unfortunately in vain) to find in the documentation > >> some information regarding the database the keycloak tool is using. > >> More specifically, I am interested in finding : > >> a) a list of all the tables it contains along with a short description of > >> what their purpose is and > >> b) what fields (columns) these tables have > >> > >> Can anybody help me out with this or at least point me to a document > >> outlining the above?
> >> > >> Thanks in advance > >> > >> Pavlos > >> Pavlos Kaimakis > >> Systems Engineer > >>> t: +30.2106930664 > >>> e: pkaimakis at omilia.com > >>> w: www.omilia.com From c.majeri at gmail.com Fri May 4 02:51:52 2018 From: c.majeri at gmail.com (Chervine Majeri) Date: Fri, 04 May 2018 06:51:52 +0000 Subject: [keycloak-user] Swagger json reference Message-ID: Hello keycloak users, I can't figure out how to generate the swagger json files that are mentioned there: https://blog.keycloak.org/2015/09/having-fun-with-rest-api-documentation.html I tried running that specific goal multiple times, but it always only gives me HTML. Swagger output would be more useful for writing my own clients in various languages, and more comfortable than parsing through HTML. Does anyone know how to get it? Thanks. From Manfred.Schenk at iosb.fraunhofer.de Fri May 4 05:52:03 2018 From: Manfred.Schenk at iosb.fraunhofer.de (Schenk, Manfred) Date: Fri, 4 May 2018 09:52:03 +0000 Subject: [keycloak-user] Confused about backchannel logout with a Java adapter In-Reply-To: References: Message-ID: My understanding is: From the viewpoint of the Web-Application it would be sufficient to call HttpServletRequest.logout(). But since this Web-Application is running within an SSO environment it would be nice to also inform the SSO provider about the logout. The provider will then distribute this logout event to all registered clients. So you have to do several things in your web-application: 1) provide some UI-interface for logout (e.g.
a Logout Button) 2) this UI-Interface should call HttpServletRequest.logout() (to end the session in the current web-application) and also signal the logout to the SSO provider. 3) The web-application should handle incoming logout requests from the SSO-provider (user has logged out within another application) by calling HttpServletRequest.logout() to end the current session The confusion might be that two different aspects of logout are mixed here: the logout of the local session and the logout signalling of the SSO-session. I hope I explained it correctly. Regards, Manfred -- Manfred Schenk, Fraunhofer IOSB Informationsmanagement und Leittechnik Fraunhoferstraße 1, 76131 Karlsruhe, Germany Phone +49 721 6091-391 mailto:Manfred.Schenk at iosb.fraunhofer.de http://www.iosb.fraunhofer.de -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On behalf of Eric B Sent: Wednesday, 2 May 2018 22:42 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Confused about backchannel logout with a Java adapter I was trying to understand the flow of a backchannel logout from my web application. I find the documentation confusing. The documentation for logging out ( https://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/logout.html ) says: You can log out of a web application in multiple ways. For Java EE servlet containers, you can call HttpServletRequest.logout(). For other browser applications, you can redirect the browser to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri, which logs you out if you have an SSO session with your browser. The documentation for the Admin URL configuration ( https://www.keycloak.org/docs/3.4/securing_apps/#admin-url-configuration) says: For example the way backchannel logout works is: 1. User sends logout request from one application 2. The application sends logout request to Keycloak 3. The Keycloak server invalidates the user session 4.
The Keycloak server then sends a backchannel request to application with an admin url that are associated with the session 5. When an application receives the logout request it invalidates the corresponding HTTP session So from my understanding, either: 1. calling HttpServletRequest.logout() is supposed to magically send a request to Keycloak (obviously not possible). 2. a GET to http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri should magically detect the clientId and send a request to the appropriate backchannel (doesn't happen either). I've tried sending the GET to the logout endpoint with an access_token, but that doesn't make any difference either. What am I misunderstanding from this documentation? How am I supposed to code the logout? Thanks, Eric From nicocsgamer at gmail.com Fri May 4 05:59:34 2018 From: nicocsgamer at gmail.com (Nicolas Buisson) Date: Fri, 4 May 2018 11:59:34 +0200 Subject: [keycloak-user] Hardware sizing Message-ID: Hi, I would like to estimate the hardware requirements for a production cluster. I'm planning to deploy the cluster over AWS on two Availability zones (DC). The topology consists of a load balancer, 2 VMs for the Keycloak cluster, 2 VMs for the Infinispan cluster, and 1 AWS RDS instance running MySQL/PostgreSQL. In terms of figures I'm expecting to store 300k active users, and a load of around 2 sign-ins/s at peak. I did some research but only found the minimal hardware requirements in the official documentation or unrelated/vague benchmarks. Regards, Nicolas.
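Manfred's split in the logout thread above (ending the local session versus signalling the SSO session) can be written as one servlet, shown here as an added example in Java; it is not code from the thread, from Eric's application or from the Keycloak project. It assumes the Keycloak servlet adapter is installed in the container, so that the server's backchannel call to the application's Admin URL (step 4 of the quoted documentation, Manfred's point 3) is answered by the adapter rather than by application code; AUTH_SERVER_URL, REALM and LANDING_PAGE are placeholders that a real deployment would take from its adapter configuration.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: a logout endpoint that covers both aspects of logout in an
 * SSO deployment. The incoming backchannel logout at the Admin URL is assumed
 * to be handled by the Keycloak servlet adapter, not by this class.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Placeholders for this example; a real application reads these from its
    // adapter configuration (keycloak.json) rather than hard-coding them.
    private static final String AUTH_SERVER_URL = "https://auth.example.com/auth";
    private static final String REALM = "demo";
    private static final String LANDING_PAGE = "/index.html";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Aspect 1, the local session: drop the authenticated principal for this
        // web application and discard any state cached in the HTTP session.
        req.logout();
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Aspect 2, the SSO session: send the browser (which carries the SSO
        // cookie) to the realm's logout endpoint so the server can end the SSO
        // session and fan out backchannel logouts to the other clients in it.
        StringBuffer requestUrl = req.getRequestURL();
        String base = requestUrl.substring(0, requestUrl.length() - req.getRequestURI().length());
        String landing = base + req.getContextPath() + LANDING_PAGE;
        String logoutUrl = AUTH_SERVER_URL + "/realms/" + REALM
                + "/protocol/openid-connect/logout?redirect_uri="
                + URLEncoder.encode(landing, StandardCharsets.UTF_8.name());
        resp.sendRedirect(logoutUrl);
    }

    // Logout is a state-changing action: accept it only via POST from the
    // application's own form, so a link or image on a third-party page
    // cannot log the user out (a GET logout is a CSRF target).
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }
}
```

The redirect_uri has to match one of the client's registered Valid Redirect URIs or the realm's logout endpoint rejects it, and the endpoint is reached through the browser rather than server-to-server because, as the quoted documentation says, it acts on the SSO session the browser holds.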
From madaras_adrian at yahoo.com Fri May 4 07:09:44 2018 From: madaras_adrian at yahoo.com (Adrian Madaras) Date: Fri, 4 May 2018 11:09:44 +0000 (UTC) Subject: [keycloak-user] OpenId logout not working as it should References: <1118267359.4203146.1525432184463.ref@mail.yahoo.com> Message-ID: <1118267359.4203146.1525432184463@mail.yahoo.com> Hi Keycloak team, We have been using Keycloak 3.4.3.Final for a while now with both SAML and OpenId clients. We have encountered a possible bug in your code and we need advice from your side on how to proceed. The problem occurs if we are logged in to multiple SAML and OpenId clients and we want to log out from 1 OpenId client. The following happens:
1. Authenticate against a SAML client
2. Authenticate against an OpenId Client
3. The SAML client has "Logout Service POST Binding URL" and "Logout Service Redirect Binding URL" configured with a link -> this is a business requirement from our customers as their clients do not send a redirect url in the SAML Logout Request
4. Logout from the OpenId Client with the correct redirect url for that OpenId Client -> at this point we are being redirected to the SAML Client page (one from previously logged in) and NO logout happens.
The desired solution is to be logged out from all clients and redirected to the link that we specify in the redirect_uri of the auth/realms//protocol/openid-connect/logout request. Thanks, Adrian From blaz.divjak at 3fs.si Fri May 4 08:13:58 2018 From: blaz.divjak at 3fs.si (Blaž Divjak) Date: Fri, 4 May 2018 14:13:58 +0200 Subject: [keycloak-user] User data export Message-ID: Hi, In order to comply with GDPR regulations in 2018 a user has to have an option to export his user data. How did you tackle this in Keycloak? Is there a way to export all user data in Keycloak? Keycloak's admin REST API offers the required functionality but can the same be achieved with the user's credentials?
Best regards, Blaz From contact at pushrbx.net Fri May 4 08:49:10 2018 From: contact at pushrbx.net (Thomas) Date: Fri, 04 May 2018 13:49:10 +0100 Subject: [keycloak-user] Question regarding User Client Role mapper In-Reply-To: <16320191e26.cb022ab4434670.585568427534130062@pushrbx.net> References: <16320191e26.cb022ab4434670.585568427534130062@pushrbx.net> Message-ID: <1632b32f641.b5fd233f290520.2367868236662788163@pushrbx.net> Hi, I've solved this issue on my own, with trial and error and reading the source code of keycloak on github. The solution is a script mapper with the following javascript code (feel free to mod it):

    function logic() {
        var f = realm.getClients();
        var currentClient = null;
        for (var i = 0; i < f.size(); i++) {
            // here replace rolemaptest with your client name.
            if (f.get(i).getClientId() == "rolemaptest") {
                currentClient = f.get(i);
                break;
            }
        }
        if (currentClient === null) {
            return "cant find current client";
        }
        // getClientRoleMappings returns a Set object which needs to be converted
        // to an array. Otherwise it just returns a list of nulls, dunno why
        var userRolesInClient = user.getClientRoleMappings(currentClient).toArray();
        //var userRolesInClient = user.getRoleMappings().toArray();
        if (userRolesInClient.length === 0) {
            return "";
        }
        return userRolesInClient[0].getName();
    }
    logic()

Cheers, Thomas ---- On Wed, 02 May 2018 10:05:07 +0100 Thomas <contact at pushrbx.net> wrote ---- Hi all, I have a question regarding the user client role mapper: How can I map the first role from the list of client roles to a field named "role" in the id token? I've got that far that I create a mapper but it only returns a "[]" string. Obviously I've already mapped the user to some client roles before I tried to get the token.
Thanks, Thomas From valsarajpv at gmail.com Fri May 4 09:34:37 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 4 May 2018 19:04:37 +0530 Subject: [keycloak-user] Help problem with Bad request Message-ID: Hi, When the user clicks login, they are redirected to the Keycloak login page & then after successful login, the user comes back to the application with a 400 error page. The server log shows the following: > [Server:node-00] 13:40:00,709 WARN > [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-30) state > parameter invalid My application conf is: demo app true http://localhost:8180/auth EXTERNAL The application URL is https://localhost:8443/app & the redirect_url is https://localhost:8443/app/private.jsf. When I use http, it works. But the error comes when I use the same with https. Any thoughts? Thanks, Valsaraj Viswanathan From adrien.desbiaux at gmail.com Fri May 4 10:55:50 2018 From: adrien.desbiaux at gmail.com (Adrien Desbiaux) Date: Fri, 04 May 2018 14:55:50 +0000 Subject: [keycloak-user] Error with Infinispan Message-ID: Hello there, I am not a pro in Java nor in all the JBoss tools :/ But I just followed the tutorial on how to set up Infinispan and KC and I end up having this error: Caused by: java.lang.ClassNotFoundException: org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory from [Module "org.wildfly.clustering.service" from local module loader @7a0ac6e3 (finder: local module finder @71be98f5 (roots: /opt/jboss/keycloak-3.4.3.Final/modules,/opt/jboss/keycloak-3.4.3.Final/modules/system/layers/keycloak,/opt/jboss/keycloak-3.4.3.Final/modules/system/layers/base))] My Infinispan cluster is up, everything looks fine on its side via the admin console. I am running KC and Infinispan in Domain mode. Do you have any thoughts on what could be the reasons for the class to not be found?
Thanks in advance for your direction. Cheers, From yuriy.yunikov at verygood.systems Fri May 4 08:40:49 2018 From: yuriy.yunikov at verygood.systems (Yuriy Yunikov) Date: Fri, 04 May 2018 12:40:49 +0000 Subject: [keycloak-user] Accounts linking on multiple identity providers returns "Invalid username or password" Message-ID: In our setup we have 2 identity providers set up (further I refer to them as *custom_idp* and *google*); *custom_idp* is the default one and has the browser authentication "Identity Provider Redirector" set. The goal is the following: - When the user is logged in via *custom_idp*, KeyCloak should authenticate the user successfully - When the user is logged in via *google*, KeyCloak should link the existing account created with *custom_idp* and just add another identity provider to the user. After that the user should be authenticated successfully. Considering that the user is already created in *custom_idp*, login via *google* with the option *kc_idp_hint=google* gives an error "Invalid username or password". Here is the debug log from the server: [org.keycloak.broker.oidc.OIDCIdentityProvider] (default task-7) GOOGLE userInfoUrl: https://www.googleapis.com/plus/v1/people/me/openIdConnect 2018-05-04 11:23:15,589 DEBUG [org.keycloak.social.user_profile_dump] (default task-7) User Profile JSON Data for provider google: {...} ... [org.keycloak.services.resources.IdentityBrokerService] (default task-7) Federated user not found for provider 'google' and broker username 'yuriy.yunikov at test' . Redirecting to flow for firstBrokerLogin 2018-05-04 11:23:15,593 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-7) RESET FLOW ...
2018-05-04 11:23:15,804 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-12) execution is processed 2018-05-04 11:23:15,805 WARN [org.keycloak.services] (default task-12) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:856) at org.keycloak.keycloak-services//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722) at org.keycloak.keycloak-services//org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:286) Here is the line which specifies what is happening: "Federated user not found for provider 'google' and broker username 'yuriy.yunikov at test' . Redirecting to flow for firstBrokerLogin" With the configuration added as an attachment I expect KeyCloak to link the accounts and log in, however this isn't happening. I've tried to switch the IDPs vice versa, and tried to reproduce it the opposite way, but it's still the same issue, so it doesn't look like an IDP configuration issue to me. I've seen this issue happen to other users but there is no solution to fix it: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Force-Keycloak-to-use-external-IdP-as-authentication-mechanism-td2747.html Please let me know if I'm wrong, but this doesn't look like correct behavior to me. Any ideas? -------------- next part -------------- A non-text attachment was scrubbed... Name: idp_config.png Type: image/png Size: 170216 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180504/f4acc574/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed...
Name: first_broker_login.png
Type: image/png
Size: 245075 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180504/f4acc574/attachment-0003.png

From lapth82 at gmail.com Sat May 5 04:50:24 2018
From: lapth82 at gmail.com (Lap Tran)
Date: Sat, 5 May 2018 15:50:24 +0700
Subject: [keycloak-user] KeyCloak integrate with external Idp get an infinity loop.

Hi,

I am integrating OpenAM 10.1 with Keycloak 3.4.3. I used SAML v2 for this integration. My application and the Keycloak SAML adapter are deployed on WildFly 11. The integration does not work as I expected; please see the steps below:

1) When I access my application for the first time, the Keycloak SAML adapter is triggered and brings me to the OpenAM login page.
2) I complete my login on the OpenAM login page.
3) The browser brings me back to my application after login; I see the SAML response sent back to my application (I debugged the Keycloak 3.4.3 code for this).
4) Keycloak analyzes that SAML response and then redirects to the first link (from step 1).

As I expected, after step 4 the browser should bring me back to the first link with authenticated status, and from then on I can access my application. But it does not work like that.

5) The browser brings me to the OpenAM IdP link again, but the login page is not displayed.
6) The browser brings me back to the application link again.

... and then I have an infinite loop of steps 5-6 from this point. It seems we have a bug in Keycloak for SAML integration. Any idea? Please share a workaround to fix this bug.

Regards,
Lap Tran
mailto:lapth82 at gmail.com

From valsarajpv at gmail.com Mon May 7 03:16:38 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 7 May 2018 12:46:38 +0530
Subject: [keycloak-user] Help problem with Bad request

Hi,

This issue only occurs if the connection is HTTPS. The same application works over HTTP. Are there any additional settings required if the application URL is HTTPS and the Keycloak URL is HTTP?

Thanks!
On Fri, May 4, 2018 at 7:04 PM, valsaraj pv wrote:
> Hi,
>
> When the user clicks login, they are redirected to the Keycloak login page and then after
> successful login, the user comes back to the application with a 400 error page.
> The server log shows the following:
>
>> [Server:node-00] 13:40:00,709 WARN [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-30) state parameter invalid
>
> My application conf is:
>
> demo
> app
> true
> http://localhost:8180/auth
> EXTERNAL
>
> The application URL is https://localhost:8443/app and the redirect_url is
> https://localhost:8443/app/private.jsf.
>
> When I use http, it works. But the error comes when I use the same with https.
> Any thoughts?
>
> Thanks,
>
> Valsaraj Viswanathan

-- 
Life is like this: "Just when we get all the answers of life.... God changes the question paper...."

Valsaraj Viswanathan

From valsarajpv at gmail.com Mon May 7 03:19:16 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 7 May 2018 12:49:16 +0530
Subject: [keycloak-user] Principal name is showing different after switching to KC

Hi,

UserPrincipal.getName shows something like cb3634be-e0e1-479e-aec9-0cb38c8a0468 after switching to Keycloak. The LDAP uid was shown when we were using LDAP. After syncing users from LDAP to KC, when the application code checks the user principal name, it shows this.

Any thoughts?

Thanks,
Valsaraj Viswanathan

From lahari.guntha at tcs.com Mon May 7 06:21:34 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Mon, 7 May 2018 10:21:34 +0000
Subject: [keycloak-user] Group-Mapping
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com>
Message-ID: <1525688494185.73604@tcs.com>

Hi Simon,

Please find below the configuration on the LDAP side:

User DN: uid=test,ou=users,dc=example,dc=com
Group DN: cn=testgroup,ou=groups,dc=example,dc=com
While integrating JIRA with LDAP we have the below configuration:

[cid:1ef7f51c-9752-492f-b7b1-63f898a8f525]

Here the user groups are getting properly synced. For the configuration on the Keycloak side please find the attached screenshots. But still the groups are not syncing properly, i.e. whenever a user is added to a group in LDAP, that particular group the user is present in is not getting reflected in Keycloak. Could you please suggest what configuration we are missing?

Thanks and Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 10 April 2018 12:07
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

It's hard to tell you whether to change or not without knowing what your LDAP setup looks like. The next thing I would check is where the relationship between the user and the group is stored. Group and user will both have a membership attribute. Make sure you are selecting the correct membership LDAP attribute for the chosen DN.

On Tue, Apr 10, 2018 at 6:42 AM, Lahari Guntha wrote:

Hi Simon,

I have selected "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE" for my 'user groups retrieve strategy'. Using this, the user-group mapping is done only the first time, i.e. if the user is added to or removed from any group it is not getting reflected in Keycloak. I cannot select "LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY" because it is only suitable for Active Directory and we are using OpenLDAP. Should I change the configuration?

Thanks & Regards,
Lahari

________________________________
From: Simon Payne
Sent: 09 April 2018 20:50
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Have you checked that the 'user groups retrieve strategy' on the mapper's config is correct for your need? Otherwise it might only sync the first time and not when LDAP attributes etc. change.
On Tue, Apr 3, 2018 at 6:06 AM, Lahari Guntha wrote:

Hi All,

Could you please check the procedure I followed? What are the further changes to be done for the groups to sync into Keycloak?

Thanks & Regards,
Lahari G

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Lahari Guntha
Sent: 28 March 2018 10:34
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Hi Simon,

We have our Keycloak in standalone configuration. I have my Keycloak running as a Docker container. I logged into the container and manually changed the standalone.xml, and then restarted the server using the below command:

docker exec {CONTAINER} /opt/jboss/keycloak/bin/jboss-cli.sh --connect "reload"

I have all my users synced to Keycloak. Now I have an entry for a user "User1" in Keycloak. This user is not present in any group in LDAP. Now I added the user "User1" to one of the groups in LDAP. Since I have set the "Eviction rate", I should get the updated group that the user was recently added to in the Keycloak UI when I check the "Group Mappings" for that particular user. Why am I not able to see the groups that the user was added to even after setting the eviction time? Should I log into any of the applications that are integrated with SSO so that I get the user with their proper groups?

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 27 March 2018 14:13
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

If standalone-ha.xml is changed then a restart is necessary.

Simon.

On Tue, Mar 27, 2018 at 6:27 AM, Lahari Guntha wrote:

Hi,

Do we need to reload the Keycloak server after changing the standalone.xml?
Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 23 March 2018 20:40
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

If you are referring to the standard entry (I simply added the expiration value to the existing local-cache entry for users), then LRU means least recently used, so it will cache 10,000 users and evict the least recently used when the cache limit is reached. Obviously this will only evict users if you have greater than 10,000 in your system. So in my case I changed to the following: I simply added the expiration value to the existing local-cache entry for users, which will additionally expire entries after 20 minutes. The full explanation can be found here: https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem

On Fri, Mar 23, 2018 at 1:46 PM, Lahari Guntha wrote:

Hi,

Thanks Simon. Does setting "Cache Policy" to the "No Cache" option under "User Federation" make any sense in this case, as shown below?

[cid:69b609f1-3662-4933-b316-29896ba797fe]

Could someone explain the "Eviction" policy for the user cache? What exactly will happen?

Thanks & Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 16 March 2018 19:06
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Hi, we recently experienced something similar and found it to be the user cache. There is a setting in the LDAP config which allows you to specify the cache value; however, I found this to take no effect and eventually set a hard eviction rate in the configuration in the standalone-ha.xml for the user cache.

On Fri, Mar 16, 2018 at 11:48 AM, Lahari Guntha wrote:

Hi All,

We are using Keycloak version 3.3.0.CR2. I have my Keycloak integrated with LDAP. I have configured many applications to have SSO with Keycloak. I have done all the configuration to have LDAP integration with Keycloak.
I have also configured group mappers so that groups from LDAP are also synced to LDAP.

e.g.:
Users in LDAP: "user1"
Groups in LDAP: "group1", "group2"

When I log into one of my applications that is configured to have SSO with Keycloak as user "user1", who is present in group "group1", that user entry gets shown on the Keycloak UI page and we can also see the groups mapped to it. Now I add the user "user1" into another group "group2". But now the newly added group is not reflected when I click on User > Group Mapping. Why is this happening? What is the solution to continuously and automatically sync the users with the groups they are present in / newly added to?

Thanks,
Lahari
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pastedImage.png
Type: image/png
Size: 20286 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180507/dc02c2f9/attachment-0001.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Keycloakldapconfig.JPG
Type: image/jpeg
Size: 70702 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180507/dc02c2f9/attachment-0002.jpe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloakldapconfig1.JPG
Type: image/jpeg
Size: 42708 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180507/dc02c2f9/attachment-0003.jpe

From uo67113 at gmail.com Mon May 7 07:50:09 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 7 May 2018 13:50:09 +0200
Subject: [keycloak-user] Principal name is showing different after switching to KC

Hello Valsaraj,

I am not sure what your scenario is. Me, I am using a client Java adapter [1] for my Tomcat applications. In my Keycloak configuration file I have something like:

This tells Keycloak which attribute to use for Principal.getName(). I guess that for your scenario there must be something equivalent.

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters-2

2018-05-07 9:19 GMT+02:00 valsaraj pv:
> Hi,
>
> UserPrincipal.getName showing cb3634be-e0e1-479e-aec9-0cb38c8a0468 like
> this after switching to Keycloak. LDAP uid was showing when we were using
> LDAP. After syncing users from LDAP to KC, when the application code checks
> user principal name, it shows this.
>
> Any thoughts?
>
> Thanks,
>
> Valsaraj Viswanathan

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From mwaki011 at gmail.com Mon May 7 08:28:07 2018
From: mwaki011 at gmail.com (Mike Wakim)
Date: Mon, 07 May 2018 12:28:07 +0000
Subject: [keycloak-user] Non-Ascii characters in email

Hello,

Keycloak currently doesn't allow users to have non-ASCII characters in their emails. Was this decision made to be compliant with a certain standard? If so, can you please let me know which one?
Is it possible to override this behavior and allow non-ASCII characters in emails?

Thank you,
Mike

From luke at code-house.org Mon May 7 09:07:06 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Mon, 7 May 2018 15:07:06 +0200
Subject: [keycloak-user] User Attributes security and organization
References: <6E660D0C-5D83-43FA-8C6E-B39EE5F8C1A9@code-house.org>

Hey Eric,

The issue you referred to doesn't exist. Can you check what happened? I would like to watch its progress too.

Cheers,
Lukasz

2018-05-02 6:01 GMT+02:00 Eric B:
> Thanks Lukasz,
>
> Good point. I created a ticket here:
> https://issues.jboss.org/browse/KEYCLOAK-7271
>
> This is a big security concern for me. It means that I can't use the
> attributes for anything that I would want to ensure doesn't get changed by a
> user. It also means that an attacker can use the attributes to spam the DB.
> I'll have to see if there is anything I can hack around the system.
>
> Thanks,
>
> Eric
>
> On Tue, May 1, 2018 at 5:19 PM, wrote:
>>
>> Hey Eric,
>> FormAction is one of the elements which can be plugged into the registration flow,
>> where the user enters their credentials and might also enter attributes. The default
>> theme from Keycloak does not allow specifying any attributes, but these
>> can still be appended with a sequence of cURL requests. The FormAction I
>> implemented allows controlling that.
>> After the user is registered and logged in, his actions are subject to other
>> elements in Keycloak which are not extensible at this moment.
>> From what I see, AccountRestService is still possible to exploit in the way
>> you described. There is no way to solve that with the existing SPI that I know of.
>>
>> I would suggest reporting that in JIRA. Without presence in the backlog it
>> will never get traction.
>>
>> Kind regards,
>> Lukasz
>>
>>
>> On 1 May 2018, at 04:51, Eric B wrote:
>>
>> Hi Lukasz,
>>
>> Thanks for the extension.
>> I took a quick look at it, and I think it
>> should be able to help me out. I wonder if I need to be concerned about
>> Keycloak API accesses that need to be secured as well, since your FormAction
>> is clearly a UI related thing. I haven't had a chance to look at the API
>> yet, however, and/or whether there is something I would need to do along that
>> line as well.
>>
>> Thanks!
>>
>> Eric
>>
>>
>> On Mon, Apr 30, 2018 at 11:00 AM, wrote:
>>>
>>> Hey Eric,
>>> Currently there is no validation nor extension in Keycloak itself which
>>> could control these things. I don't know Keycloak internals well enough to
>>> say if there is a way to configure that via federation or any other
>>> mechanism. Given that Keycloak keeps a copy of user records I would expect
>>> that some attributes are not backed by the federated system. In the end, the point
>>> of having Keycloak is sometimes to enrich the user model.
>>>
>>> I wrote a simple extension (FormAction) which can be plugged into the
>>> registration flow in order to build a blacklist/whitelist policy. You can
>>> check it out here:
>>> https://github.com/apifocal/apifocal-id/tree/master/keycloak/extension/attributes
>>> Feel free to submit issues on GitHub if you find any bug or gap to be
>>> filled in.
>>>
>>> Cheers,
>>> Lukasz
>>>
>>> On 20 Apr 2018, at 19:53, Eric B wrote:
>>>
>>> I just started working with Keycloak (3.4.3) and have been looking at the
>>> user attributes and trying to determine how I can leverage some custom
>>> attributes for my different clients. Two things in particular stand out
>>> when I look at the user attributes:
>>>
>>> 1) there is no mapping/assignment of attributes per client
>>> 2) there is no security assignment on the attributes (ex: what can be
>>> self-administered, what is read-only, what is visible to the client, etc.)
>>>
>>> This becomes an issue when a user logs into the admin panel.
>>> Once he is
>>> logged in, he can essentially post a form with any attributes defined and
>>> these will automatically be persisted in the Keycloak DB. While I'm not
>>> concerned about CSRF, I am concerned about a malicious user trying to
>>> explode my DB by submitting an extraneous number of attributes that KC will
>>> persist.
>>>
>>> Additionally, if I want to use a user attribute to specify some read-only
>>> information about a user, if the user knows the attribute name, he can
>>> override it via a form post. So essentially, I have no way to secure the
>>> attributes.
>>>
>>> In a similar vein, I am a bit taken aback that all attributes are
>>> associated to the user only and cannot be assigned to a client. I would
>>> like to be able to specify some client-specific attributes, and have KC
>>> automatically filter the attributes available to a client token
>>> accordingly. Is this not feasible?
>>>
>>> Are either of these functionalities implementable through some form of
>>> customization, or are they on the roadmap for a future version?
>>>
>>> Thanks,
>>>
>>> Eric

From valsarajpv at gmail.com Mon May 7 09:23:22 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 7 May 2018 18:53:22 +0530
Subject: [keycloak-user] Principal name is showing different after switching to KC

Hi Luis,

Thanks for the reply. I am using OpenID Connect for my client and there is nothing like this shown: https://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter. I am getting the principal name as the ID field that shows when you search in the KC admin page. Is there any way to get the name instead of the id (cb3634be-e0e1-479e-aec9-0cb38c8a0468)?

Thanks!
On Mon, May 7, 2018 at 5:20 PM, Luis Rodríguez Fernández wrote:
> Hello Valsaraj,
>
> I am not sure what your scenario is. Me, I am using a client java adapter
> [1] for my tomcat applications. In my keycloak configuration file I have
> something like:
>
> This tells keycloak which attribute to use for the Principal.getName(). I
> guess that for your scenario there must be something equivalent.
>
> Hope it helps,
>
> Luis
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters-2
>
> 2018-05-07 9:19 GMT+02:00 valsaraj pv:
>> Hi,
>>
>> UserPrincipal.getName showing cb3634be-e0e1-479e-aec9-0cb38c8a0468 like
>> this after switching to Keycloak. LDAP uid was showing when we were using
>> LDAP. After syncing users from LDAP to KC, when the application code checks
>> user principal name, it shows this.
>>
>> Any thoughts?
>>
>> Thanks,
>>
>> Valsaraj Viswanathan
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett

-- 
Life is like this: "Just when we get all the answers of life.... God changes the question paper...."

Valsaraj Viswanathan

From matthew.broadhead at nbmlaw.co.uk Tue May 8 06:01:28 2018
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Tue, 8 May 2018 12:01:28 +0200
Subject: [keycloak-user] run code at login
Message-ID: <1d04ecae-56de-f1f2-f3e9-f1cad798d929@nbmlaw.co.uk>

I am using TomEE 7.0.3. I am trying to execute code when the user first authenticates in order to log the IP address and username.
I tried implementing

@WebListener
public class SessionListener implements HttpSessionListener

but the session is created before the redirect to the login system, so KeycloakPrincipal is not available at that point.

From ntle at castortech.com Tue May 8 09:46:51 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 8 May 2018 09:46:51 -0400
Subject: [keycloak-user] KC 3.4.3 Final: Remove group from policy always failed with NPE

Hello,

I'm using the admin-client to remove a group from a group policy but it always fails with an NPE. Here is my code:

GroupRepresentation group = realm.groups().group(groupUuid).toRepresentation();
String policyUuid = groupPolicies.get(0).getId();
GroupPolicyResource polRes = client.authorization().policies().group().findById(policyUuid);
GroupPolicyRepresentation policy = polRes.toRepresentation();
policy.removeGroup(group.getPath()); // TODO: not sure why it always fails here with NPE
polRes.update(policy);

I'm using the test suite as a guideline:
https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/GroupPolicyManagementTest.java

Hope to get some help here.

Thai

From nicocsgamer at gmail.com Tue May 8 10:27:41 2018
From: nicocsgamer at gmail.com (Nicolas Buisson)
Date: Tue, 8 May 2018 16:27:41 +0200
Subject: [keycloak-user] GDPR

Hi,

Any information regarding compliance of Keycloak with GDPR?

Thanks,
Nicolas.

From okrasz_news at o2.pl Tue May 8 10:35:26 2018
From: okrasz_news at o2.pl (Marcin Okraszewski)
Date: Tue, 08 May 2018 14:35:26 +0000
Subject: [keycloak-user] Support for automatic IdP selection

Hi,

I went through the documentation and did a bit of experimenting, but I have trouble figuring out whether my use case would be doable with Keycloak. I need to authenticate some users with a password, but some with an external SAML IdP.
The decision whether to use an IdP, and which one, would need to be based on the domain of the email address (the email is the login). Is it possible to select the identity provider based on the domain of the user's email address?

When a user logs in with an external SAML IdP, I would like to assign the user's groups based on a SAML attribute value. Basically, this comes down to allowing a user to manage user-group assignment in their system, while group-role assignment would be within Keycloak. Is this supported by Keycloak?

We also use vanity domains to distinguish tenants (a user might have access to multiple tenants). We have tens of thousands of tenants. Is it possible to avoid registering an SP/client app for every single tenant (vanity domain)? I'm not bound to any SSO protocol here. OpenID Connect seems to be closest, as it allows wildcards in the path part of a client URL, but unfortunately not in the domain part.

Thank you for your help,
Marcin

From Enrique.Canocarballar at ge.com Tue May 8 10:49:03 2018
From: Enrique.Canocarballar at ge.com (Cano Carballar, Enrique (GE Power))
Date: Tue, 8 May 2018 14:49:03 +0000
Subject: [keycloak-user] GDPR

Just to clarify, software products are not GDPR compliant; companies and organisations are. But software products can be designed and developed with elements mentioned in the GDPR, such as security by default or security by design, in mind. This is to help companies and organisations be compliant with GDPR.

Regards
Enrique

On 08/05/2018, 15:27, "keycloak-user-bounces at lists.jboss.org on behalf of Nicolas Buisson" wrote:

    Hi,

    Any information regarding compliancy of Keycloak against GDPR?

    Thanks,
    Nicolas.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6150 bytes
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180508/96453ddb/attachment.bin

From psilva at redhat.com Tue May 8 11:56:23 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 8 May 2018 12:56:23 -0300
Subject: [keycloak-user] KC 3.4.3 Final: Remove group from policy always failed with NPE

Hi,

Could you open a JIRA and attach the stacktrace, please? Once you do that, I'll check what is happening.

Regards.
Pedro Igor

On Tue, May 8, 2018 at 10:46 AM, Nhut Thai Le wrote:
> Hello,
>
> I'm using the admin-client to remove a group from group policy but it
> always fail with NPE. Here is my code:
>
> GroupRepresentation group = realm.groups().group(groupUuid).toRepresentation();
> String policyUuid = groupPolicies.get(0).getId();
> GroupPolicyResource polRes = client.authorization().policies().group().findById(policyUuid);
> GroupPolicyRepresentation policy = polRes.toRepresentation();
> policy.removeGroup(group.getPath()); //TODO: not sure why it always fail here with NPE
> polRes.update(policy);
>
> I'm using the test suite as guideline:
> https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/GroupPolicyManagementTest.java
>
> Hope to get some help here.
>
> Thai

From ntle at castortech.com Tue May 8 12:33:26 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 8 May 2018 12:33:26 -0400
Subject: [keycloak-user] KC 3.4.3 Final: Remove group from policy always failed with NPE

I opened the ticket: https://issues.jboss.org/browse/KEYCLOAK-7322

Thai

On Tue, May 8, 2018 at 11:56 AM, Pedro Igor Silva wrote:
> Hi,
>
> Could you open a JIRA and attach the stacktrace, please? Once you do
> that, I'll check what is happening.
>
> Regards.
> Pedro Igor
>
> On Tue, May 8, 2018 at 10:46 AM, Nhut Thai Le wrote:
>
>> Hello,
>>
>> I'm using the admin-client to remove a group from group policy but it
>> always fail with NPE. Here is my code:
>>
>> GroupRepresentation group = realm.groups().group(groupUuid).toRepresentation();
>> String policyUuid = groupPolicies.get(0).getId();
>> GroupPolicyResource polRes = client.authorization().policies().group().findById(policyUuid);
>> GroupPolicyRepresentation policy = polRes.toRepresentation();
>> policy.removeGroup(group.getPath()); //TODO: not sure why it always fail here with NPE
>> polRes.update(policy);
>>
>> I'm using the test suite as guideline:
>> https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/GroupPolicyManagementTest.java
>>
>> Hope to get some help here.
>>
>> Thai

-- 
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

From sr.misc at gmail.com Tue May 8 13:20:10 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Tue, 8 May 2018 19:20:10 +0200
Subject: [keycloak-user] Keycloak freezes for more than 40 seconds after checking state cookie

Hi all,

We are using Keycloak 3.4.3 on Windows 10. We are using a user created in the Keycloak database. But after providing the login credentials, Keycloak freezes for more than 40 seconds at the following points.
2018-05-08 19:11:24.679 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : checking state cookie for after code
2018-05-08 19:11:24.679 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : ** reseting application state cookie
2018-05-08 19:12:10.775 DEBUG 15900 --- [0.0-8445-exec-5] o.k.adapters.OAuthRequestAuthenticator : Verifying tokens

Keycloak and the browser are both local. Please advise what could be the potential cause for this freeze. Also, is there any performance optimization guide for Keycloak? Please guide.

Regards,
SR

From palermo at pobox.com Tue May 8 15:33:52 2018
From: palermo at pobox.com (Bruno Palermo)
Date: Tue, 8 May 2018 16:33:52 -0300
Subject: [keycloak-user] Custom registration attributes
Message-ID: <05eb01d3e703$80862730$81927590$@pobox.com>

Hi,

I would like to track the source of users using user attributes.

Is it possible to pass query parameters like utm_source, utm_medium, utm_campaign and add them as custom attributes?

How can I access query parameters in a custom provider?

Thanks,
Bruno

From jonas.matser at knmi.nl Wed May 9 04:10:17 2018
From: jonas.matser at knmi.nl (Matser, Jonas (KNMI))
Date: Wed, 9 May 2018 08:10:17 +0000
Subject: [keycloak-user] Automatic rebuilding of jboss/keycloak on Docker Hub not working
Message-ID: <15bb201ee18c4866a5c4fdf0ed13ccae@knmi.nl>

Hi,

It seems that, unlike the other jboss images on Docker Hub, jboss/keycloak doesn't rebuild when its parent image updates. For example, 3.4.3.Final is a build from 4 months ago, even though centos:7, jboss/base and jboss/base-jdk have been updated as recently as 25 days ago.

I emailed docker at jboss.org, and Marek Goldmann suggested asking on this mailing list. He supposed it might be a misconfiguration, since images are normally rebuilt on parent update.

Thanks in advance.
Kind regards, Jonas Matser

From pajeet.mugabe at gmail.com Wed May 9 05:21:16 2018 From: pajeet.mugabe at gmail.com (Pajeet Mugabe) Date: Wed, 9 May 2018 11:21:16 +0200 Subject: [keycloak-user] (no subject) Message-ID:
Hi, Is there any way to reset a keycloak user password via REST call without administrator privileges? I mean the situation when the user himself changes his password from my custom app (so I need a REST endpoint). Assigning the manage-users role to users is not an option as it raises security issues in my case. Thanks, Pajeet

From cschollar at ska.ac.za Wed May 9 05:28:02 2018 From: cschollar at ska.ac.za (Christopher Schollar) Date: Wed, 9 May 2018 11:28:02 +0200 Subject: [keycloak-user] Mapping claims and assertions from second identity provider In-Reply-To: References: Message-ID:
Hi I am trying to map assertions from 2 identity providers. I have users who need to log in using their gmail accounts, but I would like to allow them to have a "verified" github account linked to it. I get the users' names, emails and other info straight from google and need their github login name from github. I have successfully linked both identity providers, but the assertion mapping only happens for whichever identity provider I use to first create the account. What I would like is for the mapper to run for both identity providers. Is there a way to run mappers from each identity provider as it is added to a user profile? Thanks Christopher

From luke at code-house.org Wed May 9 06:36:33 2018 From: luke at code-house.org (Łukasz Dywicki) Date: Wed, 9 May 2018 12:36:33 +0200 Subject: [keycloak-user] Custom registration attributes In-Reply-To: <05eb01d3e703$80862730$81927590$@pobox.com> References: <05eb01d3e703$80862730$81927590$@pobox.com> Message-ID:
Hey Bruno, You can pass additional attributes via the registration form. You just need to add additional form fields with the "user.attributes." prefix. In your case you would need to copy them into hidden inputs.
The Keycloak user will then have the attribute with the value sent over the form. Kind regards, Lukasz -- Code-House http://code-house.org
On 08.05.2018 21:33, Bruno Palermo wrote: > Hi, > > I would like to track the source of users using user attributes. > > Is it possible to pass query parameters like utm_source, utm_medium, > utm_campaign and add them as custom attributes? > > How can I access query parameters on a custom provider? > > Thanks, > Bruno

From ryans at jlab.org Wed May 9 15:14:10 2018 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 9 May 2018 15:14:10 -0400 (EDT) Subject: [keycloak-user] layers.conf missing breaks build Message-ID: <1370444629.8710907.1525893250282.JavaMail.zimbra@jlab.org>
Hi Keycloak users, I attempted the maven build of keycloak using the README.md instructions (https://github.com/keycloak/keycloak) and noticed the build fails (1) because tests fail and (2) because it turns out a file named "layers.conf" must be created in the modules directory. I got past the first issue by using the maven argument "-DskipTests" (looks like something to do with Docker). Should the README.md be updated, or maybe the build process should be updated to automatically create this layers.conf file? Here is some more info: https://developer.jboss.org/message/962140 https://issues.jboss.org/browse/KEYCLOAK-5185 Ryan

From valsarajpv at gmail.com Thu May 10 04:35:18 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Thu, 10 May 2018 14:05:18 +0530 Subject: [keycloak-user] How to periodically sync roles from LDAP to Keycloak Message-ID:
Hi, I am migrating an LDAP based application to Keycloak. LDAP contains users & roles. I am able to sync users in a periodic manner from LDAP. But using role-ldap-mapper, I can sync by clicking the Sync button. Is there any option to automatically sync roles like LDAP?
Thanks, Valsaraj Viswanathan

From valsarajpv at gmail.com Thu May 10 04:43:06 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Thu, 10 May 2018 14:13:06 +0530 Subject: [keycloak-user] How to associate roles to users based on client Message-ID:
Hi, I would like to know how to associate roles to users based on client. For example, if we have 2 client applications using a Keycloak server. Both applications have their own set of users which are synced into Keycloak. All users are shown together under the Users page of KC. Similarly we can load roles also. I wonder how to associate these application (client) specific roles to only the users related to that client? What I currently do is select the user, go to Role Mappings, choose Client Roles & then set from available roles. I am looking for something like auto sync for users which also does this role mapping as well. Please share your thoughts. Thanks, Valsaraj Viswanathan

From simonpayne58 at gmail.com Thu May 10 05:14:36 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 10 May 2018 10:14:36 +0100 Subject: [keycloak-user] Group-Mapping In-Reply-To: <1525688494185.73604@tcs.com> References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com> <1525688494185.73604@tcs.com> Message-ID:
Hi Lahari, I would suggest trying the LDAP group DN as ou=groups,dc=example,dc=com rather than cn=testgroup,ou=groups,dc=example,dc=com; here you need to specify the group tree. regards, Simon.
On Mon, May 7, 2018 at 11:21 AM, Lahari Guntha wrote: > >

From simonpayne58 at gmail.com Thu May 10 05:25:43 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 10 May 2018 10:25:43 +0100 Subject: [keycloak-user] user spi Message-ID:
I would like to create an SPI implementation to allow a custom group / role mapper, but authenticate using standard LDAP user federation. This custom mapping would involve a connection to a separate DB, which has already been populated by internal tooling and would identify the user using the same unique reference. I can find examples for altering the user storage, but not groups / role mappings where standard user federation has been used. Is this possible? many thanks Simon.

From cschollar at ska.ac.za Thu May 10 06:42:00 2018 From: cschollar at ska.ac.za (Christopher Schollar) Date: Thu, 10 May 2018 12:42:00 +0200 Subject: [keycloak-user] Mapping claims and assertions from second identity provide Message-ID:
Hi I am trying to map assertions from 2 identity providers. I have users who need to log in using their gmail accounts, but I would like to allow them to have a "verified" github account linked to it. I get the users' names, emails and other info straight from google and need their github login name from github. I have successfully linked both identity providers, but the assertion mapping only happens for whichever identity provider I use to first create the account. If I use github first I get the github username and if I use gmail I get the details from there. What I would like is for the mapper to run for both identity providers. Is there a way to run mappers from each identity provider as it is added to a user profile?
Thanks

From lahari.guntha at tcs.com Thu May 10 08:48:17 2018 From: lahari.guntha at tcs.com (Lahari Guntha) Date: Thu, 10 May 2018 12:48:17 +0000 Subject: [keycloak-user] Group-Mapping In-Reply-To: References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com> <1525688494185.73604@tcs.com>, Message-ID: <1525956497800.9251@tcs.com>
Hi Simon, We have tried that. We updated the configuration of group DN in keycloak as ou=groups,dc=example,dc=com. But still the groups are not getting synced properly. May I know whether I am missing any configuration anywhere else? Thanks and Regards, Lahari G
________________________________ From: Simon Payne Sent: 10 May 2018 14:44 To: Lahari Guntha Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Group-Mapping
Hi Lahari, I would suggest trying the LDAP group DN as ou=groups,dc=example,dc=com rather than cn=testgroup,ou=groups,dc=example,dc=com; here you need to specify the group tree. regards, Simon. On Mon, May 7, 2018 at 11:21 AM, Lahari Guntha > wrote:
=====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments.
Thank you

From valsarajpv at gmail.com Thu May 10 09:18:13 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Thu, 10 May 2018 18:48:13 +0530 Subject: [keycloak-user] Client secret not provided in request Message-ID:
Hi, I am facing the following issue after changing Access Type to confidential for a server-side client. It was working fine with public type. Here is my adapter setting:
> > > demo > app > true > http://localhost:8180/auth > EXTERNAL > preferred_username > true > name="secret">b35f1121-93a4-4483-a70a-0048b95fd250 > >
Here is the error found in the log during login:
> [Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed to turn code into token
> [Server:-node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) status from server: 400
> [Server:node-00] 17:29:06,924 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] {"error":"unauthorized_client","error_description":"Client secret not provided in request"}
Any thoughts? Thanks, Valsaraj Viswanathan

From evan at visualicandy.com Thu May 10 18:15:19 2018 From: evan at visualicandy.com (Evan Clark) Date: Thu, 10 May 2018 18:15:19 -0400 Subject: [keycloak-user] 400 error email test connection behind nginx proxy Message-ID: <5AF4C477.6090707@visualicandy.com>
I am attempting to set up the email notifications through keycloak and am getting a 400 error when I attempt to test the connection. I looked at an older post and made sure my admin user has an email assigned to them. However, no matter which realm we use, test or master, the same error occurs. The Debug output doesn't produce anything useful either. We are running behind nginx with ssl termination.
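The thread above does not identify the cause of the 400, so the first thing a practitioner would establish is which hop emits it: nginx itself (its error log will say so, typically "Request Header Or Cookie Too Large") or Keycloak (visible in server.log). The second is whether the SSL-terminating proxy forwards the original host and scheme and whether Keycloak is told to trust those headers, since otherwise Keycloak believes it is serving plain HTTP on the upstream address. The configuration below is an added example written for this page, not configuration from the thread or from the Keycloak project; the server name keycloak.example.com, the certificate paths and the upstream address 127.0.0.1:8080 are assumptions.

```nginx
# Added example (not from the thread): SSL-terminating nginx in front of the
# WildFly-based Keycloak distribution. Hostnames, certificate paths and the
# upstream address are assumptions for illustration.
server {
    listen 443 ssl;
    server_name keycloak.example.com;

    ssl_certificate     /etc/nginx/tls/keycloak.crt;
    ssl_certificate_key /etc/nginx/tls/keycloak.key;

    # The admin console sends a bearer token plus Keycloak's session cookies on
    # every request. If nginx rejects the request for oversized headers it
    # answers 400 on its own and Keycloak never sees the request; raising the
    # buffer and checking /var/log/nginx/error.log tells the two cases apart.
    large_client_header_buffers 4 16k;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Once proxy-address-forwarding is enabled on Keycloak's Undertow
        # http-listener, Keycloak derives its public scheme and host from these
        # headers instead of from the upstream socket (http://127.0.0.1:8080).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}
```

On the Keycloak side the matching setting is the `proxy-address-forwarding` attribute of the Undertow http-listener, set with jboss-cli as `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)` followed by a reload. Keep in mind that enabling it makes Keycloak trust X-Forwarded-* from any client that can reach port 8080 directly, so the upstream port should be firewalled to the proxy host only.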
From palermo at pobox.com Thu May 10 18:59:11 2018 From: palermo at pobox.com (Bruno Palermo) Date: Thu, 10 May 2018 19:59:11 -0300 Subject: [keycloak-user] Custom registration attributes In-Reply-To: <6b37db88-c954-f76f-8c57-ecc42075aa45@code-house.org> References: <05eb01d3e703$80862730$81927590$@pobox.com> <010001634a3babbc-151dfed7-1059-485c-94e2-0c10037aa8e2-000000@email.amazonses.com> <6b37db88-c954-f76f-8c57-ecc42075aa45@code-house.org> Message-ID: <001601d3e8b2$84ac3f60$8e04be20$@pobox.com>
Lukasz, I thought of something similar, but if the users don't go directly to the registration page the parameters get lost. I will run some tests and try. Thanks for the help!
-----Original Message----- From: Łukasz Dywicki Sent: Thursday, 10 May 2018 19:48 To: Bruno Palermo Subject: Re: [keycloak-user] Custom registration attributes
Hi Bruno, Not advice, but just an idea - you could do that with custom javascript injected into the theme. This will be the simplest thing to do which will move things from the query string (visible to the browser) to custom form fields. It's not reliable at all, but easy to get. I took a look at the code and form parameters are passed around in a few places BUT your user who gets redirected does not submit any form per se, making it impossible to fill in any hidden fields. When someone visits your custom registration page their browser sends a GET with text/html or similar content type, while form parameters are usually available with application/x-form-url-encoded. Maybe there is someone from the team to answer, this is just my custom rant which can be completely wrong. Cheers, Lukasz -- Code-House http://code-house.org
On 10.05.2018 15:26, Bruno Palermo wrote: > Lukasz, > > Yes I know that. > > But what I'm trying to achieve is for those attributes to be pre-filled with query parameters.
> > Thanks, > Bruno > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > On Behalf Of Lukasz Dywicki > Sent: Wednesday, 9 May 2018 07:37 > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Custom registration attributes > > Hey Bruno, > You can pass additional attributes via the registration form. You just need to add additional form fields with the "user.attributes." prefix. In your case you would need to copy them into hidden inputs. > The Keycloak user will then have the attribute with the value sent over the form. > > Kind regards, > Lukasz > -- > Code-House > http://code-house.org > > On 08.05.2018 21:33, Bruno Palermo wrote: >> Hi, >> >> I would like to track the source of users using user attributes. >> >> Is it possible to pass query parameters like utm_source, utm_medium, >> utm_campaign and add them as custom attributes? >> >> How can I access query parameters on a custom provider? >> >> Thanks, >> Bruno >> >

From mevans at aconex.com Fri May 11 02:06:15 2018 From: mevans at aconex.com (Matt Evans) Date: Fri, 11 May 2018 06:06:15 +0000 Subject: [keycloak-user] Mapping SAML response elements to OIDC token claims Message-ID:
Hi Is it possible to map SAML response elements from an IDP response to claims in the OIDC information? We're specifically looking to be able to extract the AuthenticatingAuthority, which I can see is returned in the AuthnContext element, but I'm not sure if the Attribute name or Friendly Attribute name in the SAML mapper will look for those.
Thanks Matt

From evan at visualicandy.com Fri May 11 09:05:51 2018 From: evan at visualicandy.com (Evan Clark) Date: Fri, 11 May 2018 09:05:51 -0400 Subject: [keycloak-user] 400 error behind nginx reverse proxy Message-ID: <5AF5952F.5000204@visualicandy.com>
I am attempting to set up the email notifications through keycloak and am getting a 400 error when I attempt to test the connection. I looked at an older post and made sure my admin user has an email assigned to them. However, no matter which realm we use, test or master, the same error occurs. The Debug output doesn't produce anything useful either. We are running behind nginx with ssl termination.

From cschollar at ska.ac.za Fri May 11 10:41:21 2018 From: cschollar at ska.ac.za (Christopher Schollar) Date: Fri, 11 May 2018 16:41:21 +0200 Subject: [keycloak-user] keycloak api interfaces Message-ID:
Hi guys I was wondering if you can suggest any libraries which utilise the keycloak api. I am interested in seeing how people solve common issues like creating admins for groups, assigning roles etc. I could go through the effort of writing my own code, but I was wondering if there are any efforts that you would suggest I look at. Thanks Chris

From valsarajpv at gmail.com Fri May 11 14:02:31 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 11 May 2018 23:32:31 +0530 Subject: [keycloak-user] keycloak api interfaces In-Reply-To: References: Message-ID:
Me too, looking for the same!
On Fri 11 May, 2018, 8:19 PM Christopher Schollar, wrote: > Hi guys > > I was wondering if you can suggest any libraries which utilise the keycloak > api. I am interested in seeing how people solve common issues like creating > admins for groups, assigning roles etc. I could go through the effort of > writing my own code, but I was wondering if there are any efforts that you > would suggest I look at.
> > Thanks > Chris >

From ntle at castortech.com Fri May 11 14:56:33 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Fri, 11 May 2018 14:56:33 -0400 Subject: [keycloak-user] keycloak api interfaces In-Reply-To: References: Message-ID:
I'm using the admin-client, no doc yet but I'm using the test suite to build my wrapper: https://github.com/pedroigor/keycloak/tree/1e1de85685bb5d5f180f510630cd7133f8a35375/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client
On Fri, May 11, 2018 at 2:02 PM, valsaraj pv wrote: > Me too, looking for the same! > > On Fri 11 May, 2018, 8:19 PM Christopher Schollar, > wrote: > > > Hi guys > > > > I was wondering if you can suggest any libraries which utilise the > keycloak > > api. I am interested in seeing how people solve common issues like > creating > > admins for groups, assigning roles etc. I could go through the effort of > > writing my own code, but I was wondering if there are any efforts that > you > > would suggest I look at. > > > > Thanks > > Chris > >

From federico.facca at martel-innovate.com Fri May 11 15:18:01 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Fri, 11 May 2018 21:18:01 +0200 Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API In-Reply-To: References: Message-ID:
As per Pedro's request, I am moving the discussion to the user list. PS: a PR for adding the requester to the permission has landed
On 11 May 2018 at 18:04, Pedro Igor Silva wrote: > > > On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca < > federico.facca at martel-innovate.com> wrote: > >> Hi Pedro, >> >> Thanks a lot for your quick reply. >> >> On 11 May 2018, at 13:52, Pedro Igor Silva wrote: >> >>> >>> >> We don't have the API documented, something we should improve in the future. >> >> We have a quickstart that can help you to achieve what you want. See >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz.
>> >> If you look at this method: >> >> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L100 >> >> >> I have been looking at the methods, and actually learned from the exact >> example you refer to. >> >> >> You will see that we are using the Permission Endpoint (the endpoint >> responsible for managing permission tickets) to obtain all resources >> *shared* with a specific user. In our AuthZ Java Client we have this method: >> >> https://github.com/keycloak/keycloak/blob/master/authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java#L162 >> >> Which allows you to query for permission tickets using different filters. >> >> >> Maybe my examples were not clear enough. For question 2: >> >> >> Suppose that user "test" owns resource A and he wants to see (like in the >> my account interface) a table with all the active and pending permissions >> including the identifier of the user that made the request.
>> Shared resources-> Resource A user B scope read, write
>> Pending requests-> Resource A user C scope read
>>
>> With the following query:
>>
>> curl --request GET \
>>   --url 'http://127.0.0.1:8080/auth/realms/master/authz/protection/permission?returnNames=true&owner=test' \
>>   --header 'authorization: Bearer xxx'
>>
>> I get a list of the permissions (where granted = true are the authorised ones and granted = false the pending ones):
>>
>> [
>>   {
>>     "id": "08dccaed-6dbb-47aa-a87c-55b35a6f2523",
>>     "owner": "567c20ad-7d42-4908-bb53-af26c64534e7",
>>     "resource": "218091a8-e5fc-460c-a306-a3a76775c784",
>>     "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e",
>>     "granted": true,
>>     "scopeName": "read",
>>     "resourceName": "8910"
>>   },
>>   {
>>     "id": "xxxx",
>>     "owner": "567c20ad-7d42-4908-bb53-af26c64534e7",
>>     "resource": "218091a8-e5fc-460c-a306-a3a76775c784",
>>     "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e",
>>     "granted": false,
>>     "scopeName": "read",
>>     "resourceName": "8910"
>>   }
>> ]
>>
>> so the result does not allow me to know who was the "requester" (which I don't know a priori since the query is about all potential requesters)
>>
>> so my idea was that when you use the returnNames=true parameter you could add the requester as well, e.g.:
>>
>> {
>>   "id": "08dccaed-6dbb-47aa-a87c-55b35a6f2523",
>>   "owner": "567c20ad-7d42-4908-bb53-af26c64534e7",
>>   "resource": "218091a8-e5fc-460c-a306-a3a76775c784",
>>   "scope": "65e40351-bce4-4e3f-825d-7bca9d78d12e",
>>   "granted": true,
>>   "scopeName": "read",
>>   "resourceName": "8910",
>>   "requester": "xxxxx",
>>   "requesterName": "test"
>> },
>
> I see now. We are really missing *requester* in the response. Not sure why it is not there already ....
>
> Created https://issues.jboss.org/browse/KEYCLOAK-7337.
>
>> The type PermissionResource also provides methods for CRUD permission tickets.
>> >> Note that this API is targeted for resource servers and part of the >> Protection API. >> >> >> >> We realised that by trying to create resources and seeing that using user >> authentication you get a 500 error while using client authentication it works >> (even though the UMA spec is not limiting the access to that). >> We found out by testing also that the permission endpoint works also with >> user access tokens. >> > > Yeah, as long as the access token is granted with uma_protection scope. > > >>
>> Now the first question was how to "share" a resource directly with a user. >> >> Currently using the API, supposing I am user A and I want to access a >> resource Z from user B, we proceed as follows (I hope this is the correct way; >> any correction or guidance will be appreciated): >> >> 1. We create a permission request on the API (to get the ticket). E.g. >> read resource x >> >> 2. We use the ticket to ask for an RPT token using a user token. >>
>> curl --request POST \
>>   --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>>   --header 'Authorization: Bearer xxx' \
>>   --header 'Content-Type: application/x-www-form-urlencoded' \
>>   --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>>
>> If the user already has access, then he gets the RPT, if not he gets: >> >> { >> "error": "access_denied", >> "error_description": "request_submitted" >> } >> >> Only in this moment the permission ticket I created at step 1 appears in >> the list of permissions. (I am not sure this is the intended behaviour >> though). >> >
> Yeah, that is the expected behavior. But you can also use a request > parameter to tell the token endpoint that you don't want to submit an > authorization request. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
> > >> >> Then it is up to the owner to authorise access (via API we can do that by >> updating the permission and setting granted to true) >> >> Now let's suppose that I am the owner of the resource A, and I want to >> authorise directly (without the user asking access to the resource A) >> the user Z to access it. How can I do that? At the time being I could not >> figure it out. >> >
> Similar to the update method, you can use the create method to create > permissions. Is that what you are looking for? See org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName. > >
>> >> Also, out of curiosity, is there a way I can list all resources I can >> access thanks either to UMA permissions or policies? >> That would be very handy. >> >
> You can do that by asking all permissions. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions. > > There is a cURL example there similar to this: >
> curl -X POST \
>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
>   -H "Authorization: Bearer ${access_token}" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
>
> In the example above you are basically saying that you want an RPT for any > resource/scope granted to the user as a result of evaluating permissions > associated with resources of which either the user or the resource server is > the owner. But yeah, depending on how many resources you will get a huge > RPT which can take some time to be issued. > >
>> >> Suppose that you have an API that with GET /resources lists you all the >> resources; there should be a way to filter the returned resources >> based only on the ones you can access. This could be done easily if you >> could get a list of the resources you can access. Otherwise, >> you would need for each resource returned in the list to generate a query >> asking if the user x can access the specific resource.
Not very >> scalable. >> >
> We don't have anything for data protection. You are not the first with > this requirement but I did not spend time thinking about this capability > yet. If you want to open a JIRA and start some discussion there I'm glad to > move this forward. > >
>> >> Thanks! >> Federico >> >> >> >>> >>> In our understanding, to obtain 2. we should somehow retrieve the >>> Requester from the TicketStore and attach the information to the response >>> (but this would "break" the UMA standard, as anyhow parameters such as >>> "returnNames=true" do, so maybe when the request is using >>> "returnNames=true" >>> we could attach the requester name and id as well). >>> >>> For 1, we have no clear ideas, if not adding "requester" as well in the >>> ticket creation. >>> >>> Any hint would be highly appreciated, so that we can work up some >>> implementation to provide both features. >>> >>> Thanks, >>> Federico >>> >>> -- >>> *Dr. FEDERICO MICHELE FACCA* >>> *Head of Martel Lab* >>> 0041 78 807 58 38 >>> *Martel Innovate* - Professional >>> support for innovation projects >>> Click to download our innovators' insights! >>> >>> Follow Us on Twitter >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >

From federico.facca at martel-innovate.com Fri May 11 17:43:41 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Fri, 11 May 2018 23:43:41 +0200 Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API In-Reply-To: References: Message-ID:
Hi,
On 11 May 2018 at 18:04, Pedro Igor Silva wrote: > > > On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca < > federico.facca at martel-innovate.com> wrote: > >> >> Now the first question was how to "share" a resource directly with a user. >> >> Currently using the API, supposing I am user A and I want to access a >> resource Z from user B, we proceed as follows (I hope this is the correct way; >> any correction or guidance will be appreciated): >> >> 1. We create a permission request on the API (to get the ticket). E.g. >> read resource x >> >> 2. We use the ticket to ask for an RPT token using a user token. >>
>> curl --request POST \
>>   --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>>   --header 'Authorization: Bearer xxx' \
>>   --header 'Content-Type: application/x-www-form-urlencoded' \
>>   --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>>
>> If the user already has access, then he gets the RPT, if not he gets: >> >> { >> "error": "access_denied", >> "error_description": "request_submitted" >> } >> >> Only in this moment the permission ticket I created at step 1 appears in >> the list of permissions. (I am not sure this is the intended behaviour >> though). >> >
> Yeah, that is the expected behavior. But you can also use a request > parameter to tell the token endpoint that you don't want to submit an > authorization request. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
> > >> >> Then it is up to the owner to authorise access (via API we can do that by >> updating the permission and setting granted to true) >> >> Now let's suppose that I am the owner of the resource A, and I want to >> authorise directly (without the user asking access to the resource A) >> the user Z to access it. How can I do that? At the time being I could not >> figure it out. >> >
> Similar to the update method, you can use the create method to create > permissions. Is that what you are looking for? See org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName. >
From what I see in the code, permissions are persisted only when invoking the token API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket, so in my understanding there is no way (assuming I am the owner of the resource) to store the permission directly (with grant=true), which would be the way a user could share his resources directly, as is now possible in the interface. Am I wrong? I am lost... In the code you refer to I see that you invoke the token API with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket; you are setting the claim using the accessToken, but I don't see what this has to do with the ability of a resource owner to grant access to a resource directly (i.e. creating a permission with grant = true).

From federico.facca at martel-innovate.com Sat May 12 08:23:06 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Sat, 12 May 2018 14:23:06 +0200 Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API In-Reply-To: References: Message-ID:
Hi, I did some tests using your example, and I don't think it is working as expected.
On 11 May 2018 at 18:04, Pedro Igor Silva wrote:

>> Also, out of curiosity, is there a way I can list all resources I can access thanks either to UMA permissions or policies? That would be very handy.
>
> You can do that by asking for all permissions. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions.
>
> There is a cURL example there similar to this:
>
> curl -X POST \
>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
>   -H "Authorization: Bearer ${access_token}" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
>
> In the example above you are basically saying that you want an RPT for any resource/scope granted to the user as a result of evaluating permissions associated with resources of which either the user or the resource server is the owner. But yeah, depending on how many resources, you will get a huge RPT which can take some time to be issued.

My set-up is as follows:

1. I have a policy that says that the owner of a resource is authorised with scopes read, write and delete. Such policy is attached to a resource with a * path (e.g. /resource/*).
2. User A creates a resource /resource/A
3. User A asks for all permissions. He is returned he can do anything on /resource/A

So far so good. Now comes the part that I believe is not working as I would expect.

4. User B creates a resource /resource/B
5. User B shares resource B with User A
6. User A asks for all permissions. He is returned he can do anything on /resource/A but no information is returned about resource B, despite there being a permission granted.

It looks like User A can check if he can access resource B only if I create a permission ticket and I specifically check that, but as a requester, I don't know in advance if I am authorised to access a resource via UMA ticket or via another policy.
In fact, if I ask whether I have read permission using the permission parameter, I get not authorised:

curl --request POST \
  --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
  --header 'Authorization: Bearer xxx' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&permission=da2fdbf6-076e-4716-8b91-2c7feeda8bee%23read&audience=test'

while if I create a ticket for that resource with permission read, I get authorised.

It looks like when asking for permissions, UMA permissions and policy-based permissions are kept totally separate, which I don't think should be the case. If not, knowing which resources you can access becomes super complex.

Federico

From sebastian.perkins at hoistgroup.com Sat May 12 09:46:16 2018
From: sebastian.perkins at hoistgroup.com (Sebastian Perkins - Hoist Group - Switzerland)
Date: Sat, 12 May 2018 13:46:16 +0000
Subject: [keycloak-user] keycloak password policy and ldap

Hello,

We have integrated keycloak 3.2 with our ldap backend via 4 federations (different filters to extract users). Our next goal is to use keycloak as a central password reset: this also works fine.

The next step is to enforce the policy in keycloak and not use the ldap one. For this, we have created a simple policy (6 chars minimum). 2 of the federations are blocked by this (if we add a non-compliant password) but not the 2 others: they seem to ignore the policy, which I don't really understand as the system should store all the policy info locally. As the passwords get updated, the federations are correctly set up (ldapsearch checked).

I even tried to force a password reset to a user as described in the docs after a policy change, but it still gets through.
Am I missing some configuration? Thanks for the help and guidance!

Sebastian

From sarojnp2003 at gmail.com Sun May 13 02:31:49 2018
From: sarojnp2003 at gmail.com (SaRoJ)
Date: Sun, 13 May 2018 12:16:49 +0545
Subject: [keycloak-user] Invalid request URI

Hello Team,

I'm using Keycloak and then connecting to spring boot using the Keycloak Client Adapter. My keycloak auth server url is https://auth.avinash.com.np/auth/ and my spring boot application is running on http://localhost:9090. In the keycloak admin console, redirect_url is set to http://localhost:9090/*. Now when my application tries to authenticate via keycloak, the redirect_url is set to http://localhost:9090/sso/login but keycloak redirects it to https://auth.avinash.com.np/sso/login. We are not sure how to debug this behavior and have tried to investigate it but haven't found anything. Our keycloak server is behind a nginx proxy and the X-FORWARDED-FOR, X-FORWARDED-PROTO and Host headers are set appropriately. FYI, this setup seems to work locally against a local keycloak instance. Any help regarding this would be appreciated.

Best regards,
Saroj Gautam

From yossi.baruch at iucc.ac.il Sun May 13 02:49:05 2018
From: yossi.baruch at iucc.ac.il (Yossi Baruch)
Date: Sun, 13 May 2018 06:49:05 +0000
Subject: [keycloak-user] help with freeipa+keycloak+saml

Hi,

I'm using KC to connect to FreeIPA and create a user federation. I'm mapping several attributes from FreeIPA, among them eduPersonTargetedID (EPTID). This EPTID is used to connect to a saml client and then as one of the attributes used in the edugain federation. The issue is that EPTID should be an array and not a single value; I get errors from the inter-federation that this EPTID is not structured right. I think that usually this EPTID is generated whenever the saml client connects, but I have no idea how to do so. Does anyone have an opinion about this? Has anyone mitigated this in the past?
Sincerely Yours,
Yossi Baruch, IT specialist
office: +972-3-646-0569
fax: +972-3-646-0557
E-Mail: yossi.baruch at iucc.ac.il
Website: www.iucc.ac.il

"May The Force Be With You." - Master Yoda
"I'm trying to free your mind... But I can only show you the door. You're the one that has to walk through it." - Morpheus
"We are continually faced with a series of great opportunities brilliantly disguised as insoluble problems." - John W. Gardner
"Do not go gentle into that good night, Old age should burn and rave at close of day; Rage, rage against the dying of the light." - Dylan Thomas

From saeich at rmm.li Sun May 13 05:15:32 2018
From: saeich at rmm.li (Michael Meier)
Date: Sun, 13 May 2018 11:15:32 +0200
Subject: [keycloak-user] ldap group-ldap-mapper needs up to 60 seconds to add a user to a group

We are using keycloak 3.4.3-final with an ldap user federation. Users and groups are created in keycloak, and from there automatically written to an openldap server, since some applications can only access them over ldap. So the "edit mode" is writable and "sync registrations" is activated. The group-mapper is configured as ldap_only.

Creating a new user is lightning fast. But if I add the user to a group where already around 1000 users are members, it takes around 60 seconds to add it or also to remove it. It was faster when the group had fewer members, but we can watch how the time grows the more members that group has.
But it was already slow when there were only around 100 users; then it took around 10 seconds to add the user to the group. When we add the users to the groups directly in ldap it works in milliseconds. So the problem seems to be a keycloak one. In total there are maybe 2000 users and 15 different groups. Keycloak is running in a docker container.

Does anybody experience similar problems? Or has any ideas about what we could change? We already tried to change the "User Groups Retrieve Strategy", disabled the ldap cache, disabled connection pooling and pagination. But nothing seems to work.

Thanks in advance,
Michael

From thomas.sousa.96 at gmail.com Sun May 13 21:03:32 2018
From: thomas.sousa.96 at gmail.com (Thomás Sousa Silva)
Date: Sun, 13 May 2018 22:03:32 -0300
Subject: [keycloak-user] How to integrate Keycloak with Payara Micro?

Hello!

How can I integrate Keycloak with Payara Micro? I want to create a stateless REST JAX-RS application that uses Keycloak as authentication and authorization server, but I don't know how to do it.

The Eclipse MicroProfile JWT Authentication API defines the @LoginConfig annotation:

@LoginConfig(authMethod = "MP-JWT", realmName = "admin-realm")
@ApplicationPath("/")
public class MyApplication extends Application {...}

And Java EE defines the @RolesAllowed annotation:

@Path("/api/v1/books")
public class BooksController {
    @GET
    @RolesAllowed("read-books")
    public Books findAll() {...}
}

How do I integrate these two things?
-- 
Thomás Sousa Silva

From rodney.i.platt at gmail.com Sun May 13 23:46:53 2018
From: rodney.i.platt at gmail.com (Rodney Platt)
Date: Mon, 14 May 2018 13:46:53 +1000
Subject: [keycloak-user] Securing a MQTT broker

Hi,

I'm new to keycloak and am looking for some advice. I would like to know the best way of doing the following:

- Allow users to sign up and get access to some urls;
- Users then could add devices to their account (devices being small IoT devices);
- The device then could authenticate and have access to the MQTT broker and APIs.

Any pointers, examples or tutorials would be great.

Some more info: in my test setup I'm using openresty as my Authenticating Reverse Proxy, device management is still up in the air but most likely a custom web portal, and Mosquitto as my MQTT broker. I would think the IoT device would need to use a JWT for access, but I'm open to ideas.

Thanks for any help,
Rodney

From juansahe at gmail.com Mon May 14 02:38:05 2018
From: juansahe at gmail.com (Juan David Sánchez Hernández)
Date: Mon, 14 May 2018 01:38:05 -0500
Subject: [keycloak-user] 403 on /sso/login with Spring Boot and Keycloak Adapter

Hi,

I'm having the same annoying issue but haven't figured out how to fix it. According to what Marc said I thought that if I changed my sslRequired to NONE then KC should be able to construct the redirect URL (also changing that parameter on the realm), but no, same error. KC goes into SSL mode even if I declare the realm as NONE. I'm testing outside, so it is not local. How do I specify an SSL port? I'm completely lost here, can you point me to the specs in the documentation?

Thanks in advance,
jds

From Tim.Benke at comlineag.de Mon May 14 06:19:55 2018
From: Tim.Benke at comlineag.de (Benke, Tim)
Date: Mon, 14 May 2018 10:19:55 +0000
Subject: [keycloak-user] Authenticate websocket communication

Hello,
I'm trying out how to secure the websocket communication between a SPA and a Spring Java backend. According to the specification it's not possible to set the authorization header in the initial HTTP communication. Instead it's often suggested to perform authentication and authorization in the STOMP communication afterwards.

I looked a bit at keycloak's spring security adapter, but it seems to be very focused on the HttpFacade and I'm wondering if the right way forward is to fake this interface for STOMP or somehow re-implement something that validates the token similarly.

Here's a link to Spring's docs that leaves open the part about using the token from STOMP's headers:
https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/websocket.adoc#token-authentication

Here's a stackoverflow question about the problem. I'm not very fond of the alternative to send the token in the request's URL as a query parameter, but it is indeed working correctly:
https://stackoverflow.com/questions/30887788/json-web-token-jwt-with-spring-based-sockjs-stomp-web-socket/39456274#39456274

Best regards,
Tim Benke

From federico.facca at martel-innovate.com Mon May 14 08:25:45 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Mon, 14 May 2018 14:25:45 +0200
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi Pedro, All,

I have been looking a bit more into the permission CRUD operations. I think that it would be better to split the permission ticket from the permission policies themselves. In fact, if I understand the spec correctly, the current permission endpoint should only be used to create the permission ticket. UMA doesn't say anything on how to represent policies, so this is totally up to keycloak.
Ideally we should have:

- /permission
  - POST - create a permission ticket
- /user-policy (or anything similar)
  - POST - create a policy (owner of a resource can create a policy on it without RPT process)
  - GET - list policies
  - GET /id - return a specific policy
  - DELETE /id - remove a policy
  - PUT /id - update a policy

While at the time being this endpoint may support only "UMA policies", i.e. x requests access to y with scope z, and the owner grants it, in the future it could allow resource owners to "manage" directly other policies. E.g. allow scope x to all users in group z.

For the time being (given that we needed to allow owners to grant directly access to a resource without using a permission ticket), we modified the existing "PUT" to allow the creation of a permission on a resource if the access token used is the one of the resource owner.

Best,
Federico
From psilva at redhat.com Mon May 14 08:36:34 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 14 May 2018 09:36:34 -0300
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

We do have endpoints for managing policies via the Keycloak Admin REST API. From this package:

https://github.com/pedroigor/keycloak/tree/035ebc881abfe78544861f394c30b1dd9623f879/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization

You'll find tests for each permission/policy type we support. Is that what you are looking for?
From nicolas.gillet at market-ip.com Mon May 14 09:50:44 2018
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Mon, 14 May 2018 13:50:44 +0000
Subject: [keycloak-user] Customize email "from" by FQDN inside the same realm

Hello,

We are providing a single web application that is accessed under several domain names. We want to use KC to do the authentication to this web app. With the different domain names also come different "brandings" or "themes" for each domain. As we have a single realm, we managed to do this branding using a dedicated service that maps KC templates' assets (css, img, ...) to the right file, based on the FQDN.
One point remains hard to change: the "from" and "reply to" fields in every mail KC sends (like password recovery). These fields are statically configured for the whole realm in the Email settings and I don't think there exists any way to make this "dynamic".

So I turn to you folks to grab some hints/ideas about ways I could modify KC in order to replace the email "sender" by another value using the request's domain. I never dug into KC code yet so I don't have any clue where to start actually.

Many thanks,
Nicolas GILLET

From Qiang.He at lombardrisk.com Mon May 14 09:55:34 2018
From: Qiang.He at lombardrisk.com (Qiang He)
Date: Mon, 14 May 2018 13:55:34 +0000
Subject: [keycloak-user] CatalinaSamlAuthenticator issue using keycloak saml eap6 adapter

I am having the same problem. Is there any update on this thread?

From federico.facca at martel-innovate.com Mon May 14 10:28:26 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Mon, 14 May 2018 16:28:26 +0200
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi Pedro,

Those are not what we can call "user managed authorisation" policies; in fact they are from the "admin" API (and indeed I have been wondering why the back implementation of the current "uma permissions" is not based on "user policy"). "User managed authorisation" is related to the fact that a user owns the resource. In practice you could implement "user managed authorisation" using existing policies (this would actually also avoid the current issue I reported, i.e. regarding the complete separation between UMA permissions and policy-based permissions at evaluation time, which leads to the fact that users authorised via UMA are not listed as authorised when asking access via permissions).

I copy again the test:

My set-up is as follows:
1. I have a policy that says that the owner of a resource is authorised with scopes read, write and delete.
Such policy is attached to a resource with a * path (e.g. /resource/*).
2. User A creates a resource /resource/A
3. User A asks for all permissions. He is returned he can do anything on /resource/A

So far so good. Now comes the part that I believe is not working as I would expect.

4. User B creates a resource /resource/B
5. User B shares resource B with User A
6. User A asks for all permissions. He is returned he can do anything on /resource/A but no information is returned about resource B, despite there being a permission granted.

It looks like User A can check if he can access resource B only if I create a permission ticket and I specifically check that, but as a requester, I don't know in advance if I am authorised to access a resource via UMA ticket or via another policy.

In fact, if I ask whether I have read permission using the permission parameter, I get not authorised:

curl --request POST \
  --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
  --header 'Authorization: Bearer xxx' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&permission=da2fdbf6-076e-4716-8b91-2c7feeda8bee%23read&audience=test'

while if I create a ticket for that resource with permission read, I get authorised.

Federico
From pulgupta at redhat.com Mon May 14 12:42:28 2018
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 14 May 2018 22:12:28 +0530
Subject: [keycloak-user] intermittent 403 while logging in

Hi Team,

I am using the Keycloak OIDC JBoss EAP 6 adapter and the RH-SSO version is 7.2. I updated my app's auth method in web.xml and also added keycloak.json. After creating the client I tried logging in and it worked as expected.
However while testing more I saw that sometimes I am getting 403 and the login fails. This is a very random behavior and the app works almost 70% of the time.

Also I integrated one more app which is using the same Keycloak server as IDP but the app is having a different sub-domain from the first app. Sometimes if I login to one app successfully and then open the other app in the other tab I see this intermittent 403 issue.

Its intermittent nature is making it difficult for me to find out the root cause. Any suggestions where to look for such an issue?

*ADAPTER LOGS:*

2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] failed to turn code into token
2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] status from server: 400
2018-05-14 05:27:15,239 [ajp-/10.7.24.224:8009-15] ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] {"error":"invalid_grant","error_description":"Code not valid"}

--
PULKIT GUPTA

From psilva at redhat.com Mon May 14 13:05:10 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 14 May 2018 14:05:10 -0300
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

I see now...

We could solve your current issue by fixing the processing of entitlement requests to also consider permissions granted by a user via permission tickets. This is the easiest solution ...

However, I think we would be still limiting users regarding the different policies they can use to protect their resources. For instance, today a permission granted directly by the user (and backed by a permission ticket approved by this same user) takes precedence over whatever policy you have defined to a resource.

We could start using a policy (and not the ticket) to decide whether or not the user is granted access to someone else resource.
In fact, it would make sense to use an Aggregated Policy to combine whatever policy the user has defined to rule access to a resource. The current implementation is using the ticket because users can only decide to share a resource or not, regardless of other conditions.

The "/user-policy" endpoint you mentioned would be basically managing the "Aggregated Policy" associated with a specific resource by adding and removing whatever policy the user wants to define.

Does it make sense for you?

On Mon, May 14, 2018 at 11:28 AM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:

> hi pedro,
> those are not what we can call "user managed authorisation" policies, in fact are from the "admin" api (and indeed i have been wondering why the back implementation of current "uma permissions" is not based on "user policy").
> "user managed authorisation" is related to the fact that a user owns the resource. in practise you could implement "user managed authorisation" using existing policies (this would actually also avoid the current issue i reported, i.e. regarding the complete separation between UMA permissions and policy based permissions at the evaluation time which leads to the fact that authorised users with UMA are not listed as authorised when asking access via permissions)
>
> i copy again the test:
>
> My set-up is as follows:
> 1. I have a policy that says that the owner of a resource is authorised with scope read, write and delete. Such policy is attached to a resource with a * path (e.g. /resource/*).
> 2. User A create a resource /resource/A
> 3. User A ask all permissions. He is returned he can do anything on /resource/A
>
> So far so good. Now it's the part that i believe is not working as i would expect.
>
> 4. User B create a resource /resource/B
> 5. User B share resource B with User A
> 6. User A ask all permissions.
> He is returned he can do anything on /resource/A but no information is returned about resource B, despite there is a permission granted.
>
> It looks like User A can check if he can access resource B only if I create a permission ticket and I specifically check that, but as a requester, I don't know in advance if i am authorised to access a resource via UMA ticket or via another policy.
>
> In fact, if I ask if i have read permission using the permission parameter, i get not authorised:
>
> curl --request POST \
> --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
> --header 'Authorization: Bearer xxx' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&permission=da2fdbf6-076e-4716-8b91-2c7feeda8bee%23read&audience=test'
>
> while if i create a ticket for that resource with permission read, i get authorised.
>
> federico
>
> On 14 May 2018 at 14:36, Pedro Igor Silva wrote:
>
>> We do have endpoints for managing policies via Keycloak Admin REST API. From this package:
>>
>> https://github.com/pedroigor/keycloak/tree/035ebc881abfe78544861f394c30b1dd9623f879/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization
>>
>> You'll find tests for each permission/policy type we support. Is that what you are looking for ?
>>
>> On Mon, May 14, 2018 at 9:25 AM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>
>>> Hi Pedro, All,
>>>
>>> I have been looking a bit more in the permission CRUD operations. I think that it would be better to split the permission ticket from the permission policy themselves.
>>> In fact, if i understand correctly the spec, the current permission endpoint should be only used to create the permission ticket. UMA doesn't say anything on how to represent policies so this is totally up to keycloak.
>>>
>>> Ideally we should have:
>>>
>>> - /permission
>>>   - POST - create a permission ticket
>>> - /user-policy (or anything similar)
>>>   - POST - create a policy (owner of a resource can create a policy on it without RPT process)
>>>   - GET - list policies
>>>   - GET /id return a specific policy
>>>   - DELETE /id remove a policy
>>>   - PUT /id update a policy
>>>
>>> While at the time being this endpoint may support only "UMA policies" i.e. x request access to y with scope z, and owner grants it, in the future it could allow resource owners to "manage" directly other policies. E.g. allow scope x to all users in group z.
>>>
>>> For the time being (given that we needed to allow owners to grant directly access to a resource without using a permission ticket), we modified the existing "PUT" to allow the creation of a permission on a resource if the access token used is the one of the resource owner.
>>>
>>> Best,
>>> Federico
>>>
>>> On 11 May 2018 at 23:43, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> On 11 May 2018 at 18:04, Pedro Igor Silva wrote:
>>>>
>>>>> On Fri, May 11, 2018 at 10:19 AM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>>>>
>>>>>> Now the first question was how to "share" directly a resource with a user.
>>>>>>
>>>>>> Currently using the API, supposing I am user A and I want to access a resource Z from user B, we proceed as follows (i hope is the correct way? any correction or guidance will be appreciated):
>>>>>>
>>>>>> 1. We create a permission request on the API (to get the ticket). E.g. read resource x
>>>>>>
>>>>>> 2. We use the ticket to ask for a rtp token using a user token.
>>>>>>
>>>>>> curl --request POST \
>>>>>> --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token \
>>>>>> --header 'Authorization: Bearer xxx' \
>>>>>> --header 'Content-Type: application/x-www-form-urlencoded' \
>>>>>> --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&ticket=xxxx'
>>>>>>
>>>>>> If the user has already access, then he gets the rtp, if not he gets:
>>>>>>
>>>>>> {
>>>>>> "error": "access_denied",
>>>>>> "error_description": "request_submitted"
>>>>>> }
>>>>>>
>>>>>> Only in this moment the permission ticket i created at step 1 appears in the list of permissions. (I am not sure this is the intended behaviour though).
>>>>>
>>>>> Yeah, that is the expected behavior. But you can also use a request parameter to tell to the token endpoint that you don't want to submit an authorization request. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_aat.
>>>>>
>>>>>> Then it is up to the owner to authorise access (via API we can do that by updating the permission and set granted to true)
>>>>>>
>>>>>> Now let's suppose that I am the owner of the resource A, and I want to authorise directly (without the user asking access to the resource A) the user Z to access it. How can I do that? At the time being I could not figure it out.
>>>>>
>>>>> Similar to the update method, you can use the create method to create permissions. Is that what you are looking for ?
>>>>> See org.keycloak.testsuite.authz.PermissionManagementTest#testCreatePermissionTicketWithResourceName.
>>>>>
>>>>
>>>> from what i see in the code, permission are persisted only when we invoking the token api with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
>>>>
>>>> so in my understanding there is no way (assuming I am the owner of the resource) to store directly the permission (with grant=true), which would what could be the way a user could share directly his resources as it is now possible in the interface.
>>>>
>>>> am I wrong?
>>>>
>>>> i am lost... i see that in the code you refer to i see that you invoke the token api with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket you are setting the claim using the accessToken, but i don't see what this has to do with the ability of a resource owner to grant directly the access to a resource (i.e. creating a permission with grant = true)
>>>>
>>>> --
>>>> *Dr. FEDERICO MICHELE FACCA*
>>>> *Head of Martel Lab*
>>>> 0041 78 807 58 38
>>>> *Martel Innovate* - Professional support for innovation projects
>>>
>>
>

From Qiang.He at lombardrisk.com Mon May 14 13:13:23 2018
From: Qiang.He at lombardrisk.com (Qiang He)
Date: Mon, 14 May 2018 17:13:23 +0000
Subject: [keycloak-user] CatalinaSamlAuthenticator issue using keycloak saml eap6 adapter

Hi,

I have a problem using the JBoss EAP 6 SAML Adapter. I followed the configuration from the document.
However the browser is redirected between the IDP and my SP infinitely.

I researched by reading the source code and found that when CatalinaSamlAuthenticator creates a handler, it always creates BrowserHandler. And in BrowserHandler, it always handles by using a null samlRequest and a null samlResponse. This seems like a bug?

I also found the same question being asked one year ago in the mailing list, but without any reply: http://lists.jboss.org/pipermail/keycloak-user/2017-April/010477.html. In this mail, it suggested to comment out some code and it will work.

Can anyone more knowledgeable confirm this is a bug and it will be fixed in a future release of the SAML Adapter? I would rather wait for the release of the fix from Keycloak, rather than having to clone the source code and fix/customize it by myself, without clearly knowing the impact of changing the code.

Thanks a lot in advance.

QH

From federico.facca at martel-innovate.com Mon May 14 13:57:32 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Mon, 14 May 2018 19:57:32 +0200
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi,

I think it makes sense (I hope i understood at least what you mean :) )

As first steps, I could do the following if you agree:

1. Make a pull request that splits the permission ticket API from the "policy" api. I propose to use /uma-policy.
   Basically no change w.r.t. what is there now, except we expose a policy creation method in /uma-policy that can be used only by resource owners to share directly their policies.
   In future, the model and api can be extended to support "user policies" (in a constrained way of course) beyond "the ticket like" ones.

2. Make a pull request to have in the authorisation part so to combine under certain conditions UMA and normal policy evaluation.
   e.g.
   no ticket and no rpt = return evaluation from UMA policies (related to the user identified by the accessToken) + generic policies
   e.g. permission = return evaluation from UMA policies (related to the user identified by the accessToken and the resources in the permissions) + generic policies (applicable to resources and scopes included in the "permission" request and for the specific user)
   ticket based authorisation will not change.

The above would allow already to:
1. User A owning a resource B to share directly with User C, without User C asking.
2. User A to ask if he can access to a resource with Ticket or permission indifferently.

Later on, we can think how to generalise the "user" policies in something more generic than the ticket based ones (but I think this would be better to be discussed with some design document).
Ideally, while the encoding should be the same as the normal keycloak policies, the API should constrain the type of policies created and simplify the creation (allowing a single call to the API rather than multiple ones).
Still such policies should be probably stored separately (allowing for control only by users and not by admins). Evaluation will be always disjoint and result aggregated (result = Evaluation generic policies + Evaluation user policies).
Still it may be interesting to provide a mechanism (I have to understand how policy evaluation works currently) where if by default resource Type X can be accessible by anyone, the user can say no, this is now protected if instance of Type X is owned by me).

Federico

On 14 May 2018 at 19:05, Pedro Igor Silva wrote:

> I see now...
>
> We could solve your current issue by fixing the processing of entitlement requests to also consider permissions granted by a user via permission tickets. This is the easiest solution ...
>
> However, I think we would be still limiting users regarding the different policies they can use to protect their resources.
> For instance, today a permission granted directly by the user (and backed by a permission ticket approved by this same user) takes precedence over whatever policy you have defined to a resource.
>
> We could start using a policy (and not the ticket) to decide whether or not the user is granted access to someone else resource. In fact, it would make sense to use an Aggregated Policy to combine whatever policy the user has defined to rule access to a resource. The current implementation is using the ticket because users can only decide to share a resource or not, regardless of other conditions.
>
> The "/user-policy" endpoint you mentioned would be basically managing the "Aggregated Policy" associated with a specific resource by adding and removing whatever policy the user wants to define.
>
> Does it make sense for you?
>

--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* - Professional support for innovation projects

From rakesh.alladi at salesfusion.com Mon May 14 14:47:36 2018
From: rakesh.alladi at salesfusion.com (Rakesh Alladi)
Date: Mon, 14 May 2018 14:47:36 -0400
Subject: [keycloak-user] Ability to login Users from different buckets

Hi,

So far we have been working with KeyCloak and been able to set it up and run it successfully. We are able to set up the users and login and achieve SSO between our applications.

Now we need to actually find how to achieve the below scenario with Keycloak:

Our users can be part of multiple buckets, meaning multiple user records with the same email can exist within different buckets. So I might need something like BucketId in the User_Entity table in the Keycloak database and use it in the login page.

So,
1. While logging in a user would enter Username, Password, BucketId.
2. Keycloak should authenticate him by verifying the username and password against the provided BucketId.
I have searched for documentation but did not find anything related. Maybe I have missed it if it already exists.

Can anyone please let me know how to implement this.

Thanks

From john.lewis at geodis.com Mon May 14 14:52:52 2018
From: john.lewis at geodis.com (Lewis, John)
Date: Mon, 14 May 2018 18:52:52 +0000
Subject: [keycloak-user] Does Keycloak adhere to industry-standard recommendations for application designs OWASP?

Does Keycloak adhere to industry-standard recommendations for application designs (i.e. OWASP)? Is there a certification process in place?

From getankur86 at gmail.com Mon May 14 14:59:22 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Tue, 15 May 2018 00:29:22 +0530
Subject: [keycloak-user] Keycloak - Multi/2FA Factor - OTP - QR Code - Custom Login Screen - Rest API

Hi All,

I have *my own Login page where user enters username/password.* This username/password are used to login through the Keycloak Rest API.

http://localhost:8080/auth/realms/Demo/protocol/openid-connect/token
input - {username,password,grant_type,client_secret,client_id}

And in response i get an access token.

Now i wish to enable Authenticator (Google Authenticator). I have enabled it from the backend.

Now if a user wishes to login through my application, my login page, i need to get the below details.

1.)
Somehow i need to include the QR Code that appears on the keycloak login page post username/password validation to show on my login screen for the first time login once the user enters username/password. So do we have any API which returns the Keycloak QR code image in response.

2.) Subsequent login i will have an OTP field, so need a REST api to pass OTP along with username/password.

Please help with REST API if keycloak has any. Integrating through Javascript. Similar flow as described in use case 1 here

Just want to use keycloak as a database, doing all operation for me, input will be my screen. I do want redirection of URL's while login in and yet should be standalone deployed.

https://stackoverflow.com/questions/50319327/keycloak-multi-2fa-factor-otp-qr-code-custom-login-screen-rest-api

Thanks
Ankur

From psilva at redhat.com Mon May 14 15:36:48 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 14 May 2018 16:36:48 -0300
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

On Mon, May 14, 2018 at 2:57 PM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:

> Hi,
>
> I think it makes sense (I hope i understood at least what you mean :) )
>
> As first steps, I could do the following if you agree:
>
> 1. Make a pull request that splits the permission ticket API from the "policy" api. I propose to use /uma-policy.
>    Basically no change w.r.t. what is there now, except we expose a policy creation method in /uma-policy that can be used only by resource owners to share directly their policies.
>    In future, the model and api can be extended to support "user policies" (in a constrained way of course) beyond "the ticket like" ones.
>

What if we just change HTTP POST to /permission to persist tickets where this operation is only allowed if the owner is making the request (like you said)? We could add both "requester" and "grant" properties to PermissionRequest.
If grant is marked as true we persist the ticket.

> 2. Make a pull request to have in the authorisation part so to combine under certain conditions UMA and normal policy evaluation.
>    e.g. no ticket and no rpt = return evaluation from UMA policies (related to the user identified by the accessToken) + generic policies
>    e.g. permission = return evaluation from UMA policies (related to the user identified by the accessToken and the resources in the permissions) + generic policies (applicable to resources and scopes included in the "permission" request and for the specific user)
>    ticket based authorisation will not change.
>

+1. The change should be quite trivial.

> The above would allow already to:
> 1. User A owning a resource B to share directly with User C, without User C asking.
> 2. User A to ask if he can access to a resource with Ticket or permission indifferently.
>
> Later on, we can think how to generalise the "user" policies in something more generic than the ticket based ones (but I think this would be better to be discussed with some design document).
> Ideally, while the encoding should be the same as the normal keycloak policies, the API should constrain the type of policies created and simplify the creation (allowing a single call to the API rather than multiple ones).
> Still such policies should be probably stored separately (allowing for control only by users and not by admins). Evaluation will be always disjoint and result aggregated (result = Evaluation generic policies + Evaluation user policies).
> Still it may be interesting to provide a mechanism (I have to understand how policy evaluation works currently) where if by default resource Type X can be accessible by anyone, the user can say no, this is now protected if instance of Type X is owned by me).
>

I played with this a bit and the changes should be quite trivial. Basically, every time a ticket is marked as "granted" we create an aggregated policy.
Then we add to this policy a user policy that grants access to the requester. Once this is set, the policy evaluation engine will treat UMA permissions just like any other policy associated with the resource. The difference is that decisions taken from a UMA policy (now an aggregated policy) take precedence over any other policy associated with the resource.

When access is revoked by removing a ticket, we also remove the aggregated policy.

The nice thing about this is that we could use the "/uma-policy" (or whatever name we decide for this) to allow users to manage policies associated with a resource (add users, time, group, etc). Instead of what we have today that always grants access to a requester if there is a ticket granted by the owner (good for now but limited if we think about more complex use cases).

The user could configure if they want all policies to evaluate to a PERMIT or just one of them, etc, etc.

Maybe an endpoint like this "/permission/{resource_id}/policy".

Btw, won't ask you to move this discussion to keycloak-dev :) Sorry for that.

> Federico
>
> On 14 May 2018 at 19:05, Pedro Igor Silva wrote:
>
>> I see now...
>>
>> We could solve your current issue by fixing the processing of entitlement requests to also consider permissions granted by a user via permission tickets. This is the easiest solution ...
>>
>> However, I think we would be still limiting users regarding the different policies they can use to protect their resources. For instance, today a permission granted directly by the user (and backed by a permission ticket approved by this same user) takes precedence over whatever policy you have defined to a resource.
>>
>> We could start using a policy (and not the ticket) to decide whether or not the user is granted access to someone else resource. In fact, it would make sense to use an Aggregated Policy to combine whatever policy the user has defined to rule access to a resource.
>> The current implementation is using the ticket because users can only decide to share a resource or not, regardless of other conditions.
>>
>> The "/user-policy" endpoint you mentioned would be basically managing the "Aggregated Policy" associated with a specific resource by adding and removing whatever policy the user wants to define.
>>
>> Does it make sense for you?
>>
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* - Professional support for innovation projects
>

From federico.facca at martel-innovate.com Mon May 14 16:15:33 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Mon, 14 May 2018 22:15:33 +0200
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

Hi,

On 14 May 2018 at 21:36, Pedro Igor Silva wrote:

> On Mon, May 14, 2018 at 2:57 PM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>
>> 1. Make a pull request that splits the permission ticket API from the "policy" api. I propose to use /uma-policy.
>>    Basically no change w.r.t. what is there now, except we expose a policy creation method in /uma-policy that can be used only by resource owners to share directly their policies.
>>    In future, the model and api can be extended to support "user policies" (in a constrained way of course) beyond "the ticket like" ones.
>>
>
> What if we just change HTTP POST to /permission to persist tickets where this operation is only allowed if the owner is making the request (like you said)? We could add both "requester" and "grant" properties to PermissionRequest. If grant is marked as true we persist the ticket.
>

i think that in the end this is not going to be "clean" because:
a) to extend to "real" policies we will need anyhow to have the /uma-policy endpoint
b) in my understanding, according to the standard, /permissions is only to create tickets (you cannot manage them)
c) we are going to embed more and more information in the ticket that is not part of the standard (requester and grant)

d) :P i almost have a pull request to split the end point (tests are running locally, for the time being as regards the authz client, i deprecated the old methods, but they are still supported (i changed the endpoint)

>> 2. Make a pull request to have in the authorisation part so to combine under certain conditions UMA and normal policy evaluation.
>>    e.g. no ticket and no rpt = return evaluation from UMA policies (related to the user identified by the accessToken) + generic policies
>>    e.g. permission = return evaluation from UMA policies (related to the user identified by the accessToken and the resources in the permissions) + generic policies (applicable to resources and scopes included in the "permission" request and for the specific user)
>>    ticket based authorisation will not change.
>>
>
> +1. The change should be quite trivial.
>
>> The above would allow already to:
>> 1. User A owning a resource B to share directly with User C, without User C asking.
>> 2. User A to ask if he can access to a resource with Ticket or permission indifferently.
>>
>> Later on, we can think how to generalise the "user" policies in something more generic than the ticket based ones (but I think this would be better to be discussed with some design document).
>> Ideally, while the encoding should be the same as the normal keycloak policies, the API should constrain the type of policies created and simplify the creation (allowing a single call to the API rather than multiple ones).
>> Still such policies should be probably stored separately (allowing for control only by users and not by admins). Evaluation will be always disjoint and result aggregated (result = Evaluation generic policies + Evaluation user policies).
>> Still it may be interesting to provide a mechanism (I have to understand how policy evaluation works currently) where if by default resource Type X can be accessible by anyone, the user can say no, this is now protected if instance of Type X is owned by me).
>>
>
> I played with this a bit and the changes should be quite trivial. Basically, every time a ticket is marked as "granted" we create an aggregated policy. Then we add to this policy a user policy that grants access to the requester. Once this is set, the policy evaluation engine will treat UMA permissions just like any other policy associated with the resource. The difference is that decisions taken from a UMA policy (now an aggregated policy) take precedence over any other policy associated with the resource.
>

you surely know the code better than me :) i started looking into it last thursday xD

> When access is revoked by removing a ticket, we also remove the aggregated policy.
>
> The nice thing about this is that we could use the "/uma-policy" (or whatever name we decide for this) to allow users to manage policies associated with a resource (add users, time, group, etc). Instead of what we have today that always grants access to a requester if there is a ticket granted by the owner (good for now but limited if we think about more complex use cases).
>

looks nice, the thing is "how" to define resource from the user perspective then without conflicting with the "global" definition of resource. e.g. admin creates a default resource that maps to a generic endpoint /resource/{id} and defines default policies. would the user be able to define his own policies for all the resources he will own that match the pattern /resource/{id} ?
i suppose this in the end means creating "a new policy" with path /resource/{id} that is specific to the user and where he can attach his policies and that is evaluated only for resources owned by him. maybe too complex at this point :)

> The user could configure if they want all policies to evaluate to a PERMIT or just one of them, etc, etc.
>
> Maybe an endpoint like this "/permission/{resource_id}/policy".
>
> Btw, won't ask you to move this discussion to keycloak-dev :) Sorry for that.
>

--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* - Professional support for innovation projects

From psilva at redhat.com Mon May 14 17:11:26 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 14 May 2018 18:11:26 -0300
Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API

On Mon, May 14, 2018 at 5:15 PM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:

> Hi,
>
> On 14 May 2018 at 21:36, Pedro Igor Silva wrote:
>
>> On Mon, May 14, 2018 at 2:57 PM, Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>>
>>> 1. Make a pull request that splits the permission ticket API from the "policy" api. I propose to use /uma-policy.
>>>    Basically no change w.r.t. what is there now, except we expose a policy creation method in /uma-policy that can be used only by resource owners to share directly their policies.
>>>    In future, the model and api can be extended to support "user policies" (in a constrained way of course) beyond "the ticket like" ones.
>>>
>>
>> What if we just change HTTP POST to /permission to persist tickets where this operation is only allowed if the owner is making the request (like you said)? We could add both "requester" and "grant" properties to PermissionRequest.
If grant is marked as true we persist the ticket. >> > > i think that in the end this is not going to be "clean" because: > a) to extend to "real" policies we will need anyhow to have the > /uma-policy endpoint > b) in my understanding, according to the standard, /permissions is only > to create tickets (you cannot manage them) > c) we are going to embed more and more information in the ticket that is > not part of the standard (requester and grant) > > d) :P i almost have a pull request to split the end point (tests are > running locally, for the time being as regards the authz client, i > deprecated the old methods, but they are still supported (i changed the > endpoint) > OK, let's see what you have. It will be nice to get a better picture on what you are proposing. I don't see any issue in extending the spec and supporting those additional methods to /permissions (as long as we support what is defined in the spec). > > >> >> >>> >>> 2. Make a pull request to have in the authorisation part so to combine >>> under certain conditions UMA and normal policy evaluation. >>> e.g. no ticket and no rpt = return evaluation from UMA policies >>> (related to the user identified by the accessToken) + generic policies >>> e.g. permission = return evaluation from UMA policies (related to >>> the user identified by the accessToken and the resources in the >>> permissions) + generic policies (applicable to resources and scopes >>> included in the "permission" request and for the specific user) >>> ticket based authorisation will not change. >>> >> >> +1. The change should be quite trivial. >> >> >>> >>> The above would allow already to: >>> 1. User A owning a resource B to share directly with User C, without >>> User C asking. >>> 2. User A to ask if he can access a resource with Ticket or >>> permission indifferently.
>>> >>> Later on, we can think how to generalise the "user" policies in >>> something more generic than the ticket based ones (but I think this would >>> be better to be discussed with some design document). >>> Ideally, while the encoding should be the same as the normal keycloak >>> policies, the API should constrain the type of policies created and >>> simplify the creation (allowing a single call to the API rather than >>> multiple ones). >>> Still such policies should be probably stored separately (allowing for >>> control only by users and not by admins). Evaluation will be always >>> disjoint and result aggregated (result = Evaluation generic policies + >>> Evaluation user policies). >>> Still it may be interesting to provide a mechanism (I have to understand >>> how policy evaluation works currently) where if by default resource Type X >>> can be accessible by anyone, the user can say no, this is now protected if >>> instance of Type X is owned by me). >>> >> >> I played with this a bit and the changes should be quite trivial. >> Basically, every time a ticket is marked as "granted" we create an aggregated >> policy. Then we add to this policy a user policy that grants access to the >> requester. Once this is set, the policy evaluation engine will treat UMA >> permissions just like any other policy associated with the resource. The >> difference is that decisions taken from a UMA policy (now an aggregated >> policy) take precedence over any other policy associated with the resource. >> >> > you surely know the code better than me :) i started looking into it last > thursday xD > > >> When access is revoked by removing a ticket, we also remove the >> aggregated policy. >> >> The nice thing about this is that we could use the "/uma-policy" (or >> whatever name we decide for this) to allow users to manage policies >> associated with a resource (add users, time, group, etc).
Instead of what >> we have today that always grants access to a requester if there is a ticket >> granted by the owner (good for now but limited if we think about more >> complex use cases). >> > > looks nice, thing is "how" to define resource from the user perspective > then without conflicting with "global" definition of resource. > e.g. admin creates a default resource that maps to a generic endpoint > /resource/{id} and defines default policies. > would the user be able to define his own policies for all the resources he > will own that match the pattern /resource/{id} ? > i suppose this in the end means creating "a new policy" with path > /resource/{id} that is specific to the user and where > he can attach his policies and that is evaluated only for resources owned > by him. > In fact, if I understood correctly what you said, we already have support for that. If you have a typed resource (/resource/{id} and type foo) associated with some default permissions/policies you can override permissions when evaluating them for a resource with the same type that belongs to the user (/resource/1 and type foo). > > maybe too complex at this point :) > > >> >> The user could configure if they want all policies to evaluate to a >> PERMIT or just one of them, etc, etc. >> >> Maybe an endpoint like this "/permission/{resource_id}/policy". >> >> Btw, won't ask you to move this discussion to keycloak-dev :) Sorry for >> that. >> >> > > -- > *Dr. FEDERICO MICHELE FACCA* > *Head of Martel Lab* > 0041 78 807 58 38 > *Martel Innovate* - Professional > support for innovation projects > Click to download our innovators' insights!
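The evaluation rules discussed in the exchange above (admin-defined generic policies for a typed resource, owner-created UMA policies evaluated separately and taking precedence, an owner saying "no" for an instance of a type that is open by default, and a pending ticket that grants nothing until it is marked granted) are easy to misread in prose. The following Python model is an added illustration of those rules, not Keycloak's policy engine and not code from anyone in this thread. The field names follow the policy structure proposed later in the thread (subject, subjectType, resource, resourceType, scopes, owner, active, positive); the `any` subject type, the owner short-circuit and every resource and policy in the sample data are assumptions constructed for the example.

```python
"""Toy model of the UMA / generic policy evaluation semantics discussed here.

Not Keycloak code: it only encodes the rules described in the thread so they
can be exercised on constructed data. The "any" subject type, the owner
short-circuit and all sample resources/policies are assumptions of this model.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    id: str
    type: str
    owner: str


@dataclass(frozen=True)
class Policy:
    subject: str
    subject_type: str                    # "user" | "group" | "role" | "client" | "any"
    scopes: FrozenSet[str]
    resource: Optional[str] = None       # a specific resource id ...
    resource_type: Optional[str] = None  # ... or any resource of this type
    owner: Optional[str] = None          # None = admin-defined generic policy
    active: bool = True                  # False = pending ticket, not yet granted
    positive: bool = True                # False = explicit deny


@dataclass(frozen=True)
class Requester:
    user: str
    groups: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()
    client: str = ""


def _matches_subject(p: Policy, req: Requester) -> bool:
    checks = {
        "any": True,
        "user": p.subject == req.user,
        "group": p.subject in req.groups,
        "role": p.subject in req.roles,
        "client": p.subject == req.client,
    }
    return checks.get(p.subject_type, False)


def _applies_to(p: Policy, res: Resource) -> bool:
    # An owner-created policy is scoped to that owner's own resources, so a
    # user cannot widen access to a resource that belongs to someone else.
    if p.owner is not None and p.owner != res.owner:
        return False
    if p.resource is not None:
        return p.resource == res.id
    return p.resource_type == res.type


def _decide(matching: Iterable[Policy]) -> Optional[bool]:
    matching = list(matching)
    if not matching:
        return None                      # nothing to say; caller falls through
    return all(p.positive for p in matching)   # one explicit deny wins


def evaluate(policies: List[Policy], res: Resource, req: Requester,
             scope: str) -> Tuple[bool, str]:
    """Return (granted, which layer decided)."""
    if req.user == res.owner:
        return True, "owner"
    candidates = [p for p in policies
                  if p.active and scope in p.scopes
                  and _applies_to(p, res) and _matches_subject(p, req)]
    # Owner-defined (UMA) policies are evaluated first and take precedence.
    user_decision = _decide(p for p in candidates if p.owner is not None)
    if user_decision is not None:
        return user_decision, "user-policy"
    # Otherwise the admin's generic policies for the typed resource apply.
    generic_decision = _decide(p for p in candidates if p.owner is None)
    if generic_decision is not None:
        return generic_decision, "generic-policy"
    return False, "no-policy"


# Constructed sample data for the scenario in the thread.
ALBUM_1 = Resource("/resource/1", "album", "alice")
DOC_2 = Resource("/resource/2", "document", "alice")
POLICIES = [
    # admin: every album is readable by anyone by default
    Policy("*", "any", frozenset({"read"}), resource_type="album"),
    # alice overrides the default for her own album: carol may not read it
    Policy("carol", "user", frozenset({"read"}), resource="/resource/1",
           owner="alice", positive=False),
    # alice shares read+write on any album she owns with bob
    Policy("bob", "user", frozenset({"read", "write"}), resource_type="album",
           owner="alice"),
    # dave asked for /resource/2 but alice has not granted the ticket yet
    Policy("dave", "user", frozenset({"read"}), resource="/resource/2",
           owner="alice", active=False),
]

if __name__ == "__main__":
    for who, res, scope in [("bob", ALBUM_1, "write"), ("carol", ALBUM_1, "read"),
                            ("erin", ALBUM_1, "read"), ("dave", DOC_2, "read")]:
        print(who, res.id, scope, evaluate(POLICIES, res, Requester(who), scope))
```

The `_applies_to` check is the part worth keeping in mind from a security angle: a user-created policy must never match a resource the user does not own, otherwise the "share my resource" endpoint becomes a way to grant oneself access to everyone else's resources.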
From federico at info.nl Tue May 15 04:25:21 2018 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Tue, 15 May 2018 08:25:21 +0000 Subject: [keycloak-user] Upgrading Keycloak and Infinispan conflict Message-ID: <075E9E0E-D289-466E-99A8-2C479AF69C23@info.nl>

Hi, We are upgrading our Keycloak environment to the latest stable version, and we've found out a problem with Infinispan. Our setup is a standalone-ha with distributed cache. Apparently, there were breaking changes when going from Keycloak 3.1.0 to 3.2.0, since some classes and enums were removed from codebase. Those entities are still cached by Infinispan, so after upgrading Keycloak, on restart, a big amount of ClassNotFoundException or IllegalArgumentException due to these changes. Is there any way to cleanly transition without clearing the caches? Kind regards, Federico Navarro backend developer federico at info.nl | LinkedIn | - info.nl Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From valsarajpv at gmail.com Tue May 15 04:37:56 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 15 May 2018 14:07:56 +0530 Subject: [keycloak-user] How to get user details Message-ID:

Hi, User redirected to Keycloak & after successful login user redirected back to application. Now there is no user information stored on application side. Earlier it was in LDAP & we fetch user details from LDAP. Now how to get user details in Keycloak based login scenario? Please share if any useful links. Thanks, Valsaraj Viswanathan

From pulgupta at redhat.com Tue May 15 05:38:09 2018 From: pulgupta at redhat.com (Pulkit Gupta) Date: Tue, 15 May 2018 15:08:09 +0530 Subject: [keycloak-user] UTF-8 character set support for user name and other fields / attributes In-Reply-To: References: Message-ID:

Hi Upananda, Were you able to solve this?
I am also getting this but it seems this is related to something else when the code is reused and is sent twice to the server. Regards, Pulkit On Tue, Mar 27, 2018 at 1:13 PM, Upananda Singha wrote: > Hi, > > I am working with the Keycloak OIDC feature, and needed some clarification > regarding the character set it supports: > > 1. I have a requirement to use utf-8 characters (multi byte) in the > Username field > which seems to work fine while setting the user name and I can login to > Keycloak. > > But it seems there are other related issues while generating / encoding the > tokens. > Sometimes (some characters) it works fine but for some multibyte characters > it throws > > { > "error": "invalid_grant", > "error_description": "Code not valid" > } > > while trying to get the Tokens using the authorization code. > > Can someone tell me if Keycloak actually supports utf-8 character set in > Username and other fields and also in Custom user attributes? > > It would be of great help if anybody can share some information. > > Thanks, > > Upananda, > Motorola Solutions > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- PULKIT GUPTA SENIOR SOFTWARE APPLICATIONS ENGINEER Red Hat IN IT GBD Pune - India pulgupta at redhat.com T: +91-2066817536 IM: pulgupta https://bluejeans.com/pulgupta

From dev.spike.j at gmail.com Tue May 15 07:02:58 2018 From: dev.spike.j at gmail.com (Spike J) Date: Tue, 15 May 2018 13:02:58 +0200 Subject: [keycloak-user] Keycloak extension with admin-client Message-ID:

Hi everyone, we try to build an additional keycloak REST endpoint that should use the admin client.
Therefore in my code I copied the example from keycloak github and added:

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

Keycloak kc = KeycloakBuilder.builder()
        .serverUrl("https://localhost:8080/auth")
        .realm("master")
        .username("admin")
        .password("admin")
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(5).build())
        .build();

When I put my jar into standalone/deployments first it does not find KeycloakBuilder. So I had to deploy keycloak-admin-client-4.0.0.Beta3.jar as a module manually. In "/opt/jboss/keycloak/modules/system/layers/keycloak/org/keycloak" there seem to be lots of modules but keycloak-admin-client is missing. After manually deploying the keycloak-admin-client as a module, I added a jboss-deployment-structure.xml to my extension with: When I hot-deploy my REST extension now I get

09:53:29,655 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader

By the way, the same error returns when I go the long way and build a module.xml and deploy my extension with the standalone.xml Any suggestions how to solve that? Thanks and kind regards Spike

From valsarajpv at gmail.com Tue May 15 07:14:38 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 15 May 2018 16:44:38 +0530 Subject: [keycloak-user] NoClassDefFoundError: org/keycloak/KeycloakPrincipal Message-ID:

Hi, I am getting following exception while deploying ear in WildFly 10. Adapter is installed so no jars included in ear & no dependencies set.
> Caused by: java.lang.NoClassDefFoundError: org/keycloak/KeycloakPrincipal > > Caused by: java.lang.ClassNotFoundException: >> org.keycloak.KeycloakPrincipal from [Module >> \"deployment.app.ear.appEJB.jar:main\" from Service Module Loader]"}, > > "WFLYCTL0412: Required services that are not installed:" => [ > > "jboss.undertow.deployment.default-server.default-host./App", > > >> "org.camunda.bpm.platform.process-application-module.\"deployment.app.ear.appWEB.war:main\".NO_VIEW" > > ] > > > Please let me know if U need to include core jar or set the subsystem dependencies. I saw in one comment that there is no need to set them explicitly. Please advise. Thanks, Valsaraj Viswanathan

From valsarajpv at gmail.com Tue May 15 07:54:58 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 15 May 2018 17:24:58 +0530 Subject: [keycloak-user] NoClassDefFoundError: org/keycloak/KeycloakPrincipal In-Reply-To: References: Message-ID:

This issue comes only for classes in appEJB.jar. The classes in appWEB.war have no dependency issue. Here is my subsystem conf: > > > > > demo > > app > > >> true > > true > > http://localhost:8180/auth >> > > EXTERNAL > > >> preferred_username > > > > > > Is there any other way to configure ear deployment in subsystem so that ejb.jar also gets Keycloak libraries implicitly? Thanks! On Tue, May 15, 2018 at 4:44 PM, valsaraj pv wrote: > Hi, > > I am getting following exception while deploying ear in WildFly 10. > Adapter is installed so no jars included in ear & no dependencies set.
> >> Caused by: java.lang.NoClassDefFoundError: org/keycloak/KeycloakPrincipal >> >> Caused by: java.lang.ClassNotFoundException: >>> org.keycloak.KeycloakPrincipal from [Module \"deployment.app.ear.appEJB.jar:main\" >>> from Service Module Loader]"}, >> >> "WFLYCTL0412: Required services that are not installed:" => [ >> >> "jboss.undertow.deployment.default-server.default-host./App", >> >> "org.camunda.bpm.platform.process-application-module.\" >>> deployment.app.ear.appWEB.war:main\".NO_VIEW" >> >> ] >> >> >> > Please let me know if U need to include core jar or set the subsystem > dependencies. I saw in one comment that there is no need to set them > explicitly. > Please advise. > > Thanks, > Valsaraj Viswanathan > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan

From uo67113 at gmail.com Tue May 15 07:58:15 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Tue, 15 May 2018 13:58:15 +0200 Subject: [keycloak-user] NoClassDefFoundError: org/keycloak/KeycloakPrincipal In-Reply-To: References: Message-ID:

Hi Valsaraj, Below works for me on apache-tomcat 9.0.5 with the servlet filter adapter:

keycloak-tomcat-adapter-spi-3.4.3.Fiinal.jar
keycloak-servlet-adapter-spi-3.4.3.Final.jar
keycloak-saml-tomcat8-adapter-3.4.3.Final.jar
keycloak-saml-tomcat-adapter-core-3.4.3.Final.jar
keycloak-saml-core-public-3.4.3.Final.jar
keycloak-saml-core-3.4.3.Final.jar
keycloak-saml-adapter-core-3.4.3.Final.jar
keycloak-saml-adapter-api-public-3.4.3.Final.jar
keycloak-common-3.4.3.Final.jar
keycloak-adapter-spi-3.4.3.Final.jar

Yes, most probably you will need core.jar for your adapter too Hope it helps, Luis 2018-05-15 13:14 GMT+02:00 valsaraj pv : > Hi, > > I am getting following exception while deploying ear in WildFly 10. Adapter > is installed so no jars included in ear & no dependencies set.
> > > Caused by: java.lang.NoClassDefFoundError: > org/keycloak/KeycloakPrincipal > > > > Caused by: java.lang.ClassNotFoundException: > >> org.keycloak.KeycloakPrincipal from [Module > >> \"deployment.app.ear.appEJB.jar:main\" from Service Module Loader]"}, > > > > "WFLYCTL0412: Required services that are not installed:" => [ > > > > "jboss.undertow.deployment.default-server.default-host./ > App", > > > > > >> "org.camunda.bpm.platform.process-application-module.\" > deployment.app.ear.appWEB.war:main\".NO_VIEW" > > > > ] > > > > > > > Please let me know if U need to include core jar or set the subsystem > dependencies. I saw in one comment that there is no need to set them > explicitly. > Please advise. > > Thanks, > Valsaraj Viswanathan > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From valsarajpv at gmail.com Tue May 15 08:45:05 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 15 May 2018 18:15:05 +0530 Subject: [keycloak-user] NoClassDefFoundError: org/keycloak/KeycloakPrincipal In-Reply-To: References: Message-ID:

Hi Luis, I am using wildfly adapter and no keycloak jar will be bundled in ear. Ear contains web.war and ejb.jar. The classes in web and ejb modules refer to the Keycloak API class. Issue is only for ejb.jar module. For web module the Keycloak adapter provides required jar. > demo app true mappings> true http://localhost:8180/auth server-url> EXTERNAL preferred_username attribute> I wonder whether I should modify this conf in WildFly so that the Keycloak adapter modules will be available for both web & ejb modules in ear. In samples I see only war config for war file. How to configure ear files? Thanks!
On Tue, May 15, 2018 at 5:28 PM, Luis Rodríguez Fernández wrote: > Hi Valsaraj, > > Below works for me on apache-tomcat 9.0.5 with the servlet filter adapter: > > keycloak-tomcat-adapter-spi-3.4.3.Fiinal.jar > keycloak-servlet-adapter-spi-3.4.3.Final.jar > keycloak-saml-tomcat8-adapter-3.4.3.Final.jar > keycloak-saml-tomcat-adapter-core-3.4.3.Final.jar > keycloak-saml-core-public-3.4.3.Final.jar > keycloak-saml-core-3.4.3.Final.jar > keycloak-saml-adapter-core-3.4.3.Final.jar > keycloak-saml-adapter-api-public-3.4.3.Final.jar > keycloak-common-3.4.3.Final.jar > keycloak-adapter-spi-3.4.3.Final.jar > > Yes, most probably you will need core.jar for your adapter too > > Hope it helps, > > Luis > > > > > > > > > > 2018-05-15 13:14 GMT+02:00 valsaraj pv : > > > Hi, > > > > I am getting following exception while deploying ear in WildFly 10. > Adapter > > is installed so no jars included in ear & no dependencies set. > > > > > Caused by: java.lang.NoClassDefFoundError: > > org/keycloak/KeycloakPrincipal > > > > > > Caused by: java.lang.ClassNotFoundException: > > >> org.keycloak.KeycloakPrincipal from [Module > > >> \"deployment.app.ear.appEJB.jar:main\" from Service Module Loader]"}, > > > > > > "WFLYCTL0412: Required services that are not installed:" => [ > > > > > > "jboss.undertow.deployment.default-server.default-host./ > > App", > > > > > > > > >> "org.camunda.bpm.platform.process-application-module.\" > > deployment.app.ear.appWEB.war:main\".NO_VIEW" > > > > > > ] > > > > > > > > > > > Please let me know if U need to include core jar or set the subsystem > > dependencies. I saw in one comment that there is no need to set them > > explicitly. > > Please advise. > > > > Thanks, > > Valsaraj Viswanathan > > > > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again.
Fail better." > > - Samuel Beckett > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan

From federico.facca at martel-innovate.com Tue May 15 09:09:05 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Tue, 15 May 2018 15:09:05 +0200 Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API In-Reply-To: References: Message-ID:

hi, On 14 May 2018 at 23:11, Pedro Igor Silva wrote: > > > On Mon, May 14, 2018 at 5:15 PM, Federico Michele Facca < > federico.facca at martel-innovate.com> wrote: > >> Hi, >> >> On 14 May 2018 at 21:36, Pedro Igor Silva wrote: >> >>> >>> >>> On Mon, May 14, 2018 at 2:57 PM, Federico Michele Facca < >>> federico.facca at martel-innovate.com> wrote: >>>> >>>> >>>> OK, let's see what you have. It will be nice to get a better picture on > what you are proposing. I don't see any issue in extending the spec and > supporting those additional methods to /permissions (as long as we support > what is defined in the spec). > i made the pull request for splitting the ticket creation from the ticket management. this was the /permission api stays fully compliant with the standard spec. we will have "/uma-policy" we may not need anymore the ticket management, but that requires a bit of work on the specs, since i think the api need to be simple and not requiring many different calls as it is in the admin api (thus hiding the complexity to the user, while keeping the same internal re-presentation).
the policy structure could be something like:

{
  subject: "xxx", (id linked to a subjectType)
  subjectType: "xxx" (a user, a group, a role, a client)
  resource: "xxx",
  resourceType: "xxx",
  scopes: [ "xxx", "xxx" ],
  "owner": "xxx" (creator of the policy)
  "active": true (or false),
  "positive": true (or false)
}

so he can express things as:
- share with scope read resource A to user X
- share with scope read resource A to group X
- share with scope read resource A to client X
- share with scope read resource A to role X
- share with scope read any resource of type Z (owned by me) to user X

and so on. current ticket could be then translated to "share with scope read resource A to user X" with active = false and we would not need "ticket management". my current code knowledge is not good enough to evaluate if the above can be done leveraging on the current "policy store" and if it allows to filter policies by owner (so that admin should not be able to see / edit them in the current list of client policies). should we have a google doc to discuss this? today i am gonna work on 2: >>> >>>> >>>> 2. Make a pull request to have in the authorisation part so to combine >>>> under certain conditions UMA and normal policy evaluation. >>>> e.g. no ticket and no rpt = return evaluation from UMA policies >>>> (related to the user identified by the accessToken) + generic policies >>>> e.g. permission = return evaluation from UMA policies (related to >>>> the user identified by the accessToken and the resources in the >>>> permissions) + generic policies (applicable to resources and scopes >>>> included in the "permission" request and for the specific user) >>>> ticket based authorisation will not change. >>>> >>> >>> +1. The change should be quite trivial. >>> >>> >> federico > >> -- >> *Dr. FEDERICO MICHELE FACCA* >> *Head of Martel Lab* >> 0041 78 807 58 38 >> *Martel Innovate* - Professional >> support for innovation projects >> Click to download our innovators' insights!
>> >> Follow Us on Twitter >> > > -- *Dr. FEDERICO MICHELE FACCA* *Head of Martel Lab* 0041 78 807 58 38 *Martel Innovate* - Professional support for innovation projects Click to download our innovators' insights! Follow Us on Twitter From psilva at redhat.com Tue May 15 10:06:11 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 15 May 2018 11:06:11 -0300 Subject: [keycloak-user] [keycloak-dev] How to share a resource with a user via UMA 2.0 API In-Reply-To: References: Message-ID: On Tue, May 15, 2018 at 10:09 AM, Federico Michele Facca < federico.facca at martel-innovate.com> wrote: > hi, > > On 14 May 2018 at 23:11, Pedro Igor Silva wrote: > >> >> >> On Mon, May 14, 2018 at 5:15 PM, Federico Michele Facca < >> federico.facca at martel-innovate.com> wrote: >> >>> Hi, >>> >>> On 14 May 2018 at 21:36, Pedro Igor Silva wrote: >>> >>>> >>>> >>>> On Mon, May 14, 2018 at 2:57 PM, Federico Michele Facca < >>>> federico.facca at martel-innovate.com> wrote: >>>>> >>>>> >>>>> OK, let`s see what you have. It will be nice to get a better picture >> on what you are proposing. I don't see any issue in extending the spec and >> supporting those additional methods to /permissions (as long as we support >> what is defined in the spec). >> > > > i made the pull request for splitting the ticket creation from the ticket > management. this was the /permission api stays fully compliant with the > standard spec. > Nice ! Will take a look at it. > > we will have "/uma-policy" we may not need anymore the ticket management, > but that requires a bit of work on the specs, since i think the api need to > be simple > and not requiring many different calls as it is in the admin api (thus > hiding the complexity to the user, while keeping the same internal > re-presentation). 
> > the policy structure could be something like: > > { > subject: "xxx", (id linked to a subjectType) > subjectType: "xxx" (a user, a group, a role, a client) > resource: "xxx", > resourceType: "xxx", > scopes: [ > "xxx", > "xxx" > ], > "owner": "xxx" (creator of the policy) > "active": true (or false), > "positive": true (or false) > } > > so he can express things as: > - share with scope read resource A to user X > - share with scope read resource A to group X > - share with scope read resource A to client X > - share with scope read resource A to role X > - share with scope read any resource of type Z (owned by me) to user X > I like the idea and that should be possible as we can easily map this structure to any policy representation. That would work for role,user,group and client policies. But not sure how to represent other types of policies such as time-based, JS or drools. > > and so on. > > current ticket could be then translated to "share with scope read > resource A to user X" with active = false and we would not need "ticket > management". > my current code knowledge is not good enough to evaluate if the above can > be done leveraging on the current "policy store" and it allow to > filter policies by owner (so that admin should not be able to see / edit > them in the current list of client policies). > Policies do not have an owner, but I don't think we should hide such policies to admins. > > should we have a google doc to discuss this? > +1. I've created https://issues.jboss.org/browse/KEYCLOAK-7353. We can link a document there. > > today i am gonna work on 2: > > > >>>> >>>>> >>>>> 2. Make a pull request to have in the authorisation part so to combine >>>>> under certain conditions UMA and normal policy evaluation. >>>>> e.g. no ticket and no rpt = return evaluation from UMA policies >>>>> (related to the user identified by the accessToken) + generic policies >>>>> e.g. 
permission = return evaluation from UMA policies (related to >>>>> the user identified by the accessToken and the resources in the >>>>> permissions) + generic policies (applicable to resources and scopes >>>>> included in the "permission" request and for the specific user) >>>>> ticket based authorisation will not change. >>>>> >>>> >>>> +1. The change should be quite trivial. >>>> >>>> >>> > federico > > >> >>> -- >>> *Dr. FEDERICO MICHELE FACCA* >>> *Head of Martel Lab* >>> 0041 78 807 58 38 >>> *Martel Innovate* - Professional >>> support for innovation projects >>> Click to download our innovators' insights! >>> >>> Follow Us on Twitter >>> >> >> > > > -- > *Dr. FEDERICO MICHELE FACCA* > *Head of Martel Lab* > 0041 78 807 58 38 > *Martel Innovate* - Professional > support for innovation projects > Click to download our innovators' insights! > > Follow Us on Twitter >

From daicy_duarte00 at hotmail.com Tue May 15 11:09:47 2018 From: daicy_duarte00 at hotmail.com (Daicy Duarte) Date: Tue, 15 May 2018 15:09:47 +0000 Subject: [keycloak-user] Send information about the authenticator type into the OpenID Connect token Message-ID:

Hi, I need to send inside the openID Connect token information about the authenticator type that the user has used to log in. I have seen that in Clients -> Mappers it is possible to add some fields that you want to send inside the openid connect token, but not the authenticator type that was used, for example the custom authenticator "secret-question". Best regards, --- Daicy

From sinsn_619 at abv.bg Tue May 15 12:46:00 2018 From: sinsn_619 at abv.bg (Pedro Pedro) Date: Tue, 15 May 2018 19:46:00 +0300 (EEST) Subject: [keycloak-user] Realm resolution based on username (email address) Message-ID: <2053198511.654526.1526402760358.JavaMail.apache@nm83.abv.bg>

Hi. I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier.
Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address). How do I go about doing that? Best regards, Pedro. From andreas.taube at collect.ai Tue May 15 17:09:24 2018 From: andreas.taube at collect.ai (Andreas Taube) Date: Tue, 15 May 2018 23:09:24 +0200 Subject: [keycloak-user] Identity Provider / First Broker Login Flow Hooks Message-ID: Hey together, I would like to integrate with an external Identity Provider and I wonder about the best way to hook into this process? As soon as the external IP authorizes the user with a valid token I would like to do some internal setup calls and link metadata to the user (attributes) being created by Keycloak. I know it is possible to extend Keycloak with custom IdentityProviderMapper extensions but I would like to validate if they are also meant to execute async http requests? If not, are there any other options better suited for this use case? Thanks for any feedback Andreas From andreas.taube at collect.ai Tue May 15 17:12:07 2018 From: andreas.taube at collect.ai (Andreas Taube) Date: Tue, 15 May 2018 23:12:07 +0200 Subject: [keycloak-user] Identity Provider / First Broker Login Flow Hooks Message-ID: Hey together, I would like to integrate with an external Identity Provider and I wonder about the best way to hook into this process? As soon as the external IP authorizes the user with a valid token I would like to do some internal setup calls and link metadata to the user (attributes) being created by Keycloak. I know it is possible to extend Keycloak with custom IdentityProviderMapper extensions but I would like to validate if they are also meant to execute async http requests? If not, are there any other options better suited for this use case? 
Thanks for any feedback

From info at lynxlogic.com Tue May 15 21:06:07 2018 From: info at lynxlogic.com (Lynxlogic) Date: Tue, 15 May 2018 19:06:07 -0600 Subject: [keycloak-user] Unable to process SAML response from Azure AD Message-ID: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com>

I'm trying to set up SAML SSO between Azure AD and Keycloak. On the redirect back after auth, Keycloak is failing to process the response and generates an internal server error:

00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
 at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
 at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
 at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
 at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
 . . .
Caused by: java.lang.NullPointerException
 at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
 at java.util.regex.Matcher.reset(Matcher.java:309)
 at java.util.regex.Matcher.(Matcher.java:229)
 at java.util.regex.Pattern.matcher(Pattern.java:1093)
 at java.util.regex.Pattern.split(Pattern.java:1206)
 at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
 at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
 at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
 at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
 ... 63 more

I've posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf . The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode().
I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point me in the right direction to solve this? Thanks, David

From siddhartha.chakraborty at microfocus.com Wed May 16 04:58:52 2018 From: siddhartha.chakraborty at microfocus.com (CHAKRABORTY, SIDDHARTHA) Date: Wed, 16 May 2018 08:58:52 +0000 Subject: [keycloak-user] Keycloak mod_cluster : Standalone Cluster Mode Message-ID:

Hi Team, I have the below Query: I want to implement Keycloak in mod_cluster in Standalone Cluster Mode. We want to implement only the clustering functionality of mod_cluster without Load Balancer, as we already have an existing Load Balancer Setup. The below link does suggest the setup of mod_cluster in keycloak. https://www.keycloak.org/docs/latest/server_installation/index.html#_example-setup-with-mod-cluster But it introduces a Load Balancer Node, which we don't want for our case. We basically don't want to introduce an extra node for load balancing. Also we don't want to introduce Apache HTTPD. So, basically below is the implementation which we are looking for: Any help or Support in this regard will be really grateful. [image001.jpg: attachment scrubbed, see link below] Thanks, Siddhartha -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 9070 bytes Desc: image001.jpg Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180516/619b573d/attachment-0001.jpg

From pulkitsrivastavajd at gmail.com Wed May 16 05:04:57 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Wed, 16 May 2018 14:34:57 +0530 Subject: [keycloak-user] Keycloak + NoSQL Message-ID:

How can we integrate Keycloak with NoSQL db to store user credentials and user authentication details?
Thanks,
Pulkit

From siddharthachak at gmail.com Wed May 16 05:07:51 2018
From: siddharthachak at gmail.com (siddhartha chakraborty)
Date: Wed, 16 May 2018 14:37:51 +0530
Subject: [keycloak-user] Keycloak mod_cluster : Standalone Cluster Mode
Message-ID:

Hi Team,

I have the below query:

I want to implement Keycloak in mod_cluster in Standalone Cluster Mode. We want to implement only the clustering functionality of mod_cluster without Load Balancer, as we already have an existing Load Balancer Setup.

The below link does suggest the setup of mod_cluster in Keycloak:
https://www.keycloak.org/docs/latest/server_installation/index.html#_example-setup-with-mod-cluster

But it introduces a Load Balancer Node, which we don't want for our case. We basically don't want to introduce an extra node for load balancing. Also we don't want to introduce Apache HTTPD.

Any help or support in this regard will be really appreciated.

Thanks,
Siddhartha

From Dennis.Bayer.82+keycloak-user at gmail.com Wed May 16 05:09:31 2018
From: Dennis.Bayer.82+keycloak-user at gmail.com (Dennis Bayer)
Date: Wed, 16 May 2018 11:09:31 +0200
Subject: [keycloak-user] Securing an endpoint using Wildfly-Swarm, Keycloak and MP-JWT-Auth
In-Reply-To:
References:
Message-ID:

Hi there,

I did some debugging and might have found the issue. It seems that the keycloak logic has some issues with passing the roles (I added an update to the project readme located at https://github.com/DennisBayer/playground-mp-jwt-auth.git).

Any feedback is appreciated.

Best regards.

PS: The bug is filed under https://issues.jboss.org/browse/KEYCLOAK-7309

Dennis Bayer wrote on Fri., 27 Apr. 2018 at 15:02:

> Hi there,
>
> I hope this is the right place to raise my question. Currently I am having some problems to get my example working. The authentication works fine, but the authorization fails, because the roles are omitted during the request.
> Thus it's mostly easier to have a reproducible example than writing a wall of text, I created a project (https://github.com/DennisBayer/playground-mp-jwt-auth).
>
> I'd appreciate any hints pointing out what is going wrong.
>
> In addition I already raised this question in the mp-jwt-auth-project (https://github.com/eclipse/microprofile-jwt-auth/issues/89)/gitter room (https://gitter.im/eclipse/microprofile-bom#). At first glimpse, the usage of the mp-jwt-auth seems to be ok according to one of the microprofile members (he said he's not an expert on jwt) and he pointed me to the keycloak mailing list.
>
> Thanks in advance and best regards
>
> Dennis
>

From uo67113 at gmail.com Wed May 16 06:00:19 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 16 May 2018 12:00:19 +0200
Subject: [keycloak-user] Unable to process SAML response from Azure AD
In-Reply-To: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com>
References: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com>
Message-ID:

Hello David,

Me, in your I am missing a couple of attributes:

Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"

Probably "consent" one is not causing the issue, but "inresponseto" contains the id of the AuthRequest sent by keycloak, and maybe keycloak wants to verify it. My setup is keycloak SP and ADFS2 IdP (very similar to yours BTW). You can have a look here to one of the ADFS2 responses: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

2018-05-16 3:06 GMT+02:00 Lynxlogic :

> I'm trying to set up SAML SSO between Azure AD and Keycloak.
> On the redirect back after auth, Keycloak is failing to process the response and generates an internal server error:
>
> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>     .
>     .
>     .
> Caused by: java.lang.NullPointerException
>     at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>     at java.util.regex.Matcher.reset(Matcher.java:309)
>     at java.util.regex.Matcher.<init>(Matcher.java:229)
>     at java.util.regex.Pattern.matcher(Pattern.java:1093)
>     at java.util.regex.Pattern.split(Pattern.java:1206)
>     at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>     at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>     ... 63 more
>
> I've posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf .
>
> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode(). I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point me in the right direction to solve this?
>
> Thanks,
> David
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From info at lynxlogic.com Wed May 16 08:12:58 2018
From: info at lynxlogic.com (Lynxlogic)
Date: Wed, 16 May 2018 06:12:58 -0600
Subject: [keycloak-user] Unable to process SAML response from Azure AD
In-Reply-To:
References: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com>
Message-ID: <38D9B92F-2CEA-4A86-9374-0069BEF66943@lynxlogic.com>

Thanks for the info Luis. I was getting this error when using Azure's 'Test SAML Settings' tool. Apparently when testing that way the attributes you mentioned are omitted from the SAML response. If I follow a normal login flow it works.

However, I'm unable to get single sign out to work. If I turn on backchannel logout, then when I sign out from keycloak I'm not signed out from Azure. If I turn this off, keycloak sends a SAML request on logout, but Azure complains that it is invalid. Azure's documentation says that the sign out URL should be configured as 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If I hit this URL manually I do get signed out of Azure, but if I specify that URL as the 'Single Logout Service URL' in the identity provider setup, Keycloak seems to ignore it. The behavior is the same with or without that setting - Keycloak does not redirect to that URL.

David

> On May 16, 2018, at 04:00, Luis Rodríguez Fernández wrote:
>
> Hello David,
>
> Me, in your I am missing a couple of attributes:
>
> Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
>
> Probably "consent" one is not causing the issue, but "inresponseto" contains the id of the AuthRequest sent by keycloak, and maybe keycloak wants to verify it.
> My setup is keycloak SP and ADFS2 IdP (very similar to yours BTW). You can have a look here to one of the ADFS2 responses: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>
> Hope it helps,
>
> Luis
>
> 2018-05-16 3:06 GMT+02:00 Lynxlogic :
>
>> I'm trying to set up SAML SSO between Azure AD and Keycloak. On the redirect back after auth, Keycloak is failing to process the response and generates an internal server error:
>>
>> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
>>     .
>>     .
>>     .
>> Caused by: java.lang.NullPointerException
>>     at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
>>     at java.util.regex.Matcher.reset(Matcher.java:309)
>>     at java.util.regex.Matcher.<init>(Matcher.java:229)
>>     at java.util.regex.Pattern.matcher(Pattern.java:1093)
>>     at java.util.regex.Pattern.split(Pattern.java:1206)
>>     at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
>>     at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
>>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
>>     ... 63 more
>>
>> I've posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf .
>>
>> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode(). I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point me in the right direction to solve this?
>>
>> Thanks,
>> David
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett

From saloniudani.23 at gmail.com Wed May 16 08:52:00 2018
From: saloniudani.23 at gmail.com (saloni udani)
Date: Wed, 16 May 2018 18:22:00 +0530
Subject: [keycloak-user] Configuring 'LOGOUT' with keycloak-spring-security-adapter.
Message-ID:

Hi

I have a spring-boot 2 application which I am trying to secure with Keycloak. I have used 'keycloak-spring-security-adapter' and 'keycloak-spring-boot-2-starter' adapters.
Following is my security configuration
--------

import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@ConditionalOnProperty(value = "keycloak.enabled")
@Configuration
@EnableWebSecurity
public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    // Specifies the session authentication strategy
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
            .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
            .and()
            .authorizeRequests()
            .antMatchers("/**").hasRole("superuser")
            .anyRequest().permitAll();
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
            KeycloakAuthenticatedActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
            KeycloakSecurityContextRequestFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}

--------

Following are the keycloak properties from application.properties
--------

keycloak.enabled=true
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.realm=MyRealm
keycloak.resource=my-app
keycloak.public-client=true

keycloak.security-constraints[0].authRoles[0]=superuser
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*

--------

I am successfully able to login via Keycloak and serve my app. But I am stuck on logout. I believe that as we already use keycloak spring security adapter, any custom logout handler should not be required.

Here is an excerpt from a html page which handles logout
----------
----------

This does not work and on hitting 'Logout' button, it posts request to 'http://localhost:8080/logout' (my app runs on 8080) and returns 403.

Kindly guide me through the logout process.

Thanks
Saloni Udani

From getankur86 at gmail.com Wed May 16 09:26:50 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Wed, 16 May 2018 18:56:50 +0530
Subject: [keycloak-user] Keycloak - Multi/2FA Factor - OTP - QR Code - Custom Login Screen - Rest API
In-Reply-To:
References:
Message-ID:

Hi All,

I have *my own Login page where user enters username/password.* This username/password are used to login through Keycloak Rest API.

http://localhost:8080/auth/realms/Demo/protocol/openid-connect/token
input - {username,password,grant_type,client_secret,client_id}

And in response I get access token.

Now I wish to enable Authenticator (Google Authenticator). I have enabled it from backend. Now if user wishes to login through my application, my login page I need to get below details.

1.) Somehow I need to include QR Code that appears on keycloak login page post username/password validation to show on my login screen for the first time login once user enter username/password. So do we have any API which return Keycloak QR code image in response.

2.) Subsequent login I will have OTP field, so need a REST api to pass OTP along with username/password.

Please help with REST API if keycloak has any. Integrating through Javascript. Similar flow as described in use case 1 here

Just want to use keycloak as a database, doing all operation for me, input will be my screen. I do want redirection of URL's while login in and yet should be standalone deployed.
https://stackoverflow.com/questions/50319327/keycloak-multi-2fa-factor-otp-qr-code-custom-login-screen-rest-api

Thanks
Ankur

From valsarajpv at gmail.com Wed May 16 09:49:00 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Wed, 16 May 2018 19:19:00 +0530
Subject: [keycloak-user] Return user pass to client or processed user attribute to client
Message-ID:

Hi,

Is there any way to return user password while redirecting to client? I have a certificate as user attribute which is encrypted with password. I added mapping for user certificate attribute and retrieved on client application from IDToken. But password also required to use that. Otherwise is there any option to do the certificate decryption on keycloak side and return decrypted certificate to client?

Thanks!

From msakho at redhat.com Wed May 16 10:21:32 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 16 May 2018 16:21:32 +0200
Subject: [keycloak-user] Keycloak + NoSQL
In-Reply-To:
References:
Message-ID:

NoSQL is not supported out of the box. You'll have to implement a User Storage SPI if you want to use it.

Meissa

2018-05-16 11:04 GMT+02:00 Pulkit Srivastava :

> How can we integrate Keycloak with NoSQL db to store user credentials and user authentication details.
>
> Thanks,
> Pulkit
>

From roy.liu at indexexchange.com Wed May 16 11:15:04 2018
From: roy.liu at indexexchange.com (Roy Liu)
Date: Wed, 16 May 2018 15:15:04 +0000
Subject: [keycloak-user] Keycloak password storage normalization
Message-ID:

Does keycloak perform any unicode normalization on password strings before storing them in the database?

From sr.misc at gmail.com Wed May 16 11:32:47 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Wed, 16 May 2018 17:32:47 +0200
Subject: [keycloak-user] Configuring 'LOGOUT' with keycloak-spring-security-adapter.
In-Reply-To:
References:
Message-ID:

try the following in the Controller

import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/logout")
public String logout(HttpServletRequest request) throws Exception {
    // Servlet 3 logout: under Spring Security this invokes the configured logout
    // handlers (the Keycloak adapter registers its own), then redirect to the start page.
    request.logout();
    return "redirect:/";
}

On Wed, May 16, 2018 at 2:52 PM, saloni udani wrote:

> Hi
>
> I have a spring-boot 2 application which I am trying to secure with Keycloak. I have used 'keycloak-spring-security-adapter' and 'keycloak-spring-boot-2-starter' adapters.
>
> Following is my security configuration
> --------
>
> import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
> import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
> import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
> import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter;
> import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
> import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter;
> import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter;
> import org.springframework.beans.factory.annotation.Autowired;
> import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
> import org.springframework.boot.web.servlet.FilterRegistrationBean;
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
> import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
> import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
> import org.springframework.security.core.session.SessionRegistryImpl;
> import org.springframework.security.web.authentication.logout.LogoutFilter;
> import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
> import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
> import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
> import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
>
> @ConditionalOnProperty(value = "keycloak.enabled")
> @Configuration
> @EnableWebSecurity
> public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {
>
>     @Autowired
>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>         KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
>         keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
>         auth.authenticationProvider(keycloakAuthenticationProvider);
>     }
>
>     @Bean
>     public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
>         return new KeycloakSpringBootConfigResolver();
>     }
>
>     // Specifies the session authentication strategy
>     @Bean
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>     }
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         super.configure(http);
>         http
>             .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
>             .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
>             .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
>             .and()
>             .authorizeRequests()
>             .antMatchers("/**").hasRole("superuser")
>             .anyRequest().permitAll();
>     }
>
>     @Bean
>     public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
>             KeycloakAuthenticationProcessingFilter filter) {
>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>         registrationBean.setEnabled(false);
>         return registrationBean;
>     }
>
>     @Bean
>     public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
>             KeycloakPreAuthActionsFilter filter) {
>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>         registrationBean.setEnabled(false);
>         return registrationBean;
>     }
>
>     @Bean
>     public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
>             KeycloakAuthenticatedActionsFilter filter) {
>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>         registrationBean.setEnabled(false);
>         return registrationBean;
>     }
>
>     @Bean
>     public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
>             KeycloakSecurityContextRequestFilter filter) {
>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>         registrationBean.setEnabled(false);
>         return registrationBean;
>     }
> }
>
> --------
>
> Following are the keycloak properties from application.properties
> --------
>
> keycloak.enabled=true
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.realm=MyRealm
> keycloak.resource=my-app
> keycloak.public-client=true
>
> keycloak.security-constraints[0].authRoles[0]=superuser
> keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
>
> --------
>
> I am successfully able to login via Keycloak and serve my app. But I am stuck on logout. I believe that as we already use keycloak spring security adapter, any custom logout handler should not be required.
>
> Here is an excerpt from a html page which handles logout
> ----------
>
> name="${_csrf.parameterName}" value="${_csrf.token}"/>
>
>
> ----------
>
> This does not work and on hitting 'Logout' button, it posts request to 'http://localhost:8080/logout' (my app runs on 8080) and returns 403.
>
> Kindly guide me through the logout process.
>
> Thanks
> Saloni Udani
>

From jsimon at cardconnect.com Wed May 16 16:51:30 2018
From: jsimon at cardconnect.com (Jeremy Simon)
Date: Wed, 16 May 2018 20:51:30 +0000
Subject: [keycloak-user] Spring Context in custom user storage module
Message-ID:

Hi,

I've been trying to stand up a Spring context in my user storage factory but I ran into some classloader issue(s) I cannot get past. I created a separate Spring module which seems to resolve all the Spring dependencies I needed, but upon start up of the server, the configuration class I have referenced in my user storage module cannot be seen.

Snippet of standing up Spring Context in my user storage module:

ApplicationContext springContext = new AnnotationConfigApplicationContext(SomeConfig.class);

SomeConfig.class is the same package as the factory class.

On startup there's a stack trace that the bottom cause is as follows:

Caused by: java.lang.ClassNotFoundException: com.mycompany.keycloak.storage.user.SomeConfig from [Module "deployment.keycloak-server.war" from Service Module Loader]

Any thoughts? I started going down the trail of putting all my dependencies into this module, but it's becoming a rabbit trail as well.

jeremy

From neil.chapman at scm.ca Wed May 16 17:19:53 2018
From: neil.chapman at scm.ca (Neil Chapman)
Date: Wed, 16 May 2018 21:19:53 +0000
Subject: [keycloak-user] New mappers not reflected when using original refresh token
Message-ID:

Hello

We are using Keycloak to store users, roles, and we have various role name mappers to transform the roles into a custom format within the access token. Once a user had been set up, we issue them a refresh token and they are able to create access tokens from the refresh token and all is good.

The issue we are having is that if we then create a new role and new role name mapper to map this new role into the access token, the new mapper functionality is not reflected in the original refresh token we issued to the client. Whether we use the access token or new refresh token that is based on the initial refresh token we never see the new mapper functionality reflected in the access token. We see the new role in the default position in the access token, but it's not mapped to the right place based on our mapper.
We find ourselves having to create a brand new refresh token by running the following cURL command internally and then instructing the client to use the new refresh token:

curl --data "grant_type=password&client_secret=xxxxxxxxxxx&client_id=xxxx&username=xxx@xxx.com&password=xxxx&scope=offline_access" https://auth.xxxxxxxx.com/auth/realms/opta/protocol/openid-connect/token

After we do this and give the user the new refresh token the new mapper functionality is present in all future access tokens.

Is there a way for our users to continue to use the original refresh token and have new role mappers be reflected in the user's access tokens? Our goal and understanding was that there is a way to issue a client a refresh token once and all changes to that user's profile (roles, attributes, mappers) would be reflected by using the original refresh token to create access tokens. We'd like to issue a single refresh token to a user and then make changes to the users roles, mappers, etc. and not have the user adopt a new refresh token each time.

We are using version 3.2.1-final.

Thank you

From pieter.dekinder at bricsys.com Thu May 17 04:31:50 2018
From: pieter.dekinder at bricsys.com (pieter.dekinder at bricsys.com)
Date: Thu, 17 May 2018 10:31:50 +0200
Subject: [keycloak-user] Wrong event after email verify started by REST (send-verify-email)
Message-ID: <005c01d3edb9$81a2a910$84e7fb30$@bricsys.com>

Hi all,

We are using the REST API Keycloak to trigger an email verification email (.../send-verify-email). When the verification process is done, the EVENT logged is a CUSTOM_REQUIRED_ACTION event. Email verification is not a customization, so it should probably be logged as VERIFY_EMAIL.

Is this expected behaviour? Or can this be considered a bug?
Kind regards,
Pieter

From omri.tavor at forcepoint.com Thu May 17 04:39:56 2018
From: omri.tavor at forcepoint.com (Omri Tavor)
Date: Thu, 17 May 2018 08:39:56 +0000
Subject: [keycloak-user] Getting user information for a service behind a reverse proxy running keycloak
Message-ID:

Hi,

Quick question. I have an Apache httpd server running the OIDC httpd adapter. This httpd server acts as a reverse proxy to another Tomcat server running legacy JSF code (httpServletRequest). What would be the correct (and simplest) way of getting the user information from within that tomcat scope? (I've tried request.getUserPrincipal() but got a null value).

I would appreciate any help!

Omri.

From sr.misc at gmail.com Thu May 17 05:22:33 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Thu, 17 May 2018 11:22:33 +0200
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x
Message-ID:

Hi all,

We are using Keycloak 3.4.3.

Is magic link or one-time access to the application without login screen possible?

I notice that magic link was available in previous KC 1x or 2.x versions.

Please advise.

Regards,
SR

From subodhcjoshi82 at gmail.com Thu May 17 05:29:59 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 17 May 2018 14:59:59 +0530
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x
In-Reply-To:
References:
Message-ID:

Hope this video link will work for you https://www.youtube.com/watch?v=oyUsI3QgEq8

On Thu, May 17, 2018 at 2:53 PM Sachin Rastogi wrote:

> Hi all,
>
> We are using Keycloak 3.4.3.
>
> Is magic link or one-time access to the application without login screen possible?
>
> I notice that magic link was available in previous KC 1x or 2.x versions.
>
> Please advise.
>
> Regards,
> SR
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From uo67113 at gmail.com Thu May 17 05:49:11 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 17 May 2018 11:49:11 +0200
Subject: [keycloak-user] Unable to process SAML response from Azure AD
In-Reply-To: <38D9B92F-2CEA-4A86-9374-0069BEF66943@lynxlogic.com>
References: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com> <38D9B92F-2CEA-4A86-9374-0069BEF66943@lynxlogic.com>
Message-ID:

Hello David,

May I ask you to share your logout request, please?

Me I am using https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2 and Microsoft ADFS2 does not complain about the request. You can have a look at the SAMLRequest param here [1]. The full request looks like this:

GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
Host: login.cern.ch
User-Agent: ...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: MSISAuth=...
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Hope it helps,

Luis

ps: thank you sooooo much because your post helped me a lot! I thought that for being able to use [1] I needed to have keycloak server, register the SP, etc... But it turns out that Keycloak SAML Client Adapter Core makes all the magic, thanks Keycloak team!

pps: for weblogic I needed to implement myself the SLO [2] :(

[1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
[2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/

2018-05-16 14:12 GMT+02:00 Lynxlogic :

> Thanks for the info Luis.
> I was getting this error when using Azure's "Test SAML Settings" tool. Apparently when testing that way the attributes you mentioned are omitted from the SAML response. If I follow a normal login flow it works.
>
> However, I'm unable to get single sign out to work. If I turn on backchannel logout, then when I sign out from Keycloak I'm not signed out from Azure. If I turn this off, Keycloak sends a SAML request on logout, but Azure complains that it is invalid. Azure's documentation says that the sign out URL should be configured as 'https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'. If I hit this URL manually I do get signed out of Azure, but if I specify that URL as the "Single Logout Service URL" in the identity provider setup, Keycloak seems to ignore it. The behavior is the same with or without that setting - Keycloak does not redirect to that URL.
>
> David
>
> > On May 16, 2018, at 04:00, Luis Rodríguez Fernández wrote:
> >
> > Hello David,
> >
> > In yours I am missing a couple of attributes:
> >
> > Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
> > InResponseTo="ID_99d1aa37-7ed7-4565-90b4-19ed50d38489"
> >
> > Probably the "Consent" one is not causing the issue, but "InResponseTo" contains the id of the AuthnRequest sent by Keycloak, and maybe Keycloak wants to verify it. My setup is Keycloak SP and ADFS2 IdP (very similar to yours BTW). You can have a look here at one of the ADFS2 responses: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
> >
> > Hope it helps,
> >
> > Luis
> >
> > 2018-05-16 3:06 GMT+02:00 Lynxlogic <info at lynxlogic.com>:
> >
> >> I'm trying to set up SAML SSO between Azure AD and Keycloak.
> >> On the redirect back after auth, Keycloak is failing to process the response and generates an internal server error:
> >>
> >> 00:27:04,170 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
> >>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:444)
> >>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:479)
> >>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:237)
> >>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:157)
> >>     ...
> >> Caused by: java.lang.NullPointerException
> >>     at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
> >>     at java.util.regex.Matcher.reset(Matcher.java:309)
> >>     at java.util.regex.Matcher.<init>(Matcher.java:229)
> >>     at java.util.regex.Pattern.matcher(Pattern.java:1093)
> >>     at java.util.regex.Pattern.split(Pattern.java:1206)
> >>     at org.keycloak.broker.provider.util.IdentityBrokerState.encoded(IdentityBrokerState.java:41)
> >>     at org.keycloak.services.resources.IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java:980)
> >>     at org.keycloak.services.resources.IdentityBrokerService.authenticated(IdentityBrokerService.java:490)
> >>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440)
> >>     ... 63 more
> >>
> >> I've posted the SAML response at https://gist.github.com/dieseldjango/72057b7df68dbe3dc289ec8e3f5826bf
> >>
> >> The stack trace indicates it's failing at IdentityBrokerService.parseEncodedSessionCode(). I've tried this with Keycloak 3.2.1 and with 4.0 Beta 2. Can someone point me in the right direction to solve this?
> >>
> >> Thanks,
> >> David

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From subodhcjoshi82 at gmail.com Thu May 17 05:51:22 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 17 May 2018 15:21:22 +0530
Subject: [keycloak-user] Getting user information for a service behind a reverse proxy running keycloak
In-Reply-To:
References:
Message-ID:

We achieve it like this:

    import java.net.URLEncoder;
    import java.util.Enumeration;
    import java.util.HashMap;
    import java.util.Locale;
    import java.util.Map;
    import org.keycloak.KeycloakSecurityContext;
    // CAS token type; assumed here to be Spring Security's CAS integration
    import org.springframework.security.cas.authentication.CasAuthenticationToken;

    // httpRequest is the HttpServletRequest; userId, password, tgtToken and log are
    // fields of the enclosing class, and getToken(userId, castgtToken) is our own helper.

    // Identity established by the CAS filter that sits in front of the application
    userId = httpRequest.getRemoteUser();
    CasAuthenticationToken castoken = (CasAuthenticationToken) httpRequest.getUserPrincipal();
    Map<String, Object> casAttributes = castoken.getAssertion().getPrincipal().getAttributes();
    String castgtToken = casAttributes.get("tgtToken").toString();
    log.info("CAS Logged in User " + userId);
    log.info("CAS Token Attribute--> " + casAttributes);
    password = casAttributes.get("password").toString();
    tgtToken = getToken(userId, castgtToken);
    String urlEncodeToken = URLEncoder.encode(tgtToken, "UTF-8");

    // Keycloak adapter context; null when the Keycloak adapter did not secure this request
    KeycloakSecurityContext securityContext =
            (KeycloakSecurityContext) httpRequest.getAttribute(KeycloakSecurityContext.class.getName());

    // Copy the request headers into a map. Header names are lower-cased because the
    // servlet API looks them up case-insensitively but a HashMap key is exact.
    Map<String, String> map = new HashMap<>();
    Enumeration<String> headerNames = httpRequest.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String key = headerNames.nextElement();
        map.put(key.toLowerCase(Locale.ROOT), httpRequest.getHeader(key));
    }
    // Debug only: this dumps every header, including the bearer token in Authorization, to stdout
    System.out.println(map);
    if (map.containsKey("authorization")) {
        tgtToken = map.get("authorization");
    }

You can separate out the code, I simply copy-pasted the code. Our JSF application is behind Kong/Nginx.

Thanks & regards

On Thu, May 17, 2018 at 2:10 PM Omri Tavor wrote:

> Hi,
> Quick question. I have an Apache httpd server running the OIDC httpd adapter. This httpd server acts as a reverse proxy to another Tomcat server running legacy JSF code (httpServletRequest).
> What would be the correct (and simplest) way of getting the user information from within that Tomcat scope? (I've tried request.getUserPrincipal() but got a null value.)
> I would appreciate any help!
> Omri.

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From sr.misc at gmail.com Thu May 17 07:10:45 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Thu, 17 May 2018 13:10:45 +0200
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x
In-Reply-To:
References:
Message-ID:

Hi Subodh,

Thanks for your reply. I have seen this video before and tried the same on Keycloak 3.4.3. But it doesn't have the magic link option.

I am also curious whether I can construct the magic link via APIs, valid for only a single use without authentication.

Please see the attached screenshot from Keycloak 3.4.3.
Regards,
SR

On Thu, May 17, 2018 at 11:29 AM, Subodh Joshi wrote:

> Hope this video link will work for you
>
> https://www.youtube.com/watch?v=oyUsI3QgEq8
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2018-05-17 13_05_35-Keycloak Admin Console.png
Type: image/png
Size: 33107 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180517/4c365638/attachment-0001.png

From subodhcjoshi82 at gmail.com Thu May 17 08:05:28 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 17 May 2018 17:35:28 +0530
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x
In-Reply-To:
References:
Message-ID:

After trying things here and there I am also not able to find the magic link option in 3.2.1 and 3.3.1. Maybe they removed that option, but there is no update about when it was removed or whether they moved this option somewhere else. But I found these experimental extensions. See if this will help you.

https://github.com/stianst/keycloak-experimental

On Thu, May 17, 2018 at 4:40 PM Sachin Rastogi wrote:

> Hi Subodh,
>
> Thanks for your reply. I have seen this video before and tried the same on Keycloak 3.4.3. But it doesn't have the magic link option.
>
> I am also curious whether I can construct the magic link via APIs, valid for only a single use without authentication.
>
> Please see the attached screenshot from Keycloak 3.4.3.
>
> Regards,
> SR

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From subodhcjoshi82 at gmail.com Thu May 17 08:10:11 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 17 May 2018 17:40:11 +0530
Subject: [keycloak-user] How to get user details
In-Reply-To:
References:
Message-ID:

You did not mention which technology you are using, JS or Java. I assumed it is Java; you can check the sample code below.

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.AccessToken;

    // The Keycloak adapter stores the security context as a request attribute on every
    // request it has authenticated. It is null when the adapter did not secure this
    // request, so check it before dereferencing.
    KeycloakSecurityContext securityContext =
            (KeycloakSecurityContext) httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
    if (securityContext != null) {
        AccessToken accessToken = securityContext.getToken();
        if (accessToken != null) {
            userId = accessToken.getPreferredUsername();
        }
    }

On Tue, May 15, 2018 at 2:26 PM valsaraj pv wrote:

> Hi,
>
> User redirected to Keycloak & after successful login user redirected back to application. Now there is no user information stored on application side. Earlier it was in LDAP & we fetched user details from LDAP. Now how to get user details in Keycloak based login scenario?
> Please share if any useful links.
>
> Thanks,
> Valsaraj Viswanathan

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From valsarajpv at gmail.com Thu May 17 08:30:42 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 17 May 2018 18:00:42 +0530
Subject: [keycloak-user] How to get user details
In-Reply-To:
References:
Message-ID:

Hi Subodh,

I am able to fetch these details. My current issue is: the Java EE application (deployed to WildFly) stores sensitive data like access keys, etc. for different users in LDAP. In order to decrypt this data it needs a master password associated with the current user. The password entered when the user logs in to the application is used for this. Now I'm considering the possibility of using Keycloak to secure this application. But it looks like there's no way to obtain the password of a currently logged-in user with Keycloak (as it operates with tokens)? Asking the user to enter the password again in the application is not an option.

Is there any way to get the password back in the Java application (not recommended), or to process decryption of user keys on Keycloak & return them to the client Java application using the password that the user entered? Currently I am getting the encrypted user keys from KC using user attribute mapping, but I am unable to use them without decryption using the password. So if that can be done along with login in Keycloak, the problem will be solved. Please suggest if you have an idea about customizing for this.

Thanks!

On Thu, May 17, 2018 at 5:40 PM, Subodh Joshi wrote:

> You did not mention which technology you are using, JS or Java. I assumed it is Java; you can check the sample code below.
--
Life is like this: "Just when we get all the answers of life.... God changes the question paper...."
Valsaraj Viswanathan

From subodhcjoshi82 at gmail.com Thu May 17 08:55:42 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 17 May 2018 18:25:42 +0530
Subject: [keycloak-user] How to get user details
In-Reply-To:
References:
Message-ID:

Isn't it true that you are making things more complicated? If you have successfully logged in, why is the user password required again? The same user session should enable access to the contents of the project. Getting the password and then again passing it to authenticate: no one will recommend this, and doing this is also not feasible.

Rather than that, you can use

    tgtToken = securityContext.getTokenString();

i.e. some token to access the contents.
The same way we are achieving things in our production server: we have 2 web applications, one in JSF, another in React, deployed on different virtual machines, and our own REST API deployed on another machine, even a different JBoss instance, but all share the same Keycloak. So if we are doing any REST call we will pass the *TGTTOKEN*, which will be verified by the REST API through Keycloak. There are too many other things involved, but this is the basic concept.

From valsarajpv at gmail.com Thu May 17 09:20:14 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 17 May 2018 18:50:14 +0530
Subject: [keycloak-user] How to get user details
In-Reply-To:
References:
Message-ID:

Passing the password is *not* recommended. What about the other option?

In my use case I need the user password to decrypt keys (either on KC or in the Java app). Keys are available in Keycloak through LDAP federation. So can we customize & return decrypted keys from Keycloak in the IDToken? I have reached up to returning encrypted keys as a user attribute, which Keycloak supports out of the box. In addition to this, I need a decryption of keys using the password entered by the user & then return in the token (a little bit of custom code required). I am looking how to customize for this.

You can see a similar scenario here as well: https://stackoverflow.com/questions/36512154/keycloak-how-to-get-current-user-password-or-store-encrypted-data

On Thu, May 17, 2018 at 6:25 PM, Subodh Joshi wrote:

> Isn't it true that you are making things more complicated? If you have successfully logged in, why is the user password required again? The same user session should enable access to the contents of the project. Getting the password and then again passing it to authenticate: no one will recommend this, and doing this is also not feasible.
>
> Rather than that, you can use
>
>     tgtToken = securityContext.getTokenString();
>
> Some token to access the contents.
> The same way we are achieving things in our production server: we have 2 web applications, one in JSF, another in React, deployed on different virtual machines, and our own REST API deployed on another machine, even a different JBoss instance, but all share the same Keycloak. So if we are doing any REST call we will pass the *TGTTOKEN*, which will be verified by the REST API through Keycloak. There are too many other things involved, but this is the basic concept.

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper...."
Valsaraj Viswanathan

From ryan.king at yagi.space Thu May 17 10:09:17 2018
From: ryan.king at yagi.space (Ryan King)
Date: Thu, 17 May 2018 23:09:17 +0900
Subject: [keycloak-user] Keycloak LDAP federation (FreeIPA) and expired passwords
Message-ID:

Hello,

We're trying to use Keycloak as the main portal for users (to access services + manage their accounts), but I've been struggling to come up with the best solution for handling expired passwords (for federated users - FreeIPA LDAP). We are using Keycloak (3.4.3).

As far as I am aware, expired passwords are currently only handled correctly with Active Directory (using the msad-user-account-control mapper). It looks like someone was interested in implementing this for other LDAP providers, but didn't: https://issues.jboss.org/browse/KEYCLOAK-4052

I've also tried configuring Keycloak to use Kerberos password authentication (LDAP + Kerberos integration), but that still didn't seem to detect the expired password (even though from a console, kinit prompts the user to change their password).

So, currently I have put in a workaround by:

1. Under the realm Authentication - Required Actions - set "Update Password" to default (so "new" users, i.e. those who are given a temp password, are prompted to set a new password... Keycloak has been given access to set non-expired passwords on our FreeIPA servers)
2.
Set a password policy on the realm - 90 days expiry (matches that of the FreeIPA password policy).

Some issues with this are: if the user sets their password via FreeIPA directly (kpasswd, ldap, etc.), then Keycloak won't know about the new expiry; hence the user may have to set their password again on Keycloak sooner than they would expect.

So, my questions are:

1. Is there a better way to handle this? We'd just like to avoid sending our users around to different places (i.e. to the FreeIPA UI) to work around an expired password, & we'd like to make sure it's clear _when_ their password has expired... to the best of our ability.

2. I'm also not 100% certain if this Keycloak password policy is actually implemented on federated LDAP users? Does anyone know? I came across a few issues that discussed implementing it, but so far haven't come up with anything conclusive (I'm setting the password expiry to 1 day now to test it out). I checked a dump of the database, and could not see anything that looked like a timestamp or anything (to indicate a 90 day expiry) for a user who just changed their password in Keycloak... so, I'm not sure how that's tracked? (If I could find it in the DB, I was thinking of another dirty hack to sync the password expiry from FreeIPA -> Keycloak via a hook if someone does update their account in FreeIPA.)

Thanks,
Ryan

From mbelivea at redhat.com Thu May 17 11:47:18 2018
From: mbelivea at redhat.com (Matthew Beliveau)
Date: Thu, 17 May 2018 11:47:18 -0400 (EDT)
Subject: [keycloak-user] Adding another User Federation
In-Reply-To: <903984633.22916179.1526571931667.JavaMail.zimbra@redhat.com>
Message-ID: <1576076774.22917258.1526572038358.JavaMail.zimbra@redhat.com>

Hello,

I am currently working on another federation that allows me to read and write to FreeIPA. Right now I am trying to get used to the Keycloak development code/build. I have cloned LDAP's code and changed the ID to "foobar" and it compiles just fine.
I've added a foobar module in the federation pom.xml. However, when I start the testsuite server, I do not see my extra provider there. I was wondering where else in the code I would have to add my extra provider for it to show up on the testsuite.

Any help would be gratefully appreciated,

Matthew Beliveau

From info at lynxlogic.com Thu May 17 12:00:42 2018
From: info at lynxlogic.com (Lynxlogic)
Date: Thu, 17 May 2018 10:00:42 -0600
Subject: [keycloak-user] Unable to process SAML response from Azure AD
In-Reply-To:
References: <16BFD481-866E-41AE-AAB1-7529A82FD64F@lynxlogic.com> <38D9B92F-2CEA-4A86-9374-0069BEF66943@lynxlogic.com>
Message-ID: <2DEDF143-ABDA-42D1-87CB-E85EA058E5EC@lynxlogic.com>

Unfortunately, after upgrading to the latest Keycloak I can't seem to get it to send the logout request at all. I turned off backchannel logout, but there is no redirect to the AD logout.

> On May 17, 2018, at 03:49, Luis Rodríguez Fernández wrote:
>
> Hello David,
>
> May I ask you to share your logout request, please?
>
> I am using https://www.keycloak.org/docs/latest/securing_apps/index.html#logout-2 and Microsoft ADFS2 does not complain about the request. You can have a look at the SAMLRequest param here [1].
>
> The full request looks like this:
>
> GET https://login.cern.ch/adfs/ls/?SAMLRequest=...&RelayState=logout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=... HTTP/1.1
> Host: login.cern.ch
> User-Agent: ...
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Cookie: MSISAuth=...
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
>
> Hope it helps,
>
> Luis
>
> ps: thank you sooooo much because your post helped me a lot! I thought that for being able to use [1] I needed to have a Keycloak server, register the SP, etc...
> But it turns out that the Keycloak SAML Client Adapter Core makes all the magic, thanks Keycloak team!
>
> pps: for WebLogic I needed to implement the SLO myself [2] :(
>
> [1] https://gist.github.com/lurodrig/a4aeba70d89dd123ce1d6f49cd45fc0f
> [2] https://github.com/cerndb/wls-cern-sso/tree/master/saml2slo/
From valsarajpv at gmail.com Thu May 17 13:12:17 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 17 May 2018 22:42:17 +0530
Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB
Message-ID:

Hi,

Here is the scenario:
The Java web application client registers users to the local LDAP/DB and sets roles. These users are periodically synced to Keycloak. Roles are also synced once, as they are not changed very often.
So when a user is registered in the local LDAP via the application, they are also reflected in Keycloak, but they can't access the web application after login via Keycloak. The new users can access it only after setting client roles manually.

What is the best option to automate this? Is there any API to set client roles? If available, we can't write code to set the role in the registration method since the users will be synced to Keycloak only on the next sync. Then the option is a delayed call which first ensures that the user reached the Keycloak DB and then sets the role.

Please share your thoughts!

Thanks!

From lrozenblyum at gmail.com Thu May 17 16:05:54 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Thu, 17 May 2018 23:05:54 +0300
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
Message-ID:

Hello everybody.

I'm trying to set up Tomcat <-> Keycloak SAML integration. I've got stuck with the infinite redirect issue: after successful authentication I'm returned back to the Tomcat web app (to its protected resource) and then redirected back to Keycloak with the message YOU ARE ALREADY LOGGED IN.

Keycloak 3.4.3
Tomcat 8

The problem is practically the same as described here: https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login

The problem is reproduced when I try to load http://localhost:8080/lr/protected (the web application is attached).

Thanks for every advice!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lr.7z
Type: application/octet-stream
Size: 2122 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180517/96495e02/attachment.obj

From forsudden at gmail.com Thu May 17 16:44:38 2018
From: forsudden at gmail.com (For Ever)
Date: Thu, 17 May 2018 16:44:38 -0400
Subject: [keycloak-user] S3_ping authentication problem
Message-ID:

Hello Everyone:

I'm trying to set up clustering with S3_ping.
I'm getting the below error message when starting up Keycloak in standalone clustered mode.

NOTE: I did a test as the user on my Linux node using awscli. The username on the Linux box is the same as the IAM user in AWS. I gave list, read and write permission (policy) to the user in IAM.

20:37:04,480 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "jgroups"), ("channel" => "ee") ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.jgroups.channel.ee" => "java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by somebody else or the authentication failed
    Caused by: java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by somebody else or the authentication failed"}}

### standalone-ha.xml snippet:
blahblah
blahblah
s3-ping-somebucket

From byarger at redhat.com Thu May 17 19:18:29 2018
From: byarger at redhat.com (Brent Yarger)
Date: Thu, 17 May 2018 16:18:29 -0700
Subject: [keycloak-user] Comma separated attribute value to roles
Message-ID:

Hello,

I am using Keycloak (Red Hat SSO 7.2) as an identity broker for a SAML v2.0 identity provider. The SAML XML that I get back has an attribute named "groups" with a value of a comma-separated list of user roles.

Example: Admin,User,Auditor,Manager

Is it possible to map the "groups" attribute to all of the roles in the list? In the above example, the user would then have four roles assigned -- Admin, User, Auditor, and Manager.
Thanks, Brent From subodhcjoshi82 at gmail.com Thu May 17 21:46:49 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 18 May 2018 07:16:49 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: Message-ID: I think admin-cli will help you regarding this but issue is documetation is not that good. On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: > Hi, > > Here is the scenario: > Java web application client registers users to local LDAP/DB and sets > roles. > These users are periodically synced to Keycloak. Roles are also synced once > as it not changed more often. > So when a user registered in local LDAP via application, they are also > reflected in Keycloak but they can't access web application after login via > Keycloak. > The new users can access only after setting client roles manually. > What is the best option to automate this. Is there is any API to set client > roles? > If available, we can't write code to set role in registration method since > the users will be synced to Keycloak only on next sync. Then option is a > delayed call which first ensures that the user reached Keycloak DB and then > set role. > Please share your thoughts! > > Thanks! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From subodhcjoshi82 at gmail.com Thu May 17 21:50:56 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 18 May 2018 07:20:56 +0530 Subject: [keycloak-user] How to get user details In-Reply-To: References: Message-ID: Again your issue is you need password I think it's not possible to get password . You have to change the logic in your application so those file you want to access should be available by accesstoken. On Thu, 17 May 2018, 18:50 valsaraj pv, wrote: > Passing password is *not *recommended. What about other option? 
> In my use case I need user password to decrypt keys (either do it on KC or > in Java app). Keys are available in Keycloak through LDAP federation. > So can we customize & return decrypted keys from Keyclock in IDToken? > I have reached upto returning encrypted keys as user attribute which > Keyclock supports out of the box. > In addition to this, I need a decryption of keys using the password > entered by user & then return in token (a little bit custom code required). > I am looking how to customize for this. > > You can see similar scenario here as well: > https://stackoverflow.com/questions/36512154/keycloak-how-to-get-current-user-password-or-store-encrypted-data > . > > > On Thu, May 17, 2018 at 6:25 PM, Subodh Joshi > wrote: > >> Is this not true you are making things more complicated if your >> successfully login,why again user password required ? Same user session >> should enable >> access the contents of the project.Getting password and then again >> passing it to authenticate no one will recommend you and doing this also >> not feasible. >> Rather than you can use >> >>> tgtToken = securityContext.getTokenString(); >>> >> >> Some token to access the contents . Same way we are achieving things in >> our production server >> We have 2 web application one in JSF another in React and deployed in >> different virtual machine and our own REST API deployed into another >> machine even >> different Jboss instance But all share same keycloak .So if we are doing >> any rest call we will pass *TGTTOKEN *which will be verify by rest-api >> through keycloak. >> There are too many other things evolved but this is basic concept. >> > > > > -- > Life is like this: "Just when we get all the answers of life.... God > changes the question paper.... 
> > Valsaraj Viswanathan > From valsarajpv at gmail.com Thu May 17 23:19:22 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 18 May 2018 08:49:22 +0530 Subject: [keycloak-user] How to get user details In-Reply-To: References: Message-ID: Is there a way to process user attribute before returning to client from Keycloak side? On Fri 18 May, 2018, 7:21 AM Subodh Joshi, wrote: > Again your issue is you need password I think it's not possible to get > password . You have to change the logic in your application so those file > you want to access should be available by accesstoken. > > On Thu, 17 May 2018, 18:50 valsaraj pv, wrote: > >> Passing password is *not *recommended. What about other option? >> In my use case I need user password to decrypt keys (either do it on KC >> or in Java app). Keys are available in Keycloak through LDAP federation. >> So can we customize & return decrypted keys from Keyclock in IDToken? >> I have reached upto returning encrypted keys as user attribute which >> Keyclock supports out of the box. >> In addition to this, I need a decryption of keys using the password >> entered by user & then return in token (a little bit custom code required). >> I am looking how to customize for this. >> >> You can see similar scenario here as well: >> https://stackoverflow.com/questions/36512154/keycloak-how-to-get-current-user-password-or-store-encrypted-data >> . >> >> >> On Thu, May 17, 2018 at 6:25 PM, Subodh Joshi >> wrote: >> >>> Is this not true you are making things more complicated if your >>> successfully login,why again user password required ? Same user session >>> should enable >>> access the contents of the project.Getting password and then again >>> passing it to authenticate no one will recommend you and doing this also >>> not feasible. >>> Rather than you can use >>> >>>> tgtToken = securityContext.getTokenString(); >>>> >>> >>> Some token to access the contents . 
Same way we are achieving things in >>> our production server >>> We have 2 web application one in JSF another in React and deployed in >>> different virtual machine and our own REST API deployed into another >>> machine even >>> different Jboss instance But all share same keycloak .So if we are doing >>> any rest call we will pass *TGTTOKEN *which will be verify by rest-api >>> through keycloak. >>> There are too many other things evolved but this is basic concept. >>> >> >> >> >> -- >> Life is like this: "Just when we get all the answers of life.... God >> changes the question paper.... >> >> Valsaraj Viswanathan >> > From valsarajpv at gmail.com Thu May 17 23:20:21 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 18 May 2018 08:50:21 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: Message-ID: Do you have any links that will be helpful? On Fri 18 May, 2018, 7:17 AM Subodh Joshi, wrote: > I think admin-cli will help you regarding this but issue is documetation > is not that good. > > On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: > >> Hi, >> >> Here is the scenario: >> Java web application client registers users to local LDAP/DB and sets >> roles. >> These users are periodically synced to Keycloak. Roles are also synced >> once >> as it not changed more often. >> So when a user registered in local LDAP via application, they are also >> reflected in Keycloak but they can't access web application after login >> via >> Keycloak. >> The new users can access only after setting client roles manually. >> What is the best option to automate this. Is there is any API to set >> client >> roles? >> If available, we can't write code to set role in registration method since >> the users will be synced to Keycloak only on next sync. Then option is a >> delayed call which first ensures that the user reached Keycloak DB and >> then >> set role. >> Please share your thoughts! 
>> >> Thanks! >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From pulkitsrivastavajd at gmail.com Fri May 18 00:54:48 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Fri, 18 May 2018 10:24:48 +0530 Subject: [keycloak-user] Fwd: Keycloak + NoSQL In-Reply-To: References: Message-ID: Thanks or the reply. One more question. Can we integrate Keycloak with Amazon Dynamo DB using User Storage SPI. Thanks, Pulkit On Wed, May 16, 2018 at 7:51 PM, Meissa M'baye Sakho wrote: > NoSQL is not supported out of the box. > You'll have to implement a User Storage SPI if you want to use it. > > Meissa > > 2018-05-16 11:04 GMT+02:00 Pulkit Srivastava >: > >> How can we integrate Keycloak with NoSQL db to store user credentials and >> user authentication details. >> >> Thanks, >> Pulkit >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From pulkitsrivastavajd at gmail.com Fri May 18 01:03:05 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Fri, 18 May 2018 10:33:05 +0530 Subject: [keycloak-user] Keycloak UI customization Message-ID: Can we customize keycloak's UI to completely replace with custom UI. Thanks, Pulkit From subodhcjoshi82 at gmail.com Fri May 18 01:09:36 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 18 May 2018 10:39:36 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: Message-ID: You have to write script to run admin-cli commands https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html On Fri, May 18, 2018 at 8:50 AM valsaraj pv wrote: > Do you have any links that will be helpful? 
> > On Fri 18 May, 2018, 7:17 AM Subodh Joshi, > wrote: > >> I think admin-cli will help you regarding this but issue is documetation >> is not that good. >> >> On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: >> >>> Hi, >>> >>> Here is the scenario: >>> Java web application client registers users to local LDAP/DB and sets >>> roles. >>> These users are periodically synced to Keycloak. Roles are also synced >>> once >>> as it not changed more often. >>> So when a user registered in local LDAP via application, they are also >>> reflected in Keycloak but they can't access web application after login >>> via >>> Keycloak. >>> The new users can access only after setting client roles manually. >>> What is the best option to automate this. Is there is any API to set >>> client >>> roles? >>> If available, we can't write code to set role in registration method >>> since >>> the users will be synced to Keycloak only on next sync. Then option is a >>> delayed call which first ensures that the user reached Keycloak DB and >>> then >>> set role. >>> Please share your thoughts! >>> >>> Thanks! >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From hartror at gmail.com Fri May 18 02:21:58 2018 From: hartror at gmail.com (Rory Hart) Date: Fri, 18 May 2018 16:21:58 +1000 Subject: [keycloak-user] IdentityBrokerState Exception Message-ID: Hi I have this exception with a client's ADFS IdP integrating with our Keycloak. The exception happens upon login and isn't happening on the staging instance. Caused by: java.lang.NullPointerException at java.base/java.util.regex.Matcher.getTextLength(Matcher. 
java:1769) at java.base/java.util.regex.Matcher.reset(Matcher.java:416) at java.base/java.util.regex.Matcher.(Matcher.java:253) at java.base/java.util.regex.Pattern.matcher(Pattern.java:1147) at java.base/java.util.regex.Pattern.split(Pattern.java:1264) at org.keycloak.keycloak-server-spi-private//org.keycloak. broker.provider.util.IdentityBrokerState.decode(IdentityBrokerState.java:75) at org.keycloak.keycloak-server-spi-private//org.keycloak. broker.provider.util.IdentityBrokerState.getDecodedState( IdentityBrokerState.java:54) at org.keycloak.keycloak-services//org.keycloak.services.resources. IdentityBrokerService.parseEncodedSessionCode(IdentityBrokerService.java: 958) at org.keycloak.keycloak-services//org.keycloak.services.resources. IdentityBrokerService.authenticated(IdentityBrokerService.java:473) at org.keycloak.keycloak-services//org.keycloak.broker. saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:440) ... 63 more Any ideas what this could be? Thanks Rory Hart From valsarajpv at gmail.com Fri May 18 02:32:17 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 18 May 2018 12:02:17 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: Message-ID: Got this sample: https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi wrote: > You have to write script to run admin-cli commands > https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html > > On Fri, May 18, 2018 at 8:50 AM valsaraj pv wrote: > >> Do you have any links that will be helpful? >> >> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, >> wrote: >> >>> I think admin-cli will help you regarding this but issue is documetation >>> is not that good. 
>>> >>> On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: >>> >>>> Hi, >>>> >>>> Here is the scenario: >>>> Java web application client registers users to local LDAP/DB and sets >>>> roles. >>>> These users are periodically synced to Keycloak. Roles are also synced >>>> once >>>> as it not changed more often. >>>> So when a user registered in local LDAP via application, they are also >>>> reflected in Keycloak but they can't access web application after login >>>> via >>>> Keycloak. >>>> The new users can access only after setting client roles manually. >>>> What is the best option to automate this. Is there is any API to set >>>> client >>>> roles? >>>> If available, we can't write code to set role in registration method >>>> since >>>> the users will be synced to Keycloak only on next sync. Then option is a >>>> delayed call which first ensures that the user reached Keycloak DB and >>>> then >>>> set role. >>>> Please share your thoughts! >>>> >>>> Thanks! >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan From raphoa at worteks.com Fri May 18 04:04:07 2018 From: raphoa at worteks.com (=?UTF-8?Q?Rapha=c3=abl_HOAREAU?=) Date: Fri, 18 May 2018 10:04:07 +0200 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: Message-ID: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> Can't you just create 'role-ldap-mapper' in your ldap user federation so it reflects your ldap roles to keycloak realm or client roles ? Assuming that roles in your local LDAP are the same (name) than the one you use in keycloak. Le 18/05/2018 ? 
08:32, valsaraj pv a ?crit?: > Got this sample: > https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b > > On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi > wrote: > >> You have to write script to run admin-cli commands >> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html >> >> On Fri, May 18, 2018 at 8:50 AM valsaraj pv wrote: >> >>> Do you have any links that will be helpful? >>> >>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, >>> wrote: >>> >>>> I think admin-cli will help you regarding this but issue is documetation >>>> is not that good. >>>> >>>> On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: >>>> >>>>> Hi, >>>>> >>>>> Here is the scenario: >>>>> Java web application client registers users to local LDAP/DB and sets >>>>> roles. >>>>> These users are periodically synced to Keycloak. Roles are also synced >>>>> once >>>>> as it not changed more often. >>>>> So when a user registered in local LDAP via application, they are also >>>>> reflected in Keycloak but they can't access web application after login >>>>> via >>>>> Keycloak. >>>>> The new users can access only after setting client roles manually. >>>>> What is the best option to automate this. Is there is any API to set >>>>> client >>>>> roles? >>>>> If available, we can't write code to set role in registration method >>>>> since >>>>> the users will be synced to Keycloak only on next sync. Then option is a >>>>> delayed call which first ensures that the user reached Keycloak DB and >>>>> then >>>>> set role. >>>>> Please share your thoughts! >>>>> >>>>> Thanks! 
>>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >> -- >> Subodh Chandra Joshi >> subodh1_joshi82 at yahoo.co.in >> http://www.trendsinnews.com >> > > -- Rapha?l HOAREAU | Support & Hosting Solutions Manager raphael.hoareau at worteks.com +33 7 72 37 59 82 Worteks | https://www.worteks.com From valsarajpv at gmail.com Fri May 18 04:11:31 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 18 May 2018 13:41:31 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> References: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> Message-ID: Yes, 'role-ldap-mapper created & those roles appeared in Keyclock client set in mapper. But these roles were not assigned to users. For that need to open user from admin cosole & select client abd set client roles. I am checking how to automate this. On Fri, May 18, 2018 at 1:34 PM, Rapha?l HOAREAU wrote: > Can't you just create 'role-ldap-mapper' in your ldap user federation so > it reflects your ldap roles to keycloak realm or client roles ? > > Assuming that roles in your local LDAP are the same (name) than the one > you use in keycloak. > > > Le 18/05/2018 ? 08:32, valsaraj pv a ?crit : > > Got this sample: > > https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b > > > > On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi > > > wrote: > > > >> You have to write script to run admin-cli commands > >> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html > >> > >> On Fri, May 18, 2018 at 8:50 AM valsaraj pv > wrote: > >> > >>> Do you have any links that will be helpful? 
> >>> > >>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, > >>> wrote: > >>> > >>>> I think admin-cli will help you regarding this but issue is > documetation > >>>> is not that good. > >>>> > >>>> On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: > >>>> > >>>>> Hi, > >>>>> > >>>>> Here is the scenario: > >>>>> Java web application client registers users to local LDAP/DB and sets > >>>>> roles. > >>>>> These users are periodically synced to Keycloak. Roles are also > synced > >>>>> once > >>>>> as it not changed more often. > >>>>> So when a user registered in local LDAP via application, they are > also > >>>>> reflected in Keycloak but they can't access web application after > login > >>>>> via > >>>>> Keycloak. > >>>>> The new users can access only after setting client roles manually. > >>>>> What is the best option to automate this. Is there is any API to set > >>>>> client > >>>>> roles? > >>>>> If available, we can't write code to set role in registration method > >>>>> since > >>>>> the users will be synced to Keycloak only on next sync. Then option > is a > >>>>> delayed call which first ensures that the user reached Keycloak DB > and > >>>>> then > >>>>> set role. > >>>>> Please share your thoughts! > >>>>> > >>>>> Thanks! > >>>>> _______________________________________________ > >>>>> keycloak-user mailing list > >>>>> keycloak-user at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>> > >> -- > >> Subodh Chandra Joshi > >> subodh1_joshi82 at yahoo.co.in > >> http://www.trendsinnews.com > >> > > > > > -- > Rapha?l HOAREAU | Support & Hosting Solutions Manager > > raphael.hoareau at worteks.com > +33 7 72 37 59 82 > > Worteks | https://www.worteks.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... 
Valsaraj Viswanathan From saloniudani.23 at gmail.com Fri May 18 04:25:07 2018 From: saloniudani.23 at gmail.com (saloni udani) Date: Fri, 18 May 2018 13:55:07 +0530 Subject: [keycloak-user] Keycloak spring-boot-adapter logout session from keycloak. Message-ID: Hi I have a spring-boot 2 application which I am trying to secure with Keycloak. I have used 'keycloak-spring-boot-2-starter' adapter. Following is my security configuration -------- import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver; import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider; import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter; import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticatedActionsFilter; import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter; import org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter; import org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.logout.LogoutFilter; import 
org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.csrf.CookieCsrfTokenRepository; @ConditionalOnProperty(value = "keycloak.enabled") @Configuration @EnableWebSecurity public class KeycloakSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider(); keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); auth.authenticationProvider(keycloakAuthenticationProvider); } @Bean public KeycloakSpringBootConfigResolver keycloakConfigResolver() { return new KeycloakSpringBootConfigResolver(); } // Specifies the session authentication strategy @Bean @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); http .csrf().disable() .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class) .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint()) .and() .logout() .logoutUrl("/logout") //.invalidateHttpSession(true) //.deleteCookies("JSESSIONID") .and() .authorizeRequests() .antMatchers("/").hasRole("superuser").anyRequest().permitAll(); } @Bean public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean( KeycloakAuthenticationProcessingFilter filter) { FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter); registrationBean.setEnabled(false); return registrationBean; } @Bean public FilterRegistrationBean 
keycloakPreAuthActionsFilterRegistrationBean( KeycloakPreAuthActionsFilter filter) { FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter); registrationBean.setEnabled(false); return registrationBean; } @Bean public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean( KeycloakAuthenticatedActionsFilter filter) { FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter); registrationBean.setEnabled(false); return registrationBean; } @Bean public FilterRegistrationBean keycloakSecurityContextRequestFilterBean( KeycloakSecurityContextRequestFilter filter) { FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter); registrationBean.setEnabled(false); return registrationBean; } } -------- Following are the keycloak properties from application.properties -------- keycloak.enabled=true keycloak.auth-server-url=http://localhost:8180/auth keycloak.realm=MyRealm keycloak.resource=my-app keycloak.public-client=true keycloak.security-constraints[0].authRoles[0]=superuser keycloak.security-constraints[0].securityCollections[0].patterns[0]=/* -------- Now the default logoutSuccessfulUrl used by KeycloakLogoutHandler is '/' which is my secure endpoint. So when I do logout in application, it hits '/' and automatically logs in again as the session with Keycloak does not get deleted on logout. If I change logoutSuccessfulUrl to some unsecure endpoint , then the session from keycloak seems to get deleted.And from that unsecure page if I try to hit secure page, it asks for login as expected. So here I am trying to understand that in which scenario the session from Keycloak should be deleted(logged out) when we fire logout from application? What is the difference in both the above mentioned logout scenario? 
Thanks From Qiang.He at lombardrisk.com Fri May 18 04:25:07 2018 From: Qiang.He at lombardrisk.com (Qiang He) Date: Fri, 18 May 2018 08:25:07 +0000 Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect In-Reply-To: References: Message-ID: What's your Master SAML Processing URL in the Clients settings in the keycloak sever? Make sure it ends with "/saml", Or in your client adapter setting, set the ACS URL ending with /rest, as per the document mentioned (copied below): assertionConsumerServiceUrl URL of the assertion consumer service (ACS) where the IDP login service should send responses to. This setting is OPTIONAL. By default it is unset, relying on the configuration in the IdP. When set, it must end in /saml, e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this property is sent in AssertionConsumerServiceURL attribute of SAML AuthnRequest message. This property is typically accompanied by the responseBinding attribute. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Leonid Rozenblyum Sent: 17 May 2018 21:06 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect Hello everybody. I'm trying to set up Tomcat <-> Keycloak SAML integration. I've got stuck with the infinite redirect issue: after successful authentication I'm returned back to Tomcat Web app (to its protected resource) and then redirected back to keycloak with message YOU ARE ALREADY LOGGED IN. Keycloak 3.4.3 Tomcat 8 The problem is practically the same as described: https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login The problem is reproduced when I try to load http://localhost:8080/lr/protected (the web application is attached). Thanks for every advice! 
From valsarajpv at gmail.com Fri May 18 05:49:30 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 18 May 2018 15:19:30 +0530 Subject: [keycloak-user] Restricting users by realm Message-ID: Hi, I have a set of users & 2 realms for 2 different applications. One is my application and other is test vanilla application. These two are using separate realms under single Keycloak server. When a user logged in to my application & when I click login button of vanilla application, it shows that user as logged in. Is this existing scenario in Keyclock? Since user is logged in with different realm, how that user shown as logged in in vanilla app? Is there any way to prevent this? Thanks, Valsaraj Viswanathan From subodhcjoshi82 at gmail.com Fri May 18 06:14:29 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 18 May 2018 15:44:29 +0530 Subject: [keycloak-user] Restricting users by realm In-Reply-To: References: Message-ID: Here is the scenario i tried 1. We have a Single user *admin* 2. First i login to default(master) realm and used this url https://:8666/auth/*.* 3. Then i tried another realm url https:///auth/realms/Realm100/account :8666/auth/realms/Realm100/account> 4. Now again its ask me to me . In your case check the url you are using correct or not On Fri, May 18, 2018 at 3:20 PM valsaraj pv wrote: > Hi, > > I have a set of users & 2 realms for 2 different applications. > One is my application and other is test vanilla application. These two are > using separate realms under single Keycloak server. > When a user logged in to my application & when I click login button of > vanilla application, it shows that user as logged in. > Is this existing scenario in Keyclock? Since user is logged in with > different realm, how that user shown as logged in in vanilla app? > Is there any way to prevent this? 
> > Thanks, > Valsaraj Viswanathan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From subodhcjoshi82 at gmail.com Fri May 18 06:17:22 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 18 May 2018 15:47:22 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> Message-ID: We used admin-cli in our project to make things automate some first time system brought up,we create user/group/client/realm and map group with user ,See if this will help you to automate your requirement. https://mytechnicallife.quora.com/Keycloak-how-to-work-with-admin-cli Thanks & regards On Fri, May 18, 2018 at 1:42 PM valsaraj pv wrote: > Yes, 'role-ldap-mapper created & those roles appeared in Keyclock client > set in mapper. But these roles were not assigned to users. For that need to > open user from admin cosole & select client abd set client roles. I am > checking how to automate this. > > On Fri, May 18, 2018 at 1:34 PM, Rapha?l HOAREAU > wrote: > > > Can't you just create 'role-ldap-mapper' in your ldap user federation so > > it reflects your ldap roles to keycloak realm or client roles ? > > > > Assuming that roles in your local LDAP are the same (name) than the one > > you use in keycloak. > > > > > > Le 18/05/2018 ? 
08:32, valsaraj pv a ?crit : > > > Got this sample: > > > > https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b > > > > > > On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi < > subodhcjoshi82 at gmail.com > > > > > > wrote: > > > > > >> You have to write script to run admin-cli commands > > >> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html > > >> > > >> On Fri, May 18, 2018 at 8:50 AM valsaraj pv > > wrote: > > >> > > >>> Do you have any links that will be helpful? > > >>> > > >>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, > > > >>> wrote: > > >>> > > >>>> I think admin-cli will help you regarding this but issue is > > documetation > > >>>> is not that good. > > >>>> > > >>>> On Thu, 17 May 2018, 22:43 valsaraj pv, > wrote: > > >>>> > > >>>>> Hi, > > >>>>> > > >>>>> Here is the scenario: > > >>>>> Java web application client registers users to local LDAP/DB and > sets > > >>>>> roles. > > >>>>> These users are periodically synced to Keycloak. Roles are also > > synced > > >>>>> once > > >>>>> as it not changed more often. > > >>>>> So when a user registered in local LDAP via application, they are > > also > > >>>>> reflected in Keycloak but they can't access web application after > > login > > >>>>> via > > >>>>> Keycloak. > > >>>>> The new users can access only after setting client roles manually. > > >>>>> What is the best option to automate this. Is there is any API to > set > > >>>>> client > > >>>>> roles? > > >>>>> If available, we can't write code to set role in registration > method > > >>>>> since > > >>>>> the users will be synced to Keycloak only on next sync. Then option > > is a > > >>>>> delayed call which first ensures that the user reached Keycloak DB > > and > > >>>>> then > > >>>>> set role. > > >>>>> Please share your thoughts! > > >>>>> > > >>>>> Thanks! 
>>
>> -- 
>> Raphaël HOAREAU | Support & Hosting Solutions Manager
>> raphael.hoareau at worteks.com
>> +33 7 72 37 59 82
>> Worteks | https://www.worteks.com
>
> -- 
> Life is like this: "Just when we get all the answers of life.... God changes the question paper....
>
> Valsaraj Viswanathan

From valsarajpv at gmail.com Fri May 18 06:58:39 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Fri, 18 May 2018 16:28:39 +0530
Subject: [keycloak-user] Restricting users by realm

Let me correct. The realm is the same but the clients are different. They are app & vanilla. So once logged in to app, the user automatically gets logged into vanilla.

On Fri, May 18, 2018 at 3:44 PM, Subodh Joshi wrote:
> Here is the scenario I tried
>
> 1. We have a single user *admin*
> 2. First I login to the default (master) realm and used this url https://<Address>:8666/auth/*.*
> 3. Then I tried another realm url https://<ADDRESS>/auth/realms/Realm100/account
> 4. Now again it asks me to log in.
>
> In your case check whether the url you are using is correct or not.
>
> On Fri, May 18, 2018 at 3:20 PM valsaraj pv wrote:
>> Hi,
>>
>> I have a set of users & 2 realms for 2 different applications. One is my application and the other is a test vanilla application. These two are using separate realms under a single Keycloak server. When a user is logged in to my application & I click the login button of the vanilla application, it shows that user as logged in.
>> Is this an existing scenario in Keycloak? Since the user is logged in with a different realm, how is that user shown as logged in in the vanilla app? Is there any way to prevent this?
>>
>> Thanks,
>> Valsaraj Viswanathan

From subodhcjoshi82 at gmail.com Fri May 18 07:07:44 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 18 May 2018 16:37:44 +0530
Subject: [keycloak-user] Restricting users by realm

In that case it won't ask you to login again.

From luke at code-house.org Fri May 18 07:38:26 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Fri, 18 May 2018 13:38:26 +0200
Subject: [keycloak-user] Keycloak UI customization
Message-ID: <5fbd4f91-a743-c6e3-5c8e-acd2393818fa@code-house.org>

Hey Pulkit,

You can create your own theme which will cover all aspects of the user interface. Just check how themes are made. Most of them use a common base but you can start a new one from the ground up. See below link:
https://accounts.apifocal.org/auth/ - this is just a restyled keycloak theme.
Kind regards,
Lukasz

On 18.05.2018 07:03, Pulkit Srivastava wrote:
> Can we customize keycloak's UI to completely replace it with a custom UI?
>
> Thanks,
> Pulkit

From sr.misc at gmail.com Fri May 18 09:49:55 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 18 May 2018 15:49:55 +0200
Subject: [keycloak-user] Mixed Content - endpoint over a secure connection, but contains a form that targets an insecure endpoint

Hi all,

We are using Keycloak 3.4.3 and getting the following warning when accessing the Keycloak Account Management page. Realm "TestRealm" has Require SSL "external requests".

Mixed Content: The page at 'https://qsso.ourportal.com/auth/realms/TestRealm/account' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://qsso.ourportal.com/auth/realms/TestRealm/account/'. This endpoint should be made available over a secure connection.

We have an issue which I believe is due to endpoints exposed over the non-SSL port. Hence, curious how we can configure Keycloak to use the secure endpoint. Please advise.

Regards,
SR

From lrozenblyum at gmail.com Fri May 18 09:52:54 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 18 May 2018 16:52:54 +0300
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Thank you very much Qiang He!

My Master SAML Processing URL was NOT set at all in keycloak (I wasn't aware it should be set... Before trying the keycloak SAML tomcat adapter I've tried the spring security saml extension and it didn't require this URL...)

I've set it up now to //saml

It looks like the infinite redirect issue has been solved!

Do I need to set up something else, e.g. some listener on this /saml url, or does the tomcat adapter automatically set up something listening to this url?

On Fri, May 18, 2018 at 11:25 AM, Qiang He wrote:
> What's your Master SAML Processing URL in the Clients settings in the keycloak server? Make sure it ends with "/saml".
>
> Or in your client adapter setting, set the ACS URL ending with /rest, as per the document mentioned (copied below):
>
> assertionConsumerServiceUrl
> URL of the assertion consumer service (ACS) where the IDP login service should send responses to. This setting is OPTIONAL. By default it is unset, relying on the configuration in the IdP. When set, it must end in /saml, e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this property is sent in the AssertionConsumerServiceURL attribute of the SAML AuthnRequest message. This property is typically accompanied by the responseBinding attribute.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Leonid Rozenblyum
> Sent: 17 May 2018 21:06
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
>
> Hello everybody.
> I'm trying to set up Tomcat <-> Keycloak SAML integration.
> I've got stuck with the infinite redirect issue: after successful authentication I'm returned back to the Tomcat Web app (to its protected resource) and then redirected back to keycloak with the message YOU ARE ALREADY LOGGED IN.
>
> Keycloak 3.4.3
> Tomcat 8
>
> The problem is practically the same as described:
> https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login
>
> The problem is reproduced when I try to load http://localhost:8080/lr/protected
> (the web application is attached).
>
> Thanks for every advice!
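As an added illustration of the point made in this exchange (this is not configuration from the thread or from the Keycloak project): a keycloak-saml.xml for the Tomcat adapter in which the assertion consumer service URL ends in /saml, with the variant that produces the redirect loop shown in a comment. The realm name "demo", the key aliases and keystore passwords are assumptions; the SP and IdP hosts reuse the localhost addresses that appear in this thread.

```xml
<!-- keycloak-saml.xml for a Tomcat SP (added example; realm "demo", aliases and passwords are assumed) -->
<keycloak-saml-adapter xmlns="urn:keycloak:saml:adapter">
    <SP entityID="http://localhost:8080/lr"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        logoutPage="/logout.jsp"
        forceAuthentication="false">
        <Keys>
            <!-- SP signing key: lets the IdP verify that AuthnRequests come from this SP -->
            <Key signing="true">
                <KeyStore resource="/WEB-INF/keystore.jks" password="CHANGE-ME">
                    <PrivateKey alias="sp-signing" password="CHANGE-ME"/>
                    <Certificate alias="sp-signing"/>
                </KeyStore>
            </Key>
        </Keys>
        <PrincipalNameMapping policy="FROM_NAME_ID"/>
        <RoleIdentifiers>
            <Attribute name="Role"/>
        </RoleIdentifiers>
        <IDP entityID="idp"
             signatureAlgorithm="RSA_SHA256"
             signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
            <!--
              The adapter only treats a POST to <context>/saml as a SAML response.
              With the ACS pointing at a protected page instead, e.g.
                assertionConsumerServiceUrl="http://localhost:8080/lr/protected"
              the response lands on a page the adapter protects, no session is
              found, the browser is sent back to the IdP, and the IdP answers
              "you are already logged in": the loop described in this thread.
            -->
            <SingleSignOnService requestBinding="POST"
                                 responseBinding="POST"
                                 signRequest="true"
                                 validateResponseSignature="true"
                                 validateAssertionSignature="true"
                                 bindingUrl="http://localhost:8180/auth/realms/demo/protocol/saml"
                                 assertionConsumerServiceUrl="http://localhost:8080/lr/saml"/>
            <SingleLogoutService requestBinding="POST"
                                 responseBinding="POST"
                                 signRequest="true"
                                 signResponse="true"
                                 validateRequestSignature="true"
                                 validateResponseSignature="true"
                                 postBindingUrl="http://localhost:8180/auth/realms/demo/protocol/saml"
                                 redirectBindingUrl="http://localhost:8180/auth/realms/demo/protocol/saml"/>
            <Keys>
                <!-- IdP signing certificate, exported from the realm's Keys tab -->
                <Key signing="true">
                    <CertificatePem>IDP-SIGNING-CERT-PEM-PLACEHOLDER</CertificatePem>
                </Key>
            </Keys>
        </IDP>
    </SP>
</keycloak-saml-adapter>
```

On the Keycloak side the client's Master SAML Processing URL names the same .../saml endpoint, so both parties agree on where responses are posted. Signature validation on responses and assertions is what stops a forged response posted to that endpoint from creating a session, so it stays enabled even in a localhost setup.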
From sr.misc at gmail.com Fri May 18 10:02:09 2018
From: sr.misc at gmail.com (Sachin Rastogi)
Date: Fri, 18 May 2018 16:02:09 +0200
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x

Thanks Subodh,

On Thu, May 17, 2018 at 2:05 PM, Subodh Joshi wrote:
> After trying things here and there I am also not able to find the magic link option in 3.2.1 and 3.3.1. Maybe they removed that option but there is no update about when it was removed or whether they moved this option somewhere else. But I found this experimental extension. See if this will help you.
>
> https://github.com/stianst/keycloak-experimental
>
> On Thu, May 17, 2018 at 4:40 PM Sachin Rastogi wrote:
>> Hi Subodh,
>>
>> Thanks for your reply. I have seen this video before and tried the same on Keycloak 3.4.3. But it doesn't have the magic link option.
>>
>> I am also curious if I can construct the magic link via APIs, valid for only a single use without authentication.
>>
>> Please see the attached screenshot from Keycloak 3.4.3.
>>
>> Regards,
>> SR
>>
>> On Thu, May 17, 2018 at 11:29 AM, Subodh Joshi wrote:
>>> Hope this video link will work for you
>>>
>>> https://www.youtube.com/watch?v=oyUsI3QgEq8
>>>
>>> On Thu, May 17, 2018 at 2:53 PM Sachin Rastogi wrote:
>>>> Hi all,
>>>>
>>>> We are using Keycloak 3.4.3.
>>>>
>>>> Is magic link or one-time access to the application without a login screen possible?
>>>>
>>>> I notice that magic link was available in previous KC 1.x or 2.x versions.
>>>>
>>>> Please advise.
>>>>
>>>> Regards,
>>>> SR

From Qiang.He at lombardrisk.com Fri May 18 10:34:50 2018
From: Qiang.He at lombardrisk.com (Qiang He)
Date: Fri, 18 May 2018 14:34:50 +0000
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

No, you don't need to set up any listener. The adapter will automatically handle the url.

Only when you don't want to install the adapter in Tomcat, and want to use the pure servlet in your SP application, do you need to set up a listener for the /saml url.

From: Leonid Rozenblyum [mailto:lrozenblyum at gmail.com]
Sent: 18 May 2018 14:53
To: Qiang He; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Thank you very much Qiang He!

My Master SAML Processing URL was NOT set at all in keycloak (I wasn't aware it should be set... Before trying the keycloak SAML tomcat adapter I've tried the spring security saml extension and it didn't require this URL...)

I've set it up now to //saml

It looks like the infinite redirect issue has been solved!

Do I need to set up something else, e.g. some listener on this /saml url, or does the tomcat adapter automatically set up something listening to this url?

From subodhcjoshi82 at gmail.com Fri May 18 11:11:09 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 18 May 2018 20:41:09 +0530
Subject: [keycloak-user] magic link or one-time access to the application without login in Keycloak 3.x

Did this work-around work for you?
On Fri, 18 May 2018, 19:32 Sachin Rastogi, wrote:
> Thanks Subodh,

From valsarajpv at gmail.com Fri May 18 13:45:57 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Fri, 18 May 2018 23:15:57 +0530
Subject: [keycloak-user] NoClassDefFoundError: org/keycloak/KeycloakPrincipal

Issue fixed when I set the Keycloak modules dependency for ejb.jar in the jboss deployment descriptor.

On Tue 15 May, 2018, 6:15 PM valsaraj pv, wrote:
> Hi Luis,
>
> I am using the wildfly adapter and no keycloak jar will be bundled in the ear. The ear contains web.war and ejb.jar. The classes in the web and ejb modules refer to Keycloak API classes. The issue is only for the ejb.jar module. For the web module the keycloak adapter provides the required jar.
>
> demo
> app
> true
> true
> http://localhost:8180/auth
> EXTERNAL
> preferred_username
>
> I wonder whether I should modify this conf in WildFly so that the keycloak adapter modules will be available for both web & ejb modules in the ear. In the samples I see only war config for a war file. How to configure ear files?
>
> Thanks!
>
> On Tue, May 15, 2018 at 5:28 PM, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
>> Hi Valsaraj,
>>
>> Below works for me on apache-tomcat 9.0.5 with the servlet filter adapter:
>>
>> keycloak-tomcat-adapter-spi-3.4.3.Final.jar
>> keycloak-servlet-adapter-spi-3.4.3.Final.jar
>> keycloak-saml-tomcat8-adapter-3.4.3.Final.jar
>> keycloak-saml-tomcat-adapter-core-3.4.3.Final.jar
>> keycloak-saml-core-public-3.4.3.Final.jar
>> keycloak-saml-core-3.4.3.Final.jar
>> keycloak-saml-adapter-core-3.4.3.Final.jar
>> keycloak-saml-adapter-api-public-3.4.3.Final.jar
>> keycloak-common-3.4.3.Final.jar
>> keycloak-adapter-spi-3.4.3.Final.jar
>>
>> Yes, most probably you will need core.jar for your adapter too
>>
>> Hope it helps,
>>
>> Luis
>>
>> 2018-05-15 13:14 GMT+02:00 valsaraj pv:
>>> Hi,
>>>
>>> I am getting the following exception while deploying an ear in WildFly 10. The adapter is installed so no jars are included in the ear & no dependencies are set.
>>>
>>>> Caused by: java.lang.NoClassDefFoundError: org/keycloak/KeycloakPrincipal
>>>>
>>>> Caused by: java.lang.ClassNotFoundException: org.keycloak.KeycloakPrincipal from [Module \"deployment.app.ear.appEJB.jar:main\" from Service Module Loader]"},
>>>>
>>>> "WFLYCTL0412: Required services that are not installed:" => [
>>>>     "jboss.undertow.deployment.default-server.default-host./App",
>>>>     "org.camunda.bpm.platform.process-application-module.\"deployment.app.ear.appWEB.war:main\".NO_VIEW"
>>>> ]
>>>
>>> Please let me know if I need to include the core jar or set the subsystem dependencies. I saw in one comment that there is no need to set them explicitly.
>>> Please advise.
>>>
>>> Thanks,
>>> Valsaraj Viswanathan
>>
>> -- 
>> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>> - Samuel Beckett

From msakho at redhat.com Sat May 19 06:02:46 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Sat, 19 May 2018 12:02:46 +0200
Subject: [keycloak-user] Keycloak + NoSQL

You can use it with whatever DB you want once you implement the SPI.

2018-05-18 6:54 GMT+02:00 Pulkit Srivastava:
> Thanks for the reply.
> One more question.
>
> Can we integrate Keycloak with Amazon DynamoDB using the User Storage SPI?
>
> Thanks,
> Pulkit
>
> On Wed, May 16, 2018 at 7:51 PM, Meissa M'baye Sakho wrote:
>> NoSQL is not supported out of the box.
>> You'll have to implement a User Storage SPI if you want to use it.
>>
>> Meissa
>>
>> 2018-05-16 11:04 GMT+02:00 Pulkit Srivastava <pulkitsrivastavajd at gmail.com>:
>>> How can we integrate Keycloak with a NoSQL db to store user credentials and user authentication details?
>>>
>>> Thanks,
>>> Pulkit

From getankur86 at gmail.com Sun May 20 21:33:23 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Mon, 21 May 2018 07:03:23 +0530
Subject: [keycloak-user] Keycloak - Multi/2FA Factor - OTP - QR Code - Custom Login Screen - Rest API

Hi All,

I have *my own login page where the user enters username/password.* This username/password is used to login through the Keycloak REST API.

http://localhost:8080/auth/realms/Demo/protocol/openid-connect/token
input - {username,password,grant_type,client_secret,client_id}

And in response I get an access token.

Now I wish to enable Authenticator (Google Authenticator). I have enabled it from the backend. Now if a user wishes to login through my application, via my login page, I need the details below.

1.) Somehow I need to include the QR Code that appears on the keycloak login page post username/password validation on my login screen for the first-time login once the user enters username/password. So do we have any API which returns the Keycloak QR code image in the response?
2.) For subsequent logins I will have an OTP field, so I need a REST API to pass the OTP along with username/password.

Please help with the REST API if keycloak has any. Integrating through Javascript. Similar flow as described in use case 1 here. Just want to use keycloak as a database, doing all operations for me; the input will be my screen. I do want redirection of URLs while logging in and yet it should be standalone deployed.

https://stackoverflow.com/questions/50319327/keycloak-multi-2fa-factor-otp-qr-code-custom-login-screen-rest-api

Thanks
Ankur

From subodhcjoshi82 at gmail.com Mon May 21 00:50:44 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 21 May 2018 10:20:44 +0530
Subject: [keycloak-user] How to get user details

I am not sure about it.

On Fri, May 18, 2018 at 8:49 AM valsaraj pv wrote:
> Is there a way to process a user attribute before returning it to the client from the Keycloak side?
>
> On Fri 18 May, 2018, 7:21 AM Subodh Joshi, wrote:
>> Again your issue is you need the password. I think it's not possible to get the password. You have to change the logic in your application so that those files you want to access are available by access token.
>>
>> On Thu, 17 May 2018, 18:50 valsaraj pv, wrote:
>>> Passing the password is *not* recommended. What about the other option?
>>> In my use case I need the user password to decrypt keys (either do it on KC or in the Java app). Keys are available in Keycloak through LDAP federation. So can we customize & return decrypted keys from Keycloak in the IDToken? I have reached up to returning encrypted keys as a user attribute, which Keycloak supports out of the box. In addition to this, I need a decryption of keys using the password entered by the user & then return it in the token (a little bit of custom code required). I am looking at how to customize for this.
>>>
>>> You can see a similar scenario here as well:
>>> https://stackoverflow.com/questions/36512154/keycloak-how-to-get-current-user-password-or-store-encrypted-data
>>>
>>> On Thu, May 17, 2018 at 6:25 PM, Subodh Joshi wrote:
>>>> Is it not true you are making things more complicated? If you successfully login, why is the user password required again?
>>>> The same user session should enable access to the contents of the project. Getting the password and then again passing it to authenticate no one will recommend to you, and doing this is also not feasible.
>>>> Rather than that you can use
>>>>
>>>>> tgtToken = securityContext.getTokenString();
>>>>
>>>> Some token to access the contents. The same way we are achieving things in our production server. We have 2 web applications, one in JSF, another in React, deployed in different virtual machines, and our own REST API deployed into another machine, even a different Jboss instance, but all share the same keycloak. So if we are doing any rest call we will pass *TGTTOKEN*, which will be verified by the rest-api through keycloak.
>>>> There are too many other things involved but this is the basic concept.

From lrozenblyum at gmail.com Mon May 21 02:29:35 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 09:29:35 +0300
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Thank you very much!

It would be a great idea to enrich the documentation on the KeyCloak SAML Tomcat adapter with the info about the mandatory Master SAML Processing URL.
It would be a life saver!

On Fri, May 18, 2018 at 5:34 PM, Qiang He wrote:
> No, you don't need to set up any listener. The adapter will automatically handle the url.
>
> Only when you don't want to install the adapter in Tomcat, and want to use the pure servlet in your SP application, do you need to set up a listener for the /saml url.

From lrozenblyum at gmail.com Mon May 21 03:42:59 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 10:42:59 +0300
Subject: [keycloak-user] Tomcat SAML keycloak adapter and dynamic redirect URLs

Hello!

I'm using the Tomcat SAML keycloak adapter in Tomcat8.

Is it possible to redirect back to the application after authentication to a URL depending on the initiator of authentication? So suppose the user loaded the application via: // then after authentication it would be nice to come back to the same / If the user loaded the app via / it would be nice to come back here after logging in in keycloak.

Can we somehow control that? It looks like the Master SAML Processing URL supports just absolute URLs.

Thanks.

From hmlnarik at redhat.com Mon May 21 03:46:02 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 21 May 2018 09:46:02 +0200
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect

Could you please file a KEYCLOAK JIRA for improving the documentation here? There's a link ("Report an issue") in the relevant section which you can use for that.

On Mon, May 21, 2018 at 8:29 AM, Leonid Rozenblyum wrote:
> Thank you very much!
>
> It would be a great idea to enrich the documentation on the KeyCloak SAML Tomcat adapter with the info about the mandatory Master SAML Processing URL.
> It would be a life saver!

-- 
--Hynek

From pulkitsrivastavajd at gmail.com Mon May 21 03:58:07 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Mon, 21 May 2018 13:28:07 +0530
Subject: [keycloak-user] SAML client + google IDP

Is it possible to authenticate a SAML client in keycloak using google as the identity provider?

My scenario is: a SAML application would be redirected to keycloak and then to google for authentication. After authentication the user should be redirected back to the application.
Thanks,
Pulkit

From lrozenblyum at gmail.com Mon May 21 04:46:11 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 11:46:11 +0300
Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
In-Reply-To:
References:
Message-ID:

Done, reported: https://issues.jboss.org/browse/KEYCLOAK-7379

On Mon, May 21, 2018 at 10:46 AM, Hynek Mlnarik wrote:

> Could you please file a KEYCLOAK JIRA for improving the documentation
> here? There's a link ("Report an issue") in the relevant section which you
> can use for that.
>
> On Mon, May 21, 2018 at 8:29 AM, Leonid Rozenblyum wrote:
>
>> Thank you very much!
>>
>> It would be a great idea to enrich the documentation on KeyCloak SAML
>> Tomcat adapter with the info about the mandatory Master SAML Processing
>> URL. It would be a life saver!
>>
>> On Fri, May 18, 2018 at 5:34 PM, Qiang He wrote:
>>
>> > No, you don't need to set up any listener. The adapter will automatically
>> > handle the url.
>> >
>> > Only when you don't want to install the adapter in Tomcat, and want to
>> > use the pure servlet in your SP application, you need to set up a listener
>> > for the /saml url.
>> >
>> > *From:* Leonid Rozenblyum [mailto:lrozenblyum at gmail.com]
>> > *Sent:* 18 May 2018 14:53
>> > *To:* Qiang He ; keycloak-user at lists.jboss.org
>> > *Subject:* Re: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
>> >
>> > Thank you very much Qiang He!
>> >
>> > My Master SAML Processing URL was NOT set at all in keycloak (I wasn't
>> > aware it should be set... Before trying keycloak SAML tomcat adapter I've
>> > tried spring security saml extension and it didn't require this URL...)
>> >
>> > I've set it up now to //saml
>> >
>> > It looks like the infinite redirect issue has been solved!
>> >
>> > Do I need to set up something else, e.g. some listener on this /saml url,
>> > or does the tomcat adapter automatically set up something listening to this url?
>> >
>> > On Fri, May 18, 2018 at 11:25 AM, Qiang He wrote:
>> >
>> > What's your Master SAML Processing URL in the Clients settings in the
>> > keycloak server? Make sure it ends with "/saml".
>> >
>> > Or in your client adapter setting, set the ACS URL ending with /rest, as
>> > per the document mentioned (copied below):
>> >
>> > assertionConsumerServiceUrl
>> > URL of the assertion consumer service (ACS) where the IDP login service
>> > should send responses to. This setting is OPTIONAL. By default it is unset,
>> > relying on the configuration in the IdP. When set, it must end in /saml,
>> > e.g. http://sp.domain.com/my/endpoint/for/saml. The value of this
>> > property is sent in the AssertionConsumerServiceURL attribute of the SAML
>> > AuthnRequest message. This property is typically accompanied by the
>> > responseBinding attribute.
>> >
>> > -----Original Message-----
>> > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Leonid Rozenblyum
>> > Sent: 17 May 2018 21:06
>> > To: keycloak-user at lists.jboss.org
>> > Subject: [keycloak-user] Tomcat SAML Client adapter and infinite redirect
>> >
>> > Hello everybody.
>> > I'm trying to set up Tomcat <-> Keycloak SAML integration.
>> > I've got stuck with the infinite redirect issue: after successful
>> > authentication I'm returned back to Tomcat Web app (to its protected
>> > resource) and then redirected back to keycloak with message YOU ARE
>> > ALREADY LOGGED IN.
>> >
>> > Keycloak 3.4.3
>> > Tomcat 8
>> >
>> > The problem is practically the same as described:
>> > https://stackoverflow.com/questions/43452853/unable-to-redirect-to-my-tomcat-application-after-keycloak-login
>> >
>> > The problem is reproduced when I try to load http://localhost:8080/lr/protected
>> > (the web application is attached).
>> >
>> > Thanks for every advice!
>
> --
> --Hynek

From lrozenblyum at gmail.com Mon May 21 05:44:52 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 12:44:52 +0300
Subject: [keycloak-user] Keycloak identity brokering and fallback scenario
Message-ID:

Suppose we use some 3rd party SAML identity provider and keycloak as the identity broker.
Can keycloak be used for a fallback scenario when the 3rd party is down? E.g. to be able to authenticate a user via keycloak-stored credentials?
Does keycloak support the user entering a password for this locally 'cached' account?

From lrozenblyum at gmail.com Mon May 21 05:51:03 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 12:51:03 +0300
Subject: [keycloak-user] Keycloak SAML tomcat adapter and correct log-out
Message-ID:

Hello!

I'm using a keycloak tomcat SAML adapter and I have a question related to the ?GLO=true way of logging out (since Tomcat doesn't implement the full JavaEE stack, request.logout() is not the way to go, right?).

When I use GLO=true, my session inside Keycloak is indeed invalidated; however the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my protected page can still be loaded.

Is there a robust documented way to do the logout with the help of the Keycloak SAML tomcat adapter?
Thanks

From lrozenblyum at gmail.com Mon May 21 06:10:00 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Mon, 21 May 2018 13:10:00 +0300
Subject: [keycloak-user] Tomcat SAML Keycloak adapter
Message-ID:

Hello!

Can the Tomcat SAML keycloak adapter be used to connect to a 3rd party non-keycloak IdP, or does it have something deeply keycloak-dependent?

From mposolda at redhat.com Mon May 21 06:23:47 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 21 May 2018 12:23:47 +0200
Subject: [keycloak-user] Configure granted consents to not persistent
In-Reply-To: <42589CB0-81F7-4E55-A633-B0D139DE9F12@gmail.com>
References: <42589CB0-81F7-4E55-A633-B0D139DE9F12@gmail.com>
Message-ID: <994ed5d3-2635-56e5-d88f-5df06d9aa23a@redhat.com>

Hi,

at this moment it's not available OOTB. There are unsupported ways to workaround this. For example override the default UserProvider (JpaUserProvider) and change the consent related CRUD methods to do nothing.

Feel free to create a JIRA for this. Maybe we can either:
- Add a flag to client (or clientScope?) whether consent should be persistent.
- Use some OpenID standard mechanisms. For example the consent screen will be always shown if the parameter "prompt=login" is used at the initial OIDC Authentication Endpoint request. The thing is, that users can manually update the URL to bypass this, which is likely not good from a security perspective. Will it work for you?

Thanks,
Marek

On 02/05/18 07:25, CS CHONG wrote:
> Hi,
>
> Are we able to force user to confirm consent after every login?
>
> In other words, user will need to confirm consent for a particular client every time when they login.
>
> I understand that Keycloak has introduced "Persistent grants" in release 1.2.0.CR1, so the user doesn't need to confirm consent for a particular client multiple times.
>
> I couldn't find any similar solutions from KC documentation, or KC forum. I would greatly appreciate it if you kindly give me some
> hints.
>
> Regards,
> CS

From mposolda at redhat.com Mon May 21 06:29:01 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 21 May 2018 12:29:01 +0200
Subject: [keycloak-user] Multiple audience from auth endpoint
In-Reply-To:
References:
Message-ID: <6c1a7499-d56e-164f-db60-365f52c22526@redhat.com>

Hi,

we plan to improve audience in future versions soon (e.g. in the next weeks or months) together with adding support for client scopes. Related JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 . You can add yourself as watcher.

Marek

On 03/05/18 17:53, triton oidc wrote:
> Hi,
>
> I saw a feature for KC to handle multiple audiences.
>
> https://issues.jboss.org/browse/KEYCLOAK-5791
>
> I'd like to test this feature in my POC.
>
> I saw that I can use ScriptBasedOIDCProtocolMapper
> but didn't find any clear way to do it.
>
> Currently when I ask for a code
> the first query looks like:
>
> https://imyserver:9443/auth/realms/GreenAirlines/protocol/openid-connect/auth?client_id=greenairlines-secure&redirect_uri=https://mywebapp/callback&response_type=code&scope=openid email profile
>
> By default the audience equals the clientID.
> Is there a parameter that I can add in the query to ask for an additional
> audience?
>
> If the documentation was somewhere and I didn't find it, I'm really sorry.
>
> Thanks for any tips
>
> Amaury

From subodhcjoshi82 at gmail.com Mon May 21 07:21:51 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 21 May 2018 16:51:51 +0530
Subject: [keycloak-user] How to access custom attribute/Client Mapper in Login Page?
Message-ID:

Hi,

We have created our own theme for keycloak and we are able to access realm-name/client-name via this code:

    ${msg("loginTitleHtml",(realm.displayNameHtml!''))?no_esc}
    ${client.name!''}
    ${client.description!''}

Now we want to access some custom attribute or client mapper in the same login page before the user logs in. As far as I know Keycloak won't support adding attributes at realm level; is there any other way to do this? Is it possible to achieve this in keycloak version 3.4.1.Final?

We want to achieve this in our JS application so that according to realm/tenant-name we have a different login page.

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From getankur86 at gmail.com Mon May 21 07:34:17 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Mon, 21 May 2018 17:04:17 +0530
Subject: [keycloak-user] Fetch QR Code - OTP REST API
In-Reply-To: <81e147a70ca34f398bdbd056718ed12f@IRIS-MAILDB-02.irissoftware.com>
References: <81e147a70ca34f398bdbd056718ed12f@IRIS-MAILDB-02.irissoftware.com>
Message-ID:

Hi All,

I have my own login page, and wish to integrate this with Keycloak OTP functionality. Looking for a REST API for the flows below.

1.) User enters username/password and logs in.
2.) If the *CONFIGURE_OTP* action is configured, the REST API returns a QR Code (image/secret).
3.) User scans and submits the OTP.
4.) Subsequent logins just return to enter the OTP if no action is configured.

Thanks
Ankur

From neo11078016 at gmail.com Mon May 21 08:23:18 2018
From: neo11078016 at gmail.com (Min Han Lee)
Date: Mon, 21 May 2018 13:23:18 +0100
Subject: [keycloak-user] Required User Actions - Update Profile
In-Reply-To:
References:
Message-ID:

Hello Marek,

Thanks for this.

I was trying to add more fields under this screen - Update user profile for new user first login.

I've tried to edit the account.tfl but it only works for the Account dashboard which is under /auth/realms/{realm-name}/account.

Kind Regards
Neo Lee

On Mon, May 21, 2018 at 12:25 PM, Marek Posolda wrote:

> Hi Neo Lee,
>
> could you please rather send your question to keycloak-user mailing list,
> so more people can chime in? And add more details?
> From the descriptions of your question, I am not sure what you are talking
> about. Also the screenshot doesn't contain much info.
>
> Regards,
> Marek
>
> On 21/05/18 08:57, Min Han Lee wrote:
>
> Hello Marek,
>
> I hope you're well.
>
> I'm wondering if it is possible to add more attributes to the "Update Profile"
> for the user first login?
>
> Kind Regards
> Neo Lee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 68213 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/079f997d/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 3091 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/079f997d/attachment-0003.png

From mposolda at redhat.com Mon May 21 08:48:46 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 21 May 2018 14:48:46 +0200
Subject: [keycloak-user] Required User Actions - Update Profile
In-Reply-To:
References:
Message-ID:

Hi,

there is login-update-profile.ftl for this and it's part of the login theme. I suggest to try this one.

Marek

On 21/05/18 14:23, Min Han Lee wrote:
> Hello Marek,
>
> Thanks for this.
>
> I was trying to add more fields under this screen - Update user
> profile for new user first login.
>
> I've tried to edit the account.tfl but it only works for the Account
> dashboard which is under /auth/realms/{realm-name}/account.
>
> Kind Regards
> Neo Lee
>
> On Mon, May 21, 2018 at 12:25 PM, Marek Posolda wrote:
>
> Hi Neo Lee,
>
> could you please rather send your question to keycloak-user
> mailing list, so more people can chime in? And add more details?
> From the descriptions of your question, I am not sure what you are
> talking about. Also the screenshot doesn't contain much info.
>
> Regards,
> Marek
>
> On 21/05/18 08:57, Min Han Lee wrote:
>> Hello Marek,
>>
>> I hope you're well.
>>
>> I'm wondering if it is possible to add more attributes to the "Update
>> Profile" for the user first login?
>>
>> Kind Regards
>> Neo Lee

From neo11078016 at gmail.com Mon May 21 09:42:22 2018
From: neo11078016 at gmail.com (Min Han Lee)
Date: Mon, 21 May 2018 14:42:22 +0100
Subject: [keycloak-user] Required User Actions - Update Profile
In-Reply-To:
References:
Message-ID:

cheers!

On Mon, May 21, 2018 at 1:48 PM, Marek Posolda wrote:

> Hi,
>
> there is login-update-profile.ftl for this and it's part of the login theme. I
> suggest to try this one.
>
> Marek
>
> On 21/05/18 14:23, Min Han Lee wrote:
>
> Hello Marek,
>
> Thanks for this.
>
> I was trying to add more fields under this screen - Update user profile
> for new user first login.
>
> I've tried to edit the account.tfl but it only works for the Account
> dashboard which is under /auth/realms/{realm-name}/account.
>
> Kind Regards
> Neo Lee
>
> On Mon, May 21, 2018 at 12:25 PM, Marek Posolda wrote:
>
>> Hi Neo Lee,
>>
>> could you please rather send your question to keycloak-user mailing list,
>> so more people can chime in? And add more details? From the descriptions of
>> your question, I am not sure what you are talking about. Also the
>> screenshot doesn't contain much info.
>>
>> Regards,
>> Marek
>>
>> On 21/05/18 08:57, Min Han Lee wrote:
>>
>> Hello Marek,
>>
>> I hope you're well.
>>
>> I'm wondering if it is possible to add more attributes to the "Update
>> Profile" for the user first login?
>>
>> Kind Regards
>> Neo Lee

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 68213 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/840bae29/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 3091 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/840bae29/attachment-0003.png

From neo11078016 at gmail.com Mon May 21 12:34:24 2018
From: neo11078016 at gmail.com (Min Han Lee)
Date: Mon, 21 May 2018 17:34:24 +0100
Subject: [keycloak-user] Custom Reset Actions for Users
Message-ID:

Hello Marek, and everyone,

I wondered if it is possible to add custom actions to Reset Actions in the Users credential section?

Appreciate any available pointer.

Kind Regards
Neo Lee
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 47302 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/6a954142/attachment-0001.png

From chris.latta at dovetailgames.com Mon May 21 18:10:44 2018
From: chris.latta at dovetailgames.com (Chris Latta)
Date: Mon, 21 May 2018 23:10:44 +0100
Subject: [keycloak-user] Bulk user imports
Message-ID:

Hi,

We are in the process of upgrading from 2.5.5 to 4.0.0 and have had to switch from MongoDB to MySQL. We have been able to export our user base but with 280k+ users to import back into Keycloak this is proving troublesome. The import process takes 25 mins to import one file of 500 users, which doesn't really seem practical as that would take us approximately 9/10 days to import the user base if we were working 24/7.

Any thoughts or ideas would be appreciated.

Kind Regards

Chris Latta
Dev Ops Engineer
Email: chris.latta at dovetailgames.com
Website: www.dovetailgames.com

Please consider the environment before deciding to print this email.

This e-mail and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Railsimulator.com

If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone.

Please contact the sender if you believe you have received this email in error.

Dovetail games is a trading name of RailSimulator.com LTD Registered In England No: 6751125

Registered Office: Dovetail Games is a trading name of Railsimulator.com Ltd The Observatory, Chatham Maritime, Chatham, Kent, ME4 4NT

VAT Registration No: 948 5431 91

Please don't print this e-mail unless you really need to.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 9398 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180521/fde59b65/attachment.png

From cheesiangcs at gmail.com Mon May 21 23:42:29 2018
From: cheesiangcs at gmail.com (CS CHONG)
Date: Tue, 22 May 2018 11:42:29 +0800
Subject: [keycloak-user] Configure granted consents to not persistent
In-Reply-To: <994ed5d3-2635-56e5-d88f-5df06d9aa23a@redhat.com>
References: <42589CB0-81F7-4E55-A633-B0D139DE9F12@gmail.com> <994ed5d3-2635-56e5-d88f-5df06d9aa23a@redhat.com>
Message-ID:

Hi Marek,

Since we want to enforce user to click on consent every time when they login, it's okay to "override default UserProvider".

Do you know where I can update/override the UserProvider (JpaUserProvider)?

Thanks!

Regards,
CS

On 21/5/18, 6:23 PM, "Marek Posolda" wrote:

> Hi,
>
> at this moment it's not available OOTB. There are unsupported ways to
> workaround this. For example override the default UserProvider
> (JpaUserProvider) and change the consent related CRUD methods to do
> nothing.
>
> Feel free to create a JIRA for this.
> Maybe we can either:
> - Add a flag to client (or clientScope?) whether consent should be persistent.
> - Use some OpenID standard mechanisms. For example the consent screen will
> be always shown if the parameter "prompt=login" is used at the initial
> OIDC Authentication Endpoint request. The thing is, that users can
> manually update the URL to bypass this, which is likely not good from a
> security perspective. Will it work for you?
>
> Thanks,
> Marek
>
> On 02/05/18 07:25, CS CHONG wrote:
> > Hi,
> >
> > Are we able to force user to confirm consent after every login?
> >
> > In other words, user will need to confirm consent for a particular client every time when they login.
> >
> > I understand that Keycloak has introduced "Persistent grants" in release 1.2.0.CR1, so the user doesn't need to confirm consent for a particular client multiple times.
> >
> > I couldn't find any similar solutions from KC documentation, or KC forum. I would greatly appreciate it if you kindly give me some
> > hints.
> >
> > Regards,
> > CS

From pulkitsrivastavajd at gmail.com Tue May 22 00:31:28 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Tue, 22 May 2018 10:01:28 +0530
Subject: [keycloak-user] SAML client + google IDP
In-Reply-To:
References:
Message-ID:

Any solution to this?

I am in dire need of help for this.

Thanks,
Pulkit

On Mon, May 21, 2018 at 1:28 PM, Pulkit Srivastava <pulkitsrivastavajd at gmail.com> wrote:

> Is it possible to authenticate a SAML client in keycloak using google as
> identity provider?
>
> My scenario is:
> a SAML application would be redirected to keycloak and then to google for
> authentication. After authentication the user should be redirected back to the
> application.
>
> Thanks,
> Pulkit

From arun.velayudhan at motorolasolutions.com Tue May 22 01:12:32 2018
From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan)
Date: Tue, 22 May 2018 10:42:32 +0530
Subject: [keycloak-user] Bulk user imports
In-Reply-To:
References:
Message-ID:

One thought would be to migrate users on-demand, i.e. migrate the user when the user logs in / or at the next login. You would need to keep both systems active till all users have been migrated. Again, this depends on the type of application that you are running, but for some apps this mechanism works better than bulk migration, and it takes care of any real-time data that the app maintains.

Arun

On Tue, May 22, 2018 at 3:40 AM, Chris Latta wrote:

> Hi,
>
> We are in the process of upgrading from 2.5.5 to 4.0.0 and have had to
> switch from MongoDB to MySQL. We have been able to export our user base but
> with 280k+ users to import back into Keycloak this is proving troublesome.
> The import process takes 25 mins to import one file of 500 users, which
> doesn't really seem practical as that would take us approximately 9/10 days
> to import the user base if we were working 24/7.
>
> Any thoughts or ideas would be appreciated.
>
> Kind Regards
>
> Chris Latta
> Dev Ops Engineer
> Email: chris.latta at dovetailgames.com
> Website: www.dovetailgames.com
>
> Please consider the environment before deciding to print this email.
>
> This e-mail and its attachments may be confidential and are intended
> solely for the use of the individual to whom it is addressed.
>
> Any views or opinions expressed are solely those of the author and do not
> necessarily represent those of Railsimulator.com
>
> If you are not the intended recipient of this email and its attachments,
> you must take no action based upon them, nor must you copy or show them to
> anyone.
>
> Please contact the sender if you believe you have received this email in
> error.
>
> Dovetail games is a trading name of RailSimulator.com LTD Registered In
> England No: 6751125
>
> Registered Office: Dovetail Games is a trading name of Railsimulator.com
> Ltd The Observatory, Chatham Maritime, Chatham, Kent, ME4 4NT
>
> VAT Registration No: 948 5431 91
>
> Please don't print this e-mail unless you really need to.

From mposolda at redhat.com Tue May 22 02:40:12 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 May 2018 08:40:12 +0200
Subject: [keycloak-user] Configure granted consents to not persistent
In-Reply-To:
References: <42589CB0-81F7-4E55-A633-B0D139DE9F12@gmail.com> <994ed5d3-2635-56e5-d88f-5df06d9aa23a@redhat.com>
Message-ID: <64974610-852a-b2b9-bf29-fa8f3403dad4@redhat.com>

First I suggest to take a look at the "Server Developer" guide and look at the SPI chapter. Then look at our "providers" examples and quickstarts. This should give you some understanding of providers/SPI in Keycloak. Then you can take a look at the JPA provider itself.
It's the SPI "user" and you will need to create a new provider, extend JpaUserProvider and JpaUserProviderFactory and then configure your provider in standalone.xml for SPI "user".

Marek

On 22/05/18 05:42, CS CHONG wrote:
> Hi Marek,
>
> Since we want to enforce user to click on consent every time when they login, it's okay to "override default UserProvider".
>
> Do you know where I can update/override the UserProvider (JpaUserProvider)?
>
> Thanks!
>
> Regards,
> CS
>
> On 21/5/18, 6:23 PM, "Marek Posolda" wrote:
>
> > Hi,
> >
> > at this moment it's not available OOTB. There are unsupported ways to
> > workaround this. For example override the default UserProvider
> > (JpaUserProvider) and change the consent related CRUD methods to do
> > nothing.
> >
> > Feel free to create a JIRA for this. Maybe we can either:
> > - Add a flag to client (or clientScope?) whether consent should be persistent.
> > - Use some OpenID standard mechanisms. For example the consent screen will
> > be always shown if the parameter "prompt=login" is used at the initial
> > OIDC Authentication Endpoint request. The thing is, that users can
> > manually update the URL to bypass this, which is likely not good from a
> > security perspective. Will it work for you?
> >
> > Thanks,
> > Marek
> >
> > On 02/05/18 07:25, CS CHONG wrote:
> > > Hi,
> > >
> > > Are we able to force user to confirm consent after every login?
> > >
> > > In other words, user will need to confirm consent for a particular client every time when they login.
> > >
> > > I understand that Keycloak has introduced "Persistent grants" in release 1.2.0.CR1, so the user doesn't need to confirm consent for a particular client multiple times.
> > >
> > > I couldn't find any similar solutions from KC documentation, or KC forum. I would greatly appreciate it if you kindly give me some
> > > hints.
> > >
> > > Regards,
> > > CS

From mposolda at redhat.com Tue May 22 02:41:43 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 May 2018 08:41:43 +0200
Subject: [keycloak-user] Custom Reset Actions for Users
In-Reply-To:
References:
Message-ID: <175dfd12-fa4f-40cc-9441-4847ddaeaf55@redhat.com>

Yes, it is an SPI and you can create your own. Take a look here https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi . Especially the 8.4 (Required Actions Walkthrough) chapter.

Marek

On 21/05/18 18:34, Min Han Lee wrote:
> Hello Marek, and everyone,
>
> I wondered if it is possible to add custom actions to Reset Actions in
> the Users credential section?
>
> Appreciate any available pointer.
>
> Kind Regards
> Neo Lee

From raphoa at worteks.com Tue May 22 02:50:47 2018
From: raphoa at worteks.com (Raphaël HOAREAU)
Date: Tue, 22 May 2018 06:50:47 +0000
Subject: [keycloak-user] SAML client + google IDP
In-Reply-To:
References:
Message-ID: <20180522065047.B76926B4B0@mail.worteks.com>

From mposolda at redhat.com Tue May 22 02:50:50 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 May 2018 08:50:50 +0200
Subject: [keycloak-user] Bulk user imports
In-Reply-To:
References:
Message-ID:

Or fix the DB connection to be faster? E.g. temporarily deploy Keycloak on some server close to the DB server? With a fast network between Keycloak and DB, the import of 500 users should take a few seconds instead of 25 minutes.

Marek

On 22/05/18 07:12, Arun Velayudhan wrote:
> One thought would be to migrate users on-demand, i.e. migrate the user when
> the user logs in / or at the next login. You would need to keep both
> systems active till all users have been migrated.
> Again, this depends
> on the type of application that you are running, but for some apps this
> mechanism works better than bulk migration, and it takes care of any real-time
> data that the app maintains.
>
> Arun
>
> On Tue, May 22, 2018 at 3:40 AM, Chris Latta wrote:
>
>> Hi,
>>
>> We are in the process of upgrading from 2.5.5 to 4.0.0 and have had to
>> switch from MongoDB to MySQL. We have been able to export our user base but
>> with 280k+ users to import back into Keycloak this is proving troublesome.
>> The import process takes 25 mins to import one file of 500 users, which
>> doesn't really seem practical as that would take us approximately 9/10 days
>> to import the user base if we were working 24/7.
>>
>> Any thoughts or ideas would be appreciated.
>>
>> Kind Regards
>>
>> Chris Latta
>> Dev Ops Engineer
>> Email: chris.latta at dovetailgames.com
>> Website: www.dovetailgames.com
>>
>> Please consider the environment before deciding to print this email.
>>
>> This e-mail and its attachments may be confidential and are intended
>> solely for the use of the individual to whom it is addressed.
>>
>> Any views or opinions expressed are solely those of the author and do not
>> necessarily represent those of Railsimulator.com
>>
>> If you are not the intended recipient of this email and its attachments,
>> you must take no action based upon them, nor must you copy or show them to
>> anyone.
>>
>> Please contact the sender if you believe you have received this email in
>> error.
>>
>> Dovetail games is a trading name of RailSimulator.com LTD Registered In
>> England No: 6751125
>>
>> Registered Office: Dovetail Games is a trading name of Railsimulator.com
>> Ltd The Observatory, Chatham Maritime, Chatham, Kent, ME4 4NT
>>
>> VAT Registration No: 948 5431 91
>>
>> Please don't print this e-mail unless you really need to.

From mposolda at redhat.com Tue May 22 02:52:23 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 May 2018 08:52:23 +0200
Subject: [keycloak-user] SAML client + google IDP
In-Reply-To:
References:
Message-ID: <46339297-4c3a-a68b-2e8b-da2a9b494917@redhat.com>

Yes, that is possible. The communication between application and Keycloak is independent of the authentication mechanism which was used. So the fact that Google IDP was used to authenticate the user, and that Google itself is an OIDC provider, doesn't block this scenario.

Marek

On 22/05/18 06:31, Pulkit Srivastava wrote:
> Any solution to this?
>
> I am in dire need of help for this.
>
> Thanks,
> Pulkit
>
> On Mon, May 21, 2018 at 1:28 PM, Pulkit Srivastava <
> pulkitsrivastavajd at gmail.com> wrote:
>
>> Is it possible to authenticate a SAML client in keycloak using google as
>> identity provider?
>> >> My scenario is : >> a SAML application would be redirected to keycloak and then to google for >> authentication. After authentication user should be redirected back to the >> application. >> >> Thanks, >> Pulkit >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue May 22 03:04:26 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:04:26 +0200 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> Message-ID: <49203157-28d8-63d4-9a41-43b23407764a@redhat.com> That's strange. The role-ldap-mapper should ensure that roles from LDAP are available in Keycloak and also that they are assigned to users in Keycloak. So Keycloak should be able to see the role mappings based on the role mappings in LDAP. It's just a matter of correct configuration. You can take a look at "keycloak-examples" distribution and the example "ldap" to see how to configure things. Marek On 18/05/18 10:11, valsaraj pv wrote: > Yes, 'role-ldap-mapper' created & those roles appeared in Keycloak client > set in mapper. But these roles were not assigned to users. For that need to > open user from admin console & select client and set client roles. I am > checking how to automate this. > > On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU wrote: > >> Can't you just create 'role-ldap-mapper' in your ldap user federation so >> it reflects your ldap roles to keycloak realm or client roles ? >> >> Assuming that roles in your local LDAP are the same (name) than the one >> you use in keycloak. >> >> >> Le 18/05/2018 à 08:32, valsaraj pv a écrit : >>> Got this sample: >>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b >>> >>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi >> >>> wrote: >>> >>>> You have to write script to run admin-cli commands >>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html >>>> >>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv >> wrote: >>>>> Do you have any links that will be helpful? >>>>> >>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, >>>>> wrote: >>>>> >>>>>> I think admin-cli will help you regarding this but issue is >> documentation >>>>>> is not that good. >>>>>> >>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> Here is the scenario: >>>>>>> Java web application client registers users to local LDAP/DB and sets >>>>>>> roles. >>>>>>> These users are periodically synced to Keycloak. Roles are also >> synced >>>>>>> once >>>>>>> as it not changed more often. >>>>>>> So when a user registered in local LDAP via application, they are >> also >>>>>>> reflected in Keycloak but they can't access web application after >> login >>>>>>> via >>>>>>> Keycloak. >>>>>>> The new users can access only after setting client roles manually. >>>>>>> What is the best option to automate this. Is there any API to set >>>>>>> client >>>>>>> roles? >>>>>>> If available, we can't write code to set role in registration method >>>>>>> since >>>>>>> the users will be synced to Keycloak only on next sync. Then option >> is a >>>>>>> delayed call which first ensures that the user reached Keycloak DB >> and >>>>>>> then >>>>>>> set role. >>>>>>> Please share your thoughts! >>>>>>> >>>>>>> Thanks!
>>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>> -- >>>> Subodh Chandra Joshi >>>> subodh1_joshi82 at yahoo.co.in >>>> http://www.trendsinnews.com >>>> >>> >> -- >> Raphaël HOAREAU | Support & Hosting Solutions Manager >> >> raphael.hoareau at worteks.com >> +33 7 72 37 59 82 >> >> Worteks | https://www.worteks.com >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From mposolda at redhat.com Tue May 22 03:13:29 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:13:29 +0200 Subject: [keycloak-user] Keycloak LDAP federation (FreeIPA) and expired passwords In-Reply-To: References: Message-ID: <3ba85d3a-c49a-8143-6cc2-243b665c3b3e@redhat.com> The KEYCLOAK-4052 is already implemented. This is useful mainly for LDAP servers, which itself doesn't provide the feature of password expiration. That way, the password expiration is handled only by Keycloak. The thing is, that FreeIPA itself has support for password expiration. If you combine both Keycloak password policies and FreeIPA password policies, you need to make sure that:
- After password is updated in Keycloak, the password-update time is correctly updated in FreeIPA as well
- After update of password in FreeIPA, the password-update time is correctly updated in Keycloak as well
I don't think that Keycloak itself has ability to provide this OOTB. So I likely suggest to rely either Keycloak password policies (and then disable FreeIPA password policies if possible) or on FreeIPA password policies (but this likely doesn't work in Keycloak OOTB). In shortcut, you will likely need to do some customization if you want to rely on FreeIPA password policies. We didn't yet try to test anything like this.
Marek On 17/05/18 16:09, Ryan King wrote: > Hello, > > We're trying to use Keycloak as the main portal for users (to access > services + manage their accounts) - but I've been struggling to come up > with the best solution for handling expired passwords (for federated users > - FreeIPA LDAP). We are using Keycloak (3.4.3). > > As far as I am aware, expired passwords are currently only handled > correctly with Active Directory (using the msad-user-account-control > mapper). It looks like someone was interested in implementing for other > LDAP providers, but didn't: > > https://issues.jboss.org/browse/KEYCLOAK-4052 > > I've also tried configuring keycloak to use Kerberos password > authentication (LDAP + Kerberos integration..) - but that still didn't seem > to detect the expired password (even though from a console, kinit prompts > the user to change their password). > > So, currently I have put in a workaround by: > > 1. Under the realm Authentication - Required Actions - set "Update > Password" to default (so "new" users - ie: those who are given a temp > password - are prompted to set a new password... keycloak has been given > access to set non-expired passwords on our FreeIPA servers) > > 2. Set a password policy on the realm - 90 days expiry (matches that of the > FreeIPA password policy). > > Some issues with this are - if the user sets their password via FreeIPA > directly (kpasswd, ldap, etc) - then keycloak won't know about the new > expiry - hence, the user may have to set their password again on Keycloak > sooner than they would expect. > > So, my questions are: > > 1. Is there a better way to handle this? We'd just like to avoid sending > our users around to different places (ie: to the freeIPA UI) to work around > an expired password & we'd like to make sure it's clear _when_ their > password has expired... to the best of our ability. > > 2. I'm also not 100% certain if this Keycloak password policy is actually > implemented on federated ldap users? 
Does anyone know? I came across a > few issues that discussed implementing it - but so far haven't come up with > anything conclusive (I'm setting the password expiry to 1 day now to test > it out). I checked a dump of the database, and could not see anything that > looked like a timestamp or anything (to indicate a 90 day expiry) for a > user who just changed their password in Keycloak... so, I'm not sure how > that's tracked? (if I could find it in the DB, I was thinking of another > dirty hack to sync the password expiry from freeipa -> keycloak via a hook > if someone does update their account in freeipa). > > Thanks, > > Ryan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue May 22 03:15:25 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:15:25 +0200 Subject: [keycloak-user] Identity Provider / First Broker Login Flow Hooks In-Reply-To: References: Message-ID: As you pointed, you can use either IdentityProviderMapper or custom Authenticator into First Broker Login flow. Depends on exact usecase which option is better. Marek On 15/05/18 23:12, Andreas Taube wrote: > Hey together, > > I would like to integrate with an external Identity Provider and I wonder > about the best way to hook into this process? As soon as the external IP > authorizes the user with a valid token I would like to do some internal > setup calls and link metadata to the user (attributes) being created by > Keycloak. > > I know it is possible to extend Keycloak with custom IdentityProviderMapper > extensions but I would like to validate if they are also meant to execute > async http requests? If not, are there any other options better suited for > this use case? 
> > Thanks for any feedback > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue May 22 03:18:32 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:18:32 +0200 Subject: [keycloak-user] Send information about the authenticator type into the OpenID Connect token In-Reply-To: References: Message-ID: You may need to implement custom protocolMapper for this. ProtocolMapper has access to AuthenticatedClientSessionModel, which contains the property "executions" with the list of authenticator UUIDS, which were used during authentication. Marek On 15/05/18 17:09, Daicy Duarte wrote: > Hi, > > I need to send inside the openID Connect token information about the authenticator type that the user has used to log in. > > I have seen that in Clients -> Mappers is possible to add some fields that you want to send inside the openid connect token, but not the authenticator type that was used, for example the custom authenticator "secret-question". > > > Best regards, > > --- > Daicy > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue May 22 03:20:03 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:20:03 +0200 Subject: [keycloak-user] Upgrading Keycloak and Infinispan conflict In-Reply-To: <075E9E0E-D289-466E-99A8-2C479AF69C23@info.nl> References: <075E9E0E-D289-466E-99A8-2C479AF69C23@info.nl> Message-ID: We don't support rolling upgrades. You need to stop all the nodes in cluster and then start them again with newer version. The content of caches will be cleared. 
Marek On 15/05/18 10:25, Federico Navarro Polo - Info.nl wrote: > Hi, > > We are upgrading our Keycloak environment to the latest stable version, and we've found out a problem with Infinispan. Our setup is a standalone-ha with distributed cache. > > Apparently, there were breaking changes when going from Keycloak 3.1.0 to 3.2.0, since some classes and enums were removed from codebase. Those entities are still cached by Infinispan, so after upgrading Keycloak, on restart, a big amount of ClassNotFoundException or IllegalArgumentException due to these changes. > > Is there any way to cleanly transition without clearing the caches? > > Kind regards, > > Federico Navarro > > backend developer > > federico at info.nl | LinkedIn | - > > info.nl > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue May 22 03:23:27 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:23:27 +0200 Subject: [keycloak-user] ldap group-ldap-mapper needs up to 60 seconds to add a user to a group In-Reply-To: References: Message-ID: <2f7cbaa1-c593-c863-9c5b-033a5ed02fc1@redhat.com> Feel free to create JIRA for this and use component "federation-ldap". I think we already have JIRA for this, but can't recall 100%. Marek On 13/05/18 11:15, Michael Meier wrote: > We are using keycloak 3.4.3-final with an ldap user federation. Users > and groups are created in keycloak, and from there automatically written > to an openldap servers, since some application can only access them over > ldap. So the "edit mode" is writable and "sync registrations" is activated. > The group-mapper is configured as ldap_only. > Creating a new user is lightning fast.
But if I add the user to a group, > where already around 1000 users are members of, it takes around 60 > seconds to add it or also to remove it. It was faster when the group had > fewer members, but we can watch how the time grows the more members that > groups has. But it was already slow when there were only around 100 > users, then it took around 10 seconds to add the user to the group. > When we add the users to the groups directly in ldap it works in > milliseconds. So the problem seems to be a keycloak one. > In total there are maybe 2000 users and 15 different groups. > Keycloak is running in a docker container. > > > Anybody experiences similar problems? Or has any ideas what we could change? > We already tried to change the "User Groups Retrieve Strategy", disabled > the ldap cache, disabled connection pooling and pagination. But nothing > seems to work. > thanks in advance > > michael > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue May 22 03:28:42 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 22 May 2018 09:28:42 +0200 Subject: [keycloak-user] Group-Mapping In-Reply-To: <1525956497800.9251@tcs.com> References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com> <1525688494185.73604@tcs.com> <1525956497800.9251@tcs.com> Message-ID:
- You can try to manually clear the user cache in Keycloak admin console. If the users are correctly updated after clearing the cache, then you know it's the cache issue and you just need to tweak the cache. Otherwise it's not cache issue and it's related to LDAP mapper configuration.
- What's the edit mode of LDAP mapper? You need to use LDAP_ONLY or READ_ONLY, but not IMPORT.
With IMPORT, the roles are retrieved just during very first sync. Marek On 10/05/18 14:48, Lahari Guntha wrote: > Hi Simon, > > > We have tried that. We updated the configuration of group DN in keycloak as ou=groups,dc=example,dc=com. > > But still the groups are not getting synced properly. > > > May I know whether am missing any configuration any where else?? > > > Thanks and Regards, > > Lahari G > > ________________________________ > From: Simon Payne > Sent: 10 May 2018 14:44 > To: Lahari Guntha > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Group-Mapping > > Hi Lahari, i would suggest to try the LDAP group DN as ou=groups,dc=example,dc=com rather than cn=testgroup,ou=groups,dc=example,dc=com > > here you need to specify the group tree. > > regards, > > Simon. > > > > On Mon, May 7, 2018 at 11:21 AM, Lahari Guntha > wrote: > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > =====-----=====-----===== > Notice: The information contained in this e-mail > message and/or attachments to it may contain > confidential or privileged information. If you are > not the intended recipient, any dissemination, use, > review, distribution, printing or copying of the > information contained in this e-mail message > and/or attachments to it are strictly prohibited. If > you have received this communication in error, > please notify us by reply e-mail or telephone and > immediately and permanently delete the message > and any attachments. 
Thank you > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From valsarajpv at gmail.com Tue May 22 03:49:34 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 22 May 2018 13:19:34 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: <49203157-28d8-63d4-9a41-43b23407764a@redhat.com> References: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> <49203157-28d8-63d4-9a41-43b23407764a@redhat.com> Message-ID: roles from LDAP are available in Keycloak - worked they are assigned to users in Keycloak - I checked both realm roles & client roles. But not shown when I opened the user in KC admin console. I will check LDAP sample. On Tue, May 22, 2018 at 12:34 PM, Marek Posolda wrote: > That's strange. The role-ldap-mapper should ensure that roles from LDAP > are available in Keycloak and also that they are assigned to users in > Keycloak. So Keycloak should be able to see the role mappings based on the > role mappings in LDAP. It's just a matter of correct configuration. You can > take a look at "keycloak-examples" distribution and the example "ldap" to > see how to configure things. > > Marek > > > On 18/05/18 10:11, valsaraj pv wrote: > >> Yes, 'role-ldap-mapper' created & those roles appeared in Keycloak client >> set in mapper. But these roles were not assigned to users. For that need >> to >> open user from admin console & select client and set client roles. I am >> checking how to automate this. >> >> On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU >> wrote: >> >> Can't you just create 'role-ldap-mapper' in your ldap user federation so >>> it reflects your ldap roles to keycloak realm or client roles ? >>> >>> Assuming that roles in your local LDAP are the same (name) than the one >>> you use in keycloak. >>> >>> >>> Le 18/05/2018 à 08:32, valsaraj pv a écrit : >>> >>>> Got this sample: >>>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff3b87173a84b >>>> >>>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi < >>>> subodhcjoshi82 at gmail.com >>>> >>>> wrote: >>>> >>>> You have to write script to run admin-cli commands >>>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html >>>>> >>>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv >>>>> >>>> wrote: >>> >>>> Do you have any links that will be helpful? >>>>>> >>>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, >>>>>> wrote: >>>>>> >>>>>> I think admin-cli will help you regarding this but issue is >>>>>>> >>>>>> documentation >>> >>>> is not that good. >>>>>>> >>>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, >>>>>>> wrote: >>>>>>> >>>>>>> Hi, >>>>>>>> >>>>>>>> Here is the scenario: >>>>>>>> Java web application client registers users to local LDAP/DB and >>>>>>>> sets >>>>>>>> roles. >>>>>>>> These users are periodically synced to Keycloak. Roles are also >>>>>>>> >>>>>>> synced >>> >>>> once >>>>>>>> as it not changed more often. >>>>>>>> So when a user registered in local LDAP via application, they are >>>>>>>> >>>>>>> also >>> >>>> reflected in Keycloak but they can't access web application after >>>>>>>> >>>>>>> login >>> >>>> via >>>>>>>> Keycloak. >>>>>>>> The new users can access only after setting client roles manually. >>>>>>>> What is the best option to automate this. Is there any API to set >>>>>>>> client >>>>>>>> roles? >>>>>>>> If available, we can't write code to set role in registration method >>>>>>>> since >>>>>>>> the users will be synced to Keycloak only on next sync. Then option >>>>>>>> >>>>>>> is a >>> >>>> delayed call which first ensures that the user reached Keycloak DB >>>>>>>> >>>>>>> and >>> >>>> then >>>>>>>> set role. >>>>>>>> Please share your thoughts! >>>>>>>> >>>>>>>> Thanks!
>>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>>> -- >>>>> Subodh Chandra Joshi >>>>> subodh1_joshi82 at yahoo.co.in >>>>> http://www.trendsinnews.com >>>>> >>>>> >>>> -- >>> Raphaël HOAREAU | Support & Hosting Solutions Manager >>> >>> raphael.hoareau at worteks.com >>> +33 7 72 37 59 82 >>> >>> Worteks | https://www.worteks.com >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> >> > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan

From subodhcjoshi82 at gmail.com Tue May 22 03:52:46 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Tue, 22 May 2018 13:22:46 +0530 Subject: [keycloak-user] How to access custom attribute/Client Mapper in Login Page? In-Reply-To: References: Message-ID: ANY HELP/SUGGESTION REGARDING THIS ISSUE On Mon, May 21, 2018 at 4:51 PM Subodh Joshi wrote: > Hi , > We have created our own theme for keycloak and we are able to access > realm-name/client-name via this code >
> >> ${msg("loginTitleHtml",(realm.displayNameHtml!''))?no_esc}
> >> ${client.name!''}
> >> ${client.description!''}
> > > Now we will want to access some custom attribute or client mapper into > same login page before user login. > As I know Keycloak won't support to add attribute in realm level any other > way to do this? > Is this possible to achieve this in keycloak version 3.4.1.Final ? We > want to achieve this in our JS application so according to > realm/tenant-name we have different login page. > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com

From valsarajpv at gmail.com Tue May 22 05:05:33 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 22 May 2018 14:35:33 +0530 Subject: [keycloak-user] Set client roles to registered users automatically once synced from source LDAP/DB In-Reply-To: References: <9684d785-6f29-03ca-2fa9-f2bf029f7ea6@worteks.com> <49203157-28d8-63d4-9a41-43b23407764a@redhat.com> Message-ID: I checked configuration in LDAP sample:

> {
>   "name" : "finance roles",
>   "federationMapperType" : "role-ldap-mapper",
>   "federationProviderDisplayName" : "ldap-apacheds",
>   "config" : {
>     "roles.dn" : "ou=FinanceRoles,dc=keycloak,dc=org",
>     "membership.ldap.attribute" : "member",
>     "role.name.ldap.attribute" : "cn",
>     "role.object.classes" : "groupOfNames",
>     "mode" : "LDAP_ONLY",
>     "use.realm.roles.mapping" : "false",
>     "client.id" : "finance"
>   }
> }

Here is my config:

> {
>   "id": "e0e3a3f6-986f-4352-9242-53fead7ec6b2",
>   "name": "app-groups",
>   "providerId": "role-ldap-mapper",
>   "subComponents": {},
>   "config": {
>     "mode": [ "IMPORT" ],
>     "membership.attribute.type": [ "DN" ],
>     "user.roles.retrieve.strategy": [ "LOAD_ROLES_BY_MEMBER_ATTRIBUTE" ],
>     "roles.dn": [ "ou=groups,dc=app,dc=com" ],
>     "membership.user.ldap.attribute": [ "uid" ],
>     "membership.ldap.attribute": [ "uniqueMember" ],
>     "role.name.ldap.attribute": [ "cn" ],
>     "memberof.ldap.attribute": [ "memberOf" ],
>     "use.realm.roles.mapping": [ "false" ],
>     "role.object.classes": [ "groupOfUniqueNames, top" ],
>     "client.id": [ "app" ]
>   }
> }

This is the OpenLDAP to Keycloak role sync configuration. Please let me know if you see anything wrong. I can see roles synced, but for users these roles are not associated even though they are members of some ldap groups. Here is a group sample:

cn - appAdminConsole
objectClass - groupOfUniqueNames - top
uniqueMember - uid=testuser,ou=people,dc=app,dc=com

The group appAdminConsole synced & shown under client roles but when I open testuser, none of the roles are shown. On Tue, May 22, 2018 at 1:19 PM, valsaraj pv wrote: > roles from LDAP are available in Keycloak - worked > they are assigned to users in Keycloak - I checked both realm roles & > client roles. But not shown when I opened the user in KC admin console. > I will check LDAP sample. > > On Tue, May 22, 2018 at 12:34 PM, Marek Posolda > wrote: > >> That's strange. The role-ldap-mapper should ensure that roles from LDAP >> are available in Keycloak and also that they are assigned to users in >> Keycloak. So Keycloak should be able to see the role mappings based on the >> role mappings in LDAP. It's just a matter of correct configuration. You can >> take a look at "keycloak-examples" distribution and the example "ldap" to >> see how to configure things. >> >> Marek >> >> >> On 18/05/18 10:11, valsaraj pv wrote: >> >>> Yes, 'role-ldap-mapper' created & those roles appeared in Keycloak client >>> set in mapper. But these roles were not assigned to users. For that need >>> to >>> open user from admin console & select client and set client roles. I am >>> checking how to automate this. >>> >>> On Fri, May 18, 2018 at 1:34 PM, Raphaël HOAREAU >>> wrote: >>> >>> Can't you just create 'role-ldap-mapper' in your ldap user federation so >>>> it reflects your ldap roles to keycloak realm or client roles ? >>>> >>>> Assuming that roles in your local LDAP are the same (name) than the one >>>> you use in keycloak. >>>> >>>> >>>> Le 18/05/2018 à 08:32, valsaraj pv a écrit : >>>> >>>>> Got this sample: >>>>> https://gist.github.com/thomasdarimont/c4e739c5a319cf78a4cff >>>>> 3b87173a84b >>>>> >>>>> On Fri, May 18, 2018 at 10:39 AM, Subodh Joshi < >>>>> subodhcjoshi82 at gmail.com >>>>> >>>>> wrote: >>>>> >>>>> You have to write script to run admin-cli commands >>>>>> https://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html >>>>>> >>>>>> On Fri, May 18, 2018 at 8:50 AM valsaraj pv >>>>>> >>>>> wrote: >>>> >>>>> Do you have any links that will be helpful? >>>>>>> >>>>>>> On Fri 18 May, 2018, 7:17 AM Subodh Joshi, >>>>>> > >>>>>>> wrote: >>>>>>> >>>>>>> I think admin-cli will help you regarding this but issue is >>>>>>>> >>>>>>> documentation >>>> >>>>> is not that good. >>>>>>>> >>>>>>>> On Thu, 17 May 2018, 22:43 valsaraj pv, >>>>>>>> wrote: >>>>>>>> >>>>>>>> Hi, >>>>>>>>> >>>>>>>>> Here is the scenario: >>>>>>>>> Java web application client registers users to local LDAP/DB and >>>>>>>>> sets >>>>>>>>> roles. >>>>>>>>> These users are periodically synced to Keycloak. Roles are also >>>>>>>>> >>>>>>>> synced >>>> >>>>> once >>>>>>>>> as it not changed more often. >>>>>>>>> So when a user registered in local LDAP via application, they are >>>>>>>>> >>>>>>>> also >>>> >>>>> reflected in Keycloak but they can't access web application after >>>>>>>>> >>>>>>>> login >>>> >>>>> via >>>>>>>>> Keycloak. >>>>>>>>> The new users can access only after setting client roles manually. >>>>>>>>> What is the best option to automate this. Is there any API to >>>>>>>>> set >>>>>>>>> client >>>>>>>>> roles? >>>>>>>>> If available, we can't write code to set role in registration >>>>>>>>> method >>>>>>>>> since >>>>>>>>> the users will be synced to Keycloak only on next sync. Then option >>>>>>>>> >>>>>>>> is a >>>> >>>>> delayed call which first ensures that the user reached Keycloak DB >>>>>>>>> >>>>>>>> and >>>> >>>>> then >>>>>>>>> set role. >>>>>>>>> Please share your thoughts! >>>>>>>>> >>>>>>>>> Thanks!
>>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>>> -- >>>>>> Subodh Chandra Joshi >>>>>> subodh1_joshi82 at yahoo.co.in >>>>>> http://www.trendsinnews.com >>>>>> >>>>>> >>>>> -- >>>> Raphaël HOAREAU | Support & Hosting Solutions Manager >>>> >>>> raphael.hoareau at worteks.com >>>> +33 7 72 37 59 82 >>>> >>>> Worteks | https://www.worteks.com >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>> >>> >> > > > -- > Life is like this: "Just when we get all the answers of life.... God > changes the question paper.... > > Valsaraj Viswanathan > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan

From valsarajpv at gmail.com Tue May 22 05:37:56 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 22 May 2018 15:07:56 +0530 Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse Message-ID: Hi, I am getting following exception when calling admin API: > java.lang.NoClassDefFoundError: >> org/keycloak/representations/AccessTokenResponse > > at java.lang.Class.getDeclaredMethods0(Native Method) > > at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) > > at java.lang.Class.privateGetPublicMethods(Class.java:2902) > > at java.lang.Class.getMethods(Class.java:1615) > > at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:48) > > at >> org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:131) > > at >> org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74) > > at >> org.keycloak.admin.client.token.TokenManager.(TokenManager.java:55) > > at
org.keycloak.admin.client.Keycloak.(Keycloak.java:60) > > at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106) > > I have added keycloak-admin-client-3.4.3.Final.jar in ear lib & set dependency to following modules: > Thanks! From valsarajpv at gmail.com Tue May 22 06:38:49 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 22 May 2018 16:08:49 +0530 Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse In-Reply-To: References: Message-ID: After adding keycloak-core-3.4.3.Final.jar into ear: > java.lang.LinkageError: loader constraint violation: loader (instance of > org/jboss/modules/ModuleClassLoader) previously initiated loading for a > different type with name > "org/keycloak/representations/idm/RealmRepresentation" > at java.lang.Class.forName0(Native Method) > at java.lang.Class.forName(Class.java:264) > at com.sun.proxy.$Proxy344.(Unknown Source) > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:422) > at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:739) > at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:79) > at > org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:131) > at > org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74) > at org.keycloak.admin.client.Keycloak.realms(Keycloak.java:114) > at org.keycloak.admin.client.Keycloak.realm(Keycloak.java:118) On Tue, May 22, 2018 at 3:07 PM, valsaraj pv wrote: > > Hi, > > I am getting following exception when calling admin API: > >> java.lang.NoClassDefFoundError: org/keycloak/representations/ >>> AccessTokenResponse >> >> at 
java.lang.Class.getDeclaredMethods0(Native Method) >> >> at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) >> >> at java.lang.Class.privateGetPublicMethods(Class.java:2902) >> >> at java.lang.Class.getMethods(Class.java:1615) >> >> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy( >>> ProxyBuilder.java:48) >> >> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build( >>> ProxyBuilder.java:131) >> >> at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy( >>> ClientWebTarget.java:74) >> >> at org.keycloak.admin.client.token.TokenManager.( >>> TokenManager.java:55) >> >> at org.keycloak.admin.client.Keycloak.(Keycloak.java:60) >> >> at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106) >> >> > I have added keycloak-admin-client-3.4.3.Final.jar in ear lib & set > dependency to following modules: > >> > > > > > > > > > Thanks! > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan From valsarajpv at gmail.com Tue May 22 06:41:23 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Tue, 22 May 2018 16:11:23 +0530 Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse In-Reply-To: References: Message-ID: Which Keycloak API jar we can use to call admin APIs from Java application? 
From valsarajpv at gmail.com Tue May 22 07:05:02 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 22 May 2018 16:35:02 +0530
Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse

Removed keycloak jars from application & then added keycloak-admin-client-3.4.3.Final.jar in keycloak-core module for checking. Then got following exception:

> java.lang.NoClassDefFoundError: org/jboss/resteasy/client/jaxrs/ResteasyClientBuilder
>         at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:58)
>         at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106)
>         at com.ltchie.keycloak.util.KeycloakUtil.getInstance(KeycloakUtil.java:78)
>         at org.tolven.web.security.GeneralSecurityFilter.doFilter(GeneralSecurityFilter.java:478)

Looks like resteasy dependency required here.
So keycloak-admin-client not coming out of the box for WildFly modules.
Is there any other jar that can be used for calling admin APIs?
From valsarajpv at gmail.com Tue May 22 07:08:29 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 22 May 2018 16:38:29 +0530
Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse

After setting resteasy dependency got another:

> 2018-05-22 16:35:25,069 WARN [com.ltchie.mco.web.ErrorServlet] (default task-9) Error in processing request: java.lang.NoClassDefFoundError: javax/ws/rs/BadRequestException
>         at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:60)
>         at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106)
From valsarajpv at gmail.com Tue May 22 07:20:25 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 22 May 2018 16:50:25 +0530
Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse

Set in keycloak-core module. Got another:

Caused by: javax.ws.rs.ClientErrorException: HTTP 403 Forbidden
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:216)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:174)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy253.list(Unknown Source)
From lists at merit.unu.edu Tue May 22 07:28:59 2018
From: lists at merit.unu.edu (lists)
Date: Tue, 22 May 2018 13:28:59 +0200
Subject: [keycloak-user] SessionNotOnOrAfter attribute

Hi,

We are using keycloak as our IdP, and I am requested to add the SessionNotOnOrAfter attribute to our SAML2 accesstoken. I can't find it in keycloak. Is it supported?
Thanks,
MJ

From federico at info.nl Tue May 22 07:56:41 2018
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Tue, 22 May 2018 11:56:41 +0000
Subject: [keycloak-user] Recommended practice for utf-8 messages resources
Message-ID: <5988246D-7C7E-4BA8-9B76-919E6F6ED872@info.nl>

Hello,

I noticed there was an upgrade of freemarker templates and a few text resources changed to start using the function "?no_esc". However, there are still text resources in the messages properties files that would need escaping. E.g.:

In keycloak/themes/src/main/resources-community/theme/base/login/messages/messages_nl.properties

linkIdpMessage=U moet uw e-mailadres verifiëren om uw account te koppelen aan {0}.

This text resource is passed to the template as a message, which is used in template.ftl:

<#if displayMessage && message?has_content>
    <#if message.type = 'success'>
    <#if message.type = 'warning'>
    <#if message.type = 'error'>
    <#if message.type = 'info'>
The result is that the character ë is not escaped, but displayed as below:

U moet uw e-mailadres verifiÃ«ren om uw account te koppelen aan Facebook.

I understand there might be reasons to use ?no_esc on the message summary, so my question would be, what's the recommended approach for those resource files. Should everything be HTML?

Kind regards,

Federico Navarro
backend developer
federico at info.nl | LinkedIn | - info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From abhi.raghav007 at gmail.com Tue May 22 08:03:58 2018
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 22 May 2018 17:33:58 +0530
Subject: [keycloak-user] SSO for multiple applications – Session Timeout sync

Hi

I have configured two apps in a single realm, one is protected by mod-auth openidc and other is a SAML type client. SSO and SLO works as expected and no problem with that. I have a small doubt regarding a scenario, if anyone could clarify:

- SSO session max is set as 8 hours. If a user is logged in for 8 hours, after 8 hours the KEYCLOAK_SESSION will be timed out. Is it possible that the local SAML app cookie can also be invalidated after 8 hours, or can keycloak invalidate the local SAML cookie/session like it happens on SLO (single logout)?
- Right now what happens if a user leaves his/her laptop overnight and opens it the next day: the keycloak cookie is invalidated due to max session age but the old app cookie still remains in the browser. Is there a way to force authentication even if a local SAML cookie is already present in the browser?
- In other words, if the SSO cookie times out due to SSO max, is there a way that the local app cookies attached to that SSO session for a user can also be invalidated?

I need to keep these sessions in sync in terms of session timeouts. Based on my understanding no IDP really supports this kind of behavior as the IDP is not aware of all these 'local sessions'.
I was wondering if someone can suggest any solution for this. Alternatively, are there any best practices/recommendations available?

*- Best Regards*
Abhishek Raghav

From lists at stefan-hesse.net Tue May 22 08:43:56 2018
From: lists at stefan-hesse.net (Stefan Hesse)
Date: Tue, 22 May 2018 14:43:56 +0200
Subject: [keycloak-user] Create scopes from the REST API
Message-ID: <85f81974-48eb-82d5-0976-6e1678a0a093@stefan-hesse.net>

Hello,

I am looking for a way to create a scope from the REST-API: https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_scoperepresentation

But I simply can't find the appropriate resource in the doc.

We need this, because we use Keycloak to manage permissions for "apps", which are supposed to "register" themselves in keycloak, in order to link them to users.

Best Regards
Stefan

From psilva at redhat.com Tue May 22 09:20:01 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 22 May 2018 10:20:01 -0300
Subject: [keycloak-user] Create scopes from the REST API
In-Reply-To: <85f81974-48eb-82d5-0976-6e1678a0a093@stefan-hesse.net>
References: <85f81974-48eb-82d5-0976-6e1678a0a093@stefan-hesse.net>

You can use Keycloak Admin Java Client to manage scopes. Here is an example [1]. But yeah, we are missing docs for authz services related resources in rest-api docs.

[1] org.keycloak.testsuite.admin.client.authorization.AbstractAuthorizationTest#createScope
From fco at iec.ch Tue May 22 09:21:50 2018
From: fco at iec.ch (Corbetta, Francesco)
Date: Tue, 22 May 2018 13:21:50 +0000
Subject: [keycloak-user] understanding cache and user storage SPI

Hi all

I implemented a User Storage SPI in order to authenticate users against my company User Relational DB. Lately I had to add some custom attributes and therefore I overrode the method getAttributes of the UserAdapter to make it load the correct entities.

The problem I had is that it did not work until I changed the cache policy of the storage provider to NO_CACHE. Before that, the attributes were not loaded and no SQL statements were sent to the DB. Please note that I also restarted the application server with no success and cleaned all the cache for the realm from the admin interface.

Is this the expected behaviour? How does the user cache work for external user providers? How is it possible that even a restart of keycloak did not erase the cache?

Best regards
Francesco

From lists at stefan-hesse.net Tue May 22 09:43:22 2018
From: lists at stefan-hesse.net (Stefan Hesse)
Date: Tue, 22 May 2018 15:43:22 +0200
Subject: [keycloak-user] Magic Link feature removed?

Hello,

according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942 Magic Link was introduced in version 4.0.0.Beta1.

I am running 4.0.0.Beta.2, and I tried to follow the following tutorial in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8

Strangely the option does not appear in the Beta2 anymore. Was the feature removed again?
Regards
Stefan

From dremspider at gmail.com Tue May 22 10:14:25 2018
From: dremspider at gmail.com (Daniel Lohin)
Date: Tue, 22 May 2018 10:14:25 -0400
Subject: [keycloak-user] Best Practices for running Keycloak and Kubernetes
Message-ID: <80A1D1D6-7F1B-4DDD-9AA4-D2786E320222@gmail.com>

I am very new to Keycloak/OAuth concepts and trying to wrap my head around all of this. I am working with a number of web applications that I want to have a single sign on provider for that is locally hosted. Keycloak seems perfect and I have gotten it working, but I am mostly trying to understand what is the best way to do things inside of Kubernetes in relation to the Keycloak proxy.

Originally, my thought was to use the concept of sidecar containers and place Keycloak-proxy in the same pod as the web application. Essentially this meant that traffic went like this:

Ingress -> Web Service IP -> Keycloak Proxy -> Web service listening on localhost inside of the pod.

This means that Keycloak Proxy and Web service are in the same Pod. I liked this set up for a few reasons:

- My unprotected web service is now only listening on Localhost which means other pods in the cluster can't directly hit it
- Keycloak Proxy now scales with the web service

This works when I have one Pod in my cluster, but when I scale the pods to two or more, it seems like it only works when I get randomly load balanced to the original Pod. This of course doesn't work, though I could possibly mess with some of the session stickiness options in the Ingress controller to make this work.

My next option:

Ingress -> Keycloak Service IP -> Keycloak Proxy -> Web Service IP -> Web service listening on the same pod

This works, but my issue here is that Keycloak Proxy now becomes a failure point and doesn't scale with the pods. It also creates more network hops inside of the cluster.

What are the best practices for using Keycloak Proxy inside of Kubernetes?
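The sidecar layout from the post above, written out as a Kubernetes manifest. This is an added example, not Daniel's configuration and not anything shipped by the Keycloak project: the image names, the `LISTEN_ADDR` environment variable, the Secret name and the proxy flags (assumed to be those of the Go keycloak-proxy, later keycloak-gatekeeper) are assumptions to be checked against the proxy version actually in use.

```yaml
# Added example (not from the original post). Sidecar layout:
#   Ingress -> Service :80 -> keycloak-proxy 0.0.0.0:3000 -> web app 127.0.0.1:8080
# Only the proxy port is exposed to the cluster; the app binds to loopback,
# so other pods cannot reach it except through the proxy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp                                  # hypothetical names throughout
spec:
  replicas: 2
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: example.invalid/webapp:1.0       # placeholder image
        env:
        # Assumed: the application honours LISTEN_ADDR and binds only to
        # loopback. Whatever mechanism the app offers, this is the setting
        # that keeps the unprotected port off the pod's cluster IP.
        - name: LISTEN_ADDR
          value: "127.0.0.1:8080"
      - name: keycloak-proxy
        image: example.invalid/keycloak-proxy:latest   # placeholder image
        # Flags assumed from keycloak-proxy / keycloak-gatekeeper; verify
        # against the version in use. Every replica must run with identical
        # proxy settings (including any --encryption-key, if encrypted
        # cookies or refresh tokens are enabled), otherwise a cookie issued
        # by one pod is not usable by another.
        args:
        - --listen=0.0.0.0:3000
        - --upstream-url=http://127.0.0.1:8080  # same network namespace as webapp
        - --discovery-url=https://keycloak.example.invalid/auth/realms/demo
        - --client-id=webapp
        - --client-secret=$(CLIENT_SECRET)      # expanded from the env var below
        - --resources=uri=/*                    # every path requires a valid session
        env:
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: webapp-oidc                 # hypothetical Secret, created separately
              key: client-secret
        ports:
        - containerPort: 3000
          name: proxy
---
# The Service targets only the proxy port, so a request the Ingress routes
# to any replica is authenticated before it reaches the application.
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 80
    targetPort: proxy
```

Port 8080 is deliberately absent from the container's `ports` and from the Service, which is what makes the first layout in the post hold at the network level.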
From lrozenblyum at gmail.com Tue May 22 10:23:50 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Tue, 22 May 2018 17:23:50 +0300
Subject: [keycloak-user] Warning in Keycloak when using Tomcat Keycloak SAML adapter

Every time I'm accessing a protected resource from Tomcat with SAML adapter I see a warning in keycloak:

WARN [org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator] (default task-8) Provider not found or not enabled for realm

However the authentication goes on. Am I missing something? E.g. something not configured properly in keycloak client or in the web app's keycloak-saml.xml?

Thanks for advice in advance.

From getankur86 at gmail.com Tue May 22 13:44:52 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Tue, 22 May 2018 23:14:52 +0530
Subject: [keycloak-user] Fetch QR Code - TOTP REST API

Hi All,

I have my own login page, wish to integrate this with Keycloak OTP Functionality. Looking for REST API for below flows.

1.) User enters username/password and logs in.
2.) If *CONFIGURE_OTP* action is configured, REST API returns with QR Code (image/secret).
3.) User scans and submits the OTP.
4.) Subsequent login just returns to enter OTP if no action configured.

Thanks
Ankur

From joshua.k.harness at gmail.com Tue May 22 18:42:24 2018
From: joshua.k.harness at gmail.com (Josh Harness)
Date: Tue, 22 May 2018 18:42:24 -0400
Subject: [keycloak-user] Slow API Search for User Due to Wildcard

Hi -

We're using this API to search for users by email: https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_users_resource

It looks like it does the following in a SQL database:

* Issues a "lower" function call on the search criteria
* Bookends the query criteria with wildcards, eg '%'

The lower function breaks the index. Our DBAs worked around this with a function based index in Oracle.
However, the second wildcard is causing the entire table to be read (1,000,000 records) and is impacting performance. Does anybody have any ideas about how to load users without the wildcard when you only know the username or email address? We know the exact username or email. Our use case doesn't require the wild card search.

Thanks!
Josh

From raisandeepkmr at gmail.com Tue May 22 20:52:04 2018
From: raisandeepkmr at gmail.com (Sandeep Rai)
Date: Wed, 23 May 2018 02:52:04 +0200
Subject: [keycloak-user] User Attributes not added in token

Hi Community,

I'm new to keycloak. And trying to federate login via external database. While federating username and password validation through JPA I'm trying to add a user attribute to the token. To achieve that all I'm doing is adding the attribute in the getAttributes method. As I'm expecting, it then adds to the token. But after successful validation the token I get does not have the 'phone' attribute.

Is there something I'm missing? Do I have to add this attribute any other way?

File:

    import java.util.List;
    import java.util.Map;

    import org.keycloak.common.util.MultivaluedHashMap;   // Keycloak's MultivaluedHashMap<K,V> extends HashMap<K, List<V>>
    import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

    public class UserAdapter extends AbstractUserAdapterFederatedStorage {
        // constructor, userEntity field and getUsername()/setUsername() were not shown in the post

        @Override
        public Map<String, List<String>> getAttributes() {
            Map<String, List<String>> attrs = super.getAttributes();     // attributes kept in federated storage
            MultivaluedHashMap<String, String> all = new MultivaluedHashMap<>();
            all.putAll(attrs);
            all.add("phone", userEntity.getMOBILE_NO());                 // phone number from the JPA entity
            return all;
        }
    }

Kind Regards

From pulkitsrivastavajd at gmail.com Wed May 23 00:55:21 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Wed, 23 May 2018 10:25:21 +0530
Subject: [keycloak-user] Stuck in infinite loop | Keycloak

Hi,

I am new to keycloak and using keycloak as an IDP. I am being redirected from my application to keycloak which is correct as per requirement. But after authentication at keycloak my application gets stuck in an infinite redirection loop between the URLs mentioned below.
http://localhost:8080/auth/realms/demo/login-actions/authenticate?client_id=https%3A%2F%2Flocalhost%2Faaconversion-1.0.0%2Fsaml%2Fmetadata&tab_id=3iROWfTkFvU
https://localhost/aaconversion-1.0.0/unauthorized

I have checked all the keycloak configurations but unable to figure out what's happening wrong. Please help.

Thanks,
Pulkit

From valsarajpv at gmail.com Wed May 23 01:08:00 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Wed, 23 May 2018 10:38:00 +0530
Subject: [keycloak-user] java.lang.NoClassDefFoundError: org/keycloak/representations/AccessTokenResponse

The previous issue was due to no permission for user in the realm. After setting permission, issue fixed.

Here are samples of Java APIs: https://www.programcreek.com/java-api-examples/?api=org.keycloak.representations.idm.UserRepresentation

I didn't find Java APIs in Keycloak docs, this might be helpful.
>>>> >>>> On Tue, May 22, 2018 at 4:08 PM, valsaraj pv >>>> wrote: >>>> >>>>> After adding keycloak-core-3.4.3.Final.jar into ear: >>>>> >>>>>> java.lang.LinkageError: loader constraint violation: loader (instance >>>>>> of org/jboss/modules/ModuleClassLoader) previously initiated loading >>>>>> for a different type with name "org/keycloak/representations/ >>>>>> idm/RealmRepresentation" >>>>>> at java.lang.Class.forName0(Native Method) >>>>>> at java.lang.Class.forName(Class.java:264) >>>>>> at com.sun.proxy.$Proxy344.(Unknown Source) >>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>>> Method) >>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>>>> ConstructorAccessorImpl.java:62) >>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>>>> legatingConstructorAccessorImpl.java:45) >>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422) >>>>>> at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:739) >>>>>> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuil >>>>>> der.java:79) >>>>>> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuil >>>>>> der.java:131) >>>>>> at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.pro >>>>>> xy(ClientWebTarget.java:74) >>>>>> at org.keycloak.admin.client.Keycloak.realms(Keycloak.java:114) >>>>>> at org.keycloak.admin.client.Keycloak.realm(Keycloak.java:118) >>>>> >>>>> >>>>> >>>>> On Tue, May 22, 2018 at 3:07 PM, valsaraj pv >>>>> wrote: >>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I am getting following exception when calling admin API: >>>>>> >>>>>>> java.lang.NoClassDefFoundError: org/keycloak/representations/A >>>>>>>> ccessTokenResponse >>>>>>> >>>>>>> at java.lang.Class.getDeclaredMethods0(Native Method) >>>>>>> >>>>>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) >>>>>>> >>>>>>> at java.lang.Class.privateGetPublicMethods(Class.java:2902) >>>>>>> >>>>>>> at java.lang.Class.getMethods(Class.java:1615) 
>>>>>>> >>>>>>> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuil >>>>>>>> der.java:48) >>>>>>> >>>>>>> at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuil >>>>>>>> der.java:131) >>>>>>> >>>>>>> at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.pro >>>>>>>> xy(ClientWebTarget.java:74) >>>>>>> >>>>>>> at org.keycloak.admin.client.token.TokenManager.(TokenMan >>>>>>>> ager.java:55) >>>>>>> >>>>>>> at org.keycloak.admin.client.Keycloak.(Keycloak.java:60) >>>>>>> >>>>>>> at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:106) >>>>>>> >>>>>>> >>>>>> I have added keycloak-admin-client-3.4.3.Final.jar in ear lib & set >>>>>> dependency to following modules: >>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Thanks! >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Life is like this: "Just when we get all the answers of life.... God >>>>> changes the question paper.... >>>>> >>>>> Valsaraj Viswanathan >>>>> >>>> >>>> >>>> >>>> -- >>>> Life is like this: "Just when we get all the answers of life.... God >>>> changes the question paper.... >>>> >>>> Valsaraj Viswanathan >>>> >>> >>> >>> >>> -- >>> Life is like this: "Just when we get all the answers of life.... God >>> changes the question paper.... >>> >>> Valsaraj Viswanathan >>> >> >> >> >> -- >> Life is like this: "Just when we get all the answers of life.... God >> changes the question paper.... >> >> Valsaraj Viswanathan >> > > > > -- > Life is like this: "Just when we get all the answers of life.... God > changes the question paper.... > > Valsaraj Viswanathan > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan From atx at binaryninja.de Wed May 23 03:08:37 2018 From: atx at binaryninja.de (Anton G.) 
Date: Wed, 23 May 2018 09:08:37 +0200 Subject: [keycloak-user] Join Multiple LDAP Message-ID:

From triton.oidc at gmail.com Wed May 23 05:00:27 2018 From: triton.oidc at gmail.com (triton oidc) Date: Wed, 23 May 2018 09:00:27 +0000 Subject: [keycloak-user] Writing new way to login Message-ID:

Hi, in my current scenario, I wish to write a new way for users to log in. I saw an example that seems pretty simple to start with: PassThroughAuthenticator. The user is hardcoded in the class and it already implements Authenticator and AuthenticatorFactory. I've been trying to use this example in my keycloak. Looking at the configuration xml, I saw some lines containing spi, like mentioned in the doc. I guess I need to put the PROVIDER_ID ("testsuite-dummy-passthrough" in my example) somewhere in the XML, then it will appear in the UI in Authentication / flow / execution / Provider. I tried this, but it's not showing in the UI after a restart:

    testsuite-dummy-passthrough

1) am I looking in the right direction for filling the XML, or did I miss any step
2) am I looking in the correct menu in the UI

Thanks for any help, I'll keep trying in the meantime. Amaury

From ashutosh.kanthi at exfo.com Wed May 23 06:14:40 2018 From: ashutosh.kanthi at exfo.com (Ashutosh Kanthi) Date: Wed, 23 May 2018 10:14:40 +0000 Subject: [keycloak-user] Keycloak user session time out Message-ID: <4D2B736E058FB9498FF049DBC89C8F95CBEC00CC@SPQCMBX01.exfo.com>

Hi, We want to implement one functionality with regard to session timeout in keycloak, i.e. if the session timeout is near, then the user should be notified of the same. Does anyone know whether it is possible to do this in Keycloak? And if it is possible, then how to do this?
Thanks & regards, Ashutosh Kanthi

From ashutosh.kanthi at exfo.com Wed May 23 06:15:52 2018 From: ashutosh.kanthi at exfo.com (Ashutosh Kanthi) Date: Wed, 23 May 2018 10:15:52 +0000 Subject: [keycloak-user] Keycloak user session time out Message-ID: <4D2B736E058FB9498FF049DBC89C8F95CBEC00DC@SPQCMBX01.exfo.com>

Hi, We want to implement one functionality with regard to session timeout in keycloak, i.e. if the session timeout is near, then the user should be notified of the same. Does anyone know whether it is possible to do this in Keycloak? And if it is possible, then how to do this? Thanks & regards, Ashutosh Kanthi

From uo67113 at gmail.com Wed May 23 07:46:17 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Wed, 23 May 2018 13:46:17 +0200 Subject: [keycloak-user] Stuck in infinite loop | Keycloak In-Reply-To: References: Message-ID:

Hello Pulkit, Usually this "infinite loop" issue happens because there is a typo in the SAML configuration. I suggest you have a look at your SP configuration in keycloak and check whether the entityID matches the one that is being sent by your SP in the authorization request. It can also be related to the IdP public key and/or SP private key. Check that on both sides they are correctly registered. Hope it helps, Luis

2018-05-23 6:55 GMT+02:00 Pulkit Srivastava :
> Hi,
> I am new to keycloak and using keycloak as an IDP. I am being redirected
> from my application to keycloak, which is correct as per requirement. But
> after authentication at keycloak my application gets stuck in an infinite
> redirection loop between the url's mentioned below.
>
> http://localhost:8080/auth/realms/demo/login-actions/authenticate?client_id=https%3A%2F%2Flocalhost%2Faaconversion-1.0.0%2Fsaml%2Fmetadata&tab_id=3iROWfTkFvU
>
> https://localhost/aaconversion-1.0.0/unauthorized
>
> I have checked all the keycloak configurations but am unable to figure out
> what's happening wrong. Please help.
>
> Thanks,
> Pulkit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From carreraariel at gmail.com Wed May 23 08:11:37 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Wed, 23 May 2018 09:11:37 -0300 Subject: [keycloak-user] Keycloak user session time out In-Reply-To: <4D2B736E058FB9498FF049DBC89C8F95CBEC00DC@SPQCMBX01.exfo.com> References: <4D2B736E058FB9498FF049DBC89C8F95CBEC00DC@SPQCMBX01.exfo.com> Message-ID:

Maybe you can do it by modifying Keycloak's adapter, or by using SSE, browser notifications or phone notifications (android, iOS...)

On Wed, 23 May 2018 at 08:40, Ashutosh Kanthi <ashutosh.kanthi at exfo.com> wrote:
> Hi,
>
> We want to implement one functionality with regard to session timeout in
> keycloak i.e. if session timeout is reaching near, then user should be
> notified of the same.
> Does anyone know whether it is possible to do this in Keycloak? And if is
> possible then how to do this?
>
> Thanks & regards,
>
> Ashutosh Kanthi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- Ariel Carrera

From pnowak.pierre at gmail.com Wed May 23 09:18:15 2018 From: pnowak.pierre at gmail.com (Pierre Nowak) Date: Wed, 23 May 2018 15:18:15 +0200 Subject: [keycloak-user] group management Message-ID:

Hello, I am struggling with setting up fine grained group management. I would like to give a specific user access to the following actions on a specific group:

- view only users in a specific group (don't see the whole list of users)
- manage subgroups of a specific group (can add and delete subgroups). Do not see all the group list!
- add users to my subgroups

When I try to set this up it gives me the view of all the groups. Pierre

From milan.molbio at gmail.com Wed May 23 10:16:20 2018 From: milan.molbio at gmail.com (milan.molbio) Date: Wed, 23 May 2018 07:16:20 -0700 (MST) Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: References: Message-ID: <1527084980656-0.post@n6.nabble.com>

Hi Pedro, any news about this? I think KC was at v2.5 at the time, and now we're at v4. Is it now possible to pass extra arguments to the evaluation context (and access them from a JavaScript policy)? regards, Milan

On Fri, Feb 3, 2017 at 6:26 PM, Scott Elliott <scottpelliott@> wrote:
> The example I've been given is evaluating whether or not a request has
> permission to make a change to a value by a particular amount. Sounds like
> an application function, but I don't necessarily want to have to change the
> application whenever some policy decision needs to be made or changed (like
> for now, it's based on one value, but in the future, it could be several
> values). Ideally, I guess, the ability to pass additional data (say, JSON)
> with the request that the Evaluation API could access, so it would be up to
> the caller and policy to decide what's needed to grant the request.

I see. There is a very fragile line between business rules and security policies. For instance, what you want could be achieved with Drools/JBoss BRMS and also by an externalized authorization system like what we are proposing. What you are asking makes a lot of sense as this is something common for protocols such as XACML. And it will make our policies a lot more "contextualized" as you have control over the data that determine how your policies are evaluated. Like I said, you still have the option to use protocol mappers to push things into the token and use them in your policies. But "runtime" data like what you mentioned is not something you can do right now. But we'll get there ...
In the future we want to support resource attributes. I think that would also help to cover more use cases. For instance, considering your use case where you need to authorize access based on a dynamic attribute: we may have an "amount" attribute on the resource and a general permission associated with this resource that tells that only the owner is allowed to access. When you receive permissions for the resource you could also get the attributes associated with it and then perform local checks in your application (probably using the AuthorizationContext). In this case, if you change the "amount" on the KC server you won't need to change your application. Just an idea.

> On Fri, Feb 3, 2017 at 12:26 PM Pedro Igor Silva <psilva@> wrote:
>
>> Hi Scott,
>>
>> You can't pass additional attributes along with an authorization request.
>> However, that is something we want to support on future versions.
>>
>> Right now, the information you get is basically what is in an access
>> token. So whatever you push as a claim (e.g.: using mappers) it will be
>> available to your policies.
>>
>> That is an important addition to our API in order to push more context to
>> policies, as you are requesting.
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott <scottpelliott@> wrote:
>>
>> Would there be any way to pass additional attributes to an authorization
>> request, and access it in a Javascript or rules based policy? I see that
>> what is available in the Evaluation API currently is pretty limited.

-- Sent from: http://keycloak-user.88327.x6.nabble.com/

From psilva at redhat.com Wed May 23 10:44:58 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 23 May 2018 11:44:58 -0300 Subject: [keycloak-user] group management In-Reply-To: References: Message-ID:

On Wed, May 23, 2018 at 10:18 AM, Pierre Nowak wrote:
> Hello,
>
> I am struggling with setting up fine grained group management.
>
> I would like to give a specific user access to the following actions on a
> specific group:
>
> - view only users in a specific group (don't see the whole list of users)

If you set up the permission "view-members" for a Group, you should be able to restrict which users are shown according to a policy. You should also make sure your user (accessing the admin console) is assigned "query-users". Make sure "view-users" and "manage-users" are not assigned to the user, otherwise you will see all users.

> - manage subgroups of a specific group (can add and delete subgroups). Do
> not see all the group list !

I think this is not supported at the moment. I would need to take a look. We have other RFEs and issues around this, maybe you can file a JIRA for this particular one.

> - add users to my subgroups

If you set up the permission "manage-membership" for a Group, you should be able to restrict who can add/remove users from a group.

>
> When I try to set this up this gives me the view of all the groups.
>
> Pierre
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed May 23 10:54:39 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 23 May 2018 11:54:39 -0300 Subject: [keycloak-user] Additional attributes for an authorization request In-Reply-To: <1527084980656-0.post@n6.nabble.com> References: <1527084980656-0.post@n6.nabble.com> Message-ID:

Hey, Yeah, we have added support for that: https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point . Also added support for resource attributes: https://www.keycloak.org/docs/latest/authorization_services/index.html#resource-attributes . Regards. Pedro Igor

On Wed, May 23, 2018 at 11:16 AM, milan.molbio wrote:
> Hi Pedro,
>
> any news about this? I think KC was at v2.5 at the time, and now we're at
> v4.
> Is it now possible to pass extra arguments to the evaluation context
> (and access them from a JavaScript policy)?
>
> regards,
> Milan
>
> On Fri, Feb 3, 2017 at 6:26 PM, Scott Elliott <scottpelliott@> wrote:
>
> > The example I've been given is evaluating whether or not a request has
> > permission to make a change to a value by a particular amount. Sounds like
> > an application function, but I don't necessarily want to have to change the
> > application whenever some policy decision needs to be made or changed (like
> > for now, it's based on one value, but in the future, it could be several
> > values). Ideally, I guess, the ability to pass additional data (say, JSON)
> > with the request that the Evaluation API could access, so it would be up to
> > the caller and policy to decide what's needed to grant the request.
>
> I see. There is a very fragile line between business rules and security
> policies. For instance, what you want could be achieved with Drools/JBoss
> BRMS and also by an externalized authorization system like what we are
> proposing.
>
> What you are asking makes a lot of sense as this is something common for
> protocols such as XACML. And it will make our policies a lot more
> "contextualized" as you have control over the data that determine how your
> policies are evaluated. Like I said, you still have the option to use
> protocol mappers to push things into the token and use them in your
> policies. But "runtime" data like what you mentioned is not something you
> can do right now. But we'll get there ...
>
> In the future we want to support resource attributes. I think that would
> also help to cover more use cases. For instance, considering your use case
> where you need to authorize access based on a dynamic attribute. We may
> have an "amount" attribute on the resource and a general permission
> associated with this resource that tells that only the owner is allowed to
> access.
When you receive permissions for the resource you could also get > the attributes associated with it and then perform local checks in your > application (probably using the AuthorizationContext). In this case, if you > change the "amount" on the KC server you won't need to change your > application. Just an idea. > > > > > > On Fri, Feb 3, 2017 at 12:26 PM Pedro Igor Silva <psilva@> > > wrote: > > > >> Hi Scott, > >> > >> You can't pass additional attributes along with an authorization > request. > >> However, that is something we want to support on future versions. > >> > >> Right now, the information you get is basically what is in an access > >> token. So whatever you push as a claim (e.g.: using mappers) it will be > >> available to your policies. > >> > >> That is an important addition to our API in order to push more context > to > >> policies, as you are requesting. > >> > >> > >> > >> Regards. > >> Pedro Igor > >> > >> On Thu, Feb 2, 2017 at 2:18 PM, Scott Elliott <scottpelliott@> > >> wrote: > >> > >> Would there be any way to pass additional attributes to an authorization > >> request, and access > >> it > >> in a Javascript or rules based policy? I see that what is available in > >> the > >> Evaluation API currently is pretty limited. > >> > > > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From raisandeepkmr at gmail.com Wed May 23 12:06:17 2018 From: raisandeepkmr at gmail.com (Sandeep Rai) Date: Wed, 23 May 2018 18:06:17 +0200 Subject: [keycloak-user] Fwd: User Attributes not added in token In-Reply-To: References: Message-ID: Hi Community, Also does this depend on the database rights ? As I only have read rights to the db. But getAttributes should just add whatever we provide as attribute into the token ? 
Regards

---------- Forwarded message ---------
From: Sandeep Rai Date: Wed, 23 May 2018, 02:46 Subject: User Attributes not added in token To:

Hi Community, I'm new to keycloak, and trying to federate login via an external database. While federating username and password validation through JPA I'm trying to add a user attribute to the token. To achieve that, all I'm doing is adding the attribute in the getAttributes method, as I'm expecting it then gets added to the token. But after successful validation the token I get does not have the 'phone' attribute. Is there something I'm missing? Do I have to add this attribute any other way?

    import java.util.List;
    import java.util.Map;
    import org.keycloak.common.util.MultivaluedHashMap;

    // Adapter method of the custom user storage provider (generics restored
    // to match the Keycloak signature Map<String, List<String>>).
    @Override
    public Map<String, List<String>> getAttributes() {
        Map<String, List<String>> attrs = super.getAttributes();
        MultivaluedHashMap<String, String> all = new MultivaluedHashMap<>();
        all.putAll(attrs);
        // Expose the mobile number from the JPA entity as the "phone" attribute.
        all.add("phone", userEntity.getMOBILE_NO());
        return all;
    }

Kind Regards

From subodhcjoshi82 at gmail.com Wed May 23 13:10:43 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Wed, 23 May 2018 22:40:43 +0530 Subject: [keycloak-user] How to access custom attribute/Client Mapper in Login Page? In-Reply-To: References: Message-ID:

Any hint ?

On Mon, 21 May 2018, 16:51 Subodh Joshi, wrote:
> Hi ,
> We have created our own theme for keycloak and we are able to access
> realm-name/client-name via this code:
>
>     ${msg("loginTitleHtml",(realm.displayNameHtml!''))?no_esc}
>     ${client.name!''}
>     ${client.description!''}
>
> Now we want to access some custom attribute or client mapper in the same
> login page before the user logs in. As I know, Keycloak won't support
> adding attributes at the realm level; is there any other way to do this?
> Is it possible to achieve this in Keycloak version 3.4.1.Final? We want
> to achieve this in our JS application so that, according to the
> realm/tenant name, we have different login pages.
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com

From ichandrabhatta at yahoo.com Wed May 23 18:06:22 2018 From: ichandrabhatta at yahoo.com (Indira Chandrabhatta) Date: Wed, 23 May 2018 22:06:22 +0000 (UTC) Subject: [keycloak-user] User Federation (OpenLDAP) - User's Group Membership empty References: <1396137605.1011338.1527113182139.ref@mail.yahoo.com> Message-ID: <1396137605.1011338.1527113182139@mail.yahoo.com>

I have a fresh successful installation of keycloak (version Keycloak 4.0.0.Beta1) in a docker environment. I was able to sync with the OpenLDAP server. I can login as an LDAP user without any issues. I created an LDAP Mapper (Mapper type group-ldap-mapper). The groups get imported without any issues. I can see the members of the group when I click on Groups --> testgroup --> edit --> members. But I have an issue with the user group membership. When I click on Users --> Groups, Group Membership is empty. I don't see the LDAP groups automatically assigned to the user even though the user is already a member of a couple of groups in OpenLDAP. I looked everywhere possible but could not find a solution. Any help is greatly appreciated.
Best Regards Indira

From uo67113 at gmail.com Thu May 24 03:08:35 2018 From: uo67113 at gmail.com (Luis Rodríguez Fernández) Date: Thu, 24 May 2018 09:08:35 +0200 Subject: [keycloak-user] Keycloak user session time out In-Reply-To: References: <4D2B736E058FB9498FF049DBC89C8F95CBEC00DC@SPQCMBX01.exfo.com> Message-ID:

Hello Ashutosh, Perhaps it would be useful if you could describe your scenario a bit more. E.g., I am using the SAML2 java keycloak adapter [1]. In this scenario I have two sessions, the Service Provider one and the Identity Provider one. The Service Provider is an application deployed in apache-tomcat. If you have something like this you could think of using [2] and/or [3]. These listeners can notify you when sessions have been activated/deactivated or attributes changed. Hope it helps, Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
[2] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpSessionAttributeListener.html
[3] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpSessionActivationListener.html

2018-05-23 14:11 GMT+02:00 Ariel Carrera :
>
> Maybe you can do it by modifying Keycloak's adapter, or by using SSE, browser
> notifications or phone notifications (android, iOS...)
>
> On Wed, 23 May 2018 at 08:40, Ashutosh Kanthi <
> ashutosh.kanthi at exfo.com> wrote:
>
> > Hi,
> >
> > We want to implement one functionality with regard to session timeout in
> > keycloak i.e. if session timeout is reaching near, then user should be
> > notified of the same.
> > Does anyone know whether it is possible to do this in Keycloak? And if is
> > possible then how to do this?
> >
> > Thanks & regards,
> >
> > Ashutosh Kanthi
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> --
> Ariel Carrera
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From lists at merit.unu.edu Thu May 24 03:50:56 2018 From: lists at merit.unu.edu (mj) Date: Thu, 24 May 2018 09:50:56 +0200 Subject: [keycloak-user] SessionNotOnOrAfter attribute In-Reply-To: References: Message-ID: <86b25e0e-f3e8-890b-bfed-1259d49e8207@merit.unu.edu>

Anyone..? Was I asking a dumb question..? MJ

On 05/22/2018 01:28 PM, lists wrote:
> Hi,
>
> We are using keycloak as our IdP, and I am requested to add the
> SessionNotOnOrAfter attribute to our SAML2 accesstoken.
>
> I can't find it in keycloak. Is it supported..?
>
> Thanks,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at stefan-hesse.net Thu May 24 06:25:28 2018 From: lists at stefan-hesse.net (Stefan Hesse) Date: Thu, 24 May 2018 12:25:28 +0200 Subject: [keycloak-user] Create scopes from the REST API In-Reply-To: References: <85f81974-48eb-82d5-0976-6e1678a0a093@stefan-hesse.net> Message-ID: <50d9e518-d042-10a0-3271-0caafb166051@stefan-hesse.net>

Thanks for the input. For those interested in how to actually do this from the CLI:

    ./kcadm.sh create clients/[client_id]/authz/resource-server/scope -r [realm_name] -s name=[scope_name] -s displayName=[displayName]

The URL can be deduced using the documentation, https://www.keycloak.org/docs/3.0/server_admin/topics/admin-cli.html#_basic_operations_and_resource_uris , in order to use it with any REST client.

On 05/22/2018 03:20 PM, Pedro Igor Silva wrote:
> You can use Keycloak Admin Java Client to manage scopes. Here is an
> example [1].
>
> But yeah, we are missing docs for authz services related resources in
> rest-api docs.
>
> [1] org.keycloak.testsuite.admin.client.authorization.AbstractAuthorizationTest#createScope
>
> On Tue, May 22, 2018 at 9:43 AM, Stefan Hesse wrote:
>
> Hello,
>
> I am looking for a way to create a scope from the REST-API:
> https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_scoperepresentation
>
> But I simply can't find the appropriate resource in the doc.
>
> We need this, because we use Keycloak to manage permissions for "apps",
> which are supposed to "register" themselves in keycloak, in order to link
> them to users.
>
> Best Regards
>
> Stefan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pulkitsrivastavajd at gmail.com Thu May 24 08:10:46 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Thu, 24 May 2018 17:40:46 +0530 Subject: [keycloak-user] Exception in keycloak Message-ID:

Hi, I am getting the below exception while getting redirected from keycloak to my application. Any idea how to resolve this?

    org.opensaml.ws.security.SecurityPolicyException: Validation of protocol message signature failed
    Incoming SAML message is invalid.

Thanks, Pulkit

From jblashka at redhat.com Thu May 24 11:58:23 2018 From: jblashka at redhat.com (Jared Blashka) Date: Thu, 24 May 2018 11:58:23 -0400 Subject: [keycloak-user] SessionNotOnOrAfter attribute In-Reply-To: <86b25e0e-f3e8-890b-bfed-1259d49e8207@merit.unu.edu> References: <86b25e0e-f3e8-890b-bfed-1259d49e8207@merit.unu.edu> Message-ID:

Keycloak still doesn't have this afaik. I submitted a PR for this a long time ago but never got around to creating tests and the PR was eventually rejected. https://github.com/keycloak/keycloak/pull/3250/files Feel free to contribute though! Jared

On Thu, May 24, 2018 at 3:50 AM, mj wrote:
> Anyone..?
>
> Was I asking a dumb question..?
>
> MJ
>
> On 05/22/2018 01:28 PM, lists wrote:
> > Hi,
> >
> > We are using keycloak as our IdP, and I am requested to add the
> > SessionNotOnOrAfter attribute to our SAML2 accesstoken.
> >
> > I can't find it in keycloak. Is it supported..?
> >
> > Thanks,
> > MJ
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kalyanibharatha at gmail.com Thu May 24 12:36:50 2018 From: kalyanibharatha at gmail.com (kalyani bharatha) Date: Thu, 24 May 2018 22:06:50 +0530 Subject: [keycloak-user] (no subject) Message-ID:

kalyanibharatha at gmail.com

From sthorger at redhat.com Thu May 24 13:17:05 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 24 May 2018 19:17:05 +0200 Subject: [keycloak-user] Keycloak 4.0.0.Final released Message-ID:

To download the release go to the Keycloak homepage .

Highlights

Fuse 7 Adapter
There's now support for Fuse 7.

Cordova options in JavaScript adapter
It's now possible to pass Cordova specific options to login and other methods in the JavaScript adapter. Thanks to loorent for the contribution.

Search by user id on admin console
If you wanted to search for a user by id in the admin console you had to edit the URL. It's now possible to do it directly in the user search field.

More...
The full list of resolved issues is available in JIRA .

Upgrading
Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.

From thomas.darimont at googlemail.com Thu May 24 13:24:12 2018 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 24 May 2018 19:24:12 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released In-Reply-To: References: Message-ID:

Congrats! The blog says 4.0.0.Beta3, is this now the final 4.0.0 version? Cheers, Thomas

On Thu, 24 May 2018 at 19:18, Stian Thorgersen wrote:
> To download the release go to the Keycloak homepage
> .
> Highlights
> Fuse 7 Adapter
>
> There's now support for Fuse 7.
> Cordova options in JavaScript adapter
>
> It's now possible to pass Cordova specific options to login and other
> methods in the JavaScript adapter. Thanks to loorent
> for the contribution.
> Search by user id on admin console
>
> If you wanted to search for a user by id in the admin console you had to
> edit the URL. It's now possible to do it directly in the user search field.
> More...
>
> The full list of resolved issues is available in JIRA
> <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
> .
> Upgrading
>
> Before you upgrade remember to backup your database and check the upgrade
> guide for anything that may have changed.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From sthorger at redhat.com Thu May 24 13:27:47 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 24 May 2018 19:27:47 +0200 Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released In-Reply-To: References: Message-ID:

It's indeed Beta3 that was released and not Final. Final will be next though!

On 24 May 2018 at 19:24, Thomas Darimont wrote:
> Congrats!
>
> The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
>
> Cheers,
> Thomas
>
> On Thu, 24 May 2018 at 19:18, Stian Thorgersen wrote:
>
>> To download the release go to the Keycloak homepage
>> .
>> Highlights
>> Fuse 7 Adapter
>>
>> There's now support for Fuse 7.
>> Cordova options in JavaScript adapter
>>
>> It's now possible to pass Cordova specific options to login and other
>> methods in the JavaScript adapter. Thanks to loorent
>> for the contribution.
>> Search by user id on admin console
>>
>> If you wanted to search for a user by id in the admin console you had to
>> edit the URL. It's now possible to do it directly in the user search
>> field.
>> More...
>>
>> The full list of resolved issues is available in JIRA
>>
>> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
>> .
>> Upgrading
>>
>> Before you upgrade remember to backup your database and check the upgrade
>> guide for
>> anything that may have changed.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>

From sengstrom at ena.com Thu May 24 14:58:37 2018
From: sengstrom at ena.com (Stefan Engstrom)
Date: Thu, 24 May 2018 18:58:37 +0000
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type
In-Reply-To:
References:
Message-ID:

I'm running into this exact issue - curious if there are any insights? The redirect from microsoftonline.com contains a "code" element but keycloak chokes on trading this for an access_token. I have a parallel IDP to google which returns an element of that name (code) and that piece works just fine.

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Robin Diederen
Sent: Monday, January 8, 2018 5:03:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type

Hello all,

I'm trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.

After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I'm presented with an error.
Upon further investigation I've noticed that KeyCloak reports this error in its logs: "Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.". This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being "response_type=token_id". KeyCloak however does include "response_type=code", yet Microsoft doesn't seem to like this.

So here's my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I've tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.

Any help is greatly appreciated.

Best,
Robin

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From diederen at nlcom.nl Thu May 24 17:04:03 2018
From: diederen at nlcom.nl (Robin Diederen)
Date: Thu, 24 May 2018 21:04:03 +0000
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type
In-Reply-To:
References:
Message-ID: <1AF2FAC6-003B-42A6-8E07-7CD163CFAB27@nlcom.nl>

Hello Stefan,

A few weeks after I asked this question we got this working. A Microsoft support engineer solved the issue: turns out that by using different endpoints for AAD, the issue was resolved. We're using https://login.microsoftonline.com//oauth2/authorize and https://login.microsoftonline.com//oauth2/token as auth and token URLs.

Furthermore, we have:
- logout url = blank
- backchannel logout = off
- disable user info = off
- user info url = blank
- issuer = blank
- default scopes = blank
- validate signatures = off

Client ID and secret should be filled with the corresponding data from the MS portal.

Hope this helps! If not, feel free to drop me a line.
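Editor's added example for the broker settings Robin lists above; it is not code from Robin's message and not Keycloak project code. It builds the identity-provider representation that the Keycloak admin REST API accepts at POST /admin/realms/{realm}/identity-provider/instances, using the config keys Keycloak writes into a realm export for an OIDC provider (authorizationUrl, tokenUrl, clientId, clientSecret, validateSignature, useJwksUrl, jwksUrl, backchannelSupported, disableUserInfo, defaultScope). The settings that worked for Robin are reproduced when validate_signature=False; the default instead switches signature validation on and points the broker at a JWKS URL, because a broker that accepts unsigned or unverified ID tokens from the upstream IdP trusts whatever arrives on the redirect. The tenant id, application id and JWKS URL are placeholders, the secret is read from the environment, and the network call is only shown, not executed.

```python
"""Keycloak OIDC identity-provider representation for brokering to Azure AD.

Editor's added example, not Keycloak code and not from the mailing-list thread.
Config keys are those of Keycloak's OIDC identity provider; all placeholder
values (tenant id, application id, JWKS URL) must be replaced with real ones.
"""
import json
import os
import urllib.request

AZURE_LOGIN = "https://login.microsoftonline.com"


def azure_ad_idp_representation(tenant_id, client_id, client_secret,
                                validate_signature=True, jwks_url=None):
    """Return the JSON body for POST /admin/realms/{realm}/identity-provider/instances.

    Authorization and token URLs follow the pattern from the thread
    (<login host>/<tenant>/oauth2/authorize and /oauth2/token).  With
    validate_signature=False the thread's working setup (validation off) is
    reproduced; otherwise the broker is told to fetch the tenant's signing keys
    from jwks_url and to verify ID token signatures.
    """
    if not client_secret:
        raise ValueError("client_secret must be supplied (e.g. from the environment)")
    config = {
        "authorizationUrl": f"{AZURE_LOGIN}/{tenant_id}/oauth2/authorize",
        "tokenUrl": f"{AZURE_LOGIN}/{tenant_id}/oauth2/token",
        "clientId": client_id,
        "clientSecret": client_secret,
        # Robin's remaining settings: no backchannel logout, user info enabled,
        # no default scopes.  Keycloak stores these booleans as strings.
        "backchannelSupported": "false",
        "disableUserInfo": "false",
        "defaultScope": "",
        "validateSignature": "true" if validate_signature else "false",
    }
    if validate_signature:
        if not jwks_url:
            raise ValueError("validate_signature=True requires a jwks_url")
        config["useJwksUrl"] = "true"
        config["jwksUrl"] = jwks_url
    return {
        "alias": "azure-ad",
        "displayName": "Azure AD",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,
        "storeToken": False,
        "config": config,
    }


def create_identity_provider(keycloak_base, realm, admin_token, representation):
    """POST the representation to the admin REST API (network call; not run here)."""
    url = f"{keycloak_base}/admin/realms/{realm}/identity-provider/instances"
    req = urllib.request.Request(
        url,
        data=json.dumps(representation).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Keycloak answers 201 Created on success


if __name__ == "__main__":
    rep = azure_ad_idp_representation(
        tenant_id="<TENANT-ID>",                  # placeholder
        client_id="<APPLICATION-ID>",             # placeholder
        client_secret=os.environ.get("AZURE_CLIENT_SECRET", "placeholder-secret"),
        jwks_url="<JWKS-URL-FROM-TENANT-METADATA>",  # placeholder
    )
    print(json.dumps(rep, indent=2))
```

The representation can also be imported through the admin console or kcadm; what matters for review is that validateSignature stays "true" and that a JWKS URL (or a pinned public key) is configured, so that the "validate signatures = off" shortcut does not survive into production.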
Best,
Robin

From: Stefan Engstrom
Date: Thursday 24 May 2018 at 20:58
To: "diederen at nlcom.nl" , "keycloak-user at lists.jboss.org"
Subject: Re: KeyCloak and Azure Active Directory / response_type

I'm running into this exact issue - curious if there are any insights? The redirect from microsoftonline.com contains a "code" element but keycloak chokes on trading this for an access_token. I have a parallel IDP to google which returns an element of that name (code) and that piece works just fine.

From: keycloak-user-bounces at lists.jboss.org on behalf of Robin Diederen
Sent: Monday, January 8, 2018 5:03:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type

Hello all,

I'm trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend.

After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I'm presented with an error.

Upon further investigation I've noticed that KeyCloak reports this error in its logs: "Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.". This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preferred value, being "response_type=token_id". KeyCloak however does include "response_type=code", yet Microsoft doesn't seem to like this.

So here's my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD?
I've tried a number of settings in the client page, such as implicit and standard flow enabled / disabled, however, to no avail.

Any help is greatly appreciated.

Best,
Robin

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From juanjo.vazquez.delgado at tecsisa.com Thu May 24 18:51:28 2018
From: juanjo.vazquez.delgado at tecsisa.com (Juan José Vázquez Delgado)
Date: Fri, 25 May 2018 00:51:28 +0200
Subject: [keycloak-user] Patterns in Resource URI's
Message-ID:

Hello everyone.

I'm currently assessing KC Authz services and I stumbled across a use case that I'm not sure how to solve. I've found previous similar discussions but I couldn't find the answer that might apply directly to it.

Basically, I have a web service that acts as resource server, following the UMA terminology, and I want to protect it using KC. This ws publishes several endpoints that follow a multi-tenant arrangement. Something like this:

/{org_id}/products
/{org_id}/product/{id}
...
etc

The ID Token obtained through the authentication OIDC flow carries the `org_id` data so I could provide this as an additional claim to the token endpoint in order to get a proper RPT. However, I would like not to have to create a different resource per organization and uri, but just the same patterns as in the endpoints:

/{org_id}/products
/{org_id}/product/{id}

I haven't found any information about whether it's possible to define a pattern also in the resource uri so that I can use it from the Evaluation API during the RPT issuance. I'm sure I'm missing something relevant here, but so far I couldn't find another solution than creating as many resources as organizations exist, and that could be a maintenance burden in the future. Maybe it's just as simple as parsing the resource name, in JS or Drools Rules, in order to retrieve the `org_id` from the resource name.
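Editor's added example for the multi-tenant pattern question above; it is not code from the message and not Keycloak's resource or policy engine. It shows the approach the message floats (recover org_id from the request path instead of registering one resource per organization) as a self-contained, default-deny check: the request path is matched against the two published templates, the org_id segment is extracted as a request-derived claim, and access is permitted only when that segment equals the org_id claim carried in the caller's token. The templates, token claims and paths are constructed sample data; the function names are this example's own.

```python
"""Tenant-scoped resource matching for a multi-tenant resource server.

Editor's added example, not Keycloak code.  Resource templates are written the
way the endpoints are published ("/{org_id}/products"); the check pairs the
tenant found in the path with the org_id claim in the caller's token and
denies everything else.  All names and sample data are constructed.
"""
import re

# Published endpoint templates, keyed by a resource name (constructed sample).
RESOURCE_TEMPLATES = {
    "products": "/{org_id}/products",
    "product": "/{org_id}/product/{id}",
}

# One path segment: no slashes, no dots, no empty segments, so "/acme/../x" never matches.
_SEGMENT = r"[A-Za-z0-9_-]+"


def _compile(template):
    """Turn "/{org_id}/product/{id}" into an anchored regex with named groups."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, name, ...
    regex = "^"
    for i, part in enumerate(parts):
        regex += re.escape(part) if i % 2 == 0 else f"(?P<{part}>{_SEGMENT})"
    return re.compile(regex + "$")


COMPILED = {name: _compile(t) for name, t in RESOURCE_TEMPLATES.items()}


def match_resource(path):
    """Return (resource_name, path_params) for the first matching template, else None."""
    for name, regex in COMPILED.items():
        m = regex.match(path)
        if m:
            return name, m.groupdict()
    return None


def claims_from_request(path):
    """Request-derived claims, here only the tenant taken from the path.

    This is the kind of value a policy wants alongside the token claims so that
    it can compare the tenant being addressed with the tenant the caller belongs to.
    """
    matched = match_resource(path)
    if matched is None:
        return {}
    _, params = matched
    return {"org_id": params["org_id"]}


def authorize(path, token_claims):
    """Default-deny decision: known template, token has org_id, and both tenants agree."""
    matched = match_resource(path)
    if matched is None:
        return False, "unknown resource"
    resource, params = matched
    token_org = token_claims.get("org_id")
    if not token_org:
        return False, "token carries no org_id claim"
    if params["org_id"] != token_org:
        return False, f"tenant mismatch: path {params['org_id']!r} vs token {token_org!r}"
    return True, f"permit {resource} for tenant {token_org}"


if __name__ == "__main__":
    # Constructed sample: a token for tenant "acme" hitting its own and another tenant's data.
    token = {"sub": "user-1", "org_id": "acme"}
    for p in ("/acme/products", "/acme/product/42", "/globex/products", "/acme/products/extra"):
        print(p, "->", authorize(p, token))
```

Whatever evaluates the policy (JavaScript, Drools, or a plain handler as here), the decisive property is that the tenant comes from a strictly parsed path segment and is compared with a claim the token server issued, never with a value the caller can send in a header or query parameter.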
Any help would be appreciated. Thanks!

From ebenzacar at gmail.com Thu May 24 22:02:35 2018
From: ebenzacar at gmail.com (Eric B)
Date: Thu, 24 May 2018 22:02:35 -0400
Subject: [keycloak-user] How to force a re-authentication using the Keycloak Filter Adapter
Message-ID:

I'm securing a webapp in Wildfly using the Keycloak Servlet Filter Adapter (https://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/java/servlet-filter-adapter.html) rather than the Wildfly container adapter. Overall the filter is great and works very well.

However, I've been trying to figure out how I can leverage it to force a reauthentication by my application. As per the OIDC specs, I know I can pass 'prompt=login' to a call to Keycloak to force the user to reauthenticate himself, but not sure how to leverage the adapter to do this for me.

I've noticed some special PreAuthentication hooks in the adapter to handle callbacks from Keycloak and tried to see if there was anything there, but they do not seem to handle this type of case.

Are there any special URL parameters I can use that would be recognized and intercepted by the filter and force a user to reauthenticate themselves?

Thanks,

Eric

From subodhcjoshi82 at gmail.com Thu May 24 23:08:34 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 25 May 2018 08:38:34 +0530
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

Any idea when Final release will happen?

On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen wrote:

> It's indeed Beta3 that was released and not Final. Final will be next
> though!
>
> On 24 May 2018 at 19:24, Thomas Darimont
> wrote:
>
> > Congrats!
> >
> > The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
> >
> > Cheers,
> > Thomas
> >
> > Stian Thorgersen wrote on Thu., 24 May 2018,
> > 19:18:
> >
> >> To download the release go to the Keycloak homepage
> >> .
> >> Highlights
> >> Fuse 7 Adapter
> >>
> >> There's now support for Fuse 7.
> >> Cordova options in JavaScript adapter
> >>
> >> It's now possible to pass Cordova specific options to login and other
> >> methods in the JavaScript adapter. Thanks to loorent
> >> for the contribution.
> >> Search by user id on admin console
> >>
> >> If you wanted to search for a user by id in the admin console you had to
> >> edit the URL. It's now possible to do it directly in the user search
> >> field.
> >> More...
> >>
> >> The full list of resolved issues is available in JIRA
> >>
> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
> >> .
> >> Upgrading
> >>
> >> Before you upgrade remember to backup your database and check the
> upgrade
> >> guide for
> >> anything that may have changed.
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From subodhcjoshi82 at gmail.com Thu May 24 23:18:20 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 25 May 2018 08:48:20 +0530
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

Any idea when Final release will happen?

On Fri, May 25, 2018 at 8:38 AM Subodh Joshi wrote:

> Any idea when Final release will happen?
>
> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen
> wrote:
>
>> It's indeed Beta3 that was released and not Final. Final will be next
>> though!
>>
>> On 24 May 2018 at 19:24, Thomas Darimont
>> wrote:
>>
>> > Congrats!
>> >
>> > The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
>> >
>> > Cheers,
>> > Thomas
>> >
>> > Stian Thorgersen wrote on Thu., 24 May 2018,
>> > 19:18:
>> >
>> >> To download the release go to the Keycloak homepage
>> >> .
>> >> Highlights
>> >> Fuse 7 Adapter
>> >>
>> >> There's now support for Fuse 7.
>> >> Cordova options in JavaScript adapter
>> >>
>> >> It's now possible to pass Cordova specific options to login and other
>> >> methods in the JavaScript adapter. Thanks to loorent
>> >> for the contribution.
>> >> Search by user id on admin console
>> >>
>> >> If you wanted to search for a user by id in the admin console you had to
>> >> edit the URL. It's now possible to do it directly in the user search
>> >> field.
>> >> More...
>> >>
>> >> The full list of resolved issues is available in JIRA
>> >>
>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
>> >> .
>> >> Upgrading
>> >>
>> >> Before you upgrade remember to backup your database and check the
>> upgrade
>> >> guide for
>> >> anything that may have changed.
>> >> _______________________________________________
>> >> keycloak-dev mailing list
>> >> keycloak-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From keycloaklist at ulise.de Fri May 25 01:37:39 2018
From: keycloaklist at ulise.de (Uli SE)
Date: Fri, 25 May 2018 07:37:39 +0200
Subject: [keycloak-user] Best Practice m2m
Message-ID: <49102e66-8bc7-f562-3f66-e44e2b7f1919@ulise.de>

Hi,

we are developing a quite big angular + jboss-rest application with Keycloak OIC as auth layer. We are passing a bunch of user(login) specific information in a bearer token from angular to the rest-services when calling them.
Now we have the situation that some (automated/cyclic) services have to call some other services on behalf of a user without the user having logged in before - but with some login information.

How do you solve such situations? Should we use persistent tokens or is some kind of impersonation a better solution?

Many thanks for discussion,

Uli

From sthorger at redhat.com Fri May 25 02:34:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 25 May 2018 08:34:05 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

It should be around 3 weeks after Beta3

On 25 May 2018 at 05:08, Subodh Joshi wrote:

> Any idea when Final release will happen?
>
> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen
> wrote:
>
>> It's indeed Beta3 that was released and not Final. Final will be next
>> though!
>>
>> On 24 May 2018 at 19:24, Thomas Darimont
>> wrote:
>>
>> > Congrats!
>> >
>> > The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
>> >
>> > Cheers,
>> > Thomas
>> >
>> > Stian Thorgersen wrote on Thu., 24 May 2018,
>> > 19:18:
>> >
>> >> To download the release go to the Keycloak homepage
>> >> .
>> >> Highlights
>> >> Fuse 7 Adapter
>> >>
>> >> There's now support for Fuse 7.
>> >> Cordova options in JavaScript adapter
>> >>
>> >> It's now possible to pass Cordova specific options to login and other
>> >> methods in the JavaScript adapter. Thanks to loorent
>> >> for the contribution.
>> >> Search by user id on admin console
>> >>
>> >> If you wanted to search for a user by id in the admin console you had to
>> >> edit the URL. It's now possible to do it directly in the user search
>> >> field.
>> >> More...
>> >>
>> >> The full list of resolved issues is available in JIRA
>> >>
>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
>> >> .
>> >> Upgrading
>> >>
>> >> Before you upgrade remember to backup your database and check the
>> upgrade
>> >> guide for
>> >> anything that may have changed.
>> >> _______________________________________________
>> >> keycloak-dev mailing list
>> >> keycloak-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >>
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com
>

From subodhcjoshi82 at gmail.com Fri May 25 02:34:31 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 25 May 2018 12:04:31 +0530
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

Great, thanks for the update.

On Fri, May 25, 2018 at 12:04 PM Stian Thorgersen wrote:

> It should be around 3 weeks after Beta3
>
> On 25 May 2018 at 05:08, Subodh Joshi wrote:
>
>> Any idea when Final release will happen?
>>
>> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen
>> wrote:
>>
>>> It's indeed Beta3 that was released and not Final. Final will be next
>>> though!
>>>
>>> On 24 May 2018 at 19:24, Thomas Darimont
>> >
>>> wrote:
>>>
>>> > Congrats!
>>> >
>>> > The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
>>> >
>>> > Cheers,
>>> > Thomas
>>> >
>>> > Stian Thorgersen wrote on Thu., 24 May 2018,
>>> > 19:18:
>>> >
>>> >> To download the release go to the Keycloak homepage
>>> >> .
>>> >> Highlights
>>> >> Fuse 7 Adapter
>>> >>
>>> >> There's now support for Fuse 7.
>>> >> Cordova options in JavaScript adapter
>>> >>
>>> >> It's now possible to pass Cordova specific options to login and other
>>> >> methods in the JavaScript adapter. Thanks to loorent
>>> >> for the contribution.
>>> >> Search by user id on admin console
>>> >>
>>> >> If you wanted to search for a user by id in the admin console you had
>>> to
>>> >> edit the URL. It's now possible to do it directly in the user search
>>> >> field.
>>> >> More...
>>> >>
>>> >> The full list of resolved issues is available in JIRA
>>> >>
>>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
>>> >> .
>>> >> Upgrading
>>> >>
>>> >> Before you upgrade remember to backup your database and check the
>>> upgrade
>>> >> guide for
>>> >> anything that may have changed.
>>> >> _______________________________________________
>>> >> keycloak-dev mailing list
>>> >> keycloak-dev at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> >>
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82 at yahoo.co.in
>> http://www.trendsinnews.com
>>
>
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From uo67113 at gmail.com Fri May 25 05:38:11 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 25 May 2018 11:38:11 +0200
Subject: [keycloak-user] Exception in keycloak
In-Reply-To:
References:
Message-ID:

Hello Pulkit,

mmm, may I ask you to check the xml namespace of the IdP response? Look for the xmlns:samlp attribute of the samlp:Response element. E.g. this is what my IdP (ADFS[1]) responses look like: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

ps: perhaps it would be a good idea if you provide a bit more detail on your scenario/setup. It is not a matter of amount of data but being specific ;)

[1] https://en.wikipedia.org/wiki/Active_Directory_Federation_Services

2018-05-24 14:10 GMT+02:00 Pulkit Srivastava :

> Hi,
> I am getting below exception while getting redirected from keycloak to my
> application.
>
> Any idea how to resolve this.
>
>
> org.opensaml.ws.security.SecurityPolicyException: Validation of protocol
> message signature failed
>
> Incoming SAML message is invalid.
>
> Thanks,
> Pulkit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From pierredupontdal at gmail.com Fri May 25 06:03:00 2018
From: pierredupontdal at gmail.com (Pierre Dupont)
Date: Fri, 25 May 2018 12:03:00 +0200
Subject: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
Message-ID:

Hi everyone,

I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a Service Provider (Ruby Omniauth) to Keycloak.

On Keycloak, I have set the "Client Signature Required" to On.

I have set Omniauth parameters with the following values:
"security" => {
  "authn_requests_signed" => true,
  "embed_sign" => true,
  "digest_method" => "XMLSecurity::Document::SHA1",
  "signature_method" => "XMLSecurity::Document::RSA_SHA1",
}

I also have copy-pasted the SAML keys from Keycloak to the SP.

When initiating a SAML request at the SP, I am redirected to an error page with "Invalid requester" on Keycloak.
In the logs, I got the following:
08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default task-64) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:518)
at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:233)
...
08:49:19,058 WARN [org.keycloak.events] (default task-64) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.42.128.4, error=invalid_signature

It seems that Keycloak can't read the Signature Algorithm value.
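Editor's added example for the "SigAlg was null" trace above; it is not Pierre's code and not Keycloak's or ruby-saml's. The stack trace names verifyRedirectSignature, i.e. the SAML HTTP-Redirect binding, and in that binding the signature does not live inside the XML: the SP DEFLATE-compresses and base64-encodes the AuthnRequest, signs the query string SAMLRequest=...&RelayState=...&SigAlg=... and appends the result as a Signature parameter, with SigAlg being a URI identifier such as http://www.w3.org/2000/09/xmldsig#rsa-sha1. On the editor's reading, an SP that embeds the signature in the XML instead (the embed_sign setting above) sends no SigAlg parameter, which is what a Redirect-binding verifier then reports. The block builds that query string and performs the binding-level checks an IdP does before any RSA verification: SAMLRequest decodable, Signature and SigAlg present, SigAlg in the accepted set, SHA-1 flagged as weak. The AuthnRequest, RelayState and Signature values are constructed sample data; the cryptographic verification itself is out of scope here.

```python
"""Binding-level checks on a SAML HTTP-Redirect request before signature verification.

Editor's added example, not code from the thread, Keycloak or ruby-saml.
The AuthnRequest XML, the RelayState and the Signature values are constructed.
"""
import base64
import zlib
from urllib.parse import parse_qs, quote, urlencode

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
ACCEPTED_SIG_ALGS = {RSA_SHA256, RSA_SHA1}
WEAK_SIG_ALGS = {RSA_SHA1}  # accepted for interoperability, reported as weak

SAMPLE_AUTHN_REQUEST = (  # constructed sample
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2018-05-25T08:49:19Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.invalid/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def deflate_b64(xml):
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64; raises on malformed input."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def string_to_sign(saml_request_b64, sig_alg, relay_state=None):
    """The octets the SP signs: URL-encoded SAMLRequest[&RelayState]&SigAlg, in that order."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts, quote_via=quote)


def build_redirect_query(xml, sig_alg, signature_b64, relay_state=None):
    """Query string an SP sends to the IdP; signature_b64 is supplied by the caller."""
    sts = string_to_sign(deflate_b64(xml), sig_alg, relay_state)
    return sts + "&" + urlencode([("Signature", signature_b64)], quote_via=quote)


def inspect_redirect_request(query):
    """Checks an IdP runs on the query string before verifying the RSA signature.

    Returns the decoded request plus a 'problem' string (None when the binding
    fields are acceptable).  A request whose signature is embedded in the XML
    rather than the query string shows up as a missing Signature/SigAlg.
    """
    params = parse_qs(query, keep_blank_values=True)
    result = {"sig_alg": None, "has_signature": False, "weak_alg": False,
              "problem": None, "request_xml": None}
    if "SAMLRequest" not in params:
        result["problem"] = "SAMLRequest missing"
        return result
    try:
        result["request_xml"] = inflate_b64(params["SAMLRequest"][0])
    except (ValueError, zlib.error):
        result["problem"] = "SAMLRequest is not valid base64/DEFLATE"
        return result
    result["has_signature"] = "Signature" in params
    if not result["has_signature"]:
        result["problem"] = "Signature missing from query string"
        return result
    if "SigAlg" not in params:
        result["problem"] = "SigAlg missing from query string"
        return result
    sig_alg = params["SigAlg"][0]
    result["sig_alg"] = sig_alg
    if sig_alg not in ACCEPTED_SIG_ALGS:
        result["problem"] = f"unsupported SigAlg {sig_alg!r}"
        return result
    result["weak_alg"] = sig_alg in WEAK_SIG_ALGS
    return result


if __name__ == "__main__":
    signed = build_redirect_query(SAMPLE_AUTHN_REQUEST, RSA_SHA256, "c2ln", "state-1")
    print(inspect_redirect_request(signed)["problem"])          # None
    embedded_only = urlencode([("SAMLRequest", deflate_b64(SAMPLE_AUTHN_REQUEST))], quote_via=quote)
    print(inspect_redirect_request(embedded_only)["problem"])   # Signature missing from query string
```

The IdP must rebuild string_to_sign from the parameter values exactly as they arrived on the wire, so an SP and IdP that percent-encode differently will fail verification even when both signatures are valid; keeping the encoding in one helper, as above, is the usual defence against that class of mismatch.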
I checked the SAML data, and the SignatureMethod is set:

I checked my parameters, certificates (tried to use new ones), but I always get this error.

What am I doing wrong? Has anyone managed to sign their AuthnRequests or encountered the same errors? I haven't found anything similar on the internet.

Thanks in advance,
Regards,

Pierre Dupont

From lists at merit.unu.edu Fri May 25 07:43:35 2018
From: lists at merit.unu.edu (mj)
Date: Fri, 25 May 2018 13:43:35 +0200
Subject: [keycloak-user] SessionNotOnOrAfter attribute
In-Reply-To:
References: <86b25e0e-f3e8-890b-bfed-1259d49e8207@merit.unu.edu>
Message-ID:

Hi Jared,

Thanks for confirming that it is not something we are simply overlooking..!

MJ

From sergey at shimkiv.com Fri May 25 08:19:58 2018
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Fri, 25 May 2018 15:19:58 +0300
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

Hey Guys,
something wrong has happened with the dist binaries?

https://downloads.jboss.org/keycloak/4.0.0.Beta3/keycloak-4.0.0.Beta3.zip => HTTP 404

On Fri, May 25, 2018 at 9:34 AM, Subodh Joshi wrote:

> Great, thanks for the update.
>
> On Fri, May 25, 2018 at 12:04 PM Stian Thorgersen
> wrote:
>
> > It should be around 3 weeks after Beta3
> >
> > On 25 May 2018 at 05:08, Subodh Joshi wrote:
> >
> >> Any idea when Final release will happen?
> >>
> >> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen
> >> wrote:
> >>
> >>> It's indeed Beta3 that was released and not Final. Final will be next
> >>> though!
> >>>
> >>> On 24 May 2018 at 19:24, Thomas Darimont com
> >>> >
> >>> wrote:
> >>>
> >>> > Congrats!
> >>> >
> >>> > The blog says 4.0.0.Beta3, is this now the final 4.0.0 version?
> >>> >
> >>> > Cheers,
> >>> > Thomas
> >>> >
> >>> > Stian Thorgersen wrote on Thu., 24 May 2018,
> >>> > 19:18:
> >>> >
> >>> >> To download the release go to the Keycloak homepage
> >>> >> .
> >>> >> Highlights
> >>> >> Fuse 7 Adapter
> >>> >>
> >>> >> There's now support for Fuse 7.
> >>> >> Cordova options in JavaScript adapter
> >>> >>
> >>> >> It's now possible to pass Cordova specific options to login and
> other
> >>> >> methods in the JavaScript adapter. Thanks to loorent
> >>> >> for the contribution.
> >>> >> Search by user id on admin console
> >>> >>
> >>> >> If you wanted to search for a user by id in the admin console you had
> >>> to
> >>> >> edit the URL. It's now possible to do it directly in the user search
> >>> >> field.
> >>> >> More...
> >>> >>
> >>> >> The full list of resolved issues is available in JIRA
> >>> >>
> >>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3>
> >>> >> .
> >>> >> Upgrading
> >>> >>
> >>> >> Before you upgrade remember to backup your database and check the
> >>> upgrade
> >>> >> guide
> for
> >>> >> anything that may have changed.
> >>> >> _______________________________________________
> >>> >> keycloak-dev mailing list
> >>> >> keycloak-dev at lists.jboss.org
> >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>> >>
> >>> >
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >>
> >> --
> >> Subodh Chandra Joshi
> >> subodh1_joshi82 at yahoo.co.in
> >> http://www.trendsinnews.com
> >>
> >
> >
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Best regards,
Serhii Shymkiv.
From psilva at redhat.com Fri May 25 08:38:07 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 25 May 2018 09:38:07 -0300
Subject: [keycloak-user] Best Practice m2m
In-Reply-To: <49102e66-8bc7-f562-3f66-e44e2b7f1919@ulise.de>
References: <49102e66-8bc7-f562-3f66-e44e2b7f1919@ulise.de>
Message-ID:

On Fri, May 25, 2018 at 2:37 AM, Uli SE wrote:

> Hi,
>
> we are developing a quite big angular + jboss-rest application with
> Keycloak OIC as auth layer. We are passing a bunch of user(login)
> specific information in a bearer token from angular to the rest-services
> when calling them.
>
> Now we have the situation that some (automated/cyclic) services have to
> call some other services on behalf of a user without the user having
> logged in before - but with some login information.
>
> How do you solve such situations? Should we use persistent tokens or is
> some kind of impersonation a better solution?
>

I think none of these approaches will work for you. And what you need is some way to allow your backend services to obtain access/refresh tokens. I think this is something that Google Sign-In does with their hybrid server-side flow using a one-time code [1].

Others can give their feedback about this, but I'm not sure how to properly solve this problem without specific functionality on the Keycloak side.
[1] https://developers.google.com/identity/sign-in/web/server-side-flow

>
> Many thanks for discussion,
>
> Uli
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From uo67113 at gmail.com Fri May 25 08:39:03 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 25 May 2018 14:39:03 +0200
Subject: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
In-Reply-To:
References:
Message-ID:

Hello Pierre,

mmm, if I am not wrong, usually for signature methods SAML uses the URI identifier [1]. E.g. my IdP (ADFS) likes "http://www.w3.org/2000/09/xmldsig#rsa-sha1". You can have a look at this example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

[1] https://www.w3.org/TR/xmlsec-algorithms/
[2]

2018-05-25 12:03 GMT+02:00 Pierre Dupont :

> Hi everyone,
>
> I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a
> Service Provider (Ruby Omniauth) to Keycloak.
>
> On Keycloak, I have set the "Client Signature Required" to On.
>
> I have set Omniauth parameters with the following values:
> "security" => {
> "authn_requests_signed" => true,
> "embed_sign" => true,
> "digest_method" => "XMLSecurity::Document::SHA1",
> "signature_method" => "XMLSecurity::Document::RSA_SHA1",
> }
>
> I also have copy-pasted the SAML keys from Keycloak to the SP.
>
> When initiating a SAML request at the SP, I am redirected to an error page
> with "Invalid requester" on Keycloak.
> In the logs, I got the following:
> 08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default
> task-64) request validation failed: org.keycloak.common.
> VerificationException:
> SigAlg was null
> at org.keycloak.protocol.saml.SamlProtocolUtils.
> verifyRedirectSignature(
> SamlProtocolUtils.java:135)
> at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.
> verifySignature(SamlService.java:518)
> at org.keycloak.protocol.saml.SamlService$BindingProtocol.
> handleSamlRequest(SamlService.java:233)
> ...
> 08:49:19,058 WARN [org.keycloak.events] (default task-64)
> type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
> ipAddress=10.42.128.4, error=invalid_signature
>
> It seems that Keycloak can't read the Signature Algorithm value. I checked
> the SAML data, and the SignatureMethod is set:
>
>
> I checked my parameters, certificates (tried to use new ones), but I always
> get this error.
>
> What am I doing wrong? Has anyone managed to sign their AuthnRequests or
> encountered the same errors? I haven't found anything similar on the
> internet.
>
> Thanks in advance,
> Regards,
>
> Pierre Dupont
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From psilva at redhat.com Fri May 25 08:44:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 25 May 2018 09:44:11 -0300
Subject: [keycloak-user] Patterns in Resource URI's
In-Reply-To:
References:
Message-ID:

Hi Juan,

Recently, we have added support for Claim Information Points [1]. Basically, these are components on the policy enforcer side that can be configured to send additional claims to your policies. They allow you to extract different information from the request as well as from the access token.

Would that work for you?

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point

On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado <juanjo.vazquez.delgado at tecsisa.com> wrote:

> Hello everyone.
> I'm currently assessing KC Authz services and I stumbled
> across a use case that I'm not sure how to solve. I've found previous
> similar discussions but I couldn't find the answer that might apply
> directly to it. Basically, I have a web service that acts as resource
> server, following the UMA terminology, and I want to protect it using KC.
> This ws publishes several endpoints that follow a multi-tenant arrangement.
> Something like this:
>
> /{org_id}/products
> /{org_id}/product/{id}
> ...
> etc
>
> The ID Token obtained through the authentication OIDC flow carries the
> `org_id` data so I could provide this as an additional claim to the token
> endpoint in order to get a proper RPT. However, I would like not to have to
> create a different resource per organization and uri, but just the same
> patterns as in the endpoints:
>
> /{org_id}/products
> /{org_id}/product/{id}
>
> I haven't found any information about whether it's possible to define a
> pattern also in the resource uri so that I can use it from the Evaluation
> API during the RPT issuance. I'm sure I'm missing something relevant here,
> but so far I couldn't find another solution than creating as many resources
> as organizations exist, and that could be a maintenance burden in the
> future. Maybe it's just as simple as parsing the resource name, in JS or
> Drools Rules, in order to retrieve the `org_id` from the resource name.
>
> Any help would be appreciated. Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri May 25 09:10:53 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 25 May 2018 15:10:53 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released
In-Reply-To:
References:
Message-ID:

Thanks for letting me know. I had to rework the release jobs a bit and the upload part wasn't done properly.
Fixed now and the bits are being uploaded right now. Everything should be there in ~30 min. On 25 May 2018 at 14:19, Serhii Shymkiv wrote: > Hey Guys, > something wrong has happened with the dist binaries ? > > https://downloads.jboss.org/keycloak/4.0.0.Beta3/keycloak-4.0.0.Beta3.zip > => HTTP 404 > > On Fri, May 25, 2018 at 9:34 AM, Subodh Joshi > wrote: > >> Great, thanks for the update. >> >> On Fri, May 25, 2018 at 12:04 PM Stian Thorgersen >> wrote: >> >> > It should be around 3 weeks after Beta3 >> > >> > On 25 May 2018 at 05:08, Subodh Joshi wrote: >> > >> >> Any idea when Final release will happen? >> >> >> >> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen > > >> >> wrote: >> >> >> >>> It's indeed Beta3 that was released and not Final. Final will be next >> >>> though! >> >>> >> >>> On 24 May 2018 at 19:24, Thomas Darimont < >> thomas.darimont at googlemail.com >> >>> > >> >>> wrote: >> >>> >> >>> > Congrats! >> >>> > >> >>> > The blog says 4.0.0.Beta3 is this now the final 4.0.0 version? >> >>> > >> >>> > Cheers, >> >>> > Thomas >> >>> > >> >>> > Stian Thorgersen wrote on Thu., 24 May >> 2018, >> >>> > 19:18: >> >>> > >> >>> >> To download the release go to the Keycloak homepage >> >>> >> . >> >>> >> Highlights >> >>> >> Fuse 7 Adapter >> >>> >> >> >>> >> There's now support for Fuse 7. >> >>> >> Cordova options in JavaScript adapter >> >>> >> >> >>> >> It's now possible to pass Cordova specific options to login and >> other >> >>> >> methods in the JavaScript adapter. Thanks to loorent >> >>> >> for the contribution. >> >>> >> Search by user id on admin console >> >>> >> >> >>> >> If you wanted to search for a user by id in the admin console you >> had >> >>> to >> >>> >> edit the URL. It's now possible to do it directly in the user >> search >> >>> >> field. >> >>> >> More... >> >>> >> >> >>> >> The full list of resolved issues is available in JIRA >> >>> >> > >>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3> >> >>> >> .
>> >>> >> Upgrading >> >>> >> >> >>> >> Before you upgrade remember to backup your database and check the >> >>> upgrade >> >>> >> guide >> for >> >>> >> anything that may have changed. >> >>> >> _______________________________________________ >> >>> >> keycloak-dev mailing list >> >>> >> keycloak-dev at lists.jboss.org >> >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >>> >> >> >>> > >> >>> _______________________________________________ >> >>> keycloak-user mailing list >> >>> keycloak-user at lists.jboss.org >> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>> >> >> >> >> >> >> -- >> >> Subodh Chandra Joshi >> >> subodh1_joshi82 at yahoo.co.in >> >> http://www.trendsinnews.com >> >> >> > >> > >> >> -- >> Subodh Chandra Joshi >> subodh1_joshi82 at yahoo.co.in >> http://www.trendsinnews.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > Best regards, > Serhii Shymkiv. > From sergey at shimkiv.com Fri May 25 09:22:23 2018 From: sergey at shimkiv.com (Serhii Shymkiv) Date: Fri, 25 May 2018 16:22:23 +0300 Subject: [keycloak-user] [keycloak-dev] Keycloak 4.0.0.Final released In-Reply-To: References: Message-ID: Thanks a lot! -- Best regards, Sergey Shimkiv. On Fri, May 25, 2018, 16:10 Stian Thorgersen wrote: > Thanks for letting me know. I had to rework the release jobs a bit and the > upload part wasn't done properly. Fixed now and the bits are being uploaded > right now. Everything should be there in ~30 min. > > On 25 May 2018 at 14:19, Serhii Shymkiv wrote: > >> Hey Guys, >> something wrong has happened with the dist binaries ? >> >> https://downloads.jboss.org/keycloak/4.0.0.Beta3/keycloak-4.0.0.Beta3.zip >> => HTTP 404 >> >> On Fri, May 25, 2018 at 9:34 AM, Subodh Joshi >> wrote: >> >>> Great, thanks for the update. 
>>> >>> On Fri, May 25, 2018 at 12:04 PM Stian Thorgersen >>> wrote: >>> >>> > It should be around 3 weeks after Beta3 >>> > >>> > On 25 May 2018 at 05:08, Subodh Joshi >>> wrote: >>> > >>> >> Any idea when Final release will happen? >>> >> >>> >> On Thu, May 24, 2018 at 11:06 PM Stian Thorgersen < >>> sthorger at redhat.com> >>> >> wrote: >>> >> >>> >>> It's indeed Beta3 that was released and not Final. Final will be next >>> >>> though! >>> >>> >>> >>> On 24 May 2018 at 19:24, Thomas Darimont < >>> thomas.darimont at googlemail.com >>> >>> > >>> >>> wrote: >>> >>> >>> >>> > Congrats! >>> >>> > >>> >>> > The blog says 4.0.0.Beta3 is this now the final 4.0.0 version? >>> >>> > >>> >>> > Cheers, >>> >>> > Thomas >>> >>> > >>> >>> > Stian Thorgersen wrote on Thu., 24 May >>> 2018, >>> >>> > 19:18: >>> >>> > >>> >>> >> To download the release go to the Keycloak homepage >>> >>> >> . >>> >>> >> Highlights >>> >>> >> Fuse 7 Adapter >>> >>> >> >>> >>> >> There's now support for Fuse 7. >>> >>> >> Cordova options in JavaScript adapter >>> >>> >> >>> >>> >> It's now possible to pass Cordova specific options to login and >>> other >>> >>> >> methods in the JavaScript adapter. Thanks to loorent >>> >>> >> for the contribution. >>> >>> >> Search by user id on admin console >>> >>> >> >>> >>> >> If you wanted to search for a user by id in the admin console you >>> had >>> >>> to >>> >>> >> edit the URL. It's now possible to do it directly in the user >>> search >>> >>> >> field. >>> >>> >> More... >>> >>> >> >>> >>> >> The full list of resolved issues is available in JIRA >>> >>> >> >> >>> >> 20keycloak%20and%20fixVersion%20%3D%204.0.0.Beta3> >>> >>> >> . >>> >>> >> Upgrading >>> >>> >> >>> >>> >> Before you upgrade remember to backup your database and check the >>> >>> upgrade >>> >>> >> guide >>> for >>> >>> >> anything that may have changed.
>>> >>> >> _______________________________________________ >>> >>> >> keycloak-dev mailing list >>> >>> >> keycloak-dev at lists.jboss.org >>> >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >> >>> >>> > >>> >>> _______________________________________________ >>> >>> keycloak-user mailing list >>> >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >>> >> >>> >> -- >>> >> Subodh Chandra Joshi >>> >> subodh1_joshi82 at yahoo.co.in >>> >> http://www.trendsinnews.com >>> >> >>> > >>> > >>> >>> -- >>> Subodh Chandra Joshi >>> subodh1_joshi82 at yahoo.co.in >>> http://www.trendsinnews.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> Best regards, >> Serhii Shymkiv. >> > > From juanjo.vazquez.delgado at tecsisa.com Fri May 25 09:59:35 2018 From: juanjo.vazquez.delgado at tecsisa.com (Juan José Vázquez Delgado) Date: Fri, 25 May 2018 15:59:35 +0200 Subject: [keycloak-user] Patterns in Resource URI's In-Reply-To: References: Message-ID: It might work indeed, but the thing is that I'm not using the out-of-the-box policy enforcers as we don't have a JavaEE or Spring architecture. Our solution is based on Scala, Akka and Play so our plan is just to take advantage of the Rest API's and probably to tailor our own policy enforcers. In fact, we might share part of this work if this makes sense. So, I suppose that the solution you propose is still valid even though we'd probably need to re-implement the logic that extracts and provides the additional claims that should be available during the authorization process. After that, we'd provide this contextual information through the `claim_token` parameter as it's described in documentation here [1]. Is this assumption correct?
Please, excuse me if the question might be naive but I'm still learning the KC nuances. Excellent tool and work BTW. [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions On Fri., 25 May 2018 at 14:44, Pedro Igor Silva () wrote: > Hi Juan, > > Recently, we have added support for Claim Information Points [1]. > Basically, these are components on the policy enforcer side that can be > configured to send additional claims to your policies. They allow you to > extract different information from the request as well as from the access > token. > > Would that work for you ? > > [1] > https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point > > On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado < > juanjo.vazquez.delgado at tecsisa.com> wrote: > >> Hello everyone. I'm currently assessing KC Authz services and I stumbled >> across a use case that I'm not sure how to solve. I've found previous >> similar discussions but I couldn't find the answer that might apply >> directly to it. Basically, I have a web service that acts as resource >> server, following the UMA terminology, and I want to protect it using KC. >> This ws publishes several endpoints that follow a multi-tenant >> arrangement. >> Something like this: >> >> /{org_id}/products >> /{org_id}/product/{id} >> ... >> etc >> >> The ID Token obtained through the authentication OIDC flow carries the >> `org_id` data so I could provide this as additional claim to the token >> endpoint in order to get a proper RPT. However, I would like not to have >> to >> create a different resource per organization and uri, but just the same >> patterns as in the endpoints: >> >> /{org_id}/products >> /{org_id}/product/{id} >> >> I haven't found any information about whether it's possible to define a >> pattern also in the resource uri so that I can use it from the Evaluation >> API during the RPT issuance.
I'm sure I'm missing something relevant here, >> but so far I couldn't find another solution than creating as many resources >> as organizations exist and that could be a maintenance burden in the >> future. Maybe it's just as simple as parsing the resource name, in JS or >> Drools Rules, in order to retrieve the `org_id` from the resource name. >> >> Any help would be appreciated. Thanks! >> > _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Juan José Vázquez Delgado CTO Tecsisa C/Quintanavides, 19 Parque Vía Norte Edificio 4, Planta 3, Oficina H 28050 Madrid T: +34 91 182 04 70 F: +34 91 447 05 11 E: juanjo.vazquez.delgado at tecsisa.com W: www.tecsisa.com From ebenzacar at gmail.com Fri May 25 10:13:20 2018 From: ebenzacar at gmail.com (Eric B) Date: Fri, 25 May 2018 10:13:20 -0400 Subject: [keycloak-user] How to force a re-authentication using the Keycloak Filter Adapter In-Reply-To: References: Message-ID: Thanks Luis, but I think that is specific to SAML and not OIDC. Additionally, I'm not looking to force authentication at every request; just in specific circumstances when I want an additional layer of validation. Thanks, Eric On Fri, May 25, 2018 at 3:15 AM, Luis Rodríguez Fernández wrote: > Hello Eric, > > I still have to try it myself, but perhaps "forceAuthentication=true" in > your keycloak.xml configuration adaptor could help on this[1] > > Hope it helps, > > Luis > > [1] https://www.keycloak.org/docs/latest/securing_apps/ > index.html#_saml-general-config > > 2018-05-25 4:02 GMT+02:00 Eric B : > >> I'm securing a webapp in Wildfly using the Keycloak Servlet Filter >> Adapter ( >> https://www.keycloak.org/docs/3.3/securing_apps/topics/oidc/ >> java/servlet-filter-adapter.html) >> rather than the Wildfly container adapter. >> >> Overall the filter is great and works very well.
However, I've been >> trying >> to figure out how I can leverage it to force a reauthentication by my >> application. As per the OIDC specs, I know I can pass 'prompt=login' to a >> call to Keycloak to force the user to reauthenticate himself, but not sure >> how to leverage the adapter to do this for me. >> >> I've noticed some special PreAuthentication hooks in the adapter to handle >> callbacks from Keycloak and tried to see if there was anything there, but >> they do not seem to handle this type of case. >> >> Are there any special URL parameters I can use that would be recognized >> and >> intercepted by the filter and force a user to reauthenticate themselves? >> >> Thanks, >> >> Eric >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." > > - Samuel Beckett > From psilva at redhat.com Fri May 25 10:21:39 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 25 May 2018 11:21:39 -0300 Subject: [keycloak-user] Patterns in Resource URI's In-Reply-To: References: Message-ID: On Fri, May 25, 2018 at 10:59 AM, Juan José Vázquez Delgado < juanjo.vazquez.delgado at tecsisa.com> wrote: > It might work indeed, but the thing is that I'm not using the > out-of-the-box policy enforcers as we don't have a JavaEE or Spring > architecture. Our solution is based on Scala, Akka and Play so our plan is > just to take advantage of the Rest API's and probably to tailor our own > policy enforcers. In fact, we might share part of this work if this makes > sense. > > So, I suppose that the solution you propose is still valid even though > we'd probably need to re-implement the logic that extracts and provides the > additional claims that should be available during the authorization > process.
After that, we'd provide this contextual information through the > `claim_token` parameter as it's described in documentation here [1]. Is > this assumption correct? Please, excuse me if the question might be naive > but I'm still learning the KC nuances. Excellent tool and work BTW. > > [1] https://www.keycloak.org/docs/latest/authorization_services/ > index.html#_service_obtaining_permissions > It depends on how you are obtaining permissions from the token endpoint. You can use `claim_token` in case you are not using UMA thus not sending tickets. In this case, the resource server just needs to build a JSON (key-values) and Base64 encode it. If using UMA you can also send these claims as part of the permission request (permission endpoint). We need to write more examples and doc around this. Will work on that before going into Final. > > On Fri., 25 May 2018 at 14:44, Pedro Igor Silva () > wrote: > >> Hi Juan, >> >> Recently, we have added support for Claim Information Points [1]. >> Basically, these are components on the policy enforcer side that can be >> configured to send additional claims to your policies. They allow you to >> extract different information from the request as well as from the access >> token. >> >> Would that work for you ? >> >> [1] https://www.keycloak.org/docs/latest/authorization_ >> services/index.html#_enforcer_claim_information_point >> >> On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado < >> juanjo.vazquez.delgado at tecsisa.com> wrote: >> >>> Hello everyone. I'm currently assessing KC Authz services and I stumbled >>> across a use case that I'm not sure how to solve. I've found previous >>> similar discussions but I couldn't find the answer that might apply >>> directly to it. Basically, I have a web service that acts as resource >>> server, following the UMA terminology, and I want to protect it using KC. >>> This ws publishes several endpoints that follow a multi-tenant >>> arrangement.
>>> Something like this: >>> >>> /{org_id}/products >>> /{org_id}/product/{id} >>> ... >>> etc >>> >>> The ID Token obtained through the authentication OIDC flow carries the >>> `org_id` data so I could provide this as additional claim to the token >>> endpoint in order to get a proper RPT. However, I would like not to have >>> to >>> create a different resource per organization and uri, but just the same >>> patterns as in the endpoints: >>> >>> /{org_id}/products >>> /{org_id}/product/{id} >>> >>> I haven't found any information about whether it's possible to define a >>> pattern also in the resource uri so that I can use it from the Evaluation >>> API during the RPT issuance. I'm sure I'm missing something relevant >>> here, >>> but so far I couldn't find another solution than creating as many resources >>> as organizations exist and that could be a maintenance burden in the >>> future. Maybe it's just as simple as parsing the resource name, in JS or >>> Drools Rules, in order to retrieve the `org_id` from the resource name. >>> >>> Any help would be appreciated. Thanks! >>> >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -- > > Juan José Vázquez Delgado > > CTO > > Tecsisa > > C/Quintanavides, 19 > > > Parque Vía Norte > > Edificio 4, Planta 3, Oficina H > > 28050 Madrid > > T: +34 91 182 04 70 > > F: +34 91 447 05 11 > > E: juanjo.vazquez.delgado at tecsisa.com > > W: www.tecsisa.com > From hmlnarik at redhat.com Fri May 25 10:28:42 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Fri, 25 May 2018 16:28:42 +0200 Subject: [keycloak-user] S3_ping authentication problem In-Reply-To: References: Message-ID: You might be hitting this JGroups bug [1]. See Amazon documentation on S3 endpoints [2] for regions that support Version 2 signatures.
Note that it might be possible to use the new NATIVE_S3_PING protocol but this one has not yet been incorporated into Keycloak due to this WildFly issue [3]. As a workaround, you might be able to use another discovery protocol, e.g. JDBC_PING. [1] https://issues.jboss.org/browse/JGRP-1914 [2] https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region [3] https://issues.jboss.org/browse/WFLY-8770 On Thu, May 17, 2018 at 10:44 PM, For Ever wrote: > Hello Everyone: > > I'm trying to set up clustering with S3_ping. I'm getting > the below error message when starting up Keycloak in standalone clustered > mode. > > > > > NOTE: > > I did a test as the user on my Linux node using awscli. The > username on the Linux box is the same as the IAM user in AWS. I gave > list, read and write permission (Policy) for the user in IAM > > 20:37:04,480 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: > ([ > ("subsystem" => "jgroups"), > ("channel" => "ee") > ]) - failure description: {"WFLYCTL0080: Failed services" => {" > org.wildfly.clustering.jgroups.channel.ee" => "java.io.IOException: bucket > 's3-ping-keycloak-sothebys-dev' could not be accessed (rsp=403 > (Forbidden). > Maybe the bucket is owned by somebody else or the authentication failed > Caused by: java.io.IOException: bucket 's3-ping-keycloak-sothebys-dev' > could not be accessed (rsp=403 (Forbidden). Maybe the bucket is owned by > somebody else or the authentication failed"}} > > > > > ###standalone-ha.xml snippet.
> > > > socket-binding="jgroups-mping"/> > > > > blahblah > > > blahblah > > > s3-ping-somebucket > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From juanjo.vazquez.delgado at tecsisa.com Fri May 25 10:37:21 2018 From: juanjo.vazquez.delgado at tecsisa.com (Juan José Vázquez Delgado) Date: Fri, 25 May 2018 16:37:21 +0200 Subject: [keycloak-user] Patterns in Resource URI's In-Reply-To: References: Message-ID: Got it. In fact, I've just seen a test that shows how to push these claims in the context of an UMA interchange flow [1]. I think this is the case you're talking about. I'll explore these solutions. Thank you so much for your help! BTW, it seems that something is wrong with the Admin API documentation endpoint [2]. [1] https://github.com/keycloak/keycloak/blob/e960642399f0f135faa59ba30c3f7b5cc7f2a3c7/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaPermissionTicketPushedClaimsTest.java [2] https://www.keycloak.org/docs-api/4.0/rest-api/index.html On Fri., 25 May 2018 at 16:21, Pedro Igor Silva () wrote: > On Fri, May 25, 2018 at 10:59 AM, Juan José Vázquez Delgado < > juanjo.vazquez.delgado at tecsisa.com> wrote: > >> It might work indeed, but the thing is that I'm not using the >> out-of-the-box policy enforcers as we don't have a JavaEE or Spring >> architecture. Our solution is based on Scala, Akka and Play so our plan is >> just to take advantage of the Rest API's and probably to tailor our own >> policy enforcers. In fact, we might share part of this work if this makes >> sense. >> >> So, I suppose that the solution you propose is still valid even though >> we'd probably need to re-implement the logic that extracts and provides the >> additional claims that should be available during the authorization >> process.
After that, we'd provide this contextual information through the >> `claim_token` parameter as it's described in documentation here [1]. Is >> this assumption correct? Please, excuse me if the question might be naive >> but I'm still learning the KC nuances. Excellent tool and work BTW. >> >> [1] >> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions >> > > It depends on how you are obtaining permissions from the token endpoint. > You can use `claim_token` in case you are not using UMA thus not sending > tickets. In this case, the resource server just needs to build a JSON > (key-values) and Base64 encode it. > > If using UMA you can also send these claims as part of the permission > request (permission endpoint). > > We need to write more examples and doc around this. Will work on that > before going into Final. > > >> >> On Fri., 25 May 2018 at 14:44, Pedro Igor Silva () >> wrote: >> >>> Hi Juan, >>> >>> Recently, we have added support for Claim Information Points [1]. >>> Basically, these are components on the policy enforcer side that can be >>> configured to send additional claims to your policies. They allow you to >>> extract different information from the request as well as from the access >>> token. >>> >>> Would that work for you ? >>> >>> [1] >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point >>> >>> On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado < >>> juanjo.vazquez.delgado at tecsisa.com> wrote: >>> >>>> Hello everyone. I'm currently assessing KC Authz services and I stumbled >>>> across a use case that I'm not sure how to solve. I've found previous >>>> similar discussions but I couldn't find the answer that might apply >>>> directly to it. Basically, I have a web service that acts as resource >>>> server, following the UMA terminology, and I want to protect it using >>>> KC.
>>>> This ws publishes several endpoints that follow a multi-tenant >>>> arrangement. >>>> Something like this: >>>> >>>> /{org_id}/products >>>> /{org_id}/product/{id} >>>> ... >>>> etc >>>> >>>> The ID Token obtained through the authentication OIDC flow carries the >>>> `org_id` data so I could provide this as additional claim to the token >>>> endpoint in order to get a proper RPT. However, I would like not to >>>> have to >>>> create a different resource per organization and uri, but just the same >>>> patterns as in the endpoints: >>>> >>>> /{org_id}/products >>>> /{org_id}/product/{id} >>>> >>>> I haven't found any information about whether it's possible to define a >>>> pattern also in the resource uri so that I can use it from the >>>> Evaluation >>>> API during the RPT issuance. I'm sure I'm missing something relevant >>>> here, >>>> but so far I couldn't find another solution than creating as many >>>> resources >>>> as organizations exist and that could be a maintenance burden in the >>>> future. Maybe it's just as simple as parsing the resource name, in JS or >>>> Drools Rules, in order to retrieve the `org_id` from the resource name. >>>> >>>> Any help would be appreciated. Thanks! >>>> >>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> -- >> >> Juan José
Vázquez Delgado >> >> CTO >> >> Tecsisa >> >> C/Quintanavides, 19 >> >> >> Parque Vía Norte >> >> Edificio 4, Planta 3, Oficina H >> >> 28050 Madrid >> >> T: +34 91 182 04 70 <+34%20911%2082%2004%2070> >> >> F: +34 91 447 05 11 <+34%20914%2047%2005%2011> >> >> E: juanjo.vazquez.delgado at tecsisa.com >> >> W: www.tecsisa.com >> > From psilva at redhat.com Fri May 25 12:17:18 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 25 May 2018 13:17:18 -0300 Subject: [keycloak-user] Patterns in Resource URI's In-Reply-To: References: Message-ID: On Fri, May 25, 2018 at 11:37 AM, Juan José Vázquez Delgado < juanjo.vazquez.delgado at tecsisa.com> wrote: > Got it. In fact, I've just seen a test that shows how to push these claims > in the context of an UMA interchange flow [1]. I think this is the case > you're talking about. I'll explore these solutions. Thank you so much for > your help! > Yeah, it is. > > BTW, it seems that something is wrong with the Admin API documentation > endpoint [2]. > Thanks for the heads up. > > [1] https://github.com/keycloak/keycloak/blob/ > e960642399f0f135faa59ba30c3f7b5cc7f2a3c7/testsuite/ > integration-arquillian/tests/base/src/test/java/org/ > keycloak/testsuite/authz/UmaPermissionTicketPushedClaimsTest.java > [2] https://www.keycloak.org/docs-api/4.0/rest-api/index.html > > On Fri., 25 May 2018 at 16:21, Pedro Igor Silva () > wrote: > >> On Fri, May 25, 2018 at 10:59 AM, Juan José Vázquez Delgado < >> juanjo.vazquez.delgado at tecsisa.com> wrote: >> >>> It might work indeed, but the thing is that I'm not using the >>> out-of-the-box policy enforcers as we don't have a JavaEE or Spring >>> architecture. Our solution is based on Scala, Akka and Play so our plan is >>> just to take advantage of the Rest API's and probably to tailor our own >>> policy enforcers. In fact, we might share part of this work if this makes >>> sense.
>>> >>> So, I suppose that the solution you propose is still valid even though >>> we'd probably need to re-implement the logic that extracts and provides the >>> additional claims that should be available during the authorization >>> process. After that, we'd provide this contextual information through the >>> `claim_token` parameter as it's described in documentation here [1]. Is >>> this assumption correct? Please, excuse me if the question might be naive >>> but I'm still learning the KC nuances. Excellent tool and work BTW. >>> >>> [1] https://www.keycloak.org/docs/latest/authorization_services/ >>> index.html#_service_obtaining_permissions >>> >> >> It depends on how you are obtaining permissions from the token endpoint. >> You can use `claim_token` in case you are not using UMA thus not sending >> tickets. In this case, the resource server just needs to build a JSON >> (key-values) and Base64 encode it. >> >> If using UMA you can also send these claims as part of the permission >> request (permission endpoint). >> >> We need to write more examples and doc around this. Will work on that >> before going into Final. >> >> >>> >>> On Fri., 25 May 2018 at 14:44, Pedro Igor Silva () >>> wrote: >>> >>>> Hi Juan, >>>> >>>> Recently, we have added support for Claim Information Points [1]. >>>> Basically, these are components on the policy enforcer side that can be >>>> configured to send additional claims to your policies. They allow you to >>>> extract different information from the request as well as from the access >>>> token. >>>> >>>> Would that work for you ? >>>> >>>> [1] https://www.keycloak.org/docs/latest/authorization_ >>>> services/index.html#_enforcer_claim_information_point >>>> >>>> On Thu, May 24, 2018 at 7:51 PM, Juan José Vázquez Delgado < >>>> juanjo.vazquez.delgado at tecsisa.com> wrote: >>>> >>>>> Hello everyone. I'm currently assessing KC Authz services and I >>>>> stumbled >>>>> across a use case that I'm not sure how to solve.
I've found previous >>>>> similar discussions but I couldn't find the answer that might apply >>>>> directly to it. Basically, I have a web service that acts as resource >>>>> server, following the UMA terminology, and I want to protect it using >>>>> KC. >>>>> This ws publishes several endpoints that follow a multi-tenant >>>>> arrangement. >>>>> Something like this: >>>>> >>>>> /{org_id}/products >>>>> /{org_id}/product/{id} >>>>> ... >>>>> etc >>>>> >>>>> The ID Token obtained through the authentication OIDC flow carries the >>>>> `org_id` data so I could provide this as additional claim to the token >>>>> endpoint in order to get a proper RPT. However, I would like not to >>>>> have to >>>>> create a different resource per organization and uri, but just the same >>>>> patterns as in the endpoints: >>>>> >>>>> /{org_id}/products >>>>> /{org_id}/product/{id} >>>>> >>>>> I haven't found any information about whether it's possible to define a >>>>> pattern also in the resource uri so that I can use it from the >>>>> Evaluation >>>>> API during the RPT issuance. I'm sure I'm missing something relevant >>>>> here, >>>>> but so far I couldn't find another solution than creating as many >>>>> resources >>>>> as organizations exist and that could be a maintenance burden in the >>>>> future. Maybe it's just as simple as parsing the resource name, in JS >>>>> or >>>>> Drools Rules, in order to retrieve the `org_id` from the resource name. >>>>> >>>>> Any help would be appreciated. Thanks! >>>>> >>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> -- >>> >>> Juan José
Vázquez Delgado >>> >>> CTO >>> >>> Tecsisa >>> >>> C/Quintanavides, 19 >>> >>> >>> Parque Vía Norte >>> >>> Edificio 4, Planta 3, Oficina H >>> >>> 28050 Madrid >>> >>> T: +34 91 182 04 70 <+34%20911%2082%2004%2070> >>> >>> F: +34 91 447 05 11 <+34%20914%2047%2005%2011> >>> >>> E: juanjo.vazquez.delgado at tecsisa.com >>> >>> W: www.tecsisa.com >>> >> From pnowak.pierre at gmail.com Fri May 25 12:53:24 2018 From: pnowak.pierre at gmail.com (Pierre Nowak) Date: Fri, 25 May 2018 18:53:24 +0200 Subject: [keycloak-user] Keycloak Security Proxy forbidden & no logout Message-ID: Hello, I tried to setup a simple keycloak + KSP to secure some simple http server I created: - 1 client (test_role) - 1 role (test_role) - 1 user - 1 role mapping of this user on the role created before - 1 KSP with this config: "resource": "test_role" ... "pattern":"/*", "roles-allowed":["test_role" ] When I login to KSP It works, but if I logout the session in the admin console, it doesn't logout. Is there a way to create a logout button on the simple http server based on the KSP headers or the session cookie? So that auth is managed by KSP but still with a logout button available on my http server behind it. Furthermore If I remove the role mapping and try to login, I do get an http forbidden request at the client url, but no login error message at the keycloak url that says that I don't have the rights to login to this client Is this normal behaviour or did I miss something ? From ritesh.garg at outlook.com Fri May 25 16:35:01 2018 From: ritesh.garg at outlook.com (Ritesh Garg) Date: Fri, 25 May 2018 20:35:01 +0000 Subject: [keycloak-user] Logout via admin API causes offline token to go stale In-Reply-To: References: Message-ID: Hi, I have made an interesting observation with Keycloak 3.4.3. The offline token for a user is considered stale if the user sessions are logged out using Admin API. I have not checked if this happens when the user triggers logout *without* admin involvement.
One thing to note here is that we have "revoke refresh token" enabled. Offline token validity is in days. Here are the steps I followed: 1. Generated an access token for a user using API. 2. Generated an offline token for the same user using API with scope as offline_access. 3. Generated an admin access token using the API. 4. Using admin token, triggered a logout on the user id with /users/{userid}/logout API. 5. Checked the web console to verify that the user sessions are gone but consents tab still has offline token. 6. Tried to get an access token using the offline token from step 2 with grant as refresh_token and got a stale token error. Is this expected? Thanks, Ritesh From ntle at castortech.com Fri May 25 17:30:18 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Fri, 25 May 2018 17:30:18 -0400 Subject: [keycloak-user] Enforce username not editable Message-ID: Hello, I have "Email as username" on, "Edit username" off in my realm login config. So I assume the user cannot change email but I just tested login to the self service portal *http://localhost:8180/auth/realms/myrealm/account/* and change my email, the result is that both my email and username got changed. I'm using 4.0 beta2. Is this a bug? Thai -- Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited.
If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly prohibited to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From clehingue at gmail.com Sat May 26 19:25:26 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Sun, 27 May 2018 01:25:26 +0200
Subject: [keycloak-user] Example for xamarin/keycloak
Message-ID:

Hello,

Would anyone have an example of using keycloak with xamarin (for IOS and Android platforms)?

Thank you in advance.

Regards,
Titoff002

From clehingue at gmail.com Sat May 26 19:29:31 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Sun, 27 May 2018 01:29:31 +0200
Subject: [keycloak-user] can I use these versions in production
Message-ID:

Hello,

Can 4.0.0.1 or 4.0.0.2 or 4.0.0.3 be used for production?

Thanks

From marc.boorshtein at tremolosecurity.com Sun May 27 12:29:18 2018
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Sun, 27 May 2018 12:29:18 -0400
Subject: [keycloak-user] Running keycloak on OpenShift Origin, can't login to admin console
Message-ID:

I'm trying to get kc running on OpenShift Origin 3.9. The latest container for dockerhub (https://hub.docker.com/r/jboss/keycloak-openshift/) looks to be on 4.0.0.beta2. Here are the steps I took:

1. created a deployment using the container image
2. added environment variables to use mysql
3. added environment variables for a keycloak admin username and password
4. set the command to "start-keycloak.sh -b=0.0.0.0"
5.
Service for 8080 was created by openshift, added a route When I try to login to the admin console, I get an invalid redirect_url error: 16:13:19,624 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.128.0.1, error=invalid_redirect_uri, redirect_uri=https://kc-demo.domain.com/auth/admin/master/console/ am i missing a config? Thanks From marc.boorshtein at tremolosecurity.com Sun May 27 13:03:49 2018 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Sun, 27 May 2018 13:03:49 -0400 Subject: [keycloak-user] Running keycloak on OpenShift Origin, can't login to admin console In-Reply-To: References: Message-ID: found the answer here - https://issues.jboss.org/browse/KEYCLOAK-5899 Added PROXY_ADDRESS_FORWARDING with value true to the deployment and we're up and running Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity On Sun, May 27, 2018 at 12:29 PM, Marc Boorshtein wrote: > I'm trying to get kc running on OpenShift Origin 3.9. The latest > container for dockerhub > (https://hub.docker.com/r/jboss/keycloak-openshift/) looks to be on > 4.0.0.beta2. Here are the steps i took: > > 1. created a deployment using the container image > 2. added environment variables to use mysql > 3. added environment variables for a keycloak admin username and password > 4. set the command to "start-keycloak.sh -b=0.0.0.0" > 5. Service for 8080 was created by openshift, added a route > > When I try to login to the admin console, I get an invalid redirect_url error: > > 16:13:19,624 WARN [org.keycloak.events] (default task-6) > type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, > userId=null, ipAddress=10.128.0.1, error=invalid_redirect_uri, > redirect_uri=https://kc-demo.domain.com/auth/admin/master/console/ > > am i missing a config? 
> > Thanks

From pulkitsrivastavajd at gmail.com Mon May 28 03:36:39 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Mon, 28 May 2018 13:06:39 +0530
Subject: [keycloak-user] Keycloak + NoSQL
In-Reply-To:
References:
Message-ID:

Thanks for the prompt reply.

I found the following blog regarding removing support for MongoDB which is a NoSQL db: https://blog.keycloak.org/2017/02/removing-mongo-support-from-keycloak.html

I am worried since I am also going to integrate a NoSQL db (amazon dynamo db) with keycloak. Is there a possibility that I might also face the same problems the blog talks about with little or no support from Keycloak support team?

Also, do we have anyone from the keycloak users who have tried integrating amazon dynamo db with Keycloak and has been successful in doing so?

Thanks,
Pulkit

From pierredupontdal at gmail.com Mon May 28 04:32:29 2018
From: pierredupontdal at gmail.com (Pierre Dupont)
Date: Mon, 28 May 2018 10:32:29 +0200
Subject: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
Message-ID:

Hi Luis,

Thank you for your answer. I tried your suggestion, following the provided example. My SAML request has changed, but I still get the same error, i.e. SigAlg was null. My guess is that Keycloak doesn't manage to read the value in the SAML request.

Here is my SAML request (retrieved with SAML Tracer on Firefox):

... ... ... ...

As expected, I have the correct values for SignatureMethod and DigestMethod. I'm short of ideas.

Thanks in advance,

Pierre

Date: Fri, 25 May 2018 14:39:03 +0200
From: Luis Rodríguez Fernández
Subject: Re: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
To: keycloak-user at lists.jboss.org
Message-ID:
Content-Type: text/plain; charset="UTF-8"

Hello Pierre,

mmm, If I am not wrong, usually for signature methods SAML uses the URI identifier [1]. E.g. my IdP (ADFS) likes "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
You can have look at this example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a

Hope it helps,

Luis

[1] https://www.w3.org/TR/xmlsec-algorithms/
[2]

From laurent.latour at arjo-solutions.com Mon May 28 04:56:10 2018
From: laurent.latour at arjo-solutions.com (Laurent LATOUR)
Date: Mon, 28 May 2018 08:56:10 +0000
Subject: [keycloak-user] login error email in keycloak
Message-ID:

Hi,

Using keycloak v2.5.5, when a user enters an invalid password on login (using rest api), an email is sent to him saying "A failed login attempt was detected to your account on from . If this was not you, please contact an admin."

After upgrading to keycloak v3.4.3, this email isn't sent anymore.

So my question is: is it possible to configure this email sending on login error somewhere?

Thanks.

Laurent

From abhi.raghav007 at gmail.com Mon May 28 06:25:07 2018
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Mon, 28 May 2018 15:55:07 +0530
Subject: [keycloak-user] login error email in keycloak
In-Reply-To:
References:
Message-ID:

Yes, to get the email on unsuccessful login, you need to select the *email* event listener under *Events --> Config --> Event Listeners*. Also you can configure to listen for some events and exclude the ones you don't want emails for. Right now it supports only 4 types of events. Add this in your standalone.xml file under the list of SPIs and just restart your keycloak server -

*- Best Regards*
Abhishek Raghav

On Mon, May 28, 2018 at 2:26 PM, Laurent LATOUR <laurent.latour at arjo-solutions.com> wrote:

> Hi,
>
> Using keycloak v2.5.5, when a user enters an invalid password on login (using rest api), an email is sent to him saying
> "A failed login attempt was detected to your account on from address>. If this was not you, please contact an admin."
> After upgrading to keycloak v3.4.3, this email isn't sent anymore.
> So my question is: is it possible to configure this email sending on login error somewhere?
>
> Thanks.
> Laurent
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From uo67113 at gmail.com Mon May 28 10:45:42 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 28 May 2018 16:45:42 +0200
Subject: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
In-Reply-To:
References:
Message-ID:

Hello Pierre,

mmm, for a production use I would go for https://www.keycloak.org/archive/downloads-3.4.3.html.

Hope it helps,

Luis

2018-05-28 16:26 GMT+02:00 Pierre Dupont:

> Hello Luis,
>
> I checked the XML file, the requestBinding is POST, but that was a good hint:
> Keycloak is waiting for a SigAlg parameter as an HTTP parameter. I had a parameter (embed_sign) in my SP config which was embedding these parameters in the AuthnRequest instead of passing them as HTTP parameters.
>
> However, I got another error, which is a NullPointerException.
> I think it is the same as this one: https://issues.jboss.org/browse/KEYCLOAK-7032
> It seems the only solution is to use an older version of Keycloak, unless you have a better solution.
>
> In any case, thank you for your help and your time.
>
> Best regards,
> Pierre
>
> On Mon, May 28, 2018 at 12:17 PM, Luis Rodríguez Fernández <uo67113 at gmail.com> wrote:
>
>> Hello Pierre,
>>
>> It looks correct to me, or at least very similar to mine:
>> https://gist.github.com/lurodrig/0c26b2000a725946b3ecc7994543d918
>>
>> I do think that the problem is that your IdP is expecting a GET for the authnRequest and what your SP is doing is a POST. What is the value of your IDP.SingleSignOnService.requestBinding in your keycloak.xml?
>> Me I have something like this:
>>
>> signatureAlgorithm="RSA_SHA256"
>> signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
>> validateResponseSignature="true"
>> validateAssertionSignature="false"
>> requestBinding="POST"
>>
>> Hope it helps,
>>
>> Luis
>>
>> 2018-05-28 10:32 GMT+02:00 Pierre Dupont:
>>
>>> Hi Luis,
>>>
>>> Thank you for your answer. I tried your suggestion, following the provided example.
>>> My SAML request has changed, but I still get the same error, i.e. SigAlg was null.
>>> My guess is that Keycloak doesn't manage to read the value in the SAML request.
>>>
>>> Here is my SAML request (retrieved with SAML Tracer on Firefox):
>>>
>>> ID="_5c3e604e-7dad-443e-9b10-5cbe2d685081" IssueInstant="2018-05-28T07:26:17Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
>>> ...
>>> />
>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>> ...
>>> ...
>>> ...
>>> "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
>>>
>>> As expected, I have the correct values for SignatureMethod and DigestMethod. I'm short of ideas.
>>>
>>> Thanks in advance,
>>>
>>> Pierre
>>>
>>> Date: Fri, 25 May 2018 14:39:03 +0200
>>> From: Luis Rodríguez Fernández
>>> Subject: Re: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
>>> To: keycloak-user at lists.jboss.org
>>> Message-ID:
>>> Content-Type: text/plain; charset="UTF-8"
>>>
>>> Hello Pierre,
>>>
>>> mmm, If I am not wrong, usually for signature methods SAML uses the URI identifier [1]. E.g. my IdP (ADFS) likes "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
>>> You can have look at this example: https://gist.github.com/lurodrig/34fa5092da4cef85d1f3cfaa2ac3025a
>>>
>>> Hope it helps,
>>>
>>> Luis
>>>
>>> [1] https://www.w3.org/TR/xmlsec-algorithms/
>>> [2]
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>> - Samuel Beckett

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From iain.clarke at empala.com Mon May 28 10:55:37 2018
From: iain.clarke at empala.com (iain.clarke at empala.com)
Date: Mon, 28 May 2018 07:55:37 -0700
Subject: [keycloak-user] Looking for install help.
Message-ID: <034901d3f693$f0bdc3b0$d2394b10$@empala.com>

I'm looking for help with implementing Keycloak on my AWS environment. Is there a list of implementation partners who are Keycloak experts? I want a simple setup for a PoC and then moving to a clustered Docker / ECS setup for Production if the PoC is successful.

Thanks,
Iain

From matthew.broadhead at nbmlaw.co.uk Mon May 28 11:09:47 2018
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Mon, 28 May 2018 17:09:47 +0200
Subject: [keycloak-user] forgot password redirect
Message-ID: <831667d6-b181-f664-7092-c066ee71b6fc@nbmlaw.co.uk>

If a user clicks forgot password and enters their email address they are sent a password reset email. However, this password reset email doesn't contain a redirect_uri to help them get back to the webapp. Shouldn't this be autodetected by keycloak, because they must already be in the context of a particular webapp? Do I need to change a setting somewhere?
From vinayatoz at gmail.com Mon May 28 12:50:26 2018 From: vinayatoz at gmail.com (Vinay) Date: Mon, 28 May 2018 12:50:26 -0400 Subject: [keycloak-user] Password Reset Email - Security Risk Message-ID: Hi, When using password reset function an email is sent to the user in order to change the password. There is no limitation in number of password change requests a user can do and a malicious user could generate a number of requests and hence as many email to the victim's email inbox. This is a potential security risk. Is there a way to stop this ? -Vinay From getankur86 at gmail.com Mon May 28 13:16:03 2018 From: getankur86 at gmail.com (Ankur Singhal) Date: Mon, 28 May 2018 22:46:03 +0530 Subject: [keycloak-user] Fetch QR Code - TOTP REST API Message-ID: Hi All, I have my own login page, wish to integrate this with Keycloak OTP Functionality. Looking for REST API for below flows. 1.) User Enters username/password and login. 2.) If *CONFIGURE_OTP* action is configured, REST API return with QR Code (image/secret). 3.) User scans and submits the OTP. 4.) Subsequent login just return to enter OTP if no action configured. Thanks Ankur From pulkitsrivastavajd at gmail.com Tue May 29 01:50:21 2018 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Tue, 29 May 2018 11:20:21 +0530 Subject: [keycloak-user] Keycloak + NoSQL In-Reply-To: References: Message-ID: Hey, Any pointer to this? Thanks, Pulkit On Mon, May 28, 2018 at 1:06 PM, Pulkit Srivastava < pulkitsrivastavajd at gmail.com> wrote: > Thanks for the prompt reply. > > I found the following blog regarding removing support for MongoDB which is > a NoSQL db : https://blog.keycloak.org/2017/02/removing-mongo- > support-from-keycloak.html > > I am worried since i am also going to integrate a NoSQL db(amazon dynamo > db) with keycloak. Is there a possibility that I might also face the same > problems the blog talks about with little or no support from Keycloak > support team. 
> > Also, do we have anyone from the keycloak users, who have tried > integrating amazon dynamo db with Keycloak and has been successful in doing > so. > > Thanks, > Pulkit > > From sthorger at redhat.com Tue May 29 03:50:27 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 29 May 2018 09:50:27 +0200 Subject: [keycloak-user] Keycloak + NoSQL In-Reply-To: References: Message-ID: I would not recommend trying to completely replace the DB layer with NoSQL. That would mean you'd need to store realms, clients, roles, etc.. This also regularly change from release to release so you would have to update your implementation regularly. For users only the user storage SPI is a supported API and we will maintain backwards compatibility there. Although, personally I would rather just use the same relational db for both rather than having to maintain both a relational db and a NoSQL db. On 29 May 2018 at 07:50, Pulkit Srivastava wrote: > Hey, > Any pointer to this? > > Thanks, > Pulkit > > On Mon, May 28, 2018 at 1:06 PM, Pulkit Srivastava < > pulkitsrivastavajd at gmail.com> wrote: > > > Thanks for the prompt reply. > > > > I found the following blog regarding removing support for MongoDB which > is > > a NoSQL db : https://blog.keycloak.org/2017/02/removing-mongo- > > support-from-keycloak.html > > > > I am worried since i am also going to integrate a NoSQL db(amazon dynamo > > db) with keycloak. Is there a possibility that I might also face the same > > problems the blog talks about with little or no support from Keycloak > > support team. > > > > Also, do we have anyone from the keycloak users, who have tried > > integrating amazon dynamo db with Keycloak and has been successful in > doing > > so. 
> > > > Thanks, > > Pulkit > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sinsn_619 at abv.bg Tue May 29 06:48:55 2018 From: sinsn_619 at abv.bg (Pedro Pedro) Date: Tue, 29 May 2018 13:48:55 +0300 (EEST) Subject: [keycloak-user] Realms and LDAP Message-ID: <130610930.215573.1527590935461.JavaMail.apache@nm83.abv.bg> Hi When creating new realm in Keycloak I would like to create a new objectclass=organizationalUnit in LDAP, so this will be a dedicated to storing the users for the newly created realm. Is that possible to achieve with Keycloak? Regards. From triton.oidc at gmail.com Tue May 29 10:17:20 2018 From: triton.oidc at gmail.com (triton oidc) Date: Tue, 29 May 2018 14:17:20 +0000 Subject: [keycloak-user] Writing new way to login In-Reply-To: References: Message-ID: Hi, i made some progress, This implementation was not in the existing keycloak package, therefore i need to create a jar i managed to build a jar with the implementation "PassThroughAuthenticator". It is displayed in the interface. I selected it for an authentication. However when i try to authenticate the user, I got a "Failed authentication: org.keycloak.authentication.AuthenticationFlowException" The Class i use is comging is coming from this one : https://github.com/keycloak/keycloak/blob/a743600b344763ce2e7f70a625f590a8425fc5f3/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/forms/PassThroughAuthenticator.java The only change are the package name and the logger. I put a log in the getID() method, i get logs however the one I put in the > method authenticate(AuthenticationFlowContext context) Are never reached. In the UI, i see a "Invalid username or password." 
The display error in the log after the stack trace is : "error=invalid_user_credentials" - Is it possible to use this authentication method, or is it just for test purposes ? - Or did i missed something and i need another action for the "authenticate" method to be use ? Thanks for any help On Wed, May 23, 2018 at 9:00 AM, triton oidc wrote: > Hi, > > in my current scenario, i wish to write a new way for user to login. > I saw an example that seems pretty simple to start with : > PassThroughAuthenticator, the user is hardcoded in the class and it > already implements Authenticator and AuthenticatorFactory > > I've been trying to use this example is my keycloak > > Looking at the configuration xml, I saw some lines containing spi. > like mentioned in the doc > > > > I guess i need to put the PROVIDER_ID ("testsuite-dummy-passthrough" in > my example) > somewhere in the XML, then it will appear in the UI in Authentication / > flow / execution / Provider > > I tried this, but it's not showing in the UI after a restart > > testsuite-dummy-passthrough provider> > > > > 1) am i looking in the right direction for filling the XML, or did i miss > any step > 2) am i looking in the correct menu in the UI > > Thanks for any help > > I'll keep trying in the meantime > > Amaury > From pnowak.pierre at gmail.com Tue May 29 12:18:36 2018 From: pnowak.pierre at gmail.com (Pierre Nowak) Date: Tue, 29 May 2018 18:18:36 +0200 Subject: [keycloak-user] keycloak security proxy client roles constraints Message-ID: Hello, I am not able to set url constraints based on client roles. If I use realm roles it works If you have a role "user" in realms and a "user" role in a client "client_test" How do you call the client_test "user" role ? I tried "client_test/user" but doesn't work. 
If I delete the "user" realm role it doesnt work either :/ "roles-allowed": [ "user" ] From pritiguleria10 at gmail.com Tue May 29 12:33:27 2018 From: pritiguleria10 at gmail.com (priti guleria) Date: Tue, 29 May 2018 22:03:27 +0530 Subject: [keycloak-user] LDAP with SAML Identity provider Message-ID: Hi Team, I am trying to use LDAP as SAML 2.0 Identity provider. Can someone please guide me what should be the value of Single Sign-On Service URL? If you can provide some example it will be very helpful. Regards, Priti From aechols at bfcsaz.com Tue May 29 12:51:25 2018 From: aechols at bfcsaz.com (Aaron Echols) Date: Tue, 29 May 2018 09:51:25 -0700 Subject: [keycloak-user] LDAP with SAML Identity provider In-Reply-To: References: Message-ID: Hi Priti, I found the following information on the mailing lists. I'm thinking it should be good still, I'll be working on this over the summer or over the our education institutes fall break. Please share if it works for you or not. Thanks :) http://lists.jboss.org/pipermail/keycloak-user/2016-December/008783.html On Tue, May 29, 2018 at 9:34 AM priti guleria wrote: > Hi Team, > > I am trying to use LDAP as SAML 2.0 Identity provider. > Can someone please guide me what should be the value of Single Sign-On > Service URL? > If you can provide some example it will be very helpful. > > Regards, > Priti > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ShengHong.Pan at halliburton.com Tue May 29 12:59:01 2018 From: ShengHong.Pan at halliburton.com (Sheng Hong Pan) Date: Tue, 29 May 2018 16:59:01 +0000 Subject: [keycloak-user] issue with keycloak password reset confirmation page Message-ID: Hello, We are using forgot password feature in keycloak. After resetting password, it does not show account updated confirmation page (see below). Instead, it logs user into the application. 
I'm wondering if anyone has a solution or suggestion on it.

[Attachment image001.png (screenshot of the confirmation page) omitted]

Steps to reproduce:
1. Request password reset via Forgot Password on login page
2. Copy/Paste reset password link into the same browser window where the request is submitted
3. Type in new password and submit

Thanks.
-Sheng

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From alex at puredanger.com Tue May 29 13:11:29 2018
From: alex at puredanger.com (Alex Miller)
Date: Tue, 29 May 2018 12:11:29 -0500
Subject: [keycloak-user] API docs?
Message-ID:

Hi, I'm just starting to look at KeyCloak. The links to the Javadoc and REST API docs at https://www.keycloak.org/documentation.html are both 404. Anyone have a pointer to those or can fix?

Thanks,
Alex

From bruno at abstractj.org Tue May 29 13:22:55 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 29 May 2018 14:22:55 -0300
Subject: [keycloak-user] API docs?
In-Reply-To:
References:
Message-ID:

Tested here, that's a bug. Would you mind filing a Jira?

On Tue, May 29, 2018, 2:11 PM Alex Miller wrote:

> Hi, I'm just starting to look at KeyCloak. The links to the Javadoc and REST API docs at https://www.keycloak.org/documentation.html are both 404. Anyone have a pointer to those or can fix?
> Thanks,
> Alex
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alex at puredanger.com Tue May 29 13:39:04 2018
From: alex at puredanger.com (Alex Miller)
Date: Tue, 29 May 2018 12:39:04 -0500
Subject: [keycloak-user] API docs?
In-Reply-To:
References:
Message-ID:

Filed at https://issues.jboss.org/browse/KEYCLOAK-7461

On Tue, May 29, 2018 at 12:22 PM, Bruno Oliveira wrote:

> Tested here, that's a bug. Would you mind filing a Jira?
>
> On Tue, May 29, 2018, 2:11 PM Alex Miller wrote:
>
>> Hi, I'm just starting to look at KeyCloak. The links to the Javadoc and REST API docs at https://www.keycloak.org/documentation.html are both 404.
>> Anyone have a pointer to those or can fix?
>>
>> Thanks,
>> Alex
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From haikalrios at gmail.com Tue May 29 14:38:45 2018
From: haikalrios at gmail.com (Haikal Rios)
Date: Tue, 29 May 2018 14:38:45 -0400
Subject: [keycloak-user] Keycloak with apache in front
Message-ID: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com>

Version: 3.4.3

Hello everybody,

I am trying to use keycloak in my application. My structure is apache in front, one server with my application and another server for keycloak. There is ssl in Apache. When I open my application it calls the login page in keycloak, but when I put login/password and click the log in button my browser is directed to the local address, the same address that is configured in the httpconf virtual host section:

ProxyPass "/auth/" "http://localhost:8180/auth/"
ProxyPassReverse "/auth/" "http://localhost:8180/auth/"

Anyone have an idea about this problem? Maybe it is apache configuration, maybe not.
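The redirect to localhost described in this message is what a server produces when it builds absolute URLs from the hop the proxy opened to it; the proxy-address-forwarding listener attribute (and the PROXY_ADDRESS_FORWARDING container variable) mentioned elsewhere in this digest make it use the proxy's X-Forwarded-* headers instead. The Python model below is an added example, not code from the thread, Keycloak or Undertow; exactly which X-Forwarded-* headers a given Undertow version honours and the peer-address check are assumptions of the model, and the host names are constructed.

```python
"""Model of how a server behind a reverse proxy picks the host for its redirects.

Added example, not code from the thread or from Keycloak/Undertow.  With
forwarding off the server only sees the hop the proxy opened to it
(http://localhost:8180) and builds every absolute URL from that; with
forwarding on, the X-Forwarded-* headers set by the proxy are used instead.
Which X-Forwarded-* headers a real Undertow honours is an assumption here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional


@dataclass(frozen=True)
class Connection:
    """What the backend can observe about the TCP hop it accepted."""
    scheme: str    # scheme of the listener the proxy connected to
    host: str      # Host header as sent by the proxy (ProxyPass rewrites it)
    peer_ip: str   # source address of the hop, i.e. the proxy itself


def external_base_url(conn: Connection, headers: Mapping[str, str],
                      trusted_proxies: Optional[FrozenSet[str]]) -> str:
    """Return the scheme://host[:port] the server will embed in redirects.

    trusted_proxies=None models the default (forwarding disabled).  A non-empty
    set models forwarding enabled, with the extra rule that forwarded headers
    are honoured only when the hop really comes from a known proxy.  Keycloak's
    own switch is global, so in practice that restriction belongs at the
    network layer: the listener must be reachable from the proxy only.
    """
    if not trusted_proxies or conn.peer_ip not in trusted_proxies:
        return f"{conn.scheme}://{conn.host}"
    lower = {k.lower(): v for k, v in headers.items()}
    # Values may be comma-joined when proxies are chained; the first element
    # is what the client-facing proxy recorded.
    scheme = lower.get("x-forwarded-proto", conn.scheme).split(",")[0].strip()
    host = lower.get("x-forwarded-host", conn.host).split(",")[0].strip()
    port = lower.get("x-forwarded-port", "").split(",")[0].strip()
    if port:
        host = f"{host.split(':')[0]}:{port}"
    # Drop the scheme's default port so the URL matches what users typed.
    default_port = {"http": "80", "https": "443"}.get(scheme, "")
    if default_port and host.endswith(f":{default_port}"):
        host = host[: -len(default_port) - 1]
    return f"{scheme}://{host}"


def account_url(conn, headers, trusted_proxies, realm="myrealm"):
    """Absolute URL the browser is sent to after a successful login."""
    base = external_base_url(conn, headers, trusted_proxies)
    return f"{base}/auth/realms/{realm}/account/"


# Constructed request as Apache passes it on when TLS terminates at Apache,
# ProxyPass points at http://localhost:8180 and mod_headers sets X-Forwarded-Proto.
FROM_APACHE = Connection(scheme="http", host="localhost:8180", peer_ip="127.0.0.1")
FORWARDED = {
    "Host": "localhost:8180",          # rewritten by ProxyPass (no ProxyPreserveHost)
    "X-Forwarded-For": "203.0.113.7",  # the browser's address
    "X-Forwarded-Host": "kc.example.org",
    "X-Forwarded-Proto": "https",
}
# The same headers arriving directly, bypassing the proxy: they must be
# ignored, otherwise whoever sends them chooses the host in the redirect.
DIRECT = Connection(scheme="http", host="localhost:8180", peer_ip="203.0.113.7")

if __name__ == "__main__":
    trusted = frozenset({"127.0.0.1"})
    print("forwarding off :", account_url(FROM_APACHE, FORWARDED, None))
    print("forwarding on  :", account_url(FROM_APACHE, FORWARDED, trusted))
    print("direct request :", account_url(DIRECT, FORWARDED, trusted))
```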
From yossi.baruch at iucc.ac.il Wed May 30 02:30:43 2018
From: yossi.baruch at iucc.ac.il (Yossi Baruch)
Date: Wed, 30 May 2018 06:30:43 +0000
Subject: [keycloak-user] FreeIPA --> Keycloak --> simplesamlphp --> edugain
Message-ID:

Hi,

I'm using Keycloak to connect to FreeIPA and create a user federation. I'm mapping several attributes from FreeIPA, among them eduPersonTargetedID (EPTID). This EPTID is used to connect to a saml client and then as one of the attributes used in the edugain inter-federation. The issue is that EPTID should be an array and not a single value; I get errors from the inter-federation that this EPTID is not structured right. I think that usually this EPTID is generated whenever the saml client connects, but I have no idea how to do so.

Anyone has an opinion about this? Has mitigated this in the past?

Sincerely Yours,

Yossi Baruch, IT specialist
office: +972-3-646-0569
fax: +972-3-646-0557
E-Mail: yossi.baruch at iucc.ac.il
Website: www.iucc.ac.il

"May The Force Be With You." - Master Yoda
"I'm trying to free your mind... But I can only show you the door. You're the one that has to walk through it." - Morpheus
"We are continually faced with a series of great opportunities brilliantly disguised as insoluble problems." - John W. Gardner
"Do not go gentle into that good night, Old age should burn and rave at close of day; Rage, rage against the dying of the light." - Dylan Thomas
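The eduPerson schema defines eduPersonTargetedID as a SAML 2.0 persistent NameID carried inside the AttributeValue rather than a string; Keycloak's built-in user-attribute mappers emit string values, which is one reason a federation validator can report the attribute as badly structured. The checker and builder below are an added example, not code from the thread or from Keycloak; the entityIDs and the identifier value are constructed.

```python
"""Check and build eduPersonTargetedID in the nested-NameID form.

Added example, not code from the thread or from Keycloak.  check_eptid() reports
how an AttributeStatement carries EPTID (urn:oid:1.3.6.1.4.1.5923.1.1.1.10);
build_eptid() serialises the form the eduPerson schema specifies.  Sample
entityIDs and identifier values are constructed.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"saml": SAML2}


def check_eptid(attribute_statement_xml: str) -> dict:
    """Report whether the statement carries EPTID as a persistent NameID.

    Returns {"present": bool, "ok": bool, "reason": str}.  "ok" is True only
    for exactly one AttributeValue wrapping a saml:NameID with the persistent
    Format, both qualifiers and a non-empty value.
    """
    root = ET.fromstring(attribute_statement_xml.strip())
    attrs = root.findall(f".//saml:Attribute[@Name='{EPTID_OID}']", NS)
    if not attrs:
        return {"present": False, "ok": False,
                "reason": "no eduPersonTargetedID attribute"}
    values = attrs[0].findall("saml:AttributeValue", NS)
    if len(values) != 1:
        return {"present": True, "ok": False,
                "reason": f"expected exactly one AttributeValue, found {len(values)}"}
    name_id = values[0].find("saml:NameID", NS)
    if name_id is None:
        return {"present": True, "ok": False,
                "reason": "AttributeValue is a plain string, not a saml:NameID"}
    problems = []
    if name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, not persistent")
    for qualifier in ("NameQualifier", "SPNameQualifier"):
        if not name_id.get(qualifier):
            problems.append(f"NameID lacks {qualifier}")
    if not (name_id.text or "").strip():
        problems.append("NameID value is empty")
    return {"present": True, "ok": not problems,
            "reason": "; ".join(problems) or "well-formed persistent NameID"}


def build_eptid(value: str, idp_entity_id: str, sp_entity_id: str) -> str:
    """Serialise an EPTID attribute statement in the nested-NameID form.

    value is the opaque per-SP identifier the IdP keeps for the user; the
    qualifiers are the IdP's and SP's entityIDs.  ElementTree escapes all
    three, so untrusted input cannot break the XML structure.
    """
    ET.register_namespace("saml", SAML2)
    statement = ET.Element(f"{{{SAML2}}}AttributeStatement")
    attribute = ET.SubElement(statement, f"{{{SAML2}}}Attribute", {
        "Name": EPTID_OID,
        "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "FriendlyName": "eduPersonTargetedID",
    })
    attr_value = ET.SubElement(attribute, f"{{{SAML2}}}AttributeValue")
    name_id = ET.SubElement(attr_value, f"{{{SAML2}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id,
    })
    name_id.text = value
    return ET.tostring(statement, encoding="unicode")


# Constructed sample: what a plain user-attribute mapper produces, a string value.
EPTID_AS_STRING = f"""
<saml:AttributeStatement xmlns:saml="{SAML2}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="{EPTID_OID}" FriendlyName="eduPersonTargetedID"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">a8f0c2e1d7b94f3e</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

if __name__ == "__main__":
    print(check_eptid(EPTID_AS_STRING))
    fixed = build_eptid("a8f0c2e1d7b94f3e", "https://idp.example.edu/idp/shibboleth",
                        "https://sp.example.org/shibboleth")
    print(fixed)
    print(check_eptid(fixed))
```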
From kevin.berendsen at pharmapartners.nl Wed May 30 07:56:14 2018
From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen)
Date: Wed, 30 May 2018 11:56:14 +0000
Subject: [keycloak-user] Keycloak with apache in front
In-Reply-To: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com>
References: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com>
Message-ID: <3e9ccd341d484533aa5176c52f66cfe9@FERB.ppg.lan>

Hi!

You're almost there. You need to add a small thing to the configuration of your Keycloak instance as described in the documentation [1]. Look at the "X-Forwarded-For HTTP Config" snippet. Assumingly you're missing proxy-address-forwarding="true" in your HTTP listener.

[1] https://www.keycloak.org/docs/3.4/server_installation/index.html#identifying-client-ip-addresses

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Haikal Rios
Sent: Tuesday, May 29, 2018 8:39 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak with apache in front

Version: 3.4.3

Hello everybody,

I am trying to use keycloak in my application. My structure is apache in front, one server with my application and another server for keycloak. There is ssl in Apache. When I open my application it calls the login page in keycloak, but when I put login/password and click the log in button my browser is directed to the local address, the same address that is configured in the httpconf virtual host section:

ProxyPass "/auth/" "http://localhost:8180/auth/"
ProxyPassReverse "/auth/" "http://localhost:8180/auth/"

Anyone have an idea about this problem? Maybe it is apache configuration, maybe not.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From uo67113 at gmail.com Wed May 30 11:38:10 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 30 May 2018 17:38:10 +0200
Subject: [keycloak-user] Keycloak user session time out
In-Reply-To: <4D2B736E058FB9498FF049DBC89C8F95CBEC14A3@SPQCMBX01.exfo.com>
References: <4D2B736E058FB9498FF049DBC89C8F95CBEC00DC@SPQCMBX01.exfo.com> <4D2B736E058FB9498FF049DBC89C8F95CBEC14A3@SPQCMBX01.exfo.com>
Message-ID:

Hello Ashutosh,

I must admit that I do not know if it is possible. Maybe you can find something useful in the keycloak REST API: https://www.keycloak.org/docs-api/4.0/rest-api/index.html

Anyway you will need to also keep in mind your application session, unless it never expires :)

Cheers,

Luis

2018-05-30 8:55 GMT+02:00 Ashutosh Kanthi:

> Hi Luis,
>
> Just to clarify more on my requirement.
>
> I want to show an info before the session runs into a timeout, so that the user can react and not be logged out. For this I need to read the session timeout that is configured in the keycloak. Is there a possibility to get the timeout value through the Keycloak API?
>
> Thanks & regards,
> Ashutosh Kanthi
>
> -----Original Message-----
> From: Ashutosh Kanthi
> Sent: Wednesday, May 30, 2018 11:18 AM
> To: 'Luis Rodríguez Fernández'
> Subject: RE: [keycloak-user] Keycloak user session time out
>
> Hi Luis,
>
> Thanks for your response.
>
> As per my scenario, I am more concerned about the keycloak session. I am trying to find out whether there is any way to have a push mechanism in Keycloak so that keycloak would tell the client (idle user) that the session timeout is reaching near.
> Thanks & regards,
> Ashutosh Kanthi
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Luis Rodríguez Fernández
> Sent: Thursday, May 24, 2018 12:39 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak user session time out
>
> Hello Ashutosh,
>
> Perhaps it would be useful if you could describe your scenario a bit more. E.g., me I am using the SAML2 java keycloak adapter [1]. In this scenario I have two sessions, the Service Provider and the Identity Provider one. The Service Provider is an application deployed in apache-tomcat. If you have something like this you could think of using [2] and/or [3]. These listeners can notify you when sessions have been activated/deactivated or attributes changed.
>
> Hope it helps,
>
> Luis
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#saml-2
> [2] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpSessionAttributeListener.html
> [3] https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/http/HttpSessionActivationListener.html
>
> 2018-05-23 14:11 GMT+02:00 Ariel Carrera:
>
> > Maybe you can do it modifying keycloak's adapter or using it with sse, browser notifications or phone notifications (android, iOS...)
> >
> > On Wed, 23 May 2018 at 08:40, Ashutosh Kanthi <ashutosh.kanthi at exfo.com> wrote:
> >
> > > Hi,
> > >
> > > We want to implement one functionality with regard to session timeout in keycloak, i.e. if the session timeout is reaching near, then the user should be notified of the same.
> > > Does anyone know whether it is possible to do this in Keycloak? And if it is possible, then how to do this?
> > >
> > > Thanks & regards,
> > >
> > > Ashutosh Kanthi
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > --
> > Ariel Carrera
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> > - Samuel Beckett
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From vinayatoz at gmail.com Wed May 30 12:40:41 2018
From: vinayatoz at gmail.com (Vinay)
Date: Wed, 30 May 2018 12:40:41 -0400
Subject: [keycloak-user] LDAP failover
Message-ID:

Does Keycloak provide LDAP failover, i.e. can I provide two LDAP URLs while creating an LDAP provider so that users can be searched on both the primary and the secondary LDAP server? This is required for high availability.

From rudreshsj at gmail.com Wed May 30 19:33:51 2018
From: rudreshsj at gmail.com (Rudresh Shashikant)
Date: Thu, 31 May 2018 06:33:51 +0700
Subject: [keycloak-user] Frontend connecting to middleware protected by keycloak-nodejs-connect (intended usage)
Message-ID:

Need to share some context and setup before asking my question, so please excuse the wall of text. =)

My app:

`frontend` is a SPA served as a static resource from NGINX (http://frontend)
`keycloak` server running on http://keycloak
`middleware` is a NodeJS app that frontend communicates with as API endpoint (eg: http://middleware).
Middleware is using keycloak-nodejs-connect (https://github.com/keycloak/keycloak-nodejs-connect) to protect the API endpoint.

The setup code in middleware looks like this:

```
const express = require('express')
const session = require('express-session')

const app = express()
const memoryStore = new session.MemoryStore()
app.use(session({
  secret: 'mySecret',
  resave: false,
  saveUninitialized: true,
  store: memoryStore
}))

// the same memoryStore has to be handed to the Keycloak adapter (see auth/keycloak.js)
const keycloak = require('./auth/keycloak')(memoryStore)
app.use(keycloak.middleware({ logout: '/logout' }))
```

The setup in auth/keycloak.js is:

```
const Keycloak = require('keycloak-connect')

const keycloakConfig = {
  'realm': 'realmName',
  'auth-server-url': `http://keycloak/auth`,
  'ssl-required': 'external',
  'resource': 'clientName',
  'credentials': {
    'secret': 'aaaaaaaa-bbbb-cccc-dddd-1a49c9dfbbef'
  }
}

// exported as a factory so the express-session store created in the main file is shared
module.exports = (memoryStore) =>
  new Keycloak({ store: memoryStore, responseType: 'code' }, keycloakConfig)
```

When a user clicks the "/login" link from frontend, the frontend spawns a new tab and the new tab calls http://middleware/login. The motivation is for the existing state in the UI not to be touched; all redirects etc. happen in a new window. The code in middleware looks like this:

```
app.get('/login', keycloak.protect(), (req, res) => {
  const keycloakTokens = JSON.parse(req.session['keycloak-token'])
  const userInfo = JSON.stringify(decodeToken(keycloakTokens))
  // page that postMessages userInfo to window.opener (its HTML is not preserved in the archive)
  res.status(200).send(` `)
})

// decode the id_token payload (middle JWT segment); Node has no atob, so use Buffer,
// whose base64 decoder also accepts the URL-safe alphabet JWTs use
const decodeToken = ({ id_token }) => {
  const payload = JSON.parse(Buffer.from(id_token.split('.')[1], 'base64').toString('utf8'))
  return payload
}
```

So the idea is that after the OIDC dance, the middleware will respond asking the new tab to postMessage to the opener (parent) with the contents of the id_token JWT.

Assumption 1: the session in the cookie connect.sid is what the middleware uses to ensure the user is still authenticated. Is this assumption accurate?

There is an event listener in frontend that watches for the `postMessage` and saves the information sent (id_token) to localStorage.

Question 1: is this a correct way of doing login given the setup described above?
I think I'm definitely missing something because another protected route in middleware causes a redirect to keycloak again, telling me that middleware does not know the frontend is authenticated.

Question 2: how would logout work in this case? Just clear the browser cookies?

I tried the example app (https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example) but that has a different architecture: the browser points to the middleware domain.

Please let me know if you are looking for more code snippets or details. Happy to provide.

Regards,
Rudy.

From raisandeepkmr at gmail.com Wed May 30 20:25:21 2018
From: raisandeepkmr at gmail.com (Sandeep Rai)
Date: Thu, 31 May 2018 02:25:21 +0200
Subject: [keycloak-user] Modify roles in Token after user login SPI
Message-ID:

Hi Community,

I'm trying to add more roles into the token after the token has been generated following the isValid() return of the Authentication SPI. I have an application which has SMS OTP functionality. After the user has verified the OTP I want to grant more roles to the user by adding those roles into the token. But how do I modify the existing token or even renew it with new roles? Is there an endpoint I can use to do so? Or any other provider interface that I can use to achieve this?

Regards

From haikalrios at gmail.com Thu May 31 00:44:49 2018
From: haikalrios at gmail.com (Haikal Rios)
Date: Thu, 31 May 2018 00:44:49 -0400
Subject: [keycloak-user] Keycloak with apache in front
In-Reply-To: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com>
References: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com>
Message-ID: <9D894160-8CD2-4DAF-85C8-70F67BF91030@gmail.com>

Hello,

I can't make it work. Maybe you don't know what I mean. I will try to explain better.

I am using apache in front in proxy mode. The request arrives at apache, after which it is sent to the server responsible for the request. My application is running on one server and keycloak on another, but both use apache. When I open the application it works.
My app sends a request to keycloak, which shows the authentication page, so far so good. But when I press the login button, the URL the page is sent to is the local server, the same server as in httpd.conf, see below.

> ProxyPass "/auth/" "http://localhost:8180/auth/"
> ProxyPassReverse "/auth/" "http://localhost:8180/auth/"

Maybe this problem is in the apache configuration, maybe not. Does anybody have an opinion about what's happening?

Haikal Rios

> On May 29, 2018, at 2:38 PM, Haikal Rios wrote:
>
> Version: 3.4.3
>
> Hello everybody,
>
>
> I am trying to use keycloak in my application. My structure is apache in front, one server with my application and another server for keycloak.
>
> There is SSL in Apache.
>
> When I open my application it calls the login page in keycloak, but when I enter login/password and click the log in button my browser is directed to the local address, the same address that is configured in the httpd.conf virtual host section:
>
> ProxyPass "/auth/" "http://localhost:8180/auth/"
> ProxyPassReverse "/auth/" "http://localhost:8180/auth/"
>
> Anyone have an idea about this problem? Maybe it is the apache configuration, maybe not.

From mposolda at redhat.com Thu May 31 02:15:05 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 31 May 2018 08:15:05 +0200
Subject: [keycloak-user] LDAP failover
In-Reply-To:
References:
Message-ID:

JNDI itself supports it per the docs: https://docs.oracle.com/javase/1.5.0/docs/guide/jndi/jndi-ldap-gl.html#url . So it's possible that if you just configure "Connection URL" and add more URLs, the failover will just work. But I never tried to test it, so no guarantee...

Marek

On 30/05/18 18:40, Vinay wrote:
> Does keycloak provide LDAP failover i.e. provide two LDAP URLs while
> creating an LDAP provider so that users can be search on both primary and
> secondary LDAP server ? This is required for high availability ?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Thu May 31 04:16:47 2018
From: lists at merit.unu.edu (mj)
Date: Thu, 31 May 2018 10:16:47 +0200
Subject: [keycloak-user] LDAP failover
In-Reply-To:
References:
Message-ID: <6cd56993-0c49-fb1f-cdbf-8e6322662976@merit.unu.edu>

On 30/05/18 18:40, Vinay wrote:
> Does keycloak provide LDAP failover i.e. provide two LDAP URLs while
> creating an LDAP provider so that users can be search on both primary and
> secondary LDAP server ? This is required for high availability ?

What we do: have a local haproxy configured with your ldap servers, and haproxy will do the ldap failover. And then we make keycloak talk to the haproxy on localhost.

Works for us.

MJ

From lists at merit.unu.edu Thu May 31 04:21:03 2018
From: lists at merit.unu.edu (mj)
Date: Thu, 31 May 2018 10:21:03 +0200
Subject: [keycloak-user] Keycloak with apache in front
In-Reply-To: <9D894160-8CD2-4DAF-85C8-70F67BF91030@gmail.com>
References: <8CCFCA3D-E11E-4E34-9814-872533A9D020@gmail.com> <9D894160-8CD2-4DAF-85C8-70F67BF91030@gmail.com>
Message-ID: <5984d1d3-645d-a490-33d8-3f0ea755595a@merit.unu.edu>

This apache2 vhost.conf (under debian 8) works for us:

> <VirtualHost *:443>
>     ServerAdmin webmaster at company.com
>     ServerName keycloak.company.com
>     DocumentRoot /var/www/html
>
>     RewriteEngine On
>     RewriteCond %{REQUEST_URI} ^/$
>     RewriteRule ^/.*$ https://id.company.com/auth/realms/domain/account
>
>     ProxyPreserveHost On
>     ProxyVia Off
>     ProxyRequests Off
>     ProxyPass / "http://localhost:8080/"
>     ProxyPassReverse / "http://localhost:8080/"
>
>     RequestHeader set X-Forwarded-Proto "https"
>     RequestHeader set X-Forwarded-Port "443"
>
>     <Proxy *>
>         Order deny,allow
>         Allow from all
>     </Proxy>
>
>     # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
>     # error, crit, alert, emerg.
>     # It is also possible to configure the loglevel for particular
>     # modules, e.g.
>     LogLevel debug ssl:warn
>
>     ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
>     CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
>     # SSL Engine Switch:
>     # Enable/Disable SSL for this virtual host.
>     SSLEngine on
>     SSLCertificateFile /etc/ssl/apache2/cert.pem
>     SSLCertificateKeyFile /etc/ssl/apache2/cert.key
>     SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem
> </VirtualHost>

Perhaps it will help you.

MJ

From lemso at free.fr Thu May 31 04:51:05 2018
From: lemso at free.fr (Lamine Léo Keita)
Date: Thu, 31 May 2018 10:51:05 +0200
Subject: [keycloak-user] Fwd: user session not shared in cluster with keycloak 3.4.3
In-Reply-To:
References:
Message-ID:

Hi Team,

I encountered some issues with the keycloak cluster config. It's like everything is fine but user sessions are not shared, and that shows there is an issue.

To verify, I logged in to each Keycloak server on the master realm with one user and looked at the number of sessions on the master realm. There I see only one session on each server instead of 2 sessions.

When I log in to the Infinispan console I can see that both servers are sharing 2 entries in the session cache.

I have two remote sites: site3 and site5.

On each site I have Infinispan 9.2.3 running and Keycloak 3.4.3.

As you can see in the site5 logs, the Infinispan servers see each other.

Please find attached my configuration files and my log files.

Any help would be appreciated.

Thanks

Lemso

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak.zip
Type: application/zip
Size: 36729 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180531/b9e3bb27/attachment-0001.zip

From valsarajpv at gmail.com Thu May 31 05:02:37 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 31 May 2018 14:32:37 +0530
Subject: [keycloak-user] LDAP failover
In-Reply-To: <6cd56993-0c49-fb1f-cdbf-8e6322662976@merit.unu.edu>
References: <6cd56993-0c49-fb1f-cdbf-8e6322662976@merit.unu.edu>
Message-ID:

In case I have multiple HAProxies, can they be configured like Marek suggested?

On Thu 31 May, 2018, 1:48 PM mj, wrote:
>
>
> On 30/05/18 18:40, Vinay wrote:
> > Does keycloak provide LDAP failover i.e. provide two LDAP URLs while
> > creating an LDAP provider so that users can be search on both primary and
> > secondary LDAP server ? This is required for high availability ?
>
> What we do: have a local haproxy configured with your ldap servers, and
> haproxy will do the ldap failover. And then we make keycloak talk to the
> haproxy on localhost.
>
> Works for us.
>
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lists at merit.unu.edu Thu May 31 05:25:02 2018
From: lists at merit.unu.edu (mj)
Date: Thu, 31 May 2018 11:25:02 +0200
Subject: [keycloak-user] LDAP failover
In-Reply-To:
References: <6cd56993-0c49-fb1f-cdbf-8e6322662976@merit.unu.edu>
Message-ID:

We don't require multiple haproxies, so no idea.

mj

On 05/31/2018 11:02 AM, valsaraj pv wrote:
> In case I have multiple HAProxies, can they be configured like Marek suggested?
>
> On Thu 31 May, 2018, 1:48 PM mj, wrote:
>
>
>     On 30/05/18 18:40, Vinay wrote:
>     > Does keycloak provide LDAP failover i.e. provide two LDAP URLs while
>     > creating an LDAP provider so that users can be search on both primary and
>     > secondary LDAP server ? This is required for high availability ?
>
>     What we do: have a local haproxy configured with your ldap servers, and
>     haproxy will do the ldap failover. And then we make keycloak talk to the
>     haproxy on localhost.
>
>     Works for us.
>
>     MJ
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From valsarajpv at gmail.com Thu May 31 08:41:21 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 31 May 2018 18:11:21 +0530
Subject: [keycloak-user] Programmatically login as a user
Message-ID:

Hi,

I have web application login via Keycloak working fine. But for background processing like reading messages from a queue, we need to log in as a dedicated queue user behind the scenes. For this we can't redirect to the login page. Earlier it was done programmatically by using a JAAS login context and passing the login module & credentials. Now that we switch to KC, what is the appropriate model to do this?

Please advise!

Thanks!

From jdennis at redhat.com Thu May 31 11:08:39 2018
From: jdennis at redhat.com (John Dennis)
Date: Thu, 31 May 2018 11:08:39 -0400
Subject: [keycloak-user] SAML signing AuthnRequest results in invalid_signature (SigAlg was null)
In-Reply-To:
References:
Message-ID:

On 05/25/2018 06:03 AM, Pierre Dupont wrote:
> Hi everyone,
>
> I'm using Keycloak 4.0.0.Beta2, and I'm trying to sign AuthnRequests from a
> Service Provider (Ruby Omniauth) to Keycloak.
>
> On Keycloak, I have set "Client Signature Required" to On.
>
> I have set the Omniauth parameters with the following values:
> "security" => {
>   "authn_requests_signed" => true,
>   "embed_sign" => true,
>   "digest_method" => "XMLSecurity::Document::SHA1",
>   "signature_method" => "XMLSecurity::Document::RSA_SHA1",
> }
>
> I also have copied and pasted the SAML keys from Keycloak to the SP.
>
> When initiating a SAML request at the SP, I am redirected to an error page
> with "Invalid requester" on Keycloak.
> In the logs, I got the following:
> 08:49:19,057 ERROR [org.keycloak.protocol.saml.SamlService] (default task-64) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:135)
>     at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:518)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:233)
>     ...
> 08:49:19,058 WARN [org.keycloak.events] (default task-64) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.42.128.4, error=invalid_signature
>
> It seems that Keycloak can't read the Signature Algorithm value. I checked
> the SAML data, and the SignatureMethod is set:
>
>
> I checked my parameters and certificates (tried to use new ones), but I always
> get this error.
>
> What am I doing wrong? Has anyone managed to sign their AuthnRequests or
> encountered the same errors? I haven't found anything similar on the
> internet.

The value you're sending for SignatureAlgorithm is bogus. Refer to the xml signature spec for valid values: https://www.w3.org/TR/xmldsig-core/#sec-SignatureAlg

--
John Dennis

From gianluca.frediani at outlook.com Thu May 31 11:18:15 2018
From: gianluca.frediani at outlook.com (Gianluca Frediani)
Date: Thu, 31 May 2018 15:18:15 +0000
Subject: [keycloak-user] User impersonation from Javascript adapter
Message-ID:

Hi all,

I'm trying to use the impersonation feature of Keycloak from a web application using the Javascript adapter. The idea is that a user (with the impersonation permission) can specify the user id of another user, click a button, and then navigate the web application as the specified user (this is similar to what happens when you click "Impersonate" on the Admin Console).
I haven't found any example of how to implement this feature, and I haven't found any specific method in the Javascript adapter. The best solution I have found so far is to call the token exchange API, obtain new tokens, and then call the init method of the keycloak instance again. However, this only works when checkLoginIframe is disabled. If the iframe is present the user is logged out and redirected to the login page.

I just want to know if there is a better way to implement this feature, and I think it would be nice to have a working example. Furthermore, it would be nice to have an "impersonate" method directly on the keycloak adapter that performs all the required operations (call the token exchange API, re-set all tokens, and so on). For the last point I can contribute if necessary.

Regards,
Gianluca

From adrianmoya at gmail.com Thu May 31 11:36:13 2018
From: adrianmoya at gmail.com (Adrian Moya)
Date: Thu, 31 May 2018 10:36:13 -0500
Subject: [keycloak-user] Convert Bearer Token to Principal (Java+Spring+WS)
Message-ID:

Hi!

I'm trying to secure a websocket endpoint using the recommendations from Spring's documentation at https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/websocket.adoc#token-authentication

I can get the Bearer token in the STOMP message header but I don't know how to convert it to a Principal. Is there a way to actually do this? Here's a code snippet of what's expected:

if (StompCommand.CONNECT.equals(accessor.getCommand())) {
    Authentication user = ... ; // access authentication header(s)
    accessor.setUser(user);
}

--
Adrian E. Moya G.

From ritesh.garg at outlook.com Thu May 31 12:08:04 2018
From: ritesh.garg at outlook.com (Ritesh Garg)
Date: Thu, 31 May 2018 16:08:04 +0000
Subject: [keycloak-user] Logout via admin API causes offline token to go stale
In-Reply-To:
References: ,
Message-ID:

Any insights on this?
Thanks,
Ritesh

> On May 25, 2018, at 4:35 PM, Ritesh Garg wrote:
>
> Hi,
>
> I have made an interesting observation with Keycloak 3.4.3. The offline token for a user is considered stale if the user sessions are logged out using the Admin API. I have not checked if this happens when the user triggers logout *without* admin involvement. One thing to note here is that we have "revoke refresh token" enabled. Offline token validity is in days.
>
> Here are the steps I followed:
>
> 1. Generated an access token for a user using the API.
>
> 2. Generated an offline token for the same user using the API with scope offline_access.
>
> 3. Generated an admin access token using the API.
>
> 4. Using the admin token, triggered a logout on the user id with the /users/{userid}/logout API.
>
> 5. Checked the web console to verify that the user sessions are gone but the consents tab still has the offline token.
>
> 6. Tried to get an access token using the offline token from step 2 with grant refresh_token and got a stale token error.
>
> Is this expected?
>
> Thanks,
> Ritesh

From getankur86 at gmail.com Thu May 31 13:36:03 2018
From: getankur86 at gmail.com (Ankur Singhal)
Date: Thu, 31 May 2018 23:06:03 +0530
Subject: [keycloak-user] Keycloak - 2FA Factor - QR Code - Rest API
Message-ID:

Hi All,

I have *my own login page where the user enters username/password.* This username/password is used to log in through the Keycloak REST API.

http://localhost:8080/auth/realms/Demo/protocol/openid-connect/token
input - {username,password,grant_type,client_secret,client_id}

And in the response I get an access token.

Now I wish to enable an Authenticator (Google Authenticator). I have enabled it from the backend. Now if a user wishes to log in through my application, on my login page I need to get the details below.

1.) Somehow I need to include the QR code that appears on the keycloak login page after username/password validation on my login screen for the first-time login, once the user enters username/password.
So do we have any API which returns the Keycloak QR code image in the response?

2.) On subsequent logins I will have an OTP field, so I need a REST API to pass the OTP along with username/password.

Please help with the REST API if keycloak has any. Integrating through Javascript.

Similar flow as described in use case 1 here. I just want to use keycloak as a database, doing all operations for me; the input will be my screen. I do want redirection of URLs while logging in and yet it should be deployed standalone.

https://stackoverflow.com/questions/50319327/keycloak-multi-2fa-factor-otp-qr-code-custom-login-screen-rest-api

Thanks
Ankur

From sthorger at redhat.com Thu May 31 16:48:02 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 31 May 2018 22:48:02 +0200
Subject: [keycloak-user] Keycloak on OpenShift
Message-ID:

I wrote up a blog post and did a screencast showing how to deploy Keycloak on OpenShift. Of course I also deployed and secured a Node.js service and a HTML5 application for good measure.

The blog post is here: https://blog.keycloak.org/2018/05/keycloak-on-openshift.html

And for those that prefer a screencast, here you go: https://youtu.be/9zUWqbK3BqI.

This OpenShift thing is really nice! The more I use it the more I like it.
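For the LDAP failover thread above, the following is an added example of the setup mj describes (a local HAProxy that Keycloak's LDAP provider talks to on localhost, with HAProxy doing the failover); it is not configuration from the list or from the Keycloak project, and the LDAP hostnames, ports and timeouts are constructed.

```haproxy
# Added example: local HAProxy in front of two LDAP servers, as described in the
# LDAP failover thread. Hostnames, ports and timeouts are constructed.
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Keycloak's LDAP provider "Connection URL" then points at ldap://127.0.0.1:389.
frontend ldap_local
    bind 127.0.0.1:389
    default_backend ldap_servers

backend ldap_servers
    balance roundrobin
    # Active LDAP health check: HAProxy sends an anonymous LDAPv3 bind and expects a
    # valid bindResponse, so a server that accepts TCP but cannot answer LDAP is marked down.
    option ldap-check
    server ldap1 ldap1.example.com:389 check inter 5s fall 2 rise 2
    server ldap2 ldap2.example.com:389 check inter 5s fall 2 rise 2 backup
```

With `backup` on the second server the pair is active/passive (ldap2 only receives traffic while ldap1 is down); drop the keyword to spread searches across both. The alternative Marek mentions is in the JNDI document he links: the LDAP provider URL may be a space-separated list of URLs that are tried in order, so a "Connection URL" of the form `ldap://ldap1.example.com:389 ldap://ldap2.example.com:389` would rely on that JNDI behaviour rather than on an external proxy, with no health checking and a connection timeout paid on every failover.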