From pulkitsrivastavajd at gmail.com Thu Nov 1 01:05:53 2018
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Thu, 1 Nov 2018 10:35:53 +0530
Subject: [keycloak-user] User Federation for Admin Users
In-Reply-To:
References:
Message-ID:

Any pointer on this?

On Wed, Oct 24, 2018 at 10:28 AM Pulkit Srivastava <pulkitsrivastavajd at gmail.com> wrote:

> Hi,
> Is it possible to use an external user federation for admin users in
> Keycloak? These users should be able to log in to the Keycloak admin.
>
> Thanks,
> Pulkit
>

From kkcmadhu at yahoo.com Thu Nov 1 01:03:28 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 1 Nov 2018 05:03:28 +0000 (UTC)
Subject: [keycloak-user] keycloak not starting up and timing out on HHH000397: Using ASTQueryTranslatorFactory
In-Reply-To: <26978704.17718110.1540974608806@mail.yahoo.com>
References: <26978704.17718110.1540974608806.ref@mail.yahoo.com> <26978704.17718110.1540974608806@mail.yahoo.com>
Message-ID: <1349018991.18157268.1541048608516@mail.yahoo.com>

Any opinion from experts?

Sent from Yahoo Mail on Android

On Wed, 31 Oct 2018 at 2:00 PM, Madhu wrote:

Any idea what's going wrong here?

I have recently set up Keycloak in HA and was able to bring up 2 nodes, and things were working fine. After a day or two, I stopped one node and was never able to bring Keycloak back up. The startup of Keycloak times out here:

[org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory

Steps tried:
stopped the second node in the cluster and tried bringing up both nodes again -> did not succeed (same error)
tried bringing up Keycloak in standalone mode (not HA) -> did not succeed (same error)
tried increasing the timeout with -Djboss.as.management.blocking.timeout=600 (same error)

I have some 350-odd realms in my db (could that be the reason??). Will Keycloak try to validate/migrate data etc. on startup??
I am asking this as I see these lines prior to the timeouts:

08:17:25,264 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 58) HHH000412: Hibernate Core {5.1.10.Final}
08:17:25,266 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000206: hibernate.properties not found
08:17:25,268 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 58) HHH000021: Bytecode provider name : javassist
08:17:25,302 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 58) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:17:25,438 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 58) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:17:25,485 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 58) Envers integration enabled? : true
08:17:26,026 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 58) HV000001: Hibernate Validator 5.3.5.Final
08:17:26,628 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 58) HHH000397: Using ASTQueryTranslatorFactory

The actual exception is a

Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)

with a different cause each time (possibly based on what the thread is doing at

----------------------------Exception-----------------------------------------------------------------------------------------------------------------
08:01:19,392 INFO  [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [
	name: keycloak-default
	...]
08:01:19,440 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 57) HHH000412: Hibernate Core {5.1.10.Final}
08:01:19,442 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000206: hibernate.properties not found
08:01:19,443 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 57) HHH000021: Bytecode provider name : javassist
08:01:19,472 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 57) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
08:01:19,889 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 57) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
08:01:19,936 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 57) Envers integration enabled? : true
08:01:20,425 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 57) HV000001: Hibernate Validator 5.3.5.Final
08:01:21,242 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 57) HHH000397: Using ASTQueryTranslatorFactory
08:06:16,695 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e in state  RUN
08:06:16,702 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:16,703 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,093 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 in state  RUN
08:06:22,094 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 invoked while multiple threads active within it.
08:06:22,095 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 completed with multiple threads - thread ServerService Thread Pool -- 57 was in progress with
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
java.net.SocketInputStream.read(SocketInputStream.java:171)
java.net.SocketInputStream.read(SocketInputStream.java:141)
com.mysql.cj.protocol.ReadAheadInputStream.fill(ReadAheadInputStream.java:107)
com.mysql.cj.protocol.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:150)
com.mysql.cj.protocol.ReadAheadInputStream.read(ReadAheadInputStream.java:180)
java.io.FilterInputStream.read(FilterInputStream.java:133)
com.mysql.cj.protocol.FullReadInputStream.readFully(FullReadInputStream.java:64)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:63)
com.mysql.cj.protocol.a.SimplePacketReader.readHeader(SimplePacketReader.java:45)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:52)
com.mysql.cj.protocol.a.TimeTrackingPacketReader.readHeader(TimeTrackingPacketReader.java:41)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:54)
com.mysql.cj.protocol.a.MultiPacketReader.readHeader(MultiPacketReader.java:44)
com.mysql.cj.protocol.a.NativeProtocol.readMessage(NativeProtocol.java:557)
com.mysql.cj.protocol.a.NativeProtocol.checkErrorMessage(NativeProtocol.java:735)
com.mysql.cj.protocol.a.NativeProtocol.sendCommand(NativeProtocol.java:674)
com.mysql.cj.protocol.a.NativeProtocol.sendQueryPacket(NativeProtocol.java:966)
com.mysql.cj.NativeSession.execSQL(NativeSession.java:1165)
com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:937)
com.mysql.cj.jdbc.ClientPreparedStatement.executeQuery(ClientPreparedStatement.java:1019)
org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.getResultSet(AbstractLoadPlanBasedLoader.java:434)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:186)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
org.hibernate.collection.internal.PersistentMap.size(PersistentMap.java:123)
java.util.HashMap.putMapEntries(HashMap.java:501)
java.util.HashMap.putAll(HashMap.java:785)
org.keycloak.models.jpa.ClientScopeAdapter.getAttributes(ClientScopeAdapter.java:309)
org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:56)
org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$807/210507936.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$808/1397988528.call(Unknown Source)
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
org.jboss.threads.JBossThread.run(JBossThread.java:320)
08:06:22,096 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19 aborting with 1 threads active!
08:06:22,098 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
08:06:22,099 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,101 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) SQL Error: 0, SQLState: null
08:06:22,101 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
08:06:22,103 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:19
08:06:22,129 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 57) ARJUNA012077: Abort called on already aborted atomic action 0:ffffac1f12aa:-1fdf5642:5bd9614a:e
08:06:22,135 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
        at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
        at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
        at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
        at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
        at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
        at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        ... 6 more
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
        at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
        at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121)
        at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
        at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
        at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
        at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
        at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
        at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
        at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
        at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
        at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
        at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
        at org.keycloak.models.jpa.ClientScopeAdapter.getProtocolMappers(ClientScopeAdapter.java:104)
        at org.keycloak.models.cache.infinispan.entities.CachedClientScope.<init>(CachedClientScope.java:50)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getClientScopeById(RealmCacheSession.java:1147)
        at org.keycloak.models.jpa.RealmAdapter.getClientScopes(RealmAdapter.java:1779)
        at org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:285)
        at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:232)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
        at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
        at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
        at org.keycloak.services.managers.ApplianceBootstrap.isNewInstall(ApplianceBootstrap.java:46)
        at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:211)
        at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
        at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
        ... 28 more
Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.checkTransactionActive(WrapperDataSource.java:245)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransactionActive(WrappedConnection.java:1928)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkStatus(WrappedConnection.java:1943)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.checkTransaction(WrappedConnection.java:1917)
        at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:447)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
        at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
        ... 61 more
08:06:22,168 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
08:06:22,196 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    Caused by: java.sql.SQLException: IJ031070: Transaction cannot proceed: STATUS_ROLLEDBACK"}}
08:06:22,218 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:/jboss/datasources/KeycloakDS]

From yann.chen at gaiaworks.cn Thu Nov 1 01:27:22 2018
From: yann.chen at gaiaworks.cn (Yann Chen)
Date: Thu, 1 Nov 2018 13:27:22 +0800
Subject: [keycloak-user] Keycloak get access token performance test encounter out of memory
Message-ID: <001201d471a3$917726e0$b46574a0$@gaiaworks.cn>+562B14D13D7C5FDF

Hello,

Below are my Keycloak start parameters (domain):

I use JMeter to do the performance test by invoking get access token. Concurrency 300 per second. The first time I can see the QPS is around 1200, but a few seconds later the QPS is down to 600. Then I stop the test and start the second round of tests. I found the QPS is only 400, and also the value is always going down. At last I saw the out-of-memory error in the log, like below:

Is there any solution to this?

Thanks & Best Regards
Yann Chen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 22836 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181101/d33b87cd/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 14766 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181101/d33b87cd/attachment-0003.png

From csekar at redhat.com Thu Nov 1 01:35:13 2018
From: csekar at redhat.com (K Chandra Sekar)
Date: Thu, 1 Nov 2018 11:05:13 +0530
Subject: [keycloak-user] Integration keycloak with application UI
Message-ID:

Hey,

I want to integrate an application with the Keycloak IAM system. I am trying to use Keycloak to protect my application using OpenID Connect. But I want to use the application's login UI and don't want to direct the user to the Keycloak login UI page to authenticate. Keycloak has a Spring Boot adapter which does the job, but it still directs to the Keycloak UI for login. I searched for any API to use from my app UI but I am not getting anything and I am stuck here. Kindly suggest me a workaround or solution so that I can move forward. Anticipating a positive reply.

Thanks and regards,
K.Chandra Sekar

From bojan.milosavljevic95 at gmail.com Thu Nov 1 05:27:58 2018
From: bojan.milosavljevic95 at gmail.com (Bojan Milosavljević)
Date: Thu, 1 Nov 2018 10:27:58 +0100
Subject: [keycloak-user] PKCE and Keycloak
In-Reply-To:
References:
Message-ID:

Great, thanks! This is fantastic! Thank you very much!

Wish you all the best,
Bojan

On Wed, Oct 31, 2018 at 6:48 PM Nalyvayko, Peter wrote:

> Hi Bojan,
> We've been using PKCE so yes, PKCE support is enabled by default
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Bojan Milosavljevic
> Sent: Wednesday, October 31, 2018 5:59 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] PKCE and Keycloak
>
> Hello,
> Is PKCE (if my adapter supports PKCE of course) automatically supported by
> default by Keycloak or do I have to implement it myself?
> Thank you.
> Kind regards,
> Bojan Milosavljevic.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kuba at ufiseru.cz Thu Nov 1 06:30:12 2018
From: kuba at ufiseru.cz (Jakub Fišer)
Date: Thu, 01 Nov 2018 10:30:12 +0000
Subject: [keycloak-user] allow only specific group of users to be authenticated for a specific client
Message-ID: <41a4364a74f0cf493d24b21d7f9a116f@ufiseru.cz>

Hi,

I'm struggling with understanding how authorization and permissions work in Keycloak.

Very simply put: in a single realm I have a number of Clients (also called Applications in Keycloak's user-facing account console). All Clients use OIDC. I also have a number of Users. Clients are "dumb", i.e. they only consume the identity from Keycloak and have no authorization mechanisms available.

I want to have control over which subset of users can "use" specific Clients. I want to authorize Users to use specific Clients (or authorize Clients to authenticate only specific users) and I want all of this to be performed by Keycloak alone.

Example:

current state: two users ("uA" and "uB"), one Client ("cX"). Both users can see cX in their respective application lists on their Keycloak account consoles (and the column "Granted permissions" states "Full access") and both can authenticate (i.e. log in) to the Client. The Client happily accepts both logins as it has no authorization mechanism of its own.

desired state: only user uA can log in to cX; user uB cannot log in to cX and does not see cX in his application list, or at least does not have "Full access" in "Granted permissions". If user uB tries to log in to cX, the login fails somehow (graceful refusal would be nice but I'd be happy with anything at the moment).

The best would be if I could control this through user groups, i.e. only users in group "gX" can log in to Client "cX".
I've been playing with roles, scopes, permissions, custom authentication scripts, and I even tried to superficially reverse engineer the difference between an admin user and a regular user, which is the only case where I can see a difference in the Application list (i.e. a regular user does not see and cannot log in to the "Security Admin Console" application), but have failed to achieve the desired state or even approach it.

I know I'm probably thinking about this all wrong so I'd be happy even for a slight push in the right direction.

thanks,
-jakub.

--
Jakub Fišer
Linux | DevOps | Security

From henning.waack at codecentric.de Thu Nov 1 07:00:10 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Thu, 1 Nov 2018 12:00:10 +0100
Subject: [keycloak-user] How to increase logging
In-Reply-To:
References:
Message-ID:

Are you trying to increase logging for Keycloak running on WildFly? Or for your application protected by some Keycloak Java adapter?

On Wed, 31 Oct 2018 at 22:43, Saranya Mahalingam <smahalingam at anaconda.com> wrote:

> Hello,
>
> The authentication component is not coming up. I don't see any errors in the logs.
> So I thought of improving the logs using JAVA_OPTS like:
>
> name: JAVA_OPTS
> value: -Dkeycloak.logging.level=debug
>
> But I don't see any changes in the logs even after setting the above value.
> Tried a few other options too without success. Do you have any suggestions
> here? Let me know if you need any other information.
>
> Thanks,
> Saranya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Henning Waack | IT Consultant

codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
Management Board: Michael Hochgärtel . Ulrich Kühn . Rainer Vehns
Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files without delay. The unauthorised copying, use or opening of any attached files, as well as the unauthorised forwarding of this e-mail, is not permitted.

From henning.waack at codecentric.de Thu Nov 1 07:26:34 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Thu, 1 Nov 2018 12:26:34 +0100
Subject: [keycloak-user] Integration keycloak with application UI
In-Reply-To:
References:
Message-ID:

Hi Chandra.

It is not recommended not to use the KC login pages. OIDC is built on browser redirects (for browser applications). So you should just theme your KC pages so that they fit your CD and leave things as they are. See https://lists.jboss.org/pipermail/keycloak-user/2016-December/008873.html for example.

Greetings

Henning

On Thu, 1 Nov 2018 at 06:37, K Chandra Sekar wrote:

> Hey,
>
> I want to integrate an application with the Keycloak IAM system. I am trying to use
> Keycloak to protect my application using OpenID Connect. But I want to use the
> application's login UI and don't want to direct the user to the Keycloak login UI
> page to authenticate. Keycloak has a Spring Boot adapter which does the job, but it
> still directs to the Keycloak UI for login. I searched for any API to use
> from my app UI but I am not getting anything and I am stuck here. Kindly
> suggest me a workaround or solution so that I can move
> forward. Anticipating a positive reply.
>
> Thanks and regards,
> K.Chandra Sekar
>

--
Henning Waack | IT Consultant

From psilva at redhat.com Thu Nov 1 08:30:16 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 1 Nov 2018 09:30:16 -0300
Subject: [keycloak-user] Keycloak get access token performance test encounter out of memory
In-Reply-To: <5bda8f41.1c69fb81.d93e1.d8eeSMTPIN_ADDED_BROKEN@mx.google.com>

Hi,

Ideally, you should configure your JVM according to the load you are expecting/testing. I would suggest you to try/compare different results with different settings before reporting any performance issue. If running in a docker container, check your JVM ergonomics configuration.

Regards.
Pedro Igor

On Thu, Nov 1, 2018 at 2:29 AM Yann Chen wrote:
> Hello,
>
> Below is my keycloak start parameters (domain):
>
>
> I use jmeter to do the performance test by invoking the get access token.
> Concurrency 300 per second.
>
> 1st time I can see the QPS is around 1200, but a few seconds later, the QPS
> is down to 600.
>
> Then I stop the test, and start the 2nd round test.
>
> I found the QPS is only 400, and also the value is always going down.
>
> At last I saw the log out of memory error like below:
>
>
> Is there any solution on this?
>
> Thanks & Best Regards
>
> Yann Chen
>

From smahalingam at anaconda.com Thu Nov 1 09:31:27 2018
From: smahalingam at anaconda.com (Saranya Mahalingam)
Date: Thu, 1 Nov 2018 08:31:27 -0500
Subject: [keycloak-user] How to increase logging

Hello,

Thank you for getting back. Our application uses Keycloak for Identity and Access Management.

On Thu, Nov 1, 2018 at 6:00 AM Henning Waack wrote:
> Are you trying to increase Logging for Keycloak running on Wildfly? Or for
> your application protected by some Keycloak Java Adapter?
>
> [...]

From pnalyvayko at agi.com Thu Nov 1 11:32:00 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 1 Nov 2018 15:32:00 +0000
Subject: [keycloak-user] PKCE and Keycloak

FYI http://blog.keycloak.org/2017/04/keycloak-310cr1-released.html

________________________________________
From: Bojan Milosavljević [bojan.milosavljevic95 at gmail.com]
Sent: Thursday, November 1, 2018 5:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] PKCE and Keycloak

Great, thanks! This is fantastic! Thank you very much!
Wish you all the best,
Bojan

On Wed, Oct 31, 2018 at 6:48 PM Nalyvayko, Peter wrote:

Hi Bojan,
We've been using PKCE so yes, PKCE support is enabled by default

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Bojan Milosavljevic
Sent: Wednesday, October 31, 2018 5:59 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] PKCE and Keycloak

Hello,

Is PKCE (if my adapter supports PKCE of course) automatically supported by default by Keycloak or do I have to implement it myself?

Thank you.

Kind regards,
Bojan Milosavljevic.

From Kevin.Fox at pnnl.gov Thu Nov 1 11:41:08 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 1 Nov 2018 15:41:08 +0000
Subject: [keycloak-user] Integration keycloak with application UI
Message-ID: <1A3C52DFCD06494D8528644858247BF01C223E71@EX10MBOX03.pnnl.gov>

One of the big selling points of OIDC is that it removes the need for most components to ever handle a password. It centralizes that part so that only the component that must handle it does. This offers significant security benefits. I would not try and work around this. It's an important feature.

Thanks,
Kevin

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Henning Waack [henning.waack at codecentric.de]
Sent: Thursday, November 01, 2018 4:26 AM
To: csekar at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Integration keycloak with application UI

[...]
From pnalyvayko at agi.com Thu Nov 1 13:17:00 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 1 Nov 2018 17:17:00 +0000
Subject: [keycloak-user] Integration keycloak with application UI
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C223E71@EX10MBOX03.pnnl.gov>

Chandra,

You may want to consider using resource owner password flow (direct grant in keycloak nomenclature) if you are absolutely bent on providing your own login pages. The flow is typically reserved for trusted clients so the users will have to trust your app

My $0.02

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Fox, Kevin M [Kevin.Fox at pnnl.gov]
Sent: Thursday, November 1, 2018 11:41 AM
To: Henning Waack; csekar at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Integration keycloak with application UI

[...]

From mandy.fung at tasktop.com Thu Nov 1 16:02:31 2018
From: mandy.fung at tasktop.com (Mandy Fung)
Date: Thu, 1 Nov 2018 13:02:31 -0700
Subject: [keycloak-user] Cannot Migrate Database from 3.2.0 to 4.5.0

Hello Keycloakers,

We are currently running into an issue when upgrading Keycloak from 3.2.0 to 4.5.0 directly. The issue appears to be related to the database migration specifically and from a change introduced in August 2018 which references a previously dropped column. Here is the Jira issue containing some more details with the error and some more analysis: https://issues.jboss.org/browse/KEYCLOAK-8702

Is there anything we can do to help expedite the resolution of this issue aside from the details we have provided on the ticket?

Best regards,
Mandy

--
Mandy Fung | Software Engineer 1 | Tasktop
email: mandy.fung at tasktop.com

From rmbyrd at dstsystems.com Thu Nov 1 17:39:08 2018
From: rmbyrd at dstsystems.com (Byrd, Rob M)
Date: Thu, 1 Nov 2018 21:39:08 +0000
Subject: [keycloak-user] Data filtering in SQL
Message-ID: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com>

I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4.

Thanks!

Rob Byrd
DST Solutions Lead
SS&C Technologies Inc.
1055 Broadway, Kansas City, MO 64105
t: (816) 435-7286 | m (816) 509-0119
rmbyrd at dstsystems.com | www.ssctech.com

Please consider the environment before printing this email and any attachments.

This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.

From andreas.lau at outlook.com Thu Nov 1 22:28:51 2018
From: andreas.lau at outlook.com (Andreas Lau)
Date: Fri, 2 Nov 2018 02:28:51 +0000
Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
In-Reply-To: <09AC28A0-AC9B-43EF-8684-F20F6F4E69C7@outlook.com>

Hey,

I forgot to bounce back to the list. Sorry

________________________________
From: Andreas Lau
Sent: 30 October 2018 23:08:06 CET
To: Dmitry Telegin
Betreff: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources Hello Dmitry, thanks for your response and informations. My problem with that many calls of the resolve methode was not a performance concern in first place. I was surprised for sure and I did indeed thought that I mad a mistake somewhere following the instructions. As you pointed out the behavior is not wrong. The resolver should be called that many times. That's OK I'm fine with this. The first call to the jsf page is not a problem at all, because in the URL we have set the parameter who determines which keycloak.json file has to be used. But I have a problem at the time where the jsf loading process starts to load the resources. It fires get request with the URL to the resources the jsf needs. But now I have lost my scope because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take? Cheers, Andreas Am 30. Oktober 2018 06:29:56 MEZ schrieb Dmitry Telegin
: Hello Andreas, I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints. But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation). Even if there had been the code to determine whether the resolver should or should not kick in, according to web.xml rules, - this code would have been more expensive, let alone it would have broken programmatic security. If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly. [1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm [2] https://gatling.io/ Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote: Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible. So we desparatly ask for your help. Am 24. Oktober 2018 17:16:23 MESZ schrieb Andreas Lau : Hello, we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support multiple clients using multi tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver. We configured the web.xml like this: [web.xml] ... portal /portal/* user public /portal/pages/willkommen.jsf /portal/pages/logout.jsf KEYCLOAK user ... keycloak.config.resolver de.sample.security.MandantBasedKeycloakConfigResolver ... As you can see everything under portal is restricted with two exceptions. 
The code of MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code [2]. In our example we consider that the url has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1". After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for every resource that is loaded through get requests to display the site. I did not expect that many invocation, since the resources are not protected. Can you please tell me if this behaviour is correct? What is my error in adopting the mulity tenancy sample? How can we prevent/workaround that many calls? While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use keycloak to secure a spring boot application and have troubles when a sso redirection occurs. 
Regards, Andreas [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy [2] public KeycloakDeployment resolve(HttpFacade.Request request) { LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++); final String mandantId = request.getFirstParam("kId"); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI()); if (mandantId == null || mandantId.isEmpty()) { // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!"); return null; } KeycloakDeployment deployment = cache.get(mandantId); if (deployment == null) { String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId); InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename); if (is == null) { // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename); return null; } LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null)); deployment = KeycloakDeploymentBuilder.build(is); cache.put(mandantId, deployment); } return deployment; } [3] 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) 
MandantBasedKeycloakConfigResolver.resolve() - counter:1 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<< 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - 
Parameter not found! at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ....... 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! 
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Fri Nov 2 00:45:09 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 02 Nov 2018 07:45:09 +0300 Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources In-Reply-To: References: <09AC28A0-AC9B-43EF-8684-F20F6F4E69C7@outlook.com> Message-ID: <1541133909.10131.1.camel@acutus.pro> Andreas, Could you please elaborate on the nature of the resources your JSF is accessing? If those are static images/CSS/etc. and they do not require authentication, you can simply return new KeycloakDeployment(), a dummy unconfigured instance (you can't return null from the resolver as it will result in an NPE). If those are REST resources that need authentication, you'll probably need to propagate kId somehow to that services, like in a HTTP header or URL param, and process it in the resolver. Good luck, Dmitry On Fri, 2018-11-02 at 02:28 +0000, Andreas Lau wrote: > Hey, > I forgot to bounce back to the list. Sorry > > ________________________________ > > Von: Andreas Lau > Gesendet: 30. Oktober 2018 23:08:06 MEZ > > An: Dmitry Telegin
> Subject: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources > > Hello Dmitry, > > thanks for your response and information. My problem with that many calls of the resolve method was not a performance concern in the first place. I was surprised for sure and I did indeed think that I had made a mistake somewhere following the instructions. > > As you pointed out the behavior is not wrong. The resolver should be called that many times. That's OK, I'm fine with this. > The first call to the JSF page is not a problem at all, because in the URL we have set the parameter that determines which keycloak.json file has to be used. But I have a problem at the time when the JSF loading process starts to load the resources. > It fires GET requests with the URLs of the resources the JSF needs. But now I have lost my scope because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take? > > Cheers, > Andreas > > On 30 October 2018 06:29:56 CET, Dmitry Telegin wrote
: > > Hello Andreas, > > I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints. > > But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation). > > Even if there had been the code to determine whether the resolver should or should not kick in, according to web.xml rules, - this code would have been more expensive, let alone it would have broken programmatic security. If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly. > > [1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm > [2] https://gatling.io/ > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote: > Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible. > So we desperately ask for your help. > > On 24 October 2018 17:16:23 CEST, Andreas Lau wrote: > > Hello, > we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi-tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver. > We configured the web.xml like this:
> [web.xml]
> ...
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>portal</web-resource-name>
>     <url-pattern>/portal/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>public</web-resource-name>
>     <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
>     <url-pattern>/portal/pages/logout.jsf</url-pattern>
>   </web-resource-collection>
> </security-constraint>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
> </login-config>
> <security-role>
>   <role-name>user</role-name>
> </security-role>
> ...
> <context-param>
>   <param-name>keycloak.config.resolver</param-name>
>   <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
> </context-param>
> ...
> As you can see everything under portal is restricted with two exceptions. The code of MandantBasedKeycloakConfigResolver is straightforward and adapted from the example code [2]. In our example we consider that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1". > > After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected. > > Can you please tell me if this behaviour is correct? What is my error in adopting the multi-tenancy sample? How can we prevent/work around that many calls? > While researching I found a JIRA https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use Keycloak to secure a Spring Boot application and have trouble when an SSO redirection occurs. 
> > Regards, > Andreas > > [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
> > [2] public KeycloakDeployment resolve(HttpFacade.Request request) {
>
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
>         final String mandantId = request.getFirstParam("kId");
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
>         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
>
>         if (mandantId == null || mandantId.isEmpty()) {
>             // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
>             return null;
>         }
>
>         KeycloakDeployment deployment = cache.get(mandantId);
>         if (deployment == null) {
>
>             String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
>
>             InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
>             if (is == null) {
>                 // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
>                 return null;
>             }
>             LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
>
>             deployment = KeycloakDeploymentBuilder.build(is);
>             cache.put(mandantId, deployment);
>         }
>
>         return deployment;
>     }
>
> [3]
> 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
> 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - 
uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
> 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
>
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
> 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - 
uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1 > 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! > at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] > at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) 
[undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] > > ....... > > 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43 > 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null > 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout > 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! 
> at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] > at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] > at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] > at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Fri Nov 2 00:49:27 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 02 Nov 2018 07:49:27 +0300 Subject: [keycloak-user] Multitenant KeycloakConfigResolver In-Reply-To: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com> References: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com> Message-ID: <1541134167.10131.3.camel@acutus.pro> Hello Vagelis, Please see my answer to exactly the same question: http://lists.jboss.org/pipermail/keycloak-user/2018-October/016026.html TL;DR: this is by design, but you shouldn't be worried. For unsecured URLs you can simply return new KeycloakDeployment() from your resolver. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-10-30 at 09:19 +0200, Vagelis Savvas wrote: > Hello, > > in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to > protect I would like some URLs > to not be secured. So I would like my custom KeycloakConfigResolver > implementation > to not be called when those URLs are hit but it is. The reason I don't > want my KeycloakConfigResolver to be called is simply because > I have no clue as to what to return in that case: it's a non-secured REST 
> endpoint so a Keycloak realm doesn't make sense in my understanding. > My setup follows the docs: I've installed the adapter for Wildfly and > the web.xml has the necessary setup for not securing some URLs (no > auth-constraint for those URLs) > Also in jboss-web.xml the security-domain element isn't defined, > although I don't know if that plays any role. > My final goal is to have some URLs secured by using the JBoss specific > @SecurityDomain and the standard @RolesAllowed etc annotations. > Can you please shed some light on this matter? I'd greatly appreciate > any detailed explanation of the mechanisms involved in this area. > > Cheers, > Vagelis > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Fri Nov 2 01:21:58 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 02 Nov 2018 08:21:58 +0300 Subject: [keycloak-user] Data filtering in SQL In-Reply-To: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> Message-ID: <1541136118.4390.1.camel@acutus.pro> Hello Rob, If I get it right, it's all about generating a SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that. You should pay attention to the following:
- there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate on HTTP methods but rather use the more generic notion of scopes;
- not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. 
Unless of course your DBMS has a built-in JavaScript engine :) Good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote: > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4. > > Thanks! > > Rob Byrd > DST > Solutions Lead > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 > t: (816) 435-7286 | m (816) 509-0119 > rmbyrd at dstsystems.com | www.ssctech.com > > > Please consider the environment before printing this email and any attachments. > > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From testoauth55 at gmail.com Fri Nov 2 03:28:11 2018 From: testoauth55 at gmail.com (Bruce Wings) Date: Fri, 2 Nov 2018 12:58:11 +0530 Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients? Message-ID: I am referring to the Keycloak Javascript adapter as mentioned in: https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter I have a confidential client and I have downloaded keycloak-oidc.json containing the client secret. Now I am not sure how secure it is to keep this file containing the client secret at the client side. Am I being overly concerned? From vagelis.savvas at gmail.com Fri Nov 2 05:09:37 2018 From: vagelis.savvas at gmail.com (Vagelis Savvas) Date: Fri, 2 Nov 2018 11:09:37 +0200 Subject: [keycloak-user] Multitenant KeycloakConfigResolver In-Reply-To: <1541134167.10131.3.camel@acutus.pro> References: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com> <1541134167.10131.3.camel@acutus.pro> Message-ID: <2c40a114-7d04-ec2f-1887-860c220e5585@gmail.com> Hello Dmitry, thanks for the reply. Currently I do indeed just return a new KeycloakDeployment() as you suggest. This approach may stop working though, take a look at [1]. That said, I don't know if this code will eventually be included in Keycloak. Cheers, Vagelis On 02/11/2018 06:49, Dmitry Telegin wrote: > Hello Vagelis, > > Please see my answer to exactly the same question: http://lists.jboss.org/pipermail/keycloak-user/2018-October/016026.html > > TL;DR: this is by design, but you shouldn't be worried. For unsecured URLs you can simply return new KeycloakDeployment() from your resolver. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. 
> Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Tue, 2018-10-30 at 09:19 +0200, Vagelis Savvas wrote: >> Hello, >> >> in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to >> protect I would like some URLs >> to not be secured. So I would like my custom KeycloakConfigResolver >> implementation >> to not be called when those URLs are hit but it is. The reason I don't >> want my KeycloakConfigResolver to be called is simply because >> I have no clue as to what to return in that case: its a non-secured REST >> endpoint so a Keycloak realm doesn't make sense in my understanding. >> My setup follows the docs: I've installed the adapter for Wildfly and >> the web.xml has the necessary setup for not securing some URLs (no >> auth-constraint for those URLs) >> Also in jboss-web.xml the security-domain element isn't defined, >> although I don't know if that plays any role. >> My final goal is to have some URLs secured by using the JBoss specific >> @SecurityDomain and the standard @RolesAllowed etc annotations. >> Can you please shed some light on this matter? I'd greatly appreciate >> any detailed explanation of the mechanisms involved in this area. >> >> Cheers, >> Vagelis >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From geoff at opticks.io Fri Nov 2 05:32:00 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Fri, 2 Nov 2018 10:32:00 +0100 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: Hi Eric, I'm a beginner like you so please consider my responses accordingly. 1. Often your scenario is similar to a front end app accessing the REST API. 
You can find an example of how to do this here: https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter. First the user logs in to the front end app, which gets the token and uses it for calls to the backend. IMPORTANT: You need to include the backend's client id in the front end's aud claim: https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md
Another hurdle you might find using Gatekeeper in this AJAX setup is CORS. I believe Gatekeeper has a bug and isn't sending the correct headers: https://issues.jboss.org/browse/KEYCLOAK-8722
2. I have the same question as you. After reading the docs, I think the answer is NO. If your back end stack does not have a Keycloak adapter (are you using PHP like me?) then you would have to do all the UMA calls "manually". There are UMA2 specifications out there which would guide us, but I think it's a lot of work. There's also the Gluu oxd project which seems similar to Keycloak Gatekeeper, but I doubt oxd is interoperable with Keycloak.
3. I think that normally a REST service should work with a bearer-only client, which expects the token and does not do authentication redirection. You could instruct your API consumers to get the token directly from Keycloak (using a confidential client?) before hitting your Gatekeeper endpoint. Once again, keep in mind that by default the token retrieved from one client won't work to hit a different client unless you set up the aud claim properly.
Hopefully an expert will join and correct me. Regards, Geoffrey Cleaves On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez wrote: > Dear All, > I am trying to test Keycloak-gatekeeper, have read the docs I could find > (keycloak-proxy as well) but I still have a few questions: > > 1- I am trying to secure a number of REST APIs, configured behind > bearer-only clients. 
I think I need to first get an access token through a > confidential client using a 'grant-type=password' request and then do a > second request to the REST client resource. Is this the right approach, how > would I implement this using Keycloak-Gatekeeper? > > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. > Is there a way to use Keycloak's authorization settings to manage access to > a client's resource (i.e. policies, permissions, uma-ticket, etc.)? > > 3- How do I set up multiple clients, do I have to run and configure > separate instances of Keycloak-Gatekeeper? > > Thanks in advance for your time and help. > > Regards, > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From vagelis.savvas at gmail.com Fri Nov 2 05:42:44 2018 From: vagelis.savvas at gmail.com (Vagelis Savvas) Date: Fri, 2 Nov 2018 11:42:44 +0200 Subject: [keycloak-user] Multitenant KeycloakConfigResolver In-Reply-To: <2c40a114-7d04-ec2f-1887-860c220e5585@gmail.com> References: <6545e127-cf80-befc-39ca-64e33f2a3232@gmail.com> <1541134167.10131.3.camel@acutus.pro> <2c40a114-7d04-ec2f-1887-860c220e5585@gmail.com> Message-ID: <135fae93-f0a1-6bf7-51cd-58016c0be0bf@gmail.com> And the [1] as promised :-) https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java#L63 On 02/11/2018 11:09, Vagelis Savvas wrote: > Hello Dmitry, > thanks for the reply. > Currently I do indeed just return a new KeycloakDeployment() as you > suggest. > This approach may stop working though, take a look at [1]. > That said, I don't know if this code will be eventually included in > Keycloak. 
> > Cheers, > Vagelis > > On 02/11/2018 06:49, Dmitry Telegin wrote: >> Hello Vagelis, >> >> Please see my answer to exactly the same question: >> http://lists.jboss.org/pipermail/keycloak-user/2018-October/016026.html >> >> TL;DR: this is by design, but you shouldn't be worried. For unsecured >> URLs you can simply return new KeycloakDeployment() from your resolver. >> >> Cheers, >> Dmitry Telegin >> CTO, Acutus s.r.o. >> Keycloak Consulting and Training >> >> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> +42 (022) 888-30-71 >> E-mail: info at acutus.pro >> >> On Tue, 2018-10-30 at 09:19 +0200, Vagelis Savvas wrote: >>> Hello, >>> >>> in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to >>> protect I would like some URLs >>> to not be secured. So I would like my custom KeycloakConfigResolver >>> implementation >>> to not be called when those URLs are hit but it is. The reason I don't >>> want my KeycloakConfigResolver to be called is simply because >>> I have no clue as to what to return in that case: its a non-secured >>> REST >>> endpoint so a Keycloak realm doesn't make sense in my understanding. >>> My setup follows the docs: I've installed the adapter for Wildfly and >>> the web.xml has the necessary setup for not securing some URLs (no >>> auth-constraint for those URLs) >>> Also in jboss-web.xml the security-domain element isn't defined, >>> although I don't know if that plays any role. >>> My final goal is to have some URLs secured by using the JBoss specific >>> @SecurityDomain and the standard @RolesAllowed etc annotations. >>> Can you please shed some light on this matter? I'd greatly appreciate >>> any detailed explanation of the mechanisms involved in this area. 
>>> >>> Cheers, >>> Vagelis >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > From ronald.demneri at amdtia.com Fri Nov 2 06:30:39 2018 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Fri, 2 Nov 2018 10:30:39 +0000 Subject: [keycloak-user] filter group claim in token per client Message-ID: Hello everyone, Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value. Thanks in advance, Ronald From bruno at abstractj.org Fri Nov 2 11:05:34 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 2 Nov 2018 12:05:34 -0300 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: Hi Eric, we're still polishing the docs and fixing some high priority issues. The README files and the docs will change in the next release. A few answers inline. On Wed, Oct 31, 2018 at 6:57 PM Eric Boyd Ramirez wrote: > > Dear All, > I am trying to test Keycloak-gatekeeper, have read the docs I could find (keycloak-proxy as well) but I still have a few questions: > > 1- I am trying to secure a number of REST APIs, configured behind bearer-only clients. I think I need to first get an access token through a confidential client using a 'grant-type=password' request and then do a second request to the REST client resource. Is this the right approach, how would I implement this using Keycloak-Gatekeeper? 
I believe Geoffrey answered already. But I hope to include your scenario in the quickstarts too.
> > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. Is there a way to use Keycloak's authorization settings to manage access to a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
Not at the moment, as far as I can tell. But I would appreciate it if you filed a feature request. That way we don't miss this.
> > 3- How do I set up multiple clients, do I have to run and configure separate instances of Keycloak-Gatekeeper?
Yes, you have to configure and run multiple instances. Gatekeeper is more like a sidecar than a proxy.
> > Thanks in advance for your time and help. > > Regards, > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From bruno at abstractj.org Fri Nov 2 11:12:38 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 2 Nov 2018 12:12:38 -0300 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: Hi Geoffrey, On Fri, Nov 2, 2018 at 6:34 AM Geoffrey Cleaves wrote: > > Hi Eric, > > I'm a beginner like you so please consider my responses accordingly. > > 1. Often your scenario is similar to a front end app accessing the REST > API. You can find an example of how to do this here: > https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter. > First the user logs in to the front end app, which gets the token and uses > it for calls to the backend. IMPORTANT: You need to include the backend's > client id in the front end's aud claim: > https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md > > Another hurdle you might find using Gatekeeper in this AJAX setup is CORS. 
> I believe Gatekeeper has a bug and isn't sending the correct headers: > https://issues.jboss.org/browse/KEYCLOAK-8722 > > 2. I have the same question as you. After reading the docs, I think the > answer is NO. If your back end stack does not have a Keycloak adapter (are > you using PHP like me?) then you would have to do all the UMA calls > "manually". There are UMA2 specifications out there which would guide us, > but I think it's a lot of work. There's also the Gluu oxd > project which seems similar to Keycloak > Gatekeeper, but I doubt oxd is interoperable with Keycloak. You are correct about this. It's a lot of work :) But nothing stops us from planning an capture it on Jiras. Feel free to do this if possible. > > 3. I think that normally a REST service should work with a bearer only > client, which expects the token and does not do authentication redirection. > You could instruct your API consumers to get the token directly from > Keycloak (using a confidential client?) before hitting your Gatekeeper > endpoint. Once again, keep in mind that by default the token retrieved from > one client won't work to hit a different client unless you set up the aud > claim properly. Like I mentioned to Eric, the scope of gatekeeper is to act more as sidecar, instead of a proxy. So you pretty much need to deploy one gatekeeper per client. > > Hopefully an expert will join and correct me. > > Regards, > Geoffrey Cleaves > > > > > > > > On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez > wrote: > > > Dear All, > > I am trying to test Keycloak-gatekeeper, have read the docs I could find > > (keaycloak-proxy as well) but I still have a few questions: > > > > 1- I am trying to secure a number of REST APIs, configured behind > > bearer-only clients. I think I need to first get a access token trough a > > confidential client using a 'grant-type=password' request and then do a > > second request to the REST client resource. 
Is this the right approach, how > > would I implement this using Keycloak-Gatekeeper?. > > > > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. > > Is there a way to use Keycloak's authorization settings to manage access to > > a client's resource (i.e. policies, permissions, uma-ticket, etc.)? > > > > 3- How do I set up multiple clients, do I have to run and configure > > separate instances of Keycloak-Gatekeeper? > > > > Thanks in advance for your time and help. > > > > Regards, > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From bruno at abstractj.org Fri Nov 2 11:14:24 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 2 Nov 2018 12:14:24 -0300 Subject: [keycloak-user] Keycloak Gatekeeper CORS problem In-Reply-To: References: Message-ID: Thanks for reporting this Geoffrey. I marked you Jira issue for triage, in this way we can investigate better. On Wed, Oct 31, 2018 at 2:08 PM Geoffrey Cleaves wrote: > > I'm having a problem accessing a REST service protected by Gatekeeper via > AJAX. I have tried many different combinations of settings in the config > file to no avail. I suspect the Gatekeeper has a bug. > > I can access the protected endpoint directly (via Gatekeeper) with no issue > as there is no CORS. I can use the AJAX method successfully when I use a > Chrome plugin to enable CORS for these endpoints. 
> > The message from Chrome is: > > Access to XMLHttpRequest at 'http://domain.com:3001/endpoint.php' from > origin 'http://domain2.com:8888' has been blocked by CORS policy: Response > to preflight request doesn't pass access control check: No > 'Access-Control-Allow-Origin' header is present on the requested resource. > > I see that Chrome only sends an OPTIONS request to Gatekeeper, which does > not respond with a Access-Control-Allow-Origin header at all, despite my > config settings below. > > > My config.yml file looks like this: > > client-id: {id} > client-secret: {secret} > discovery-url: {keyclock end point} > enable-default-deny: true > encryption_key: {32characters} > listen: 0.0.0.0:3000 > redirection-url: http://domain2.com:3001 > upstream-url: http://localhost:8888 > secure-cookie: false > verbose: true > #preserve-host: true > resources: > - uri: /admin* > methods: > - GET > roles: > - test-php-api:test1 > - client:test2 > require-any-role: true > groups: > - admins > - users > - uri: /endpoint.php > roles: > - test-php-api:test1 > - uri: /backend* > roles: > - test-php-api:test1 > - uri: /public/* > white-listed: true > - uri: /favicon > white-listed: true > - uri: /css/* > white-listed: true > - uri: /img/* > white-listed: true > cors-origins: > - '*' > cors-methods: > - GET > - POST > > > Any ideas? > > Geoff > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From psilva at redhat.com Fri Nov 2 11:27:40 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 2 Nov 2018 12:27:40 -0300 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: On Fri, Nov 2, 2018 at 6:36 AM Geoffrey Cleaves wrote: > Hi Eric, > > I'm a beginner like you so please consider my responses accordingly. > > 1. 
Often your scenario is similar to a front end app accessing the REST > API. You can find an example of how to do this here: > > https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter > . > First the user logs in to the front end app, which gets the token and uses > it for calls to the backend. IMPORTANT: You need to include the backend's > client id in the front end's aud claim: > https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md > > Another hurdle you might find using Gatekeeper in this AJAX setup is CORS. > I believe Gatekeeper has a bug and isn't sending the correct headers: > https://issues.jboss.org/browse/KEYCLOAK-8722 > > 2. I have the same question as you. After reading the docs, I think the > answer is NO. If your back end stack does not have a Keycloak adapter (are > you using PHP like me?) then you would have to do all the UMA calls > "manually". There are UMA2 specifications out there which would guide us, > but I think it's a lot of work. There's also the Gluu oxd > project which seems similar to Keycloak > Gatekeeper, but I doubt oxd is interoperable with Keycloak. > Yes, it is. We did recently a collaborative work with Gluu team to check interoperability. In fact, they used oxd to check that both Gluu and Keycloak ASs could be used to support UMA. > > 3. I think that normally a REST service should work with a bearer only > client, which expects the token and does not do authentication redirection. > You could instruct your API consumers to get the token directly from > Keycloak (using a confidential client?) before hitting your Gatekeeper > endpoint. Once again, keep in mind that by default the token retrieved from > one client won't work to hit a different client unless you set up the aud > claim properly. > > Hopefully an expert will join and correct me. 
> > Regards, > Geoffrey Cleaves > > > > > > > > On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez > > wrote: > > > Dear All, > > I am trying to test Keycloak-gatekeeper, have read the docs I could find > > (keaycloak-proxy as well) but I still have a few questions: > > > > 1- I am trying to secure a number of REST APIs, configured behind > > bearer-only clients. I think I need to first get a access token trough a > > confidential client using a 'grant-type=password' request and then do a > > second request to the REST client resource. Is this the right approach, > how > > would I implement this using Keycloak-Gatekeeper?. > > > > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource > access. > > Is there a way to use Keycloak's authorization settings to manage access > to > > a client's resource (i.e. policies, permissions, uma-ticket, etc.)? > > > > 3- How do I set up multiple clients, do I have to run and configure > > separate instances of Keycloak-Gatekeeper? > > > > Thanks in advance for your time and help. > > > > Regards, > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bruno at abstractj.org Fri Nov 2 11:32:57 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 2 Nov 2018 12:32:57 -0300 Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients? In-Reply-To: References: Message-ID: I believe you're missing an important step from the docs. The docs state that Javascript clients should be configured as public clients. I don't think it's a good idea to store client secret into web apps, it's really unsafe. 
On Fri, Nov 2, 2018 at 4:28 AM Bruce Wings wrote: > > I am referring to Keycloak Javascript adapter as mentioned in : > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter > > I have a confidential client and I have downloaded keycloak-oidc.json > containing client secret. Now I am not sure how secure is it to keep this > file containing client-secret at the client side. > > Am I being over concerned? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From geoff at opticks.io Fri Nov 2 11:35:49 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Fri, 2 Nov 2018 16:35:49 +0100 Subject: [keycloak-user] Ability for users to manage their own resources Message-ID: How can we enable the ability for users to manage their own resources as described in section *8.3.3. Managing Access to Users Resources* at this link https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access ? This picture looks so nice : https://www.keycloak.org/docs/latest/authorization_services/keycloak-images/service/account-my-resource.png I am using a confidential client with Authorization enabled on Keycloak 4.5.0 Final. I have used the UMA2 endpoints directly to create a resource owned by a user, yet that user (me :) can't see the My Resources screen. Any help is appreciated! Geoff From ulrik.sjolin at gmail.com Fri Nov 2 11:39:44 2018 From: ulrik.sjolin at gmail.com (=?UTF-8?Q?Ulrik_Sj=C3=B6lin?=) Date: Sat, 3 Nov 2018 00:39:44 +0900 Subject: [keycloak-user] Bug? Shared UMA resource not accessible Message-ID: Hello there, I wonder if anyone is experiencing this problem and if anyone out there has a workaround (I am running 4.5.0). The problem I have comes up in a really simple situation: JDoe has 1 resource (JDoeResource) that he shares with Alice (scope: JDoeScope). 
Alice tries to access that resource with permission=JDoeResource#JDoeScope. This fails with a "400 bad request" when it should return the resource in question. I wonder if this is [KEYCLOAK-8448] that I am seeing. When alice tries to access the resource with permission=#JDoeScope or by just specifying permission=#JDoeScope everything works fine. Below there is a small script that recreates and demonstrates the problem. Any help in this matter would be greatly appreciated. Best Regards, Ulrik Sjölin In order to run the script below you need to have the tools "jwt-cli" and "jq" installed.

#!/bin/bash
export host=keycloak
export port=8080
export realm=myrealm
export resource_server_client_id=my-service
export resource_server_client_secret=88888888-8888-8888-8888-888888888888
export username=alice
export password=alice
export resource_owner=jdoe
export resource_name=JDoeResource
export scope=JDoeScope

# access token for the requesting party (alice), obtained through the resource server client
export access_token=\
`curl --silent \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -d client_id=${resource_server_client_id} \
  -d client_secret=${resource_server_client_secret} \
  -d username=${username} \
  -d password=${password} \
  -d grant_type=password \
  | jq -r ".access_token"`

# look the resource up by name; the protection API returns a list of resource ids
export result=\
`curl --silent -X GET \
  http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set?name=${resource_name} \
  -H "Authorization: Bearer ${access_token}" \
  | jq -r ".[0]"`

if [ "$result" = "null" ]; then
  # first run: register the resource as owned by jdoe, then share it by hand
  export new_id=`curl --silent -X POST \
    http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set \
    -H "content-type: application/json" \
    -H "Authorization: Bearer ${access_token}" \
    --data @<(cat <<EOF
{
  "name":"${resource_name}",
  "type":"Entities",
  "owner":"${resource_owner}",
  "ownerManagedAccess":"true",
  "resource_scopes":["JDoeScope"]
}
EOF
) | jq -r "._id"`
  echo "Created resource with id: ${new_id}"
  echo "Log in with user ${resource_owner} into keycloak"
  echo "and share ${resource_name} with ${username}"
  echo "When that is done, run this script again"
else
  echo "Found resource with id: ${result}"
  resource_id=$result
fi

# 1) scope only
export result=\
`curl --silent -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${resource_server_client_id}" \
  --data "permission=#${scope}" \
  | jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=#${scope}: ${result}"

# 2) resource id + scope
export result=\
`curl --silent -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${resource_server_client_id}" \
  --data "permission=${resource_id}#${scope}" \
  | jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=${resource_id}#${scope}: $result"

# 3) resource name + scope
export result=\
`curl --silent -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=${resource_server_client_id}" \
  --data "permission=${resource_name}#${scope}" \
  | jq -r ".access_token"`
export result=`jwt $result | grep ${resource_name}`
echo "permission=${resource_name}#${scope}: ${result}"

From psilva at redhat.com Fri Nov 2 11:45:27 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 2 Nov 2018 12:45:27 -0300 Subject: [keycloak-user] Ability for users to manage their own resources In-Reply-To: References: Message-ID: Hi, We should highlight this in docs, but "open the realm settings page in Keycloak Administration Console and enable the User-Managed Access switch". Regards.
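Added by the editor as a companion to Ulrik's script above; it is not code from the thread or from Keycloak. It shows what the resource server does with the RPT once it comes back: build the permission parameter from the resource id (the value the resource_set?name= lookup returns, which is what Pedro's reply further down recommends over the name), verify the token's signature, expiry and audience, and only then check the authorization.permissions claim for the resource and scope. The HS256 key, the resource id and the token itself are constructed for the demo; a real Keycloak RPT is RS256-signed with the realm key and should be verified against the realm's JWKS with a JOSE library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 key, used only to mint and verify the demo token below.
# Assumption for the demo: real RPTs are RS256-signed with the realm key.
DEMO_KEY = b"demo-shared-secret-not-a-realm-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def permission_param(resource_id: str, scope: str) -> str:
    """Value for the uma-ticket grant's permission parameter: <resource id>#<scope>.
    The id is what GET .../authz/protection/resource_set?name=<name> returns."""
    return f"{resource_id}#{scope}"


def mint_demo_rpt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed RPT carrying Keycloak's authorization claim shape (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_rpt(token: str, audience: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Signature, expiry and audience must all pass before any claim is trusted."""
    header_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # Keycloak emits a string or a list
    if audience not in aud:
        raise ValueError("token not issued for this resource server")
    return claims


def rpt_grants(claims: dict, resource_id: str, scope: str) -> bool:
    """True if the RPT's authorization claim grants `scope` on `resource_id`."""
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsid") == resource_id and scope in perm.get("scopes", []):
            return True
    return False


# Constructed id standing in for the UUID Keycloak returned when JDoeResource
# was registered; the RPT below is what alice would get for id#JDoeScope.
JDOE_RESOURCE_ID = "3f0c8c64-0000-4000-8000-00000000abcd"
ALICE_RPT = mint_demo_rpt({
    "sub": "alice", "aud": "my-service", "exp": 2_000_000_000,
    "authorization": {"permissions": [
        {"rsid": JDOE_RESOURCE_ID, "rsname": "JDoeResource", "scopes": ["JDoeScope"]}
    ]},
})


def demo() -> dict:
    claims = verify_rpt(ALICE_RPT, audience="my-service", now=1_700_000_000)
    return {
        "permission_param": permission_param(JDOE_RESOURCE_ID, "JDoeScope"),
        "granted": rpt_grants(claims, JDOE_RESOURCE_ID, "JDoeScope"),
        "wrong_scope": rpt_grants(claims, JDOE_RESOURCE_ID, "Delete"),
    }


if __name__ == "__main__":
    print(demo())
```

The check on rsid rather than rsname is deliberate: names are only unique per resource server and can be re-registered, while the id is what the permission was granted against.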
Pedro Igor On Fri, Nov 2, 2018 at 12:42 PM Geoffrey Cleaves wrote: > How can we enable the ability for users to manage their own resources as > described in section *8.3.3. Managing Access to Users Resources* at this > link > > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access > ? This picture looks so nice : > > https://www.keycloak.org/docs/latest/authorization_services/keycloak-images/service/account-my-resource.png > > I am using a confidential client with Authorization enabled on Keycloak > 4.5.0 Final. I have used the UMA2 endpoints directly to create a resource > owned by a user, yet that user (me :) can't see the My Resources screen. > > Any help is appreciated! > > Geoff > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Fri Nov 2 11:50:11 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 2 Nov 2018 12:50:11 -0300 Subject: [keycloak-user] Ability for users to manage their own resources In-Reply-To: References: Message-ID: Btw, I know we can improve that page and that was the initial version we wanted to push to our community. Please, let us know your ideas that could improve UX. There is some work going on with v2 of Account Service that is much neater, hope to get back to this task soon... On Fri, Nov 2, 2018 at 12:42 PM Geoffrey Cleaves wrote: > How can we enable the ability for users to manage their own resources as > described in section *8.3.3. Managing Access to Users Resources* at this > link > > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access > ? This picture looks so nice : > > https://www.keycloak.org/docs/latest/authorization_services/keycloak-images/service/account-my-resource.png > > I am using a confidential client with Authorization enabled on Keycloak > 4.5.0 Final. 
I have used the UMA2 endpoints directly to create a resource > owned by a user, yet that user (me :) can't see the My Resources screen. > > Any help is appreciated! > > Geoff > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Fri Nov 2 11:53:20 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 2 Nov 2018 12:53:20 -0300 Subject: [keycloak-user] Bug? Shared UMA resource not accessible In-Reply-To: References: Message-ID: Hi, For UMA protected resources you should use the resource id within the "permission" parameter. The reason being that the server could not infer the correct resource based on the name. Another option is using the regular UMA flow with permission tickets. Regards. Pedro Igor On Fri, Nov 2, 2018 at 12:49 PM Ulrik Sjölin wrote: > Hello there, > > I wonder if anyone is experiencing this problem and if anyone out > there has a workaround (I am running 4.5.0). > > The problem I have comes up in a really simple situation: > JDoe has 1 resource (JDoeResource) that he shares with Alice (scope: > JDoeScope). > > Alice tries to access that resource with > permission=JDoeResource#JDoeScope. This fails with a "400 bad request" > when > it should return the resource in question. I wonder if this is > [KEYCLOAK-8448] that I am seeing. > > When alice tries to access the resource with > permission=#JDoeScope or by just specifying > permission=#JDoeScope > everything works fine. > > Below there is a small script that recreates and demonstrates the problem. > > Any help in this matter would be greatly appreciated. > > Best Regards, > > Ulrik Sjölin > > > In order to run the script below you need to have the tools "jwt-cli" > and "jq" installed.
> > #!/bin/bash > export host=keycloak > export port=8080 > export realm=myrealm > export resource_server_client_id=my-service > export resource_server_client_secret=88888888-8888-8888-8888-888888888888 > export username=alice > export password=alice > export resource_owner=jdoe > export resource_name=JDoeResource > export scope=JDoeScope > > export access_token=\ > `curl --silent \ > http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token > \ > -d client_id=${resource_server_client_id} \ > -d client_secret=${resource_server_client_secret} \ > -d username=${username} \ > -d password=${password} \ > -d grant_type=password \ > | jq -r ".access_token"` > > export result=\ > `curl --silent -X GET \ > http:// > ${host}:${port}/auth/realms/${realm}/authz/protection/resource_set?name=${resource_name} > \ > -H "Authorization: Bearer ${access_token}" \ > | jq -r ".[0]"` > > if [ "$result" = "null" ]; then > export new_id=`curl --silent -X POST \ > http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set > \ > -H "content-type: application/json" \ > -H "Authorization: Bearer ${access_token}" \ > --data @<(cat <{ > "name":"${resource_name}", > "type":"Entities", > "owner":"${resource_owner}", > "ownerManagedAccess":"true", > "resource_scopes":["JDoeScope"] > } > EOF > ) | jq -r "._id"` > > echo "Created resource with id: ${new_id}" > echo "Log in with user ${resource_owner} into keycloak" > echo "and share ${resource_name} with ${username}" > echo "When that is done, run this script again" > else > echo "Found resource with id: ${result}" > resource_id=$result > fi > > export result=\ > `curl --silent -X POST \ > http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token > \ > -H "Authorization: Bearer ${access_token}" \ > --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ > --data "audience=${resource_server_client_id}" \ > --data "permission=#${scope}" \ > | jq -r ".access_token"` > > export result=`jwt 
$result | grep ${resource_name}` > echo "permission=#${scope}: ${result}" > > export result=\ > `curl --silent -X POST \ > http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token > \ > -H "Authorization: Bearer ${access_token}" \ > --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ > --data "audience=${resource_server_client_id}" \ > --data "permission=${resource_id}#${scope}" \ > | jq -r ".access_token"` > > export result=`jwt $result | grep ${resource_name}` > echo "permission=${resource_id}#${scope}: $result" > > export result=\ > `curl --silent -X POST \ > http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token > \ > -H "Authorization: Bearer ${access_token}" \ > --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ > --data "audience=${resource_server_client_id}" \ > --data "permission=${resource_name}#${scope}" \ > | jq -r ".access_token"` > > export result=`jwt $result | grep ${resource_name}` > echo "permission=${resource_name}#${scope}: ${result}" > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From geoff at opticks.io Fri Nov 2 11:54:00 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Fri, 2 Nov 2018 16:54:00 +0100 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: "Yes, it is. We did recently a collaborative work with Gluu team to check interoperability. In fact, they used oxd to check that both Gluu and Keycloak ASs could be used to support UMA." That's very interesting, Pedro. oxd does appear have PHP adapters. In your opinion, is it viable to use oxd as the missing Keycloak PHP adapter? On Fri, 2 Nov 2018 at 16:27, Pedro Igor Silva wrote: > > > >> >> > Yes, it is. We did recently a collaborative work with Gluu team to check > interoperability. 
In fact, they used oxd to check that both Gluu and > Keycloak ASs could be used to support UMA. > > >> >> 3. I think that normally a REST service should work with a bearer only >> client, which expects the token and does not do authentication >> redirection. >> You could instruct your API consumers to get the token directly from >> Keycloak (using a confidential client?) before hitting your Gatekeeper >> endpoint. Once again, keep in mind that by default the token retrieved >> from >> one client won't work to hit a different client unless you set up the aud >> claim properly. >> >> Hopefully an expert will join and correct me. >> >> Regards, >> Geoffrey Cleaves >> >> >> >> >> >> >> >> On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez < >> eric.ramirez.sv at gmail.com> >> wrote: >> >> > Dear All, >> > I am trying to test Keycloak-gatekeeper, have read the docs I could find >> > (keaycloak-proxy as well) but I still have a few questions: >> > >> > 1- I am trying to secure a number of REST APIs, configured behind >> > bearer-only clients. I think I need to first get a access token trough a >> > confidential client using a 'grant-type=password' request and then do a >> > second request to the REST client resource. Is this the right approach, >> how >> > would I implement this using Keycloak-Gatekeeper?. >> > >> > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource >> access. >> > Is there a way to use Keycloak's authorization settings to manage >> access to >> > a client's resource (i.e. policies, permissions, uma-ticket, etc.)? >> > >> > 3- How do I set up multiple clients, do I have to run and configure >> > separate instances of Keycloak-Gatekeeper? >> > >> > Thanks in advance for your time and help. 
>> > >> > Regards, >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From testoauth55 at gmail.com Fri Nov 2 12:43:46 2018 From: testoauth55 at gmail.com (Bruce Wings) Date: Fri, 2 Nov 2018 22:13:46 +0530 Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients? In-Reply-To: References: Message-ID: Bruno, Thanks for the reply. However, my project contains Rest Apis that I have secured with jetty adapter and confidential client ( as keycloak Authorization works only for confidential client and not public clients). My angular app is accessing these rest api. Therefore I used the same confidential client oidc Json in my angular app too. Am I approaching the keycloak setup in a wrong way? On Friday, November 2, 2018, Bruno Oliveira wrote: > I believe you're missing an important step from the docs. The docs > state that Javascript clients should be configured as public clients. > I don't think it's a good idea to store client secret into web apps, > it's really unsafe. > > On Fri, Nov 2, 2018 at 4:28 AM Bruce Wings wrote: > > > > I am referring to Keycloak Javascript adapter as mentioned in : > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_ > javascript_adapter > > > > I have a confidential client and I have downloaded keycloak-oidc.json > > containing client secret. Now I am not sure how secure is it to keep this > > file containing client-secret at the client side. > > > > Am I being over concerned? 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > - abstractj > From eric.ramirez.sv at gmail.com Fri Nov 2 12:51:39 2018 From: eric.ramirez.sv at gmail.com (Eric Boyd Ramirez) Date: Fri, 2 Nov 2018 10:51:39 -0600 Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients? In-Reply-To: References: Message-ID: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com> Hi Bruce, I am fairly new to Keycloak myself, so I am giving my opinion in hopes some else can double check. The JS adapter is designed to work with Public clients, siting on the the client side, the idea is that the a user/person would have to enter his/her credentials to in order to login. Confidential clients generate an installation JSON or XML configuration object which is meant to be installed on the server side/ Application server. The user accessing this application does not receive this configuration. Hope this helps. > On Nov 2, 2018, at 1:28 AM, Bruce Wings wrote: > > I am referring to Keycloak Javascript adapter as mentioned in : > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter > > I have a confidential client and I have downloaded keycloak-oidc.json > containing client secret. Now I am not sure how secure is it to keep this > file containing client-secret at the client side. > > Am I being over concerned? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From eric.ramirez.sv at gmail.com Fri Nov 2 13:23:32 2018 From: eric.ramirez.sv at gmail.com (Eric Boyd Ramirez) Date: Fri, 2 Nov 2018 11:23:32 -0600 Subject: [keycloak-user] keycloak-gatekeeper bearer-only In-Reply-To: References: <146EC91A-1009-4042-B839-25210CE33BD1@gmail.com> Message-ID: Thanks everyone for your replies, it definitely cleared things up for me. It seems that as a "generic" adapter Keycloak-Gatekeeper has limited functionality, it's a matter of finding the right use case to take advantage of this tool. Regards, > On Nov 2, 2018, at 9:27 AM, Pedro Igor Silva wrote: > > > > On Fri, Nov 2, 2018 at 6:36 AM Geoffrey Cleaves > wrote: > Hi Eric, > > I'm a beginner like you so please consider my responses accordingly. > > 1. Often your scenario is similar to a front end app accessing the REST > API. You can find an example of how to do this here: > https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter . > First the user logs in to the front end app, which gets the token and uses > it for calls to the backend. IMPORTANT: You need to include the backend's > client id in the front end's aud claim: > https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md > > Another hurdle you might find using Gatekeeper in this AJAX setup is CORS. > I believe Gatekeeper has a bug and isn't sending the correct headers: > https://issues.jboss.org/browse/KEYCLOAK-8722 > > 2. I have the same question as you. After reading the docs, I think the > answer is NO. If your back end stack does not have a Keycloak adapter (are > you using PHP like me?) then you would have to do all the UMA calls > "manually". There are UMA2 specifications out there which would guide us, > but I think it's a lot of work.
There's also the Gluu oxd > > project which seems similar to Keycloak > Gatekeeper, but I doubt oxd is interoperable with Keycloak. > > Yes, it is. We did recently a collaborative work with Gluu team to check interoperability. In fact, they used oxd to check that both Gluu and Keycloak ASs could be used to support UMA. > > > 3. I think that normally a REST service should work with a bearer only > client, which expects the token and does not do authentication redirection. > You could instruct your API consumers to get the token directly from > Keycloak (using a confidential client?) before hitting your Gatekeeper > endpoint. Once again, keep in mind that by default the token retrieved from > one client won't work to hit a different client unless you set up the aud > claim properly. > > Hopefully an expert will join and correct me. > > Regards, > Geoffrey Cleaves > > > > > > > > On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez > > wrote: > > > Dear All, > > I am trying to test Keycloak-gatekeeper, have read the docs I could find > > (keaycloak-proxy as well) but I still have a few questions: > > > > 1- I am trying to secure a number of REST APIs, configured behind > > bearer-only clients. I think I need to first get a access token trough a > > confidential client using a 'grant-type=password' request and then do a > > second request to the REST client resource. Is this the right approach, how > > would I implement this using Keycloak-Gatekeeper?. > > > > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. > > Is there a way to use Keycloak's authorization settings to manage access to > > a client's resource (i.e. policies, permissions, uma-ticket, etc.)? > > > > 3- How do I set up multiple clients, do I have to run and configure > > separate instances of Keycloak-Gatekeeper? > > > > Thanks in advance for your time and help. 
> > > > Regards, > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From andreas.lau at outlook.com Fri Nov 2 15:25:27 2018 From: andreas.lau at outlook.com (Andreas Lau) Date: Fri, 2 Nov 2018 19:25:27 +0000 Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources In-Reply-To: <1541133909.10131.1.camel@acutus.pro> References: <09AC28A0-AC9B-43EF-8684-F20F6F4E69C7@outlook.com> <1541133909.10131.1.camel@acutus.pro> Message-ID: Hello Dmitry, thanks for your help, this is exactly I was looking for and so simple :). Yes the resources are just static stuff that is needed to display the site properly. Nothing that is relevant to security. It's simple if the main page is authenticated the resources don't have to be checked again. Thinking more about it I would like to know if there is a way to recognize that the page, that gets called, is called from a logged in state. Actually we might be able to access the access token of the header right? From my current understanding I would not need to get a particular config (so I could return the default new KeycloakDeployment()) if I am successfully logged in and call further pages from "within". Am I right? Thanks again, regards Andreas. Am 2. November 2018 05:45:09 MEZ schrieb Dmitry Telegin
Andreas,

Could you please elaborate on the nature of the resources your JSF is accessing? If those are static images/CSS/etc. and they do not require authentication, you can simply return new KeycloakDeployment(), a dummy unconfigured instance (you can't return null from the resolver, as it will result in an NPE). If those are REST resources that need authentication, you'll probably need to propagate kId somehow to those services, like in an HTTP header or URL param, and process it in the resolver.

Good luck,
Dmitry

On Fri, 2018-11-02 at 02:28 +0000, Andreas Lau wrote:

Hey, I forgot to bounce back to the list. Sorry

________________________________
From: Andreas Lau
Sent: 30 October 2018 23:08:06 CET
To: Dmitry Telegin
Subject: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources

Hello Dmitry,

thanks for your response and information. My problem with that many calls of the resolve method was not a performance concern in the first place. I was surprised for sure, and I did indeed think that I had made a mistake somewhere following the instructions. As you pointed out, the behavior is not wrong. The resolver should be called that many times. That's OK, I'm fine with this.

The first call to the JSF page is not a problem at all, because in the URL we have set the parameter that determines which keycloak.json file has to be used. But I have a problem at the time when the JSF loading process starts to load the resources. It fires GET requests with the URLs of the resources the JSF page needs. But now I have lost my scope, because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take?

Cheers,
Andreas

On 30 October 2018 06:29:56 CET, Dmitry Telegin wrote:
Hello Andreas,

I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints. But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation). Even if there had been code to determine whether the resolver should or should not kick in according to web.xml rules, this code would have been more expensive, let alone it would have broken programmatic security.

If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly.

[1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm
[2] https://gatling.io/

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote:

Hey guys,

sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible. So we desperately ask for your help.

On 24 October 2018 17:16:23 CEST, Andreas Lau wrote:

Hello,

we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi-tenancy. We followed the instructions of the documentation [1] to build a CustomKeycloakConfigResolver. We configured the web.xml like this:

[web.xml]
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>portal</web-resource-name>
      <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
      <url-pattern>/portal/pages/logout.jsf</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  ...
  <context-param>
    <param-name>keycloak.config.resolver</param-name>
    <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
  </context-param>
  ...

As you can see, everything under portal is restricted, with two exceptions.
The code of MandantBasedKeycloakConfigResolver is straightforward and adapted from the example code [2]. In our example we assume that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".

After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out, the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected.

Can you please tell me if this behaviour is correct? What is my error in adopting the multi-tenancy sample? How can we prevent/work around that many calls?

While researching I found a JIRA https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use Keycloak to secure a Spring Boot application and have troubles when an SSO redirection occurs.
Regards,
Andreas

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy

[2]
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
        final String mandantId = request.getFirstParam("kId");
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
        LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
        if (mandantId == null || mandantId.isEmpty()) {
            // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
            return null;
        }
        KeycloakDeployment deployment = cache.get(mandantId);
        if (deployment == null) {
            String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
            InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
            if (is == null) {
                // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
                return null;
            }
            LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
            deployment = KeycloakDeploymentBuilder.build(is);
            cache.put(mandantId, deployment);
        }
        return deployment;
    }

[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
    at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
    at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
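As an added example (not Andreas's resolver and not Keycloak project code), one way to combine Dmitry's two suggestions from this thread: static JSF resources get an unconfigured deployment, every other request must carry a tenant id in the thread's kId parameter or in an assumed X-Tenant-Id header, and the id is validated before it selects a keycloak.json. The package name, the header name and the per-tenant file naming are assumptions.

```java
// Added example (not Andreas's resolver or Keycloak project code). Package,
// header name and per-tenant file naming are assumptions.
package de.sample.security;

import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

public class TenantAwareKeycloakConfigResolver implements KeycloakConfigResolver {

    // Query parameter used in the thread ("...willkommen.jsf?kId=1").
    private static final String TENANT_PARAM = "kId";
    // Assumed fallback header for requests whose URL carries no kId, e.g. REST
    // calls issued by the page; the name is an assumption, not a Keycloak one.
    private static final String TENANT_HEADER = "X-Tenant-Id";
    // The id becomes part of a classpath resource name, so accept only ids that
    // cannot contain path characters such as '/' or "..".
    private static final Pattern TENANT_ID = Pattern.compile("[A-Za-z0-9_-]{1,32}");
    // Prefix under which JSF serves CSS/JS/images (see the URIs in the log above).
    private static final String JSF_RESOURCE_PREFIX = "/javax.faces.resource/";

    // Unconfigured placeholder returned for public resources. The adapter
    // resolves the deployment in its PreAuthActionsHandler (see the trace), so
    // the resolver also runs for resources web.xml does not protect, and it
    // dereferences the result: never return null here.
    private static final KeycloakDeployment UNPROTECTED = new KeycloakDeployment();

    // One deployment per tenant; ConcurrentHashMap is safe under the parallel
    // resource requests a single page load triggers (task-4, task-5, task-50
    // in the log).
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // 1. Static JSF resources need no tenant and must not throw. The check
        //    uses the request path, not the query string or the full URI, so a
        //    crafted parameter cannot turn a protected page into an unprotected one.
        if (isStaticResource(request.getRelativePath())) {
            return UNPROTECTED;
        }

        // 2. Tenant id: URL parameter first, then the fallback header.
        String tenantId = request.getFirstParam(TENANT_PARAM);
        if (tenantId == null || tenantId.isEmpty()) {
            tenantId = request.getHeader(TENANT_HEADER);
        }
        if (tenantId == null || !TENANT_ID.matcher(tenantId).matches()) {
            // Fail closed: a protected request without a valid tenant id is an
            // error, not a reason to guess a configuration.
            throw new IllegalStateException(
                    "Cannot resolve tenant for " + request.getRelativePath());
        }

        // 3. Build once per tenant, then serve from the cache.
        return cache.computeIfAbsent(tenantId, this::loadDeployment);
    }

    // Public and static so the rule can be unit-tested without a container.
    public static boolean isStaticResource(String relativePath) {
        return relativePath != null && relativePath.startsWith(JSF_RESOURCE_PREFIX);
    }

    private KeycloakDeployment loadDeployment(String tenantId) {
        // Assumed layout: /keycloak-<tenantId>.json on the classpath.
        String resource = "/keycloak-" + tenantId + ".json";
        InputStream is = getClass().getResourceAsStream(resource);
        if (is == null) {
            throw new IllegalStateException("No adapter configuration at " + resource);
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

The allowlist in isStaticResource should cover only genuinely public assets; any path that returns UNPROTECTED is served without the adapter enforcing a login.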
From testoauth55 at gmail.com Fri Nov 2 20:33:15 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Sat, 3 Nov 2018 06:03:15 +0530
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID:

Thanks Eric for the reply.

But if I use a separate public client for my Angular app, I am not able to access my REST API with the generated token; that's why I had to use the confidential client JSON that I used to secure my server. Any idea what the right approach is in the case of a server-client architecture?

( My project contains REST APIs that I have secured with the Jetty adapter and a confidential client (as Keycloak Authorization works only for confidential clients and not public clients). My Angular app is accessing these REST APIs. Therefore I used the same confidential client OIDC JSON in my Angular app too. )

On Friday, November 2, 2018, Eric Boyd Ramirez wrote:

> Hi Bruce,
> I am fairly new to Keycloak myself, so I am giving my opinion in hopes
> someone else can double check.
> The JS adapter is designed to work with public clients, sitting on the
> client side; the idea is that a user/person would have to enter his/her
> credentials in order to log in.
>
> Confidential clients generate an installation JSON or XML configuration
> object which is meant to be installed on the server side/application
> server. The user accessing this application does not receive this
> configuration.
>
> Hope this helps.
>
> > On Nov 2, 2018, at 1:28 AM, Bruce Wings wrote:
> >
> > I am referring to the Keycloak Javascript adapter as mentioned in:
> > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_adapter
> >
> > I have a confidential client and I have downloaded keycloak-oidc.json
> > containing the client secret. Now I am not sure how secure it is to keep this
> > file containing the client-secret at the client side.
> >
> > Am I being over concerned?

From geoff at opticks.io Sat Nov 3 04:06:03 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sat, 3 Nov 2018 09:06:03 +0100
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To:
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID:

Bruce, here's how I fixed the issue you're describing. I think it's an unfortunate omission in the docs (which are generally quite good). You need to include the backend client ID in the front end client's aud claim.

https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak

From eric.ramirez.sv at gmail.com Sat Nov 3 09:58:32 2018
From: eric.ramirez.sv at gmail.com (Eric Boyd Ramirez)
Date: Sat, 3 Nov 2018 07:58:32 -0600
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To:
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID: <290B5BD5-8AD9-4947-AD8C-A92998B77F5E@gmail.com>

Hi Bruce, further to Geoffrey's reply, this example should get you started:

https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee

From testoauth55 at gmail.com Sat Nov 3 12:41:10 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Sat, 3 Nov 2018 22:11:10 +0530
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To:
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID:

Thanks Geoffrey,

I believe this will solve my problem. However, I tried creating the mapper, but maybe I missed something, because I am still getting 401 if I log in with the front end.

In the attached image, I have shared my config; can you give it a quick look and confirm this is how it is supposed to be?

Name of my backend client in Keycloak: JettyApp

I have created the token claim name as clientId and the value as JettyApp.

A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 57527 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/46e15784/attachment-0001.png
A non-text attachment was scrubbed... Name: aud.JPG Type: image/jpeg Size: 53698 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/46e15784/attachment-0001.jpe

From testoauth55 at gmail.com Sat Nov 3 13:00:33 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Sat, 3 Nov 2018 22:30:33 +0530
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To:
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID:

Geoffrey,

I was able to get the config right. I have received the aud:JettyApp in the generated token also, but I still get 401:Unauthorized for the backend app. Does anything else need to be done?

Token (partial):

  "jti": "b7b07046-5417-40d6-9338-1851a0f5e1e5",
  "exp": 1541292863,
  "nbf": 0,
  "iat": 1541264063,
  "iss": "http://localhost:7200/auth/realms/MyRealm",
  *"aud": "JettyApp",*
  "sub": "c801fc43-e7d3-4229-869c-cef19d049389",
  "typ": "Bearer",
  "azp": "Webapps",
  "nonce": "3ec36116-c8a3-482c-828e-6458ad179270",
  "auth_time": 1541264063,
  "session_state": "0b40b785-6956-4234-bcb5-96ff8fdcb822",
  "acr": "1",

A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 53646 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/c8b561ad/attachment-0002.png
A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 57527 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181103/c8b561ad/attachment-0003.png

From remy at grunblatt.org Sat Nov 3 15:15:22 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Sat, 3 Nov 2018 20:15:22 +0100
Subject: [keycloak-user] Backup strategies for Keycloak + Docker?
Message-ID: <4e7e07a1-e09f-4a5d-8c67-489e392a466c@grunblatt.org>

Hello,

I'm wondering: what are your backup strategies for Keycloak?
I plan to use Docker and Keycloak, and of course I'll be backing up the data. The backup for the database side is ok: just launching psql in the container will do it.

But for the Keycloak side: do I need any backup? In there, https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html, a method for backing up the "entire database" is mentioned, and I was wondering if this would be useful in addition to the database (container) backup.
I thought about modifying the entry point to include this backup (which I have done), but saving it to a volume is tricky, as it seems Keycloak is running with 1000/1000 uid/gid (which is the first non-root user on many Linux distributions?).

Any hints? How do you do it in your production?
Rémy

From geoff at opticks.io Sat Nov 3 19:56:08 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 4 Nov 2018 00:56:08 +0100
Subject: [keycloak-user] How should my application users get a token to directly access my API?
Message-ID:

Let's say that in addition to letting my end users access my REST API via the single page web app, I also want to let the end users access the REST API in a machine-to-machine fashion. So that, for example, the end user could run a report every night automatically via cron/curl instead of generating the report via the front end SPA.

My SPA gets tokens using keycloak.js and the Authorization Code Flow. But I don't think this is appropriate for the scenario above. Curl can't be entering a username/password into Keycloak's login page when a session expires.

Are my end users to use the Resource Owner Password Credentials Grant? If so, which clientid/secret should be used?

Thanks for shedding light on this.

Geoff

From info at patrick-hesse.de Sun Nov 4 10:09:55 2018
From: info at patrick-hesse.de (Patrick Hesse)
Date: Sun, 04 Nov 2018 16:09:55 +0100
Subject: [keycloak-user] I need a Integrationtest example for keycloak 4.5
Message-ID: <5BDF0BC3.4080309@patrick-hesse.de>

Hi all,

I have here some source code incl. integration tests for a custom authenticator. This code was written by some other people. Now I must migrate this from Keycloak 3.0 to 4.5. I have migrated the authenticator, but the migration of the integration tests will not work. Where can I find demo integration tests with Arquillian?

Nice greetings
Patrick Hesse

From dt at acutus.pro Sun Nov 4 23:58:00 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 05 Nov 2018 07:58:00 +0300
Subject: [keycloak-user] Backup strategies for Keycloak + Docker?
In-Reply-To: <4e7e07a1-e09f-4a5d-8c67-489e392a466c@grunblatt.org>
References: <4e7e07a1-e09f-4a5d-8c67-489e392a466c@grunblatt.org>
Message-ID: <1541393880.3650.1.camel@acutus.pro>

Hello Rémy,

I think Keycloak-side export/import makes more sense when migrating between DB vendors, since the dump is in vendor-neutral JSON format. For backup purposes, doing a DB-side backup should be sufficient (not to mention that it's normally much faster than its Keycloak-side counterpart).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-11-03 at 20:15 +0100, Rémy Grünblatt wrote:
> Hello,
>
> I'm wondering: what are your backup strategies for Keycloak?
> I plan to use Docker and Keycloak, and of course I'll be backing up the data.
> The backup for the database side is OK: just launching psql in the
> container will do it.
>
> But for the Keycloak side: do I need any backup? In there,
> https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html,
> a method for backing up the "entire database" is mentioned, and I was
> wondering if this would be useful in addition to the database
> (container) backup.
> I thought about modifying the entry point to include this backup (which I
> have done), but saving it to a volume is tricky as it seems Keycloak is
> running with 1000/1000 uid/gid (which is the first non-root user on many
> Linux distributions?).
>
> Any hints? How do you do it in your production?
>
>
> Rémy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Nov 5 00:36:17 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 05 Nov 2018 08:36:17 +0300
Subject: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
In-Reply-To:
References: <09AC28A0-AC9B-43EF-8684-F20F6F4E69C7@outlook.com> <1541133909.10131.1.camel@acutus.pro>
Message-ID: <1541396177.3650.5.camel@acutus.pro>

Hi Andreas, you're welcome :) answers inline

On Fri, 2018-11-02 at 19:25 +0000, Andreas Lau wrote:
> Hello Dmitry,
>
> thanks for your help, this is exactly what I was looking for and so simple :).
>
> Yes, the resources are just static stuff that is needed to display the site properly. Nothing that is relevant to security. It's simple: if the main page is authenticated, the resources don't have to be checked again.
>
> Thinking more about it, I would like to know if there is a way to recognize that the page that gets called is called from a logged-in state. Actually we might be able to access the access token of the header, right?
>
> From my current understanding I would not need to get a particular config (so I could return the default new KeycloakDeployment()) if I am successfully logged in and call further pages from "within". Am I right?

I don't think this is a good idea. How would you detect a logged-in state from a resolver? Yes, there is an access token, but how would you validate it? You need realm public keys for that; where do you get them? If you return a dummy KeycloakDeployment, how should the underlying adapter validate the logged-in session in the absence of realm config? As you see, there are more questions than answers here. I'm afraid you risk spending major time on minor optimizations.
Remember, "Premature optimization is the root of all evil" (C) Donald Knuth :)

Dmitry

> Thanks again, regards
>
> Andreas.
>
> On 2 November 2018 05:45:09 CET, Dmitry Telegin wrote:
> > Andreas,
> >
> > Could you please elaborate on the nature of the resources your JSF is accessing?
> >
> > If those are static images/CSS/etc. and they do not require authentication, you can simply return new KeycloakDeployment(), a dummy unconfigured instance (you can't return null from the resolver as it will result in an NPE).
> >
> > If those are REST resources that need authentication, you'll probably need to propagate kId somehow to those services, like in an HTTP header or URL param, and process it in the resolver.
> >
> > Good luck,
> > Dmitry
> >
> > On Fri, 2018-11-02 at 02:28 +0000, Andreas Lau wrote:
> > > Hey,
> > > I forgot to bounce back to the list. Sorry
> > >
> > > From: Andreas Lau
> > > Sent: 30 October 2018 23:08:06 CET
> > > To: Dmitry Telegin
> > > Subject: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
> > >
> > > Hello Dmitry,
> > >
> > > thanks for your response and information. My problem with that many calls of the resolve method was not a performance concern in the first place. I was surprised for sure, and I did indeed think that I had made a mistake somewhere following the instructions.
> > >
> > > As you pointed out, the behavior is not wrong. The resolver should be called that many times. That's OK, I'm fine with this.
> > > The first call to the JSF page is not a problem at all, because in the URL we have set the parameter which determines which keycloak.json file has to be used. But I have a problem at the time when the JSF loading process starts to load the resources. It fires GET requests with the URLs of the resources the JSF needs. But now I have lost my scope, because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take?
> > >
> > > Cheers,
> > > Andreas
> > >
> > > On 30 October 2018 06:29:56 CET, Dmitry Telegin wrote:
> > > Hello Andreas,
> > >
> > > I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints.
> > >
> > > But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation).
> > >
> > > Even if there had been the code to determine whether the resolver should or should not kick in, according to web.xml rules, this code would have been more expensive, not to mention it would have broken programmatic security. If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly.
> > >
> > > [1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm
> > > [2] https://gatling.io/
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote:
> > > Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible.
> > > So we desperately ask for your help.
> > >
> > > On 24 October 2018 17:16:23 CEST, Andreas Lau wrote:
> > >
> > > Hello,
> > > we deployed a JSF PrimeFaces application on a JBoss EAP 7.0 system. We have to support multiple clients using multi-tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver.
> > > We configured the web.xml like this:
> > > [web.xml]
> > >
> > > ...
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>portal</web-resource-name>
> > >     <url-pattern>/portal/*</url-pattern>
> > >   </web-resource-collection>
> > >   <auth-constraint>
> > >     <role-name>user</role-name>
> > >   </auth-constraint>
> > > </security-constraint>
> > >
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>public</web-resource-name>
> > >     <url-pattern>/portal/pages/willkommen.jsf</url-pattern>
> > >     <url-pattern>/portal/pages/logout.jsf</url-pattern>
> > >   </web-resource-collection>
> > > </security-constraint>
> > >
> > > <login-config>
> > >   <auth-method>KEYCLOAK</auth-method>
> > > </login-config>
> > >
> > > <security-role>
> > >   <role-name>user</role-name>
> > > </security-role>
> > >
> > > ...
> > >
> > > <context-param>
> > >   <param-name>keycloak.config.resolver</param-name>
> > >   <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
> > > </context-param>
> > >
> > > ...
> > >
> > > As you can see, everything under portal is restricted, with two exceptions. The code of MandantBasedKeycloakConfigResolver is straightforward and adapted to the example code [2]. In our example we consider that the URL has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
> > >
> > > After deployment I realized that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out, the KeycloakConfigResolver.resolve() method is called for every resource that is loaded through GET requests to display the site. I did not expect that many invocations, since the resources are not protected.
> > >
> > > Can you please tell me if this behaviour is correct? What is my error in adopting the multi-tenancy sample? How can we prevent/work around that many calls?
> > > While researching I found a Jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use Keycloak to secure a Spring Boot application and have troubles when an SSO redirection occurs.
> > >
> > > Regards,
> > > Andreas
> > >
> > > [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
> > >
> > > [2]
> > > public KeycloakDeployment resolve(HttpFacade.Request request) {
> > >     LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
> > >     final String mandantId = request.getFirstParam("kId");
> > >     LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
> > >     LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
> > >
> > >     if (mandantId == null || mandantId.isEmpty()) {
> > >         // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
> > >         // Note: the adapter cannot work with a null deployment (see Dmitry's reply above); an
> > >         // unconfigured new KeycloakDeployment() is the value to return for unprotected resources.
> > >         return null;
> > >     }
> > >
> > >     // cache of already-built deployments, keyed by tenant id
> > >     KeycloakDeployment deployment = cache.get(mandantId);
> > >     if (deployment == null) {
> > >         String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
> > >         InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
> > >         if (is == null) {
> > >             // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
> > >             return null;
> > >         }
> > >         LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
> > >
> > >         deployment = KeycloakDeploymentBuilder.build(is);
> > >         cache.put(mandantId, deployment);
> > >     }
> > >
> > >     return deployment;
> > > }
> > >
> > > [3]
> > > 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
> > > 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver]
(default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> > > 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> > > 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
> > > 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
> > > 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
> > > 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
> > >
> > > 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
> > > 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
> > > 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
> > > 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
> > >     at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
> > >     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
> > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
> > >     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
> > >
> > > .......
> > >
> > > 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
> > > 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
> > > 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
> > > 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
> > >     at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
> > >     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
> > >     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
> > >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
> > >     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
> > >
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >

From dt at acutus.pro Mon Nov 5 00:54:25 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 05 Nov 2018 08:54:25 +0300
Subject: [keycloak-user] filter group claim in token per client
In-Reply-To:
References:
Message-ID: <1541397265.3650.7.camel@acutus.pro>

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD).
Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From melissa.palmer at gmail.com Mon Nov 5 01:49:56 2018
From: melissa.palmer at gmail.com (melissa.palmer at gmail.com)
Date: Sun, 4 Nov 2018 23:49:56 -0700 (MST)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
Message-ID: <1541400596183-0.post@n6.nabble.com>

Hi,

I cannot find the "authz/servlet-authz-app" quickstart. I am looking under:
https://github.com/keycloak/keycloak-quickstarts
or
https://github.com/keycloak/keycloak/tree/master/examples

Also on your comment of "I'm really thinking about pushing a new example application with a permission model similar to github, it will be fun :)" this would be great!!! if you could do that.

Thanks In Advance
Melissa

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From sthorger at redhat.com Mon Nov 5 02:24:52 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 5 Nov 2018 08:24:52 +0100
Subject: [keycloak-user] Turkish translation review needed
In-Reply-To:
References:
Message-ID:

Anyone?

On Wed, 31 Oct 2018 at 06:37, Stian Thorgersen wrote:
> We have a PR for Turkish translations for Keycloak.
Can someone from the
> community review this please?
>
> https://github.com/keycloak/keycloak/pull/5678

From sthorger at redhat.com Mon Nov 5 02:25:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 5 Nov 2018 08:25:05 +0100
Subject: [keycloak-user] Review Latvian translation
In-Reply-To:
References:
Message-ID:

Anyone?

On Wed, 31 Oct 2018 at 06:36, Stian Thorgersen wrote:
> We have a PR for Latvian translations for Keycloak. Can someone from the
> community review it please?
>
> https://github.com/keycloak/keycloak/pull/5676

From slaskawi at redhat.com Mon Nov 5 04:46:07 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 5 Nov 2018 10:46:07 +0100
Subject: [keycloak-user] Java 11 (Docker container base)
In-Reply-To: <69c1088396cd4aa5aa8a661637dfcf37@zoomint.com>
References: <564d3037b9974039868327e2ed2bee3d@zoomint.com> <1d8ec6c8800f46aa82e3ba96c8951086@zoomint.com> <69c1088396cd4aa5aa8a661637dfcf37@zoomint.com>
Message-ID:

I believe using the commercial Hotspot JVM provided by Oracle will not be an option. We will probably stick with OpenJDK.

BTW, all JDK LTS releases will receive much longer updates. Please see this blog post for the reference: https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/

On Thu, Oct 25, 2018 at 4:37 PM Pavel Micka wrote:
> It was mainly a question about how the support/updates will be handled - if Keycloak will rely on "community only" updates for Java 8 or if there will be a switch to new Java (updated by Oracle in the half-year window).
>
> I am sure that our customers will ask in reviews how the security updates are handled throughout our solution. And if all parts of our solution rely only on secure resources.
>
> So the question should more be: Will Java under Keycloak be periodically updated (without commercial support) after January 2019?
>
> Regards,
>
> Pavel
>
> *From:* Sebastian Laskawiec
> *Sent:* Thursday, October 25, 2018 4:00 PM
> *To:* Pavel Micka
> *Cc:* Meissa M'baye Sakho ; keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Java 11 (Docker container base)
>
> From the support perspective, Red Hat offers extended support till June 2023 [1].
>
> Our move towards JDK11 (LTS) relies heavily on the Wildfly/EAP team. I guess we still have plenty of time to do the switch, so I wouldn't rush things too much.
>
> BTW, why do you need JDK11, especially in the container?
>
> [1] https://access.redhat.com/articles/1299013
>
> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka wrote:
>
> Sorry, end of January (my fault): https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java and OpenJDK will most probably start to diverge, as OpenJDK will not have access to Oracle repos (afaik). So the speed of security fixes will depend on the willingness of the community to fix the upcoming issues.
>
> Pavel
>
> From: Meissa M'baye Sakho
> Sent: Tuesday, October 23, 2018 11:04 AM
> To: Pavel Micka
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>
> Hello,
> Pavel, where did you get the information that the official Java 8 support will cease at the end of December?
> https://access.redhat.com/articles/1299013
> https://www.oracle.com/technetwork/java/javase/eol-135779.html
> Meissa
>
> On Mon, 22 Oct 2018 at 16:33, Pavel Micka wrote:
> Hello everyone,
>
> What is the plan for Java 11 support? The point is that current versions of Docker containers are based on OpenJDK 8, but the official Java 8 support will cease at the end of December. Will Keycloak use Java 11 by that time or will it rely on updates provided by the community.
>
> This is important to us, as Keycloak is an important part of our app security.
> > Thanks, > > Pavel > > // I have found this ticket in Jira, but it does not provide too many > details: https://issues.jboss.org/browse/KEYCLOAK-7811 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From ronald.demneri at amdtia.com Mon Nov 5 05:00:00 2018 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Mon, 5 Nov 2018 10:00:00 +0000 Subject: [keycloak-user] filter group claim in token per client In-Reply-To: <1541397265.3650.7.camel@acutus.pro> References: <1541397265.3650.7.camel@acutus.pro> Message-ID: Hello Dmitry, Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention in order to solve this? Thanks in advance and Regards, Ronald -----Original Message----- From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD). Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com  Mon Nov 5 06:10:06 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 5 Nov 2018 09:10:06 -0200
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <1541400596183-0.post@n6.nabble.com>
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1541400596183-0.post@n6.nabble.com>
Message-ID:

This one https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet ?

On Mon, Nov 5, 2018 at 7:47 AM melissa.palmer at gmail.com <melissa.palmer at gmail.com> wrote:
> Hi,
>
> I cannot find the "authz/servlet-authz-app" quickstart; I am looking under:
> https://github.com/keycloak/keycloak-quickstarts
> or
> https://github.com/keycloak/keycloak/tree/master/examples
>
> Also on your comment of
> "I'm really thinking about pushing a new example application with a
> permission model similar to github, it will be fun :) "
> this would be great!!! if you could do that.
>
> Thanks In Advance
> Melissa
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ronald.demneri at amdtia.com  Mon Nov 5 06:11:32 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Mon, 5 Nov 2018 11:11:32 +0000
Subject: [keycloak-user] filter group claim in token per client
In-Reply-To:
References: <1541397265.3650.7.camel@acutus.pro>
Message-ID:

Hello,

In the script authenticator there was authenticationSession, which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then do the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?

Thanks again for your support!
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
Sent: 05.Nov.2018 11:00 AM
To: Dmitry Telegin
; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention to in order to solve this?

Thanks in advance and Regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From melissa.palmer at gmail.com  Mon Nov 5 06:14:22 2018
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Mon, 5 Nov 2018 13:14:22 +0200
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To:
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1541400596183-0.post@n6.nabble.com>
Message-ID:

Thanks, will take a look. Did you ever do an "example application with a permission model similar to github" at all?

On Mon, 5 Nov 2018 at 13:10, Pedro Igor Silva wrote:
> This one
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
> ?
>
> On Mon, Nov 5, 2018 at 7:47 AM melissa.palmer at gmail.com <melissa.palmer at gmail.com> wrote:
>
>> Hi,
>>
>> I cannot find the "authz/servlet-authz-app" quickstart; I am looking under:
>> https://github.com/keycloak/keycloak-quickstarts
>> or
>> https://github.com/keycloak/keycloak/tree/master/examples
>>
>> Also on your comment of
>> "I'm really thinking about pushing a new example application with a
>> permission model similar to github, it will be fun :) "
>> this would be great!!! if you could do that.
>>
>> Thanks In Advance
>> Melissa
>>
>> --
>> Sent from: http://keycloak-user.88327.x6.nabble.com/
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From me at mpouss.in  Mon Nov 5 06:17:18 2018
From: me at mpouss.in (Mathieu Poussin)
Date: Mon, 05 Nov 2018 12:17:18 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <1541018026.2120.1.camel@acutus.pro>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <1541018026.2120.1.camel@acutus.pro>
Message-ID: <166e3975670.edec95a619314.6696607516355464263@mpouss.in>

I confirm this fixed the issue :) So simple that I didn't think about it...

Thank you

---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin
wrote ----
> Mathieu, Meissa,
>
> Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. I guess this is why your truststore settings are being ignored.
>
> I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker deployment - it works pretty well, so definitely not a Keycloak bug per se.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> > Hello Mathieu,
> > did you manage to make it work?
> > If yes, could you tell me how?
> > Meissa
> >
> > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> > > Hello Marek.
> > >
> > > I've done that already but looks like it is completely ignored.
> > > I have my custom truststore that has all my CA certificates (2), but I'm
> > > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
> > > admin)
> > > Is there a way to make sure it has been loaded correctly? (I don't see any
> > > error when the application starts but it's not working as expected)
> > >
> > > Thanks.
> > > Mathieu
> > >
> > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
> > > > You can configure the Truststore SPI, which is mentioned in our docs
> > > > here:
> > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> > > >
> > > > Some additional notes around LDAP are here:
> > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> > > >
> > > > Marek
> > > >
> > > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > > Hello.
> > > > >
> > > > > What would be the recommended way to add custom CA certificates?
> > > > > The documentation has a lot of different ways and so far none of them
> > > > > worked:
> > > > >
> > > > > - The X509_CA_BUNDLE env variable thing (It's running in a
> > > > > container), I can see the certificates in the JKS store but looks like
> > > > > they are completely ignored by the app server.
> > > > > - Added custom SPI to load a custom JKS store, same, no error at
> > > > > server start but they are completely ignored by the app server.
> > > > >
> > > > > This is the error I am getting:
> > > > >
> > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > > >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > > >     at sun.security.validator.Validator.validate(Validator.java:262)
> > > > >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > > >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > > >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > > >     ... 99 more
> > > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > >     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > > >     ... 105 more
> > > > >
> > > > > Another option would be to disable certificate verification on LDAPS
> > > > > as it's a trusted environment (last resort but well so far nothing else
> > > > > worked), would there be a way to do that?
> > > > > Connecting over LDAP is not an option as this prevents some features from
> > > > > working, like password reset.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com  Mon Nov 5 06:31:10 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 5 Nov 2018 09:31:10 -0200
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To:
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>
<6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1541400596183-0.post@n6.nabble.com>
Message-ID:

Not yet, oops ... :)

On Mon, Nov 5, 2018 at 9:15 AM Melissa Palmer wrote:
> Thanks, will take a look. Did you ever do an "example application with a
> permission model similar to github" at all?
>
> On Mon, 5 Nov 2018 at 13:10, Pedro Igor Silva wrote:
>
>> This one
>> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
>> ?
>>
>> On Mon, Nov 5, 2018 at 7:47 AM melissa.palmer at gmail.com <melissa.palmer at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I cannot find the "authz/servlet-authz-app" quickstart; I am looking under:
>>> https://github.com/keycloak/keycloak-quickstarts
>>> or
>>> https://github.com/keycloak/keycloak/tree/master/examples
>>>
>>> Also on your comment of
>>> "I'm really thinking about pushing a new example application with a
>>> permission model similar to github, it will be fun :) "
>>> this would be great!!! if you could do that.
>>>
>>> Thanks In Advance
>>> Melissa
>>>
>>> --
>>> Sent from: http://keycloak-user.88327.x6.nabble.com/
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From jambo_mcd at yahoo.co.uk  Mon Nov 5 07:34:06 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Mon, 5 Nov 2018 12:34:06 +0000 (UTC)
Subject: [keycloak-user] Keycloak realm certificates export
In-Reply-To: <1540869193.2121.3.camel@acutus.pro>
References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com> <653502666.27637230.1540814185148@mail.yahoo.com> <1868981234.27918435.1540827277989@mail.yahoo.com> <1540869193.2121.3.camel@acutus.pro>
Message-ID: <226622624.1563056.1541421246300@mail.yahoo.com>

Hi Dmitry,

Thanks for your response. I can confirm that this does provide the certs, however this seems to be encrypted.
Do you know how we can recreate this to provide the value that is visible in the Keycloak console? I need to be able to get the decrypted value of the cert so I can pass this over to another application.

Regards,
Jamie

On Tuesday, 30 October 2018, 03:13:17 GMT, Dmitry Telegin
wrote:

Hello Jamie,

Just FYI, there is also a certificate endpoint that does not require authentication:
http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
(replace your server name, port and realm)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:34 +0000, Jamie McDowell wrote:
> I have managed to obtain just the certificate using the below command in case anyone needs this in future
> /opt/jboss/keycloak/bin/kcadm get keys \--server \--realm master \--user \--password \-r | grep "certificate*"
> Regards,
> Jamie
>
> On Monday, 29 October 2018, 11:56:25 GMT, Jamie McDowell wrote:
>
> Hi,
>
> I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates.
> Knox is used to decrypt signed JWTs.
> Is this something that can be achieved?
> I have tried running kcadm to pull the certificate details, however I am unable to provide only the cert details which I would then want to output into another file.
> Examples of kcadm:
> /opt/jboss/keycloak/bin/kcadm get keys \--server \--realm master \--user \--password \-r
> Regards,
> Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com  Mon Nov 5 08:40:55 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 5 Nov 2018 08:40:55 -0500
Subject: [keycloak-user] Account Page Fields
In-Reply-To: <1540878764.3824.3.camel@acutus.pro>
References: <1540878764.3824.3.camel@acutus.pro>
Message-ID: <811a3326-b848-39b5-1f74-68a550bb2d50@redhat.com>

On 10/30/2018 1:52 AM, Dmitry Telegin wrote:
> Hello Aaron,
>
> I don't think this is easily doable with the current account UI. However, there are chances we will have it in the forthcoming rewrite thereof [1]. The revamped account UI should use REST APIs and be extensible with the means of React.js.
>
> This topic is of particular interest to me, as we in Mageia Linux are planning to migrate our IDM to Keycloak, and one of the problems to solve is to allow the users to upload their SSH pubkeys via the account UI. We're pretty determined to solve it, and to solve it soon, so stay tuned :)
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-8421

That's right. A proof of concept has already been built and merged into the code base. You will indeed be able to create your own React components as extensions for the account console.

It's hard to say when this will be ready for prime time, but I'm shooting for a code-complete version in the first quarter of 2019.

>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-10-26 at 15:35 -0700, Aaron Echols wrote:
>> Hello All,
>>
>> How hard is it to modify or add fields that could be modified in the user's
>> account page? It would be nice to add a personal email field to be
>> able to send their password reset email to.
>> Currently, they can only send
>> to their employee addresses, which if they forget their password, makes the
>> email a moot point. Thanks in advance for any ideas. :)
>> --
>> *Aaron Echols*
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ulrik.lejon at mollyware.se  Mon Nov 5 09:08:59 2018
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Mon, 5 Nov 2018 15:08:59 +0100
Subject: [keycloak-user] WFLYRS0015: No Servlet declaration found for JAX-RS application
Message-ID:

Hi,

I'm currently investigating upgrading from version 3.3.0 to 3.4.2 (as part of eventually upgrading to the latest 4.5 version). When I boot up version 3.4.2 on our test server I see the following warning in the log:

WARN [org.jboss.as.jaxrs] (MSC service thread 1-7) WFLYRS0015: No Servlet declaration found for JAX-RS application. In custom-rest-endpoing-1.7.war either provide a class that extends javax.ws.rs.core.Application or declare a servlet class in web.xml.

The custom-rest-endpoing.war is a realm-restapi-extension that we deploy to our Keycloak instance. Indeed we haven't subclassed javax.ws.rs.core.Application, nor do we have any web.xml. However, looking at the rest provider example (https://github.com/keycloak/keycloak/tree/master/examples/providers/rest) I can't find anything about that there either.

Is this warning anything I need to pay attention to?
Cheers,
Ulrik

From lahari.guntha at tcs.com  Mon Nov 5 09:13:42 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Mon, 5 Nov 2018 14:13:42 +0000
Subject: [keycloak-user] Keycloak got into Excited state because of Garbage Collector Issue
Message-ID: <1541427223469.84685@tcs.com>

Hi all,

We are using Keycloak to have SSO enabled for different applications. It was working fine. All of a sudden we were unable to access Keycloak.

After checking logs we came to know that "GC overhead limit exceeded".

May I know how to resolve this issue?

Thanks and Regards,
Lahari G

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From graham.nixon at maximuscanada.ca  Mon Nov 5 11:00:53 2018
From: graham.nixon at maximuscanada.ca (Graham Nixon)
Date: Mon, 5 Nov 2018 16:00:53 +0000
Subject: [keycloak-user] Active Directory LDAP Server Signing required
Message-ID:

Hi. I'm new to Keycloak. A quick question on Keycloak version 4.3.0. I've searched the online documentation and forums but can't find an answer.

Does Keycloak support Simple LDAP BIND over tcp 389 (no LDAPS/TLS) to Active Directory if the Active Directory Domain Controllers (the LDAP server) have LDAP server signing set to Require Signature?
Cheers

Graham Nixon
Senior Systems Architect
MAXIMUS Canada
DeltaWare Division
176 Great George Street, Suite 300
Charlottetown, PE, Canada C1A 4K9
Office: 902.628.4598
graham.nixon at maximuscanada.ca

Confidentiality Notice: This electronic transmission, and any documents attached to it, may contain confidential information belonging to the sender. This information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance upon the contents of this information is prohibited. If you have received this transmission in error, please notify the sender immediately and delete the message and all documents.

From ulrik.sjolin at gmail.com  Mon Nov 5 11:14:08 2018
From: ulrik.sjolin at gmail.com (Ulrik Sjölin)
Date: Mon, 5 Nov 2018 08:14:08 -0800
Subject: [keycloak-user] Delegating sharing responsibilities for UMA resources?
Message-ID:

Hello,

I find the request-response mechanism of UMA very interesting and think it would be very useful where I work. But I have not found a way to scale it?

Is it possible for a resource owner to delegate the responsibilities for sharing resources to other users? Consider a large organisation that owns a large set of resources and has a large number of users. The organisation wants to have a group of admins to handle answering the requests that come in from the users asking for access to different resources.

What is the best-practice way for handling a use case like this?
Is it possible to assign a group as resource owner?
Best Regards,

Ulrik Sjölin

From oneal.kevin at gmail.com  Mon Nov 5 12:48:43 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Mon, 5 Nov 2018 11:48:43 -0600
Subject: [keycloak-user] Disable Authentication for a Path Using the Spring Boot Adapter
Message-ID:

I've got a configuration setup similar to the doc
https://www.keycloak.org/docs/1.9/securing_apps_guide/topics/oidc/java/spring-boot-adapter.html

Is there a way to ignore security on certain paths? E.g.

security:
  ignored: /foo/*

From psilva at redhat.com  Mon Nov 5 13:01:20 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 5 Nov 2018 16:01:20 -0200
Subject: [keycloak-user] Delegating sharing responsibilities for UMA resources?
In-Reply-To:
References:
Message-ID:

Currently, you can not set groups as resource owners. However we have a User-Managed Policy API that can be used for what you are looking for. Please, take a look at this doc [1]. It supports not only group policies, but user, role and more complex policies using JS.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api

On Mon, Nov 5, 2018 at 2:24 PM Ulrik Sjölin wrote:
> Hello,
>
> I find the request-response mechanism of UMA very interesting and
> think it would
> be very useful where I work. But I have not found a way to scale it?
>
> Is it possible for a resource owner to delegate the responsibilities
> for sharing
> resources to other users? Consider a large organisation that owns a
> large set of
> resources and has a large number of users. The organisation wants to
> have a group
> of admins to handle answering the requests that come in from the users
> asking
> for access to different resources.
>
> What is the best-practice way for handling a use case like this?
> Is it possible to assign a group as resource owner?
>
> Best Regards,
>
> Ulrik Sjölin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com  Tue Nov 6 03:58:41 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 6 Nov 2018 09:58:41 +0100
Subject: [keycloak-user] Keycloak got into Excited state because of Garbage Collector Issue
In-Reply-To: <1541427223469.84685@tcs.com>
References: <1541427223469.84685@tcs.com>
Message-ID:

Keycloak uses Infinispan (an in-memory caching solution), which consumes most of the heap for the JVM. The "GC overhead limit exceeded" tells you that the JVM was fighting for its life trying to release as much memory from the heap as it could and didn't succeed in a certain amount of time.

The easiest solution is to increase your heap. Or a more complicated one - tune the eviction parameter on your caches.

On Mon, Nov 5, 2018 at 3:23 PM Lahari Guntha wrote:
> Hi all,
>
>
> We are using Keycloak to have SSO enabled for different applications. It
> was working fine. All of a sudden we were unable to access Keycloak.
>
>
> After checking logs we came to know that "GC overhead limit exceeded".
>
>
> May I know how to resolve this issue?
>
>
> Thanks and Regards,
>
> Lahari G
>
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain
> confidential or privileged information. If you are
> not the intended recipient, any dissemination, use,
> review, distribution, printing or copying of the
> information contained in this e-mail message
> and/or attachments to it are strictly prohibited. If
> you have received this communication in error,
> please notify us by reply e-mail or telephone and
> immediately and permanently delete the message
> and any attachments.
> Thank you
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From testoauth55 at gmail.com  Tue Nov 6 04:13:56 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Tue, 6 Nov 2018 14:43:56 +0530
Subject: [keycloak-user] Proxy support in policy enforcement/authorization services
Message-ID:

As per the mailing list:
http://lists.jboss.org/pipermail/keycloak-user/2016-December/008876.html

There wasn't any support for proxy in case of policy enforcement. Since the thread is quite old, can someone from the Keycloak team kindly confirm whether proxy support has been added yet or not?

From testoauth55 at gmail.com  Tue Nov 6 04:27:17 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Tue, 6 Nov 2018 14:57:17 +0530
Subject: [keycloak-user] Proxy support in policy enforcement/authorization services
In-Reply-To:
References:
Message-ID:

I think I may have got my previous post slightly wrong. The problem I am facing is that my Keycloak server is running behind a proxy. My Keycloak server is running on *pc-bruce:8100*, but I am accessing it through *pc-bruce:7100*. And I am able to run the Jetty adapter as well as the Keycloak Installed adapter with *pc-bruce:7100* like this:

{
  "realm": "myRealm",
  "auth-server-url": "http://pc-bruce:7100/auth",
  "ssl-required": "external",
  "resource": "myClient",
  "credentials": {
    "secret": "***********"
  },
  "confidential-port": 0
}

But as soon as I put the *"policy-enforcer": {}* line in the json to enable authorization, I get *Could not obtain configuration from server. This error does not come if either the policy enforcer line is removed or if the policy enforcer line is kept and the port is changed to 8100 (original Keycloak port)*

Exception trace:

java.lang.RuntimeException: Could not obtain configuration from server [http://pc-bruce:7100/auth/realms/myRealm/.well-known/uma2-configuration].
    at org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:242)
    at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:85)
    at org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:66)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:144)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:170)
    at org.keycloak.adapters.jetty.core.AbstractKeycloakJettyAuthenticator.initializeKeycloak(AbstractKeycloakJettyAuthenticator.java:248)
    at org.keycloak.adapters.jetty.core.AbstractKeycloakJettyAuthenticator.setConfiguration(AbstractKeycloakJettyAuthenticator.java:174)
    at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:384)
    at org.eclipse.jetty.security.ConstraintSecurityHandler.doStart(ConstraintSecurityHandler.java:449)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
    at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120)
    at org.eclipse.jetty.server.session.SessionHandler.doStart(SessionHandler.java:116)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
    at org.eclipse.jetty.server.handler.ScopedHandler.doStart(ScopedHandler.java:120)
    at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:784)
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:294)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:741)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:163)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.server.Server.start(Server.java:387)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
    at org.eclipse.jetty.server.Server.doStart(Server.java:354)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
Caused by: java.lang.RuntimeException: Error executing http method [org.apache.http.client.methods.RequestBuilder at 72ec16f8]. Response : null
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:106)
    at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
    at org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:240)
    ... 43 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:117)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:84)

On Tue, Nov 6, 2018 at 2:43 PM Bruce Wings wrote:
> As per the mailing list:
> http://lists.jboss.org/pipermail/keycloak-user/2016-December/008876.html
>
> There wasn't any support for proxy in case of policy enforcement. Since
> the thread is quite old, can someone from the Keycloak team kindly confirm
> whether proxy support has been added yet or not?
> From nad.elbaba at gmail.com Tue Nov 6 04:38:52 2018 From: nad.elbaba at gmail.com (Nadim Elbaba) Date: Tue, 6 Nov 2018 10:38:52 +0100 Subject: [keycloak-user] Customize Execute Actions Email Subject Message-ID: Hello, I would like to customize the subject of the emails sent using "execute-actions-email" REST endpoint depending on the required actions, e.g. : - "Update your password" when the UPDATE_PASSWORD action is present - "Verify your e-mail" when only the VERIFY_EMAIL action is present The only solution I could think about was to provide a custom EmailTemplateProvider implementation by extending the FreeMarkerEmailTemplateProvider to override the "sendExecuteActions" method in order to use different properties for the email subject. Is there any simpler way ? Anyway, thanks for this wonderful IAM solution ! Cheers, Nadim From lyderic.dubut at enalean.com Tue Nov 6 04:54:09 2018 From: lyderic.dubut at enalean.com (Lyderic Dubut) Date: Tue, 06 Nov 2018 10:54:09 +0100 Subject: [keycloak-user] Users/Groups access restrictions Message-ID: Hi Keycloak peoples! I'm slowly introduce keycloak in production environnement, but I still do not Know how to restric permissions to users or groups. To picture my words, I have 3 Applications A,B and C All company people can access to the application A For the application B I want prohibit access to non-admin group member. So when a non-admin clic on OIDC button to login in app an redirect to keycloak, I wan't a message like "you don't have permissions". And for the application C all people can access except Bob because he have broken twice this application :-) It's posisble to do it? 
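The per-application restriction Lyderic asks about above can be enforced inside Keycloak itself, before any token is issued, with a script authenticator of the kind the Ronald/Dmitry exchange further down refers to (that thread uses `authenticationSession` in a script authenticator to learn the clientId). What follows is an added example, not code from this thread or from the Keycloak project: the policy table, the client ids `appA`/`appB`/`appC`, the group name `admin` and the blocked user `bob` are assumptions standing in for Lyderic's A, B, C and Bob. The decision logic is a plain function so it can be exercised under Node; the glue at the bottom only runs inside the server's Nashorn engine, where Keycloak's script template documents the bindings `script`, `realm`, `user`, `session`, `authenticationSession`, `httpRequest` and `LOG` and calls `authenticate(context)`.

```javascript
// Added example (not from the thread, not Keycloak's own code): per-client
// access restriction as a Keycloak script authenticator. Names below are
// assumptions for the example; adjust them to your realm.

// Policy: which groups may use which client and which users are blocked.
// "*" means every authenticated user. Unknown clients are denied (fail closed).
var POLICY = {
  appA: { allowGroups: ['*'], denyUsers: [] },        // everyone
  appB: { allowGroups: ['admin'], denyUsers: [] },    // only the admin group
  appC: { allowGroups: ['*'], denyUsers: ['bob'] }    // everyone except bob
};

// Pure decision function: returns { allow: boolean, reason: string }.
// Matching is case-insensitive; a missing client id is a deny, not a throw.
function decide(policy, clientId, username, groupNames) {
  if (!clientId) return { allow: false, reason: 'no client in authentication session' };
  var rule = policy[clientId];
  if (!rule) return { allow: false, reason: 'no policy for client ' + clientId };
  var uname = String(username || '').toLowerCase();
  for (var i = 0; i < rule.denyUsers.length; i++) {
    if (rule.denyUsers[i].toLowerCase() === uname) {
      return { allow: false, reason: 'user ' + uname + ' is blocked for ' + clientId };
    }
  }
  if (rule.allowGroups.indexOf('*') !== -1) return { allow: true, reason: 'open to all users' };
  var groups = (groupNames || []).map(function (g) { return String(g).toLowerCase(); });
  for (var j = 0; j < rule.allowGroups.length; j++) {
    if (groups.indexOf(rule.allowGroups[j].toLowerCase()) !== -1) {
      return { allow: true, reason: 'member of ' + rule.allowGroups[j] };
    }
  }
  return { allow: false, reason: 'user ' + uname + ' is not in an allowed group for ' + clientId };
}

// Keycloak glue: only defined when running inside the Nashorn script engine,
// where the global `Java` object and the authenticator bindings exist.
var authenticate;
if (typeof Java !== 'undefined') {
  var AuthenticationFlowError = Java.type('org.keycloak.authentication.AuthenticationFlowError');

  authenticate = function (context) {
    var clientId = authenticationSession.getClient().getClientId();
    var groups = [];
    var it = user.getGroups().iterator();            // java.util.Set<GroupModel>
    while (it.hasNext()) groups.push(it.next().getName());
    var verdict = decide(POLICY, clientId, user.getUsername(), groups);
    LOG.info(script.name + ': ' + verdict.reason);
    if (!verdict.allow) {
      // Deny at the IdP so the application never receives a token for this user.
      context.failure(AuthenticationFlowError.INVALID_USER);
      return;
    }
    context.success();
  };
}

if (typeof module !== 'undefined') module.exports = { POLICY: POLICY, decide: decide };
```

Two practitioner notes. The denial has to happen here, at the identity provider (`context.failure`), rather than by hiding a login button: an application that merely hides the button will still accept a token that Keycloak issued to a user it should not serve. And in recent Keycloak versions, uploading scripts from the admin console is disabled by default, so an authenticator like this is deployed as a provider JAR with the scripts feature enabled rather than pasted into the console as it was at the time of this thread.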
From ronald.demneri at amdtia.com Tue Nov 6 05:05:02 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Tue, 6 Nov 2018 10:05:02 +0000
Subject: [keycloak-user] filter group claim in token per client
References: <1541397265.3650.7.camel@acutus.pro>
Message-ID:

Hello Dmitry,

A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo.

This is the script that we came up with (configured both as a client scope (possibly defined as a default client scope) and as a script mapper specific to this client for test purposes - claim names are different of course):

[kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
[ {
  "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
  "name" : "Filtered_Groups",
  "protocol" : "openid-connect",
  "attributes" : {
    "display.on.consent.screen" : "true"
  },
  "protocolMappers" : [ {
    "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
    "name" : "Filtered Groups",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-script-based-protocol-mapper",
    "consentRequired" : false,
    "config" : {
      "multivalued" : "true",
      "userinfo.token.claim" : "true",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "fGroup",
      "jsonType.label" : "String",
      "script" : "/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current userSession
 */

//insert your code here...
//So, first we need to know, how many names should be added to the new claim,
var username = user ? user.username : \"anonymous\";
var groups = user.getGroups();
var group_array = groups.toArray();
//print(\"########################################## \" + username);
var client = token.getIssuedFor();
//print(\"############################################ \" + client);
var clUp = client.toUpperCase();
//print(clUp);
var group_APP = \"APP-\" + clUp + \"-USERS\";
var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\";
var group_filtered = [];
for (var i in group_array) {
  var gn = group_array[i].getName();
  var gnUp = gn.toUpperCase();
  if (gnUp === group_APP || gnUp === group_ROL) {
    group_filtered.push(\"/\" + gn);
  }
}
//Then we declare the new array.
var l = group_filtered.length;
var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l);
for (var f in group_filtered) {
  group_token[f] = group_filtered[f];
  //print(group_token[f]);
}
//And submit the array as token
token.setOtherClaims(\"fGroup\", group_token);"
    }
  } ]
}

This is the userinfo data for my account:

{
  "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
  "Group": [
    "/APP-App1-Users/TGR-Team-ABC",
    "/APP-App1-Users/TGR-Team-DEF",
    "/APP-App1-Users",
    "/APP-MySmallApp-Users"
  ],
  "email_verified": false,
  "name": "Ronald Demneri",
  "preferred_username": "u151302",
  "given_name": "Ronald",
  "family_name": "Demneri"
}

The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.

What do you think is going on? Is this behavior normal?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 05.Nov.2018 12:12 PM
To: 'Ronald Demneri'; Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] filter group claim in token per client

Hello,

In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then do the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?

Thanks again for your support!
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
Sent: 05.Nov.2018 11:00 AM
To: Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, and created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention to in order to solve this?

Thanks in advance and regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to the default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ronald.demneri at amdtia.com Tue Nov 6 06:00:36 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Tue, 6 Nov 2018 11:00:36 +0000
Subject: [keycloak-user] filter group claim in token per client
References: <1541397265.3650.7.camel@acutus.pro>
Message-ID:

So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:

2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################ APP1
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) We are here!!!
2018-11-06 10:51:42,408 INFO [stdout] (default task-1892) ############################################

But when trying to actually log in to the client, I receive the following:

2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,466 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,475 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in <eval> at line number 31

Line 31 is as follows:

31: var client = token.getIssuedFor().toUpperCase();
32: print("############################################ " + client);

So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated?

ATM, I removed the client scope mapper and have recreated the script mapper only for this client.

Regards,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 06.Nov.2018 11:05 AM
To: 'Ronald Demneri'; 'Dmitry Telegin'; 'keycloak-user at lists.jboss.org'
Subject: RE: [keycloak-user] filter group claim in token per client

Hello Dmitry,

A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo.

This is the script that we came up with (configured both as a client scope (possibly defined as a default client scope) and as a script mapper specific to this client for test purposes - claim names are different of course):

[kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
[ {
  "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
  "name" : "Filtered_Groups",
  "protocol" : "openid-connect",
  "attributes" : {
    "display.on.consent.screen" : "true"
  },
  "protocolMappers" : [ {
    "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
    "name" : "Filtered Groups",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-script-based-protocol-mapper",
    "consentRequired" : false,
    "config" : {
      "multivalued" : "true",
      "userinfo.token.claim" : "true",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "fGroup",
      "jsonType.label" : "String",
      "script" : "/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current userSession
 */

//insert your code here...
//So, first we need to know, how many names should be added to the new claim,
var username = user ? user.username : \"anonymous\";
var groups = user.getGroups();
var group_array = groups.toArray();
//print(\"########################################## \" + username);
var client = token.getIssuedFor();
//print(\"############################################ \" + client);
var clUp = client.toUpperCase();
//print(clUp);
var group_APP = \"APP-\" + clUp + \"-USERS\";
var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\";
var group_filtered = [];
for (var i in group_array) {
  var gn = group_array[i].getName();
  var gnUp = gn.toUpperCase();
  if (gnUp === group_APP || gnUp === group_ROL) {
    group_filtered.push(\"/\" + gn);
  }
}
//Then we declare the new array.
var l = group_filtered.length;
var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l);
for (var f in group_filtered) {
  group_token[f] = group_filtered[f];
  //print(group_token[f]);
}
//And submit the array as token
token.setOtherClaims(\"fGroup\", group_token);"
    }
  } ]
}

This is the userinfo data for my account:

{
  "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
  "Group": [
    "/APP-App1-Users/TGR-Team-ABC",
    "/APP-App1-Users/TGR-Team-DEF",
    "/APP-App1-Users",
    "/APP-MySmallApp-Users"
  ],
  "email_verified": false,
  "name": "Ronald Demneri",
  "preferred_username": "u151302",
  "given_name": "Ronald",
  "family_name": "Demneri"
}

The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.

What do you think is going on? Is this behavior normal?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 05.Nov.2018 12:12 PM
To: 'Ronald Demneri'; Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] filter group claim in token per client

Hello,

In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then do the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?

Thanks again for your support!
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
Sent: 05.Nov.2018 11:00 AM
To: Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, and created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention to in order to solve this?

Thanks in advance and regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to the default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sakodiya at grepruby.com Tue Nov 6 06:41:07 2018
From: sakodiya at grepruby.com (Shubham Akodiya)
Date: Tue, 6 Nov 2018 17:11:07 +0530
Subject: [keycloak-user] Create user API in keycloak with default password
Message-ID:

Hi Team,

Is there any API available for creating a user with a default password? I've gone through the API - POST /{realm}/users - but didn't find the password setting field for a new user.

Thanks,
Shubham Akodiya

From geoff at opticks.io Tue Nov 6 07:03:36 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 13:03:36 +0100
Subject: [keycloak-user] Create user API in keycloak with default password
In-Reply-To:
References:
Message-ID:

Hi. I see in the link you provided a reference to a UserRepresentation, which in turn makes reference to CredentialRepresentation. Can you use that?

Regards,
Geoffrey Cleaves

On Tue, 6 Nov 2018 at 12:47, Shubham Akodiya wrote:
> Hi Team,
>
> Is there any API available for creating the user with default password?
> I've gone through the API - POST /{realm}/users
>
> but
> didn't find the password setting field for new user.
>
> Thanks,
> Shubham Akodiya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From geoff at opticks.io Tue Nov 6 07:13:03 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 13:13:03 +0100
Subject: [keycloak-user] RPT endpoint responds unexpectedly for resources created with an explicit _id
Message-ID:

The token endpoint sends an unexpected response while using grant_type urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions to a resource created via the resource UMA endpoint that has an explicit _id.

When access is denied, the endpoint sends an HTTP 400 and invalid_resource / Resource with id [resource2] does not exist. instead of sending 403. The same test but using a resource which has the Keycloak-assigned _id returns 403 as expected.

I believe the key point here is that the resource has been created using the resource_set endpoint and had the _id set explicitly instead of letting Keycloak assign the id.

Could the issue be related to the fact that my Keycloak Docker install began as 4.3.0.Final with the database being Postgres, and then I upgraded Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any DB migrations have been missed which could cause this issue?

To reproduce the issue, try the following: Create resources rA and rB via the resource_set endpoint. When creating rB, include an explicit _id. Then, using an auth_token which does not have access to rB, try getting an RPT which includes permissions to rB. The token endpoint will respond with 400 resource_not_found. But in fact the resource exists.

I have opened Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729

From t.rademacher at gmx.de Tue Nov 6 07:20:35 2018
From: t.rademacher at gmx.de (Tim Rademacher)
Date: Tue, 6 Nov 2018 13:20:35 +0100
Subject: [keycloak-user] CEK key for alg:dir
Message-ID: <061701d475cb$1f1aadc0$5d500940$@gmx.de>

Hi all,

I am somewhat struggling with Keycloak (Version 4.5.0) and I would like to view the data returned from an authorization request. I retrieve the token and would like to look into it. I see there are 5 parts:

1. Header
2. CEK
3. Init Vector
4. Content (encrypted)
5. Auth Tag

The header mentions the Algorithm to be DIR and the Encryption Algorithm to be A128CBC-HS256. RFC 7518 says that DIR means "Direct use of a shared symmetric key as the CEK". So I wonder, how would the shared key come to the client to decrypt the content? How would I be able to decrypt the token (where would I get the token from)?

Thank you very much!
Tim

From jannes.vandepitte at gmail.com Tue Nov 6 08:17:44 2018
From: jannes.vandepitte at gmail.com (Jannes Vandepitte)
Date: Tue, 6 Nov 2018 05:17:44 -0800
Subject: [keycloak-user] API Create user
Message-ID:

Hi,

I'm having trouble with usage of the API. When creating a user via POST on the /users resource I can add a user no problem. But when I try to create a user and set its roles/groups at the same time, it just ignores the provided roles and groups.

Body:

{
  "username": "testerrr",
  "email": "testt at aptus.bee",
  "realmRoles": ["0085814a-b946-494b-924d-c8bd20fe077c"],
  "groups": ["098d95a5-9875-4e3c-90ab-cfacdef70fed"]
}

I gave the user that uses the API realm-admin roles just to make sure it wasn't a permission problem.

Any ideas on how to fix this (without adding 2 extra calls for adding the group and the role)?

Thanks in advance,
Jannes V

From psilva at redhat.com Tue Nov 6 08:25:29 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Nov 2018 11:25:29 -0200
Subject: [keycloak-user] RPT endpoint responds unexpectedly for resources created with an explicit _id
In-Reply-To:
References:
Message-ID:

I think I know what is happening. Although we support setting the _id when creating a resource, our code assumes that ids have the same format as when auto-generated by Keycloak. In order to avoid unnecessary hits to the database when querying a resource by name, we have a specific point in the code that only tries to fetch the resource by id if it contains a "-". Otherwise, we query by name. That is why it is failing for you. If you try to change the id value to "resource-2" you should get things working as expected. Can you try it out?

Regards.
Pedro Igor

On Tue, Nov 6, 2018 at 10:26 AM Geoffrey Cleaves wrote:
> The token endpoint sends an unexpected response while using grant_type
> urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions
> to a resource created via the resource UMA endpoint that has an explicit
> _id.
>
> When access is denied, endpoint sends a HTTP 400 and invalid_resource /
> Resource with id [resource2] does not exist. instead of sending 403. The
> same test but using a resource which has the Keycloak-assigned _id returns
> 403 as expected.
>
> I believe the key point here is that the resource has been created using
> the resource_set endpoint and had the _id set explicitly instead of letting
> Keycloak assign the id.
>
> Could the issue be related the fact that my Keycloak Docker install began
> as 4.3.0.Final with the database being Postgres, and then I upgraded
> Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any
> DB migrations have been missed which could cause this issue?
>
> To reproduce the issue, try the following: Create resources rA and rB via
> the resource_set endpoint. When creating rB, include a explicit _id. Then,
> using an auth_token which does not have access to rB, try getting a RPT
> which includes permissions to rB. Token end point will respond with 400
> resource_not_found. But in fact the resource exists.
>
> I have opened Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From miguel at lebane.se Tue Nov 6 08:27:17 2018
From: miguel at lebane.se (Miguel Haber)
Date: Tue, 6 Nov 2018 15:27:17 +0200
Subject: [keycloak-user] Notify Keycloak Bearer Clients on Admin Actions
Message-ID:

Hi,

I'm just wondering about one scenario where I'm running:
- Keycloak server (using it as a user base, and for authentication/authorization)
- 3 resource servers connected to Keycloak as bearer-only clients

These resource servers store separate information about users.

One use case I need to investigate:
- Keycloak admin logs in, deletes one user that has data in all 3 resource servers

Questions:
1) Do the 3 resource servers get notified at the moment in order to purge the user data from their DBs?
2) What if 1 resource server is offline, does it get notified as soon as it goes back online?

Thanks

From anneke at breust.de Tue Nov 6 08:31:12 2018
From: anneke at breust.de (Anneke Breust)
Date: Tue, 6 Nov 2018 14:31:12 +0100
Subject: [keycloak-user] EVENTTYPE for a temporarily disabled user
Message-ID: <4dc8e3ce-50da-497a-6db0-c4142beeb756@breust.de>

Hi,

in the context of customized Prometheus metrics I am looking for an event which is emitted whenever a user is temporarily disabled (and a counterpart which is emitted when the disabled user is enabled again).

The goal is to be able to monitor the number of currently disabled users as well as how many times in a specific time span a user has been disabled.

I looked through the EventTypes here https://www.keycloak.org/docs-api/3.2/javadocs/org/keycloak/events/EventType.html but I didn't find anything useful - did I overlook something?

Thanks in advance,
Anneke

From msakho at redhat.com Tue Nov 6 08:32:49 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 6 Nov 2018 14:32:49 +0100
Subject: [keycloak-user] remote debugging keycloak docker image
Message-ID:

Hello everyone,

I need to enable remote debugging on the Keycloak docker image. I'm using a vanilla Kubernetes.

Any input on that?

Regards,
Meissa

From psilva at redhat.com Tue Nov 6 08:37:44 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Nov 2018 11:37:44 -0200
Subject: [keycloak-user] the admin rest api for realm import is not importing realm
In-Reply-To:
References:
Message-ID:

Hi Bruce,

The best way to reproduce these issues is sending a step by step, if possible using curl commands or a script, with some JSON representing a realm that we can import to run into the issue. It is hard to tell what is wrong here, but I would say it is related to the way you are preparing/sending requests to the server.

Regards.
Pedro Igor

On Thu, Oct 18, 2018 at 8:25 AM Bruce Wings wrote:
> As mentioned in docs:
>
> https://www.keycloak.org/docs-api/4.4/rest-api/index.html#_realms_admin_resource
>
> I have created a post request via postman and the response is 200 OK, but
> when I go and check on the admin console, new realm is not visible.
>
> Moreover, when I perform the same operation via an invalid token, then also
> the response is 200 OK. Am I missing something here?
>
> Attached screenshot of postman request. (In the body I have copy pasted
> entire contents of realm json file that was exported from another server)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From msakho at redhat.com Tue Nov 6 08:50:59 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 6 Nov 2018 14:50:59 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To: <166e3975670.edec95a619314.6696607516355464263@mpouss.in>
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <1541018026.2120.1.camel@acutus.pro> <166e3975670.edec95a619314.6696607516355464263@mpouss.in>
Message-ID:

My LDAPS configuration did also work fine with the keycloak 3.3.5 docker image.
My question was related to the X509_CA_BUNDLE env variable that comes with the keycloak 4.4.x docker image. I would like to use it and wanted to know if it works.
Do I understand that it's working fine for you Mathieu?

Meissa

On Mon, 5 Nov 2018 at 12:17, Mathieu Poussin wrote:
> I confirm this fixed the issue :)
>
> So simple that I didn't think about it...
>
> Thank you
>
> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin wrote ----
> > Mathieu, Meissa,
> >
> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
> > instead of standalone.xml by default. I guess this is why your truststore
> > settings are being ignored.
> >
> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
> > non-Docker deployment - it works pretty well, so definitely not a Keycloak
> > bug per se.
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
> > > Hello Mathieu,
> > > did you manage to make it work?
> > > If yes, could you tell me how?
> > > Meissa
> > >
> > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
> > > > Hello Marek.
> > > >
> > > > I've done that already but looks like it is completely ignored.
> > > > I have my custom truststore that has all my CA certificates (2), but I'm
> > > > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
> > > > admin)
> > > > Is there a way to make sure it has been loaded correctly? (I don't see any
> > > > error when the application starts but it's not working as expected)
> > > >
> > > > Thanks.
> > > > Mathieu
> > > >
> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
> > > > > You can configure the Truststore SPI, which is mentioned in our docs here:
> > > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
> > > > >
> > > > > Some additional notes around LDAP are here:
> > > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
> > > > >
> > > > > Marek
> > > > >
> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
> > > > > > Hello.
> > > > > >
> > > > > > What would be the recommended way to add custom CA certificates?
> > > > > > The documentation has a lot of different ways and so far none of them
> > > > > > worked:
> > > > > >
> > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a
> > > > > > container), I can see the certificates in the JKS store but it looks like
> > > > > > they are completely ignored by the app server.
> > > > > > - Added custom SPI to load a custom JKS store, same, no error at
> > > > > > server start but they are completely ignored by the app server.
> > > > > >
> > > > > > This is the error I am getting:
> > > > > >
> > > > > > Caused by: sun.security.validator.ValidatorException: PKIX path
> > > > > > building failed:
> > > > > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > > > > > valid certification path to requested target
> > > > > >   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> > > > > >   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> > > > > >   at sun.security.validator.Validator.validate(Validator.java:262)
> > > > > >   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > > > > >   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > > > > >   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > > > > >   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
> > > > > >   ...
> > > > > > 99 more
> > > > > > Caused by:
> > > > > > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > > > > > valid certification path to requested target
> > > > > >   at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> > > > > >   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> > > > > >   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > > > > >   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> > > > > >   ... 105 more
> > > > > >
> > > > > > Another option would be to disable certificate verification on LDAPS
> > > > > > as it's a trusted environment (last resort but well so far nothing else
> > > > > > worked), would there be a way to do that?
> > > > > > Connecting over LDAP is not an option as this prevents some features from
> > > > > > working, like password reset.
> > > > > >
> > > > > > Thanks.
> > > > > >

From msakho at redhat.com Tue Nov 6 08:54:07 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 6 Nov 2018 14:54:07 +0100
Subject: [keycloak-user] Java 11 (Docker container base)
In-Reply-To:
References: <564d3037b9974039868327e2ed2bee3d@zoomint.com> <1d8ec6c8800f46aa82e3ba96c8951086@zoomint.com> <69c1088396cd4aa5aa8a661637dfcf37@zoomint.com>
Message-ID:

OpenJDK 11 has been released. You'll need to have RHEL 7.6.

On Mon, 5 Nov 2018 at 10:46, Sebastian Laskawiec wrote:
> I believe using the commercial Hotspot JVM provided by Oracle will not be
> an option. We will probably stick with OpenJDK.
>
> BTW, all JDK LTS releases will receive much longer updates. Please see
> this blog post for the reference:
> https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/
>
> On Thu, Oct 25, 2018 at 4:37 PM Pavel Micka wrote:
>
>> It was mainly a question about how the support/updates will be handled -
>> if Keycloak will rely on "community only" updates for Java 8 or if there
>> will be a switch to new Java (updated by Oracle in the half-year window).
>>
>> I am sure that our customers will ask in reviews how the
>> security updates are handled throughout our solution.
>> And if all parts of
>> our solution rely only on secure resources.
>>
>> So the question should more be: Will Java under Keycloak be periodically
>> updated (without commercial support) after January 2019?
>>
>> Regards,
>>
>> Pavel
>>
>> From: Sebastian Laskawiec
>> Sent: Thursday, October 25, 2018 4:00 PM
>> To: Pavel Micka
>> Cc: Meissa M'baye Sakho ; keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>>
>> From the support perspective, Red Hat offers extended support till June
>> 2023 [1].
>>
>> Our move towards JDK11 (LTS) relies heavily on the Wildfly/EAP Team. I guess
>> we still have plenty of time to do the switch, so I wouldn't rush things
>> too much.
>>
>> BTW, why do you need JDK11, especially in the container?
>>
>> [1] https://access.redhat.com/articles/1299013
>>
>> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka wrote:
>>
>> Sorry, end of January (my fault):
>> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle
>> Java and OpenJDK will most probably start to diverge, as OpenJDK will not
>> have access to Oracle repos (afaik). So the speed of security fixes will
>> depend on the willingness of the community to fix the upcoming issues.
>>
>> Pavel
>>
>> From: Meissa M'baye Sakho
>> Sent: Tuesday, October 23, 2018 11:04 AM
>> To: Pavel Micka
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>>
>> Hello,
>> Pavel, where did you get the information that the official Java 8 support
>> will cease at the end of December?
>> https://access.redhat.com/articles/1299013
>> https://www.oracle.com/technetwork/java/javase/eol-135779.html
>> Meissa
>>
>> On Mon, 22 Oct 2018 at 16:33, Pavel Micka wrote:
>> Hello everyone,
>>
>> What is the plan for Java 11 support?
>> The point is that current versions
>> of Docker containers are based on OpenJDK 8, but the official Java 8
>> support will cease at the end of December. Will Keycloak use Java 11 by
>> that time or will it rely on updates provided by the community?
>>
>> This is important to us, as Keycloak is an important part of our app
>> security.
>>
>> Thanks,
>>
>> Pavel
>>
>> // I have found this ticket in Jira, but it does not provide too many
>> details: https://issues.jboss.org/browse/KEYCLOAK-7811

From geoff at opticks.io Tue Nov 6 09:32:22 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 15:32:22 +0100
Subject: [keycloak-user] RPT endpoint responds unexpectedly for resources created with an explicit _id
In-Reply-To:
References:
Message-ID:

The following attempt to change the _id results in 500 Server Error:

curl -X PUT \
  https://domain.com/realms/realm/authz/protection/resource_set/resource2 \
  -H 'Authorization: Bearer 123' \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -d '{ "_id":"resource-2" }'

But creating a new resource "resource-3" with the dash does resolve the issue. Now I get access_denied.

Thanks

On Tue, 6 Nov 2018 at 14:25, Pedro Igor Silva wrote:
> I think I know what is happening.
>
> Although we support setting the _id when creating a resource, our code
> assumes that ids have the same format as when auto-generated by Keycloak.
>
> In order to avoid unnecessary hits to the database when querying a
> resource by name, we have a specific point in the code that only tries to
> fetch the resource by id if it contains a "-". Otherwise, query by name.
> That is why it is failing for you.
>
> If you try to change the id value to "resource-2" you should get things
> working as expected. Can you try it out?
>
> Regards.
> Pedro Igor
>
> On Tue, Nov 6, 2018 at 10:26 AM Geoffrey Cleaves wrote:
>
>> The token endpoint sends an unexpected response while using grant_type
>> urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions
>> to a resource created via the resource UMA endpoint that has an explicit
>> _id.
>>
>> When access is denied, the endpoint sends an HTTP 400 and invalid_resource /
>> "Resource with id [resource2] does not exist." instead of sending 403. The
>> same test but using a resource which has the Keycloak-assigned _id returns
>> 403 as expected.
>>
>> I believe the key point here is that the resource has been created using
>> the resource_set endpoint and had the _id set explicitly instead of letting
>> Keycloak assign the id.
>>
>> Could the issue be related to the fact that my Keycloak Docker install began
>> as 4.3.0.Final with the database being Postgres, and then I upgraded
>> Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any
>> DB migrations have been missed which could cause this issue?
>>
>> To reproduce the issue, try the following: Create resources rA and rB via
>> the resource_set endpoint. When creating rB, include an explicit _id. Then,
>> using an auth_token which does not have access to rB, try getting an RPT
>> which includes permissions to rB. The token endpoint will respond with 400
>> resource_not_found. But in fact the resource exists.
>>
>> I have opened a Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729

From ronald.demneri at amdtia.com Tue Nov 6 10:08:01 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Tue, 6 Nov 2018 15:08:01 +0000
Subject: [keycloak-user] filter group claim in token per client
In-Reply-To:
References: <1541397265.3650.7.camel@acutus.pro>
Message-ID:

Hello again,

Upon testing login and experimenting with where the claim should be inserted, I found out that the duplicate print() is a result of including the claim in both the ID and access tokens. The error comes as a result of including the claim in the userinfo token, and probably that is why the userinfo endpoint does not contain the claim when the client application requests it.

Any idea how to solve it?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 06.Nov.2018 12:01 PM
To: Ronald Demneri ; Dmitry Telegin
; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] filter group claim in token per client

So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:

2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################ APP1
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) We are here!!!
2018-11-06 10:51:42,408 INFO [stdout] (default task-1892) ############################################

But when trying to actually log in to the client, I receive the following:

2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,466 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,475 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in  at line number 31

Line 31 is as follows:

31: var client = token.getIssuedFor().toUpperCase();
32: print("############################################ " + client);

So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated?

ATM, I removed the client scope mapper and have recreated the script mapper only for this client.

Regards,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 06.Nov.2018 11:05 AM
To: 'Ronald Demneri' ; 'Dmitry Telegin'
; 'keycloak-user at lists.jboss.org'
Subject: RE: [keycloak-user] filter group claim in token per client

Hello Dmitry,

A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo.

This is the script that we came up with (configured both as a client scope (possibly defined as a default client scope) as well as a script mapper specific to this client for test purposes - claim names are different of course):

[kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
[ {
  "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
  "name" : "Filtered_Groups",
  "protocol" : "openid-connect",
  "attributes" : {
    "display.on.consent.screen" : "true"
  },
  "protocolMappers" : [ {
    "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
    "name" : "Filtered Groups",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-script-based-protocol-mapper",
    "consentRequired" : false,
    "config" : {
      "multivalued" : "true",
      "userinfo.token.claim" : "true",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "fGroup",
      "jsonType.label" : "String",
      "script" : "/** * Available variables: * user - the current user * realm - the current realm * token - the current token * userSession - the current userSession * keycloakSession - the current userSession */ //insert your code here... //So, first we need to know, how many names should be added to the new claim, var username = user ?
user.username : \"anonymous\"; var groups = user.getGroups(); var group_array = groups.toArray(); //print(\"########################################## \" + username); var client = token.getIssuedFor(); //print(\"############################################ \" + client); var clUp = client.toUpperCase(); //print(clUp); var group_APP = \"APP-\" + clUp + \"-USERS\"; var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\"; var group_filtered = []; for (var i in group_array) { var gn = group_array[i].getName(); var gnUp = gn.toUpperCase(); if (gnUp === group_APP || gnUp === group_ROL) { group_filtered.push(\"/\" + gn); } } //Then we declare the new array. var l = group_filtered.length; var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l); for (var f in group_filtered) { group_token[f] = group_filtered[f]; //print(group_token[f]); } //And submit the array as token token.setOtherClaims(\"fGroup\", group_token);"
    }
  } ]
}

This is the userinfo data for my account:

{
  "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
  "Group": [
    "/APP-App1-Users/TGR-Team-ABC",
    "/APP-App1-Users/TGR-Team-DEF",
    "/APP-App1-Users",
    "/APP-MySmallApp-Users"
  ],
  "email_verified": false,
  "name": "Ronald Demneri",
  "preferred_username": "u151302",
  "given_name": "Ronald",
  "family_name": "Demneri"

The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.

What do you think is going on? Is this behavior normal?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 05.Nov.2018 12:12 PM
To: 'Ronald Demneri' ; Dmitry Telegin
; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] filter group claim in token per client

Hello,

In the script authenticator there was authenticationSession, which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then do the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?

Thanks again for your support!
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
Sent: 05.Nov.2018 11:00 AM
To: Dmitry Telegin
; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, and created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention to in order to solve this?

Thanks in advance and regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM
To: Ronald Demneri ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald

From t.rademacher at gmx.de Tue Nov 6 10:20:50 2018
From: t.rademacher at gmx.de (Tim Rademacher)
Date: Tue, 6 Nov 2018 16:20:50 +0100
Subject: [keycloak-user] CEK key for alg:dir
Message-ID: <063c01d475e4$4d424910$e7c6db30$@gmx.de>

...I suddenly had the idea that the auth request returns the auth code that is then used to get an access token. So the auth code is just returned to its origin. So the "shared secret" CEK is not a shared secret, but only known by the Keycloak server. So it makes sense that I could not find the information on where to get the CEK, since the Keycloak server is the only one who needs it.

Could someone please confirm?

Thanks
Tim

From: Tim Rademacher
Sent: Tuesday, 6 November 2018 13:21
To: 'keycloak-user at lists.jboss.org'
Subject: CEK key for alg:dir

Hi all,

I am somewhat struggling with Keycloak (Version 4.5.0) and I would like to view the data returned from an authorization request. I retrieve the token and would like to look into it. I see there are 5 parts:

1. Header
2. CEK
3. Init Vector
4. Content (encrypted)
5. Auth Tag

The header mentions the Algorithm to be DIR and the Encryption Algorithm to be A128CBC-HS256. RFC7518 says that DIR means "Direct use of a shared symmetric key as the CEK". So I wonder, how would the shared key come to the client to decrypt the content? How would I be able to decrypt the token (where would I get the token from)?

Thank you very much!
Tim

From Don.Reynolds at quest.com Tue Nov 6 10:27:17 2018
From: Don.Reynolds at quest.com (Don Reynolds (dreynold))
Date: Tue, 6 Nov 2018 15:27:17 +0000
Subject: [keycloak-user] Create user API in keycloak with default password
In-Reply-To:
References:
Message-ID:

Hello Shubham,

Yes, this can be done. The easiest way to see it is to turn on developer tools in the browser and watch the network traffic as you use the "Users->Credentials" tab in the Keycloak admin console to set a non-temporary password for a user.

Once you have created the user via the API, you can then make a second API call to "reset-password" to set the password. It should look something like this:

PUT /admin/realms/{realm}/users/{id}/reset-password

Request payload:

{"type":"password","value":"Password01","temporary":false}

The key is to set "temporary" to false. Otherwise the user will be prompted to change their password next time they log in.

Hope that helps,
Don

> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Shubham Akodiya
> Sent: Tuesday, November 6, 2018 6:41 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Create user API in keycloak with default password
>
> Hi Team,
>
> Is there any API available for creating the user with a default password?
> I've gone through the API - POST /{realm}/users
> api/index.html#_users_resource> but didn't find the password setting field for
> new user.
>
> Thanks,
> Shubham Akodiya

From wolfgang.weber at bearingpoint.com Tue Nov 6 10:50:09 2018
From: wolfgang.weber at bearingpoint.com (Weber, Wolfgang)
Date: Tue, 6 Nov 2018 15:50:09 +0000
Subject: [keycloak-user] Keycloak 5.4.0.Final: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
In-Reply-To:
References:
Message-ID:

For the last few hours I have tried to deploy keycloak 4.5.0.Final without any success. Startup fails with "No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION". I did not find any information on whether this is a common issue or if I missed something in my config. An installation of 4.4.0.Final starts without any issues.

For me it seems to be related to [KEYCLOAK-8289] - Remove authorization services from product preview profile #5587

Exception:

15:45:43,248 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
    ...
8 more
Caused by: java.lang.ExceptionInInitializerError
    at org.keycloak.protocol.docker.DockerAuthV2ProtocolFactory.isSupported(DockerAuthV2ProtocolFactory.java:76)
    at org.keycloak.services.DefaultKeycloakSessionFactory.isEnabled(DefaultKeycloakSessionFactory.java:238)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:216)
    at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:78)
    at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:326)
    at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:117)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 31 more
Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
    at org.keycloak.common.Profile.(Profile.java:120)
    at org.keycloak.common.Profile.(Profile.java:68)
    ... 42 more
Caused by: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
    at java.lang.Enum.valueOf(Enum.java:238)
    at org.keycloak.common.Profile$Feature.valueOf(Profile.java:35)
    at org.keycloak.common.Profile.(Profile.java:111)
    ... 43 more

Yours,
Wolfgang

________________________________
BearingPoint Technology GmbH
Registered office: Premstätten bei Graz
Commercial register court: Landesgericht für ZRS Graz
Commercial register number: FN 44354b
The information in this email is confidential and may be legally privileged.
If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

From fabio.ebner at lumera.com.br Tue Nov 6 11:10:03 2018
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Tue, 6 Nov 2018 14:10:03 -0200
Subject: [keycloak-user] How to refresh token
Message-ID:

How can I refresh a token after it expires?

tks

From psilva at redhat.com Tue Nov 6 11:14:16 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Nov 2018 14:14:16 -0200
Subject: [keycloak-user] Keycloak 5.4.0.Final: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
In-Reply-To:
References:
Message-ID:

Please, remove AUTHORIZATION from the list of profile features. I'll update docs accordingly.

On Tue, Nov 6, 2018 at 1:58 PM Weber, Wolfgang <wolfgang.weber at bearingpoint.com> wrote:

> For the last few hours I have tried to deploy keycloak 4.5.0.Final without any
> success. Startup fails with "No enum constant
> org.keycloak.common.Profile.Feature.AUTHORIZATION". I did not find any
> information on whether this is a common issue or if I missed something in my
> config. An installation of 4.4.0.Final starts without any issues.
>
> For me it seems to be related to [KEYCLOAK-8289] - Remove authorization
> services from product preview profile #5587
>
> Exception:
>
> 15:45:43,248 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
>     at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>     ... 8 more
> Caused by: java.lang.ExceptionInInitializerError
>     at org.keycloak.protocol.docker.DockerAuthV2ProtocolFactory.isSupported(DockerAuthV2ProtocolFactory.java:76)
>     at org.keycloak.services.DefaultKeycloakSessionFactory.isEnabled(DefaultKeycloakSessionFactory.java:238)
>     at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:216)
>     at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:78)
>     at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:326)
>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:117)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>     ... 31 more
> Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
>     at org.keycloak.common.Profile.(Profile.java:120)
>     at org.keycloak.common.Profile.(Profile.java:68)
>     ... 42 more
> Caused by: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION
>     at java.lang.Enum.valueOf(Enum.java:238)
>     at org.keycloak.common.Profile$Feature.valueOf(Profile.java:35)
>     at org.keycloak.common.Profile.(Profile.java:111)
>     ... 43 more
>
>
> Yours,
> Wolfgang
> ________________________________
> BearingPoint Technology GmbH
> Sitz: Premstätten bei Graz
> Firmenbuchgericht: Landesgericht für ZRS Graz
> Firmenbuchnummer: FN 44354b
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From uo67113 at gmail.com Tue Nov 6 11:16:51 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Tue, 6 Nov 2018 17:16:51 +0100
Subject: [keycloak-user] remote debugging keycloak docker image
In-Reply-To: 
References: 
Message-ID: 

Hello Meissa,

At the end of the day there should be no difference between debugging keycloak and any other java process. In essence it is just about exposing the debug port outside your k8s cluster. This article [1] explains it very well.

Hope it helps,

Luis

[1] https://itnext.io/remote-debugging-spring-boot-on-kubernetes-a5f96a40e5c0

On Tue, 6 Nov 2018 at 15:21, Meissa M'baye Sakho () wrote:

> Hello everyone,
> I need to enable remote debugging on keycloak docker image. I'm using a
> vanilla kubernetes.
> Any input on that?
> Regards,
> Meissa
>

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From Rajib.Mitra at bedag.ch Tue Nov 6 11:26:34 2018
From: Rajib.Mitra at bedag.ch (Mitra Rajib, Bedag)
Date: Tue, 6 Nov 2018 16:26:34 +0000
Subject: [keycloak-user] Welcome Email after Verification Success
Message-ID: 

Hi!

I use Keycloak for User-Registration and would like to send a realm-customized "Welcome"-Email after the user verified his email-account. The doc at https://www.keycloak.org/docs/3.2/server_admin/topics/events/login.html mentions 4 different types of email events, but none of these events fit my use-case. Is there any other way I can (easily) implement such a functionality?

Thanks,
Rajib

From rmbyrd at dstsystems.com Tue Nov 6 11:28:00 2018
From: rmbyrd at dstsystems.com (Byrd, Rob M)
Date: Tue, 6 Nov 2018 16:28:00 +0000
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <1541136118.4390.1.camel@acutus.pro>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro>
Message-ID: <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com>

(Hope this is the correct way to reply - let me know if not)

Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking? For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security.

Thoughts?

Thanks!

Rob Byrd
DST
Solutions Lead
SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
t: (816) 435-7286 | m (816) 509-0119
rmbyrd at dstsystems.com | www.ssctech.com

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Friday, November 2, 2018 12:22 AM
To: Byrd, Rob M ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Data filtering in SQL

Hello Rob,

If I get it right, it's all about generating a SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.

You should pay attention to the following:
- there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate on HTTP methods but rather use a more generic notion of scopes;
- not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4.
>
> Thanks!
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 | m (816) 509-0119
> rmbyrd at dstsystems.com | www.ssctech.com
>
>
> Please consider the environment before printing this email and any attachments.
>
> This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
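Dmitry's point above, that User/Group/Role policies translate to a WHERE clause while Script and Rules policies do not, as an added example; this is not code from Keycloak or from anyone in this thread. It assumes policy definitions in the shape of a Keycloak realm export (each config value a JSON-encoded string), a constructed resources table with columns resource_id and resource_type, and a subject described by username, role names and group paths; the policies, rows and column names are constructed for the example.

```python
"""Compile Keycloak-style User/Group/Role/Aggregate policies into a parameterized
SQL WHERE clause for row filtering. Added example, not Keycloak's own code.
Assumed: policy dicts follow the Keycloak realm-export shape ("config" values are
JSON-encoded strings); the filtered table has constructed columns resource_id and
resource_type; the subject is given as username, role names and group paths."""
import json
import sqlite3


class NotTranslatable(Exception):
    """Script (js) and Rules policies are black boxes: refuse, never approximate."""


# Predicate AST: ("const", bool) | ("in", column, values) | ("and"|"or", parts) | ("not", p)
TRUE, FALSE = ("const", True), ("const", False)


def _join(kind, parts):
    """AND/OR with constant folding, so subject-only policies vanish from the SQL."""
    absorb, neutral = (FALSE, TRUE) if kind == "and" else (TRUE, FALSE)
    kept = [p for p in parts if p != neutral]
    if absorb in kept:
        return absorb
    return neutral if not kept else kept[0] if len(kept) == 1 else (kind, kept)


def _not(p):
    return FALSE if p == TRUE else TRUE if p == FALSE else ("not", p)


def _cfg(policy, key, default=None):
    raw = policy.get("config", {}).get(key)  # export format: a JSON document in a string
    return default if raw is None else json.loads(raw)


def compile_policy(name, policies, subject):
    """Partial evaluation: the subject is known, the row is the unknown.
    user/role/group collapse to constants; resource permissions contribute the only
    row-dependent terms; every other type (js, rules, time, scope ...) is refused."""
    pol, kind = policies[name], policies[name]["type"]
    if kind == "user":
        pred = TRUE if subject["username"] in _cfg(pol, "users", []) else FALSE
    elif kind == "role":  # every 'required' role held, and at least one listed role held
        defs = _cfg(pol, "roles", [])
        held = [d["id"] in subject["roles"] for d in defs]
        required_ok = all(h for d, h in zip(defs, held) if d.get("required"))
        pred = TRUE if required_ok and any(held) else FALSE
    elif kind == "group":  # member of the group, or of a child group when extendChildren
        pred = FALSE
        for g in _cfg(pol, "groups", []):
            for mine in subject["groups"]:
                if mine == g["path"] or (g.get("extendChildren") and mine.startswith(g["path"] + "/")):
                    pred = TRUE
    elif kind in ("aggregate", "resource"):
        strategy = pol.get("decisionStrategy", "UNANIMOUS")
        if strategy not in ("UNANIMOUS", "AFFIRMATIVE"):
            raise NotTranslatable(f"{name}: decision strategy {strategy} not handled")
        subs = [compile_policy(n, policies, subject) for n in _cfg(pol, "applyPolicies", [])]
        pred = _join("and" if strategy == "UNANIMOUS" else "or", subs)
        if kind == "resource":  # rows this permission covers: named resources or a type
            names = _cfg(pol, "resources", [])
            rtype = pol.get("config", {}).get("defaultResourceType")
            scope = ("in", "resource_id", names) if names else ("in", "resource_type", [rtype]) if rtype else TRUE
            pred = _join("and", [scope, pred])
    else:
        raise NotTranslatable(f"{name}: policy type '{kind}' cannot become a WHERE clause")
    return _not(pred) if pol.get("logic") == "NEGATIVE" else pred


def to_sql(pred, params):
    """Render the AST as a '?'-placeholder fragment, appending bind values to params."""
    kind = pred[0]
    if kind == "const":
        return "1=1" if pred[1] else "1=0"
    if kind == "in":
        params.extend(pred[2])
        return f"{pred[1]} IN ({', '.join('?' * len(pred[2]))})"
    if kind == "not":
        return f"NOT ({to_sql(pred[1], params)})"
    return "(" + (" AND " if kind == "and" else " OR ").join(to_sql(p, params) for p in pred[1]) + ")"


def where_clause(permission_names, policies, subject):
    """Rows visible under any of the named permissions -> (sql fragment, bind params)."""
    params = []
    pred = _join("or", [compile_policy(n, policies, subject) for n in permission_names])
    return to_sql(pred, params), params


J = json.dumps  # constructed sample policies in the export shape (config values are JSON strings)
POLICIES = {
    "admins": {"type": "role", "config": {"roles": J([{"id": "admin", "required": True}])}},
    "finance": {"type": "group", "config": {"groups": J([{"path": "/finance", "extendChildren": True}])}},
    "not-contractors": {"type": "group", "logic": "NEGATIVE", "config": {"groups": J([{"path": "/contractors"}])}},
    "finance-staff": {"type": "aggregate", "decisionStrategy": "UNANIMOUS",
                      "config": {"applyPolicies": J(["finance", "not-contractors"])}},
    "owner-only": {"type": "js", "config": {"code": "/* opaque to SQL */"}},
    "all-invoices": {"type": "resource", "decisionStrategy": "AFFIRMATIVE",
                     "config": {"defaultResourceType": "invoice", "applyPolicies": J(["admins", "finance-staff"])}},
    "board-pack": {"type": "resource", "decisionStrategy": "UNANIMOUS",
                   "config": {"resources": J(["rep-q3", "rep-q4"]), "applyPolicies": J(["admins"])}},
}
PERMISSIONS = ["all-invoices", "board-pack"]
ROWS = [("inv-1", "invoice"), ("inv-2", "invoice"), ("rep-q3", "report"), ("rep-q4", "report"), ("memo-1", "memo")]


def visible_rows(subject, permissions=PERMISSIONS):
    """Apply the generated clause in the database (sqlite here) and return matching ids."""
    sql, params = where_clause(permissions, POLICIES, subject)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (resource_id TEXT, resource_type TEXT)")
    conn.executemany("INSERT INTO resources VALUES (?, ?)", ROWS)  # constructed rows
    return sorted(r[0] for r in conn.execute(f"SELECT resource_id FROM resources WHERE {sql}", params))
```

The approach is partial evaluation: the subject's identity is bound before the query runs, so user, role and group policies fold to constants and only resource permissions leave row-dependent terms, which become parameterized IN lists rather than string-concatenated SQL. For an admin the two permissions compile to `(resource_type IN (?) OR resource_id IN (?, ?))`; for a finance group member only the type predicate survives; for a contractor the clause is `1=0`. A js policy raises NotTranslatable, which is the right failure mode: a filter that silently drops a policy it cannot express widens access.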
From geoff at opticks.io Tue Nov 6 12:34:22 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 18:34:22 +0100
Subject: [keycloak-user] How to refresh token
In-Reply-To: 
References: 
Message-ID: 

curl -X POST \
  https://{domain}/auth/realms/{realm}/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&client_id={client_id}&client_secret={secret}&refresh_token={refresh_token}'

On Tue, 6 Nov 2018 at 17:13, Fabio Ebner wrote:

> How can I refresh a token after it expires?
>
> tks
>

From nomb85 at gmail.com Tue Nov 6 15:31:34 2018
From: nomb85 at gmail.com (Nathan McBride)
Date: Tue, 06 Nov 2018 15:31:34 -0500
Subject: [keycloak-user] Error Being Thrown with MySql
Message-ID: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>

Hello everyone,

Thank you for taking the time to read this and trying to help me. I'm new to KeyCloak as well as JBOSS.

I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server. I chose CentOS 7 as the operating system.

I have been following the guide located here: http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend

I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I'm not really sure what I did wrong.

Any help is greatly appreciated.
Thank you,

Nate

Here are the errors:

20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
    ... 8 more
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 31 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
    ... 43 more
Caused by: java.lang.IllegalStateException
    at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
    at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
    ... 52 more

20:26:28,938 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
20:26:28,953 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    Caused by: java.lang.IllegalStateException"}}
20:26:29,011 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
20:26:29,014 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
20:26:29,017 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping
20:26:29,021 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
20:26:29,029 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container
20:26:29,030 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container
20:26:29,030 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container
20:26:29,031 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from keycloak container
20:26:29,032 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container
20:26:29,032 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak container
20:26:29,033 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak container
20:26:29,034 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
20:26:29,034 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak container
20:26:29,035 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
20:26:29,038 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container
20:26:29,062 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container
20:26:29,068 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2
20:26:29,088 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending
20:26:29,089 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container
20:26:29,089 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080
20:26:29,091 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping
20:26:29,100 INFO  [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container
20:26:29,106 INFO  [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container
20:26:29,110 INFO  [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container
20:26:29,111 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms
20:26:29,149 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException
    at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534)
    at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418)
    at org.jboss.as.server.ServerService.boot(ServerService.java:388)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
    at java.lang.Thread.run(Thread.java:748)

From geoff at opticks.io Tue Nov 6 15:48:47 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 21:48:47 +0100
Subject: [keycloak-user] Error Being Thrown with MySql
In-Reply-To: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>
References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>
Message-ID: 

I believe there is an unresolved (and unadmitted) incompatibility with Mysql. Use postgres.

On Tue, Nov 6, 2018, 21:40 Nathan McBride wrote:

> Hello everyone,
>
> Thank you for taking the time to read this and trying to help me. I'm new
> to KeyCloak as well as JBOSS.
>
> I created an AWS Lightsail account, the $5 / month plan, and am trying to
> use it for a KeyCloak server. I chose CentOS 7 as the operating system.
>
> I have been following the guide located here:
> http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
>
> I have followed all the steps and am at the point where KeyCloak is
> supposed to be started. But when I start it, it errors and it looks like it
> is a problem with the mysql connection. However, I have tested the
> credentials both locally and connecting remote with DataGrip and I'm not
> really sure what I did wrong.
>
> Any help is greatly appreciated.
>
> Thank you,
>
> Nate
>
> Here are the errors:
>
> 20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
>     at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>     ... 8 more
> Caused by: java.lang.RuntimeException: Failed to connect to database
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>     ... 31 more
> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
>     ... 43 more
> Caused by: java.lang.IllegalStateException
>     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
>     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
>     ... 52 more
>
> 20:26:28,938 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
> 20:26:28,953 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
> 20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     Caused by: java.lang.RuntimeException: Failed to connect to database
>     Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>     Caused by: java.lang.IllegalStateException"}}
> 20:26:29,011 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
> 20:26:29,014 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
> 20:26:29,017 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping
> 20:26:29,021 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
> 20:26:29,029 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container
>
20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from > keycloak container > > 20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak > container > > 20:26:29,031 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from > keycloak container > > 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from > keycloak container > > 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak > container > > 20:26:29,033 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak > container > > 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak > container > > 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak > container > > 20:26:29,035 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from > keycloak container > > 20:26:29,038 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container > > 20:26:29,062 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container > > 20:26:29,068 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2 > > 20:26:29,088 INFO [org.wildfly.extension.undertow] (MSC service 
thread > 1-2) WFLYUT0008: Undertow HTTP listener default suspending > > 20:26:29,089 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb > container > > 20:26:29,089 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to > 0.0.0.0:8080 > > 20:26:29,091 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping > > 20:26:29,100 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from > keycloak container > > 20:26:29,106 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak > container > > 20:26:29,110 INFO [org.jboss.as.clustering.infinispan] (MSC service > thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak > container > > 20:26:29,111 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: > keycloak-server.war) in 170ms > > 20:26:29,149 INFO [org.jboss.as.server] (ServerService Thread Pool -- 37) > WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > > 20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException > > at > org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534) > > at > org.jboss.as.server.ServerService.finishBoot(ServerService.java:418) > > at > org.jboss.as.server.ServerService.boot(ServerService.java:388) > > at > org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372) > > at java.lang.Thread.run(Thread.java:748) > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at 
lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From nomb85 at gmail.com Tue Nov 6 15:51:06 2018 From: nomb85 at gmail.com (Nate M) Date: Tue, 6 Nov 2018 15:51:06 -0500 Subject: [keycloak-user] Error Being Thrown with MySql In-Reply-To: References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com> Message-ID:

I was really only able to get this far because of the guide. Do you have the steps to convert the setup to postgres?

Thanks,
Nate

On Tue, Nov 6, 2018 at 3:49 PM Geoffrey Cleaves wrote:
> I believe there is an unresolved (and unadmitted) incompatibility with Mysql. Use postgres.
>
> On Tue, Nov 6, 2018, 21:40 Nathan McBride
>> Hello everyone,
>>
>> Thank you for taking the time to read this and trying to help me. I'm new to KeyCloak as well as JBOSS.
>>
>> I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server. I chose CentOS 7 as the operating system.
>>
>> I have been following the guide located here: http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
>>
>> I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I'm not really sure what I did wrong.
>>
>> Any help is greatly appreciated.
>>
>> Thank you,
>> Nate

From ronald.demneri at amdtia.com Tue Nov 6 15:51:57 2018 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Tue, 6 Nov 2018 20:51:57 +0000 Subject: [keycloak-user] filter group claim in token per client In-Reply-To: References: <1541397265.3650.7.camel@acutus.pro> , Message-ID:

I configured the client to not use the userinfo endpoint for the group mapping. Instead I used the id token, and everything looks good now (no errors in the log, and the client gets the claim, and assigns permissions accordingly). Anyhow, the question remains, is there a way to get the client id using the script mapper?

Thanks in advance,
Ronald

Sent from my HTC

----- Reply message -----
From: "Ronald Demneri" To: "Ronald Demneri" , "Dmitry Telegin"
, "keycloak-user at lists.jboss.org" Subject: [keycloak-user] filter group claim in token per client Date: Tue, Nov 6, 2018 16:08

Hello again,

Upon testing login and experimenting where the claim should be inserted, I found out that the duplicate print() is a result of including the claim in both ID and access tokens. The error comes as a result of including the claim in the userinfo token, and probably that is why the userinfo endpoint does not contain the claim when the client application requests it. Any idea how to solve it?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri Sent: 06.Nov.2018 12:01 PM To: Ronald Demneri ; Dmitry Telegin
; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] filter group claim in token per client

So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:

2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################ APP1
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) ############################################
2018-11-06 10:51:42,407 INFO [stdout] (default task-1892) We are here!!!
2018-11-06 10:51:42,408 INFO [stdout] (default task-1892) ############################################

But when trying to actually log in to the client, I receive the following:

2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,465 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,466 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################ APP1
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,474 INFO [stdout] (default task-1891) We are here!!!
2018-11-06 10:52:20,475 INFO [stdout] (default task-1891) ############################################
2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in at line number 31

Line 31 is as follows:

31: var client = token.getIssuedFor().toUpperCase();
32: print("############################################ " + client);

So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated?

ATM, I removed the client scope mapper and have recreated the script mapper only for this client.

Regards,
Ronald

-----Original Message-----
From: Ronald Demneri Sent: 06.Nov.2018 11:05 AM To: 'Ronald Demneri' ; 'Dmitry Telegin'
; 'keycloak-user at lists.jboss.org' Subject: RE: [keycloak-user] filter group claim in token per client

Hello Dmitry,

A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo.

This is the script that we came up with (configured both as client scopes (possibly define as a default client scope) as well as script mapper specific to this client for test purposes - claim names are different of course):

[kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
[ {
  "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
  "name" : "Filtered_Groups",
  "protocol" : "openid-connect",
  "attributes" : {
    "display.on.consent.screen" : "true"
  },
  "protocolMappers" : [ {
    "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
    "name" : "Filtered Groups",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-script-based-protocol-mapper",
    "consentRequired" : false,
    "config" : {
      "multivalued" : "true",
      "userinfo.token.claim" : "true",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "fGroup",
      "jsonType.label" : "String",
      "script" : "/** * Available variables: * user - the current user * realm - the current realm * token - the current token * userSession - the current userSession * keycloakSession - the current userSession */ //insert your code here... //So, first we need to know, how many names should be added to the new claim, var username = user ? user.username : \"anonymous\"; var groups = user.getGroups(); var group_array = groups.toArray(); //print(\"########################################## \" + username); var client = token.getIssuedFor(); //print(\"############################################ \" + client); var clUp = client.toUpperCase(); //print(clUp); var group_APP = \"APP-\" + clUp + \"-USERS\"; var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\"; var group_filtered = []; for (var i in group_array) { var gn = group_array[i].getName(); var gnUp = gn.toUpperCase(); if (gnUp === group_APP || gnUp === group_ROL) { group_filtered.push(\"/\" + gn); } } //Then we declare the new array. var l = group_filtered.length; var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l); for (var f in group_filtered) { group_token[f] = group_filtered[f]; //print(group_token[f]); } //And submit the array as token token.setOtherClaims(\"fGroup\", group_token);"
    }
  } ]
}

This is the userinfo data for my account:

{
  "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
  "Group": [
    "/APP-App1-Users/TGR-Team-ABC",
    "/APP-App1-Users/TGR-Team-DEF",
    "/APP-App1-Users",
    "/APP-MySmallApp-Users"
  ],
  "email_verified": false,
  "name": "Ronald Demneri",
  "preferred_username": "u151302",
  "given_name": "Ronald",
  "family_name": "Demneri"

The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected. What do you think is going on? Is this behavior normal?

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri Sent: 05.Nov.2018 12:12 PM To: 'Ronald Demneri' ; Dmitry Telegin
; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] filter group claim in token per client

Hello,

In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then make the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?

Thanks again for your support!
Ronald

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri Sent: 05.Nov.2018 11:00 AM To: Dmitry Telegin
; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] filter group claim in token per client

Hello Dmitry,

Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. What do I need to pay extra attention to in order to solve this?

Thanks in advance and Regards,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 05.Nov.2018 6:54 AM To: Ronald Demneri ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] filter group claim in token per client

Hello Ronald,

As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> Hello everyone,
>
> Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD). Let's say that user Ronald is member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
>
> Thanks in advance,
>
> Ronald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Tue Nov 6 15:58:42 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 6 Nov 2018 21:58:42 +0100
Subject: [keycloak-user] Error Being Thrown with MySql
In-Reply-To:
References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>
Message-ID:

Well, I now see that the guide is quite recent. Maybe the mysql issue has been resolved. Sorry I can't be of more help.

On Tue, Nov 6, 2018, 21:51 Nate M
> I was really only able to get this far because of the guide. Do you have the steps to convert the setup to postgres?
>
> Thanks,
>
> Nate
>
> On Tue, Nov 6, 2018 at 3:49 PM Geoffrey Cleaves wrote:
>
>> I believe there is an unresolved (and unadmitted) incompatibility with Mysql. Use postgres.
>>
>> On Tue, Nov 6, 2018, 21:40 Nathan McBride
>>> Hello everyone,
>>>
>>> Thank you for taking the time to read this and trying to help me. I'm new to KeyCloak as well as JBOSS.
>>>
>>> I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server. I chose CentOS 7 as the operating system.
>>>
>>> I have been following the guide located here:
>>> http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
>>>
>>> I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I'm not really sure what I did wrong.
>>>
>>> Any help is greatly appreciated.
>>>
>>> Thank you,
>>>
>>> Nate
>>>
>>> Here are the errors:
>>>
>>> 20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>>     at java.lang.Thread.run(Thread.java:748)
>>>     at org.jboss.threads.JBossThread.run(JBossThread.java:485)
>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
>>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
>>>     at
org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
>>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
>>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
>>>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
>>>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
>>>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>>>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>>>     at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>>>     ... 8 more
>>> Caused by: java.lang.RuntimeException: Failed to connect to database
>>>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
>>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>>>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611)
>>>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>>>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
>>>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>>>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>     at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>>     ... 31 more
>>> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>>>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>>>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>>>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>>>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
>>>     ... 43 more
>>> Caused by: java.lang.IllegalStateException
>>>     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50)
>>>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148)
>>>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
>>>     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110)
>>>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
>>>     ...
52 more
>>>
>>> 20:26:28,938 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
>>> 20:26:28,953 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
>>> 20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>> Caused by: java.lang.RuntimeException: Failed to connect to database
>>> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>>> Caused by: java.lang.IllegalStateException"}}
>>> 20:26:29,011 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
>>> 20:26:29,014 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
>>> 20:26:29,017 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping
>>> 20:26:29,021 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
>>> 20:26:29,029 INFO [org.jboss.as.clustering.infinispan] (ServerService
Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container
>>> 20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container
>>> 20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container
>>> 20:26:29,031 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from keycloak container
>>> 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container
>>> 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak container
>>> 20:26:29,033 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak container
>>> 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
>>> 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak container
>>> 20:26:29,035 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
>>> 20:26:29,038 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container
>>> 20:26:29,062 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container
>>> 20:26:29,068 INFO
[org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2
>>> 20:26:29,088 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending
>>> 20:26:29,089 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container
>>> 20:26:29,089 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080
>>> 20:26:29,091 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping
>>> 20:26:29,100 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container
>>> 20:26:29,106 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container
>>> 20:26:29,110 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container
>>> 20:26:29,111 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms
>>> 20:26:29,149 INFO [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
>>> 20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException
>>>     at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534)
>>>     at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418)
>>>     at
org.jboss.as.server.ServerService.boot(ServerService.java:388)
>>>     at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
>>>     at java.lang.Thread.run(Thread.java:748)
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Nov 6 16:04:24 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Nov 2018 19:04:24 -0200
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com>
Message-ID:

This is not among the use cases we are trying to solve with Keycloak Authorization Services. But looking at one of the examples from that article:

"Pet owners can access their own pet's profiles."
"Veterinarians can access pet profiles from devices at the clinic."

You could have the same behavior if your API is designed in a way that you can enforce access to individual resources, in that case, the "pets". You can write policies saying that "Only Owner" can access "/api/petclinic/pet/{id}", as well as make sure "Only Veterinarians" can access certain pets. You could even delegate to pet owners complete control over the permissions that govern access to information about their pets by using UMA.

Note that we are resource-based, so you are basically telling Keycloak the resources you are protecting. Where they can represent the actual resource (e.g.: Pet Foo) or a generic resource representing a set of one or more resources (e.g.: Pet).
What I mean is that you are not forced to create a resource in Keycloak for every single resource you want to protect, but just a single resource representing all resources you are protecting. Of course, as long as they share the same access policies.

Regards.
Pedro Igor

On Tue, Nov 6, 2018 at 2:38 PM Byrd, Rob M wrote:

> (Hope this is the correct way to reply - let me know if not)
>
> Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?
>
> For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
>
> Thanks!
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 | m (816) 509-0119
> rmbyrd at dstsystems.com | www.ssctech.com
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Friday, November 2, 2018 12:22 AM
> To: Byrd, Rob M ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Data filtering in SQL
>
> Hello Rob,
>
> If I get it right, it's all about generating a SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
>
> You should pay attention to the following:
> - there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate on HTTP methods but rather use a more generic notion of scopes;
> - not every policy type can be easily converted to a WHERE clause.
> It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 .
> >
> > Thanks!
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286 | m (816) 509-0119
> > rmbyrd at dstsystems.com | www.ssctech.com
> >
> > Please consider the environment before printing this email and any attachments.
> >
> > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender.
> > If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Tue Nov 6 18:02:00 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 7 Nov 2018 00:02:00 +0100
Subject: [keycloak-user] Error Being Thrown with MySql
In-Reply-To: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>
References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com>
Message-ID: <08363100-ac9a-15fe-dfa0-a3c61590ea4f@redhat.com>

Hello,

Can you check $JBOSS_HOME/standalone/configuration/standalone.xml if there is something like this within datasources subsystem?

On 11/6/18 9:31 PM, Nathan McBride wrote:
> Hello everyone,
>
> Thank you for taking the time to read this and trying to help me. I'm new to KeyCloak as well as JBOSS.
>
> I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server.
> I chose CentOS 7 as the operating system.
>
> I have been following the guide located here: http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend
>
> I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I'm not really sure what I did wrong.
>
> Any help is greatly appreciated.
>
> Thank you,
>
> Nate
>
> Here are the errors:
>
> 20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>    
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
>     at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
>     at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
>    
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
>     ... 8 more
> Caused by: java.lang.RuntimeException: Failed to connect to database
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
>    
at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
>     at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611)
>     at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
>     at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>     at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>     ... 31 more
> Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
>     at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
>    
at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
>     at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at javax.naming.InitialContext.lookup(InitialContext.java:417)
>     at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
>     ... 43 more
> Caused by: java.lang.IllegalStateException
>     at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148)
>     at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
>     at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110)
>     at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
>     ... 52 more
>
> 20:26:28,938 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
> 20:26:28,953 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
> 20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>    
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > ??? Caused by: java.lang.RuntimeException: Failed to connect to database > > ??? Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException] > > ??? Caused by: java.lang.IllegalStateException"}} > > 20:26:29,011 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending > > 20:26:29,014 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 > > 20:26:29,017 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping > > 20:26:29,021 INFO? [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] > > 20:26:29,029 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container > > 20:26:29,030 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container > > 20:26:29,030 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container > > 20:26:29,031 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from keycloak container > > 20:26:29,032 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container > > 20:26:29,032 INFO? 
[org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak container > > 20:26:29,033 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak container > > 20:26:29,034 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak container > > 20:26:29,034 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak container > > 20:26:29,035 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container > > 20:26:29,038 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container > > 20:26:29,062 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container > > 20:26:29,068 INFO? [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2 > > 20:26:29,088 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending > > 20:26:29,089 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container > > 20:26:29,089 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080 > > 20:26:29,091 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping > > 20:26:29,100 INFO? [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container > > 20:26:29,106 INFO? 
[org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container > > 20:26:29,110 INFO? [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container > > 20:26:29,111 INFO? [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms > > 20:26:29,149 INFO? [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") > > 20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException > > ??????????????? at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534) > > ??????????????? at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418) > > ??????????????? at org.jboss.as.server.ServerService.boot(ServerService.java:388) > > ??????????????? at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372) > > ??????????????? 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Tue Nov 6 18:24:04 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 7 Nov 2018 00:24:04 +0100
Subject: [keycloak-user] I need a Integrationtest example for keycloak 4.5
In-Reply-To: <5BDF0BC3.4080309@patrick-hesse.de>
References: <5BDF0BC3.4080309@patrick-hesse.de>
Message-ID: <064a0019-3606-50d7-344c-028b51d01a25@redhat.com>

Hello Patrick,

you can find some information about arquillian tests here:
https://github.com/keycloak/keycloak/tree/master/testsuite/integration-arquillian

On 11/4/18 4:09 PM, Patrick Hesse wrote:
> Hi all,
>
> I have here some source code incl. IntegrationTests for a custom
> authenticator. This code was written by some other people. Now I must
> migrate this from Keycloak 3.0 to 4.5.
>
> I have migrated the authenticator, but the migration for the
> IntegrationTests will not work.
>
> Where can I find a demo IntegrationTests with Arquillian?
>
> nice greetings
> Patrick Hesse

From nomb85 at gmail.com Tue Nov 6 18:38:06 2018
From: nomb85 at gmail.com (Nathan McBride)
Date: Tue, 06 Nov 2018 18:38:06 -0500
Subject: [keycloak-user] Error Being Thrown with MySql
In-Reply-To: <08363100-ac9a-15fe-dfa0-a3c61590ea4f@redhat.com>
References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com> <08363100-ac9a-15fe-dfa0-a3c61590ea4f@redhat.com>
Message-ID: <7291B312-93AC-4AE5-99DB-4DA9E51D4A6B@gmail.com>

Yes there is. Here are the parts of my configuration that pertain to mysql.

I'm not worried about the passwords on here as it's a lab box and will be changed anyway.
    jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
    h2
    sa
    sa

    jdbc:mysql://localhost:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp;serverTimezone=Europe/Amsterdam&amp;characterEncoding=UTF-8
    org.mysql
    keycloak
    38Je*T/kGk]hVEU;86D6{BPUx
    true

    org.h2.jdbcx.JdbcDataSource
    com.mysql.jdbc.Driver

Thank you.
Nate

From: Vlasta Ramik
Date: Tuesday, November 6, 2018 at 6:02 PM
To: Nathan McBride
Cc:
Subject: Re: [keycloak-user] Error Being Thrown with MySql

Hello,

Can you check $JBOSS_HOME/standalone/configuration/standalone.xml if there is something like this within datasources subsystem?

On 11/6/18 9:31 PM, Nathan McBride wrote:

Hello everyone,

Thank you for taking the time to read this and trying to help me. I'm new to KeyCloak as well as JBOSS.

I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server. I chose CentOS 7 as the operating system.

I have been following the guide located here: http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mysql-backend

I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I'm not really sure what I did wrong.

Any help is greatly appreciated.
Thank you,
Nate

Here are the errors:

20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
    ... 8 more
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 31 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366)
    ... 43 more
Caused by: java.lang.IllegalStateException
    at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148)
    at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46)
    at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131)
    ... 52 more

20:26:28,938 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
20:26:28,953 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    Caused by: java.lang.IllegalStateException"}}
20:26:29,011 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
20:26:29,014 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
20:26:29,017 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping
20:26:29,021 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
20:26:29,029 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container
20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container
20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container
20:26:29,031 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from keycloak container
20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container
20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak container
20:26:29,033 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak container
20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak container
20:26:29,035 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
20:26:29,038 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container
20:26:29,062 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container
20:26:29,068 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2
20:26:29,088 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending
20:26:29,089 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container
20:26:29,089 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080
20:26:29,091 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping
20:26:29,100 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container
20:26:29,106 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container
20:26:29,110 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container
20:26:29,111 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms
20:26:29,149 INFO [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException
    at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534)
    at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418)
    at org.jboss.as.server.ServerService.boot(ServerService.java:388)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372)
    at java.lang.Thread.run(Thread.java:748)

From vramik at redhat.com Tue Nov 6 18:41:54 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 7 Nov 2018 00:41:54 +0100
Subject: [keycloak-user] Error Being Thrown with MySql
In-Reply-To:
<7291B312-93AC-4AE5-99DB-4DA9E51D4A6B@gmail.com>
References: <81FB9C4C-1758-4E6C-8656-5EB32A40DA8F@gmail.com> <08363100-ac9a-15fe-dfa0-a3c61590ea4f@redhat.com> <7291B312-93AC-4AE5-99DB-4DA9E51D4A6B@gmail.com>
Message-ID:

The issue might be in driver definition. Can you check that, please? See inline.

On 11/7/18 12:38 AM, Nathan McBride wrote:
> Yes there is. Here are the parts of my configuration that pertain to mysql.
>
> I'm not worried about the passwords on here as it's a lab box and will
> be changed anyway.
>
> jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS"
> enabled="true" use-java-context="true">
> jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
> h2
> sa
> sa
>
> jndi-name="java:/jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
> enabled="true" use-java-context="true">
> jdbc:mysql://localhost:3306/keycloak?useSSL=false&amp;useLegacyDatetimeCode=false&amp;serverTimezone=Europe/Amsterdam&amp;characterEncoding=UTF-8
> org.mysql

driver should be "mysql", not "org.mysql", it refers to driver name attribute below

> keycloak
> 38Je*T/kGk]hVEU;86D6{BPUx
> class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
> true
> class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
>
> org.h2.jdbcx.JdbcDataSource
> com.mysql.jdbc.Driver
>
> Thank you.
[org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending > > 20:26:29,089 INFO? [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container > > 20:26:29,089 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080 > > 20:26:29,091 INFO? [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping > > 20:26:29,100 INFO? [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container > > 20:26:29,106 INFO? [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container > > 20:26:29,110 INFO? [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container > > 20:26:29,111 INFO? [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms > > 20:26:29,149 INFO? [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") > > 20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException > > ??????????????? at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534) > > ??????????????? at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418) > > ??????????????? at org.jboss.as.server.ServerService.boot(ServerService.java:388) > > ??????????????? at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372) > > ??????????????? 
at java.lang.Thread.run(Thread.java:748) > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From robstyle1234 at gmail.com Wed Nov 7 03:23:20 2018 From: robstyle1234 at gmail.com (ola rob) Date: Wed, 7 Nov 2018 13:53:20 +0530 Subject: [keycloak-user] How can I use Keycloak to support my architecture? Message-ID: Hi, I need some help in securing my applications with keycloak: I have couple of grails applications (App1 and App2) using spring security. However, currently I am using keycloak REST API to authenticate users by passing username and password and receive token without registering these applications as clients in the keycloak. But this approach seems to be inefficient when we want to support SSO, kerberos and other lot of powerful features that Keycloak offers. So I came up with the below approach to support SSO/kerberos but wanted to know if Keycloak can solve our problem. "Create a new spring boot master application (App3) and register with Keycloak and redirect the login page to Keycloak. Once login is successful, use the token that keycloak provides and pass it on to App1 and App2 and tweak my existing code flow to handle this. Can this be possible because I am not registering/creating any clients for app1 and app2 in keycloak here but only creating for app3 which is the master application and using the access token? Is it mandatory to register/create all clients in Keycloak to support SSO?" Any help would be highly appreciated. Thanks in advance! From msakho at redhat.com Wed Nov 7 07:55:59 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Wed, 7 Nov 2018 13:55:59 +0100 Subject: [keycloak-user] remote debugging keycloak docker image In-Reply-To: References: Message-ID: Thanks Louis, It helps. I had to pass the DEBUG env variable to true and expose the debug port. It works for me. Meissa Le mar. 6 nov. 2018 ? 
17:24, Luis Rodríguez Fernández wrote:

> Hello Meissa,
>
> At the end of the day there should be no difference among debugging
> keycloak or any other java process. In essence it is just about exposing the
> debug port outside your k8s cluster. This article [1] explains it very
> well.
>
> Hope it helps,
>
> Luis
>
> [1]
> https://itnext.io/remote-debugging-spring-boot-on-kubernetes-a5f96a40e5c0
>
>
>
> On Tue., 6 Nov 2018 at 15:21, Meissa M'baye Sakho ( )
> wrote:
>
> > Hello everyone,
> > I need to enable remote debugging on keycloak docker image. I'm using a
> > vanilla kubernetes.
> > Any input on that?
> > Regards,
> > Meissa
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pcfleischer at outlook.com Wed Nov 7 10:12:08 2018
From: pcfleischer at outlook.com (Phillip Fleischer)
Date: Wed, 7 Nov 2018 15:12:08 +0000
Subject: [keycloak-user] http connection/session timeout
Message-ID:

Hi,

We use new relic APM to monitor keycloak and it seems that on occasion there will be transactions running for ~30min, which seems to be exceptionally long. We already lowered our database transaction timeouts, but are thinking we should also add/change the wildfly servlet timeout from the default of 30 minutes. I can't see this being related to any of the "keycloak session" timeouts, just wondering if anyone would know if this is a terrible idea?

Phil

From nocquidant at gmail.com Wed Nov 7 12:17:34 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Wed, 7 Nov 2018 18:17:34 +0100
Subject: [keycloak-user] Shared datastore?
Message-ID:

Hi,

According to Infinispan, when passivation is disabled, every update to the cache should always write to the store. But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.

So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible... But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.

15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup

As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).

So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?

Thanks
--nick

From ljbanii at gmail.com Wed Nov 7 15:25:13 2018
From: ljbanii at gmail.com (Joe Livu)
Date: Thu, 8 Nov 2018 07:25:13 +1100
Subject: [keycloak-user] Mobile app authentication flow
Message-ID:

Hi,

I came across KeyCloak while searching for a security provider and was immediately impressed. I am planning on building a REST API using ASP.NET Core Web API to be consumed by a mobile application to be built using Google's Flutter framework. I have a few questions.

1. Would KeyCloak be suitable for securing my REST API which is built using C# (ASP.NET Core Web API)? If so, can I get a brief explanation and steps that need to be taken to achieve this?

2. Now I need my mobile app to consume the REST API secured by KeyCloak.
For authenticating users (e.g., via a login screen using username/password credentials), how would this be done? Which grant type and flow will be suitable? The Web application demos show a redirect to the KeyCloak server for authentication and then back to the app. It seems this cannot be applied for mobile apps (correct me if I am wrong), so what would be the best approach for a mobile application? I would think KeyCloak would provide a REST API for such cases but I can only find an Admin REST API for admin purposes only.

Any help regarding this would be very much appreciated.

Kind regards,
Joe Livu

From marco.lamina at sap.com Wed Nov 7 17:27:38 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Wed, 7 Nov 2018 22:27:38 +0000
Subject: [keycloak-user] Policy Evaluation for Service Account shows unexpected behavior
Message-ID:

Hi,
I am using the Protection API to create resources in Keycloak. Some of those resources are created by service accounts, some by regular users. I also have a JS policy that grants access to a resource if the given identity is the resource owner (it was an example from the documentation):

var context = $evaluation.getContext();
var identity = context.getIdentity();
var permission = $evaluation.getPermission();
if (permission.resource !== null && permission.resource.owner == identity.id) {
    $evaluation.grant();
}

The problem is that the policy fails to execute. Using the evaluation tool in the admin console, it produces the following stack trace: https://pastebin.com/2XXHQkNf .
The policy works fine for regular users. In addition to that, trying to list the account's permissions using the token endpoint (as described in [1]) fails with a 403.
Am I missing something or is that a bug in Keycloak?
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco

From dt at acutus.pro Wed Nov 7 17:44:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 08 Nov 2018 01:44:46 +0300
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com>
	<1541136118.4390.1.camel@acutus.pro>
	<5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com>
Message-ID: <1541630686.2778.1.camel@acutus.pro>

Hi Rob,

On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote:
> (Hope this is the correct way to reply - let me know if not)
>
> Thanks.  So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?

Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly.

Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution). However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting them to a WHERE clause for your SQL/JPQL/NoSQL query.

Speaking of NoSQL - this might be not directly relevant to your problem, but still interesting.
A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on the Keycloak policy definition.

Just to make sure I understand the case, let's imagine:
- there are users and groups (live in Keycloak);
- there are, say, "projects" (live in business tier + DB);
- there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
- based on that:
  - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
  - GET /projects should return the list of projects the current user has access to.

Is this correct?

[1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security.  Thoughts?
>
> Thanks!
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc.   |   1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286  | m (816) 509-0119
> rmbyrd at dstsystems.com  |  www.ssctech.com
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Friday, November 2, 2018 12:22 AM
> To: Byrd, Rob M ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Data filtering in SQL
>
> Hello Rob,
>
> If I get it right, it's all about generating an SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
>
> You should pay attention to the following:
> - there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate on HTTP methods but rather use the more generic notion of scopes;
> - not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists?  OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4.
> >
> > Thanks!
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc.   |   1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286  | m (816) 509-0119
> > rmbyrd at dstsystems.com  |  www.ssctech.com
> >
> >
> >
> > Please consider the environment before printing this email and any attachments.
> >
> > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> Please consider the environment before printing this email and any attachments.
>

From psilva at redhat.com Wed Nov 7 17:55:29 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 7 Nov 2018 20:55:29 -0200
Subject: [keycloak-user] Policy Evaluation for Service Account shows unexpected behavior
In-Reply-To:
References:
Message-ID:

Hi,

It should be a bug. I've created https://issues.jboss.org/browse/KEYCLOAK-8768. I need to check if we are properly working with sessions when the identity is a service account.
Could you add a comment to that JIRA with an example of an authorization request to the token endpoint?

Thanks.

On Wed, Nov 7, 2018 at 8:29 PM Lamina, Marco wrote:

> Hi,
> I am using the Protection API to create resources in Keycloak. Some of
> those resources are created by service accounts, some by regular users. I
> also have a JS policy that grants access to a resource if the given
> identity is the resource owner (it was an example from the documentation):
>
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var permission = $evaluation.getPermission();
> if (permission.resource !== null && permission.resource.owner ==
> identity.id) {
>     $evaluation.grant();
> }
>
> The problem is that the policy fails to execute. Using the evaluation tool
> in the admin console, it produces the following stack trace:
> https://pastebin.com/2XXHQkNf .
> The policy works fine for regular users. In addition to that, trying to
> list the account's permissions using the token endpoint (as described in
> [1]) fails with a 403.
> Am I missing something or is that a bug in Keycloak?
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From llivezking at gmail.com Wed Nov 7 21:40:56 2018
From: llivezking at gmail.com (Ilya Korol)
Date: Thu, 8 Nov 2018 12:40:56 +1000
Subject: [keycloak-user] JTA and UserStorageProvider implementations
Message-ID:

Hi. I'm trying to understand how I should configure our datasources from a JTA point of view. As far as I know the default settings (also described in the docs) don't include any JTA capabilities, so keycloak will work in local transactions mode.
(There is also a thing that confused me a little: in the Wildfly Admin Console all datasources have the 'JTA' option enabled by default).

So the question is: what settings should I use if I add a UserStorageProvider implementation which uses a separate DataSource. As far as I understand JTA should be enabled for such a case, so how should I configure the datasources. For example:

- KeycloakDS [Oracle] - datasource for keycloak itself
- ExternalDS [Oracle] - datasource for external user storage

Should both datasources be XA and JTA capable? And what about the EntityManager that I would use for user data extraction? I refer to the example implementation of User Storage Provider from the documentation:

@Stateful
@Local(EjbExampleUserStorageProvider.class)
public class EjbExampleUserStorageProvider implements UserStorageProvider,
        UserLookupProvider, UserRegistrationProvider, UserQueryProvider,
        CredentialInputUpdater, CredentialInputValidator, OnUserCache {

    // container-managed persistence context of the provider's own datasource
    @PersistenceContext
    protected EntityManager em;

    protected ComponentModel model;
    protected KeycloakSession session;

    public void setModel(ComponentModel model) {
        this.model = model;
    }

    public void setSession(KeycloakSession session) {
        this.session = session;
    }

    @Remove
    @Override
    public void close() {
    }
}

Is the transaction context of this entity manager the same as the transaction context of the Keycloak Session?

From prashant.bapat at thetradedesk.com Thu Nov 8 04:04:32 2018
From: prashant.bapat at thetradedesk.com (Prashant Bapat)
Date: Thu, 8 Nov 2018 09:04:32 +0000
Subject: [keycloak-user] Restrict access to clients based on Group membership
Message-ID: <149FA3D4-A92D-4B87-995C-FD2D6746AEC4@thetradedesk.com>

Hi,

In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great.

Is there a way to restrict access to an OIDC client based on a group membership? I've been reading up the docs and trying to get this working without success.
For example, let's say we have 2 clients:

client-dev-api
client-prod-api

Can I configure Keycloak to issue a JWT token for client-dev-api to members of AD group "Developers" and client-prod-api to members of AD group "Production"?

Any guidance on getting this to work would be appreciated.

Thanks.
--Prashant

From uo67113 at gmail.com Thu Nov 8 04:07:52 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 8 Nov 2018 10:07:52 +0100
Subject: [keycloak-user] How can I use Keycloak to support my architecture?
In-Reply-To:
References:
Message-ID:

Hello Ola,

I've tested exactly the same approach as yours. In my case I am using SAML:

1. /login-module with org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve registered in IdP. It declares a for "/*" [1]
2. Any request to /login-module passes through a filter [2] that looks in the request for a secret (cookie). If there is no secret the request is redirected to a servlet [3]. If the user has a valid session in the IdP the secret is created and it is redirected to the original request.
3. The rest of the modules are "protected" by the custom filter [4]

Answering your questions:

- Can this be possible...? Yes it can, but personally I do not like it
- Is it mandatory to register...? I do believe that it is preferable

I developed this PoC for this scenario: I have a big legacy enterprise app (.ear) with several modules that make requests between them for getting protected resources. E.g. /module1 requests /module2/images/calendar.gif or /module1/ requests /module2/search. I do this because I want to avoid touching the legacy and sometimes obscure code of the ear app :)

Probably using OAUTH2/OpenId Connect would be a better idea for these kinds of scenarios.
Hope it helps,

Luis

[1] https://gist.github.com/lurodrig/deb2e086fa425f2d64111b325caf1b96
[2] https://gist.github.com/lurodrig/7b157e6ebcfe857c86218eabd8063c6d
[3] https://gist.github.com/lurodrig/e1a20f480f3c4202c083a091ed68b0d7
[4] https://gist.github.com/lurodrig/84c0bf35f184059fe27bb47e377f09af

On Thu., 8 Nov 2018 at 8:15, ola rob () wrote:

> Hi,
>
> I need some help in securing my applications with keycloak:
>
> I have a couple of grails applications (App1 and App2) using spring security.
> However, currently I am using the keycloak REST API to authenticate users by
> passing username and password and receiving a token, without registering these
> applications as clients in keycloak. But this approach seems to be
> inefficient when we want to support SSO, kerberos and a lot of other powerful
> features that Keycloak offers.
> So I came up with the below approach to support SSO/kerberos but wanted to
> know if Keycloak can solve our problem.
>
> "Create a new spring boot master application (App3) and register it with
> Keycloak and redirect the login page to Keycloak. Once login is successful,
> use the token that keycloak provides and pass it on to App1 and App2 and
> tweak my existing code flow to handle this. Can this be possible, because I
> am not registering/creating any clients for app1 and app2 in keycloak here
> but only creating one for app3, which is the master application, and using the
> access token? Is it mandatory to register/create all clients in Keycloak to
> support SSO?"
>
> Any help would be highly appreciated.
>
> Thanks in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From karsten.honsack at zurich.com Thu Nov 8 04:50:05 2018
From: karsten.honsack at zurich.com (Karsten Honsack)
Date: Thu, 8 Nov 2018 09:50:05 +0000
Subject: [keycloak-user] Login via SAML RESPONSE from an IdP
Message-ID:

Hello everybody,

I am trying to figure out if Keycloak is capable of fulfilling the following requirement. I read through the documentation but was not able to figure it out.

Scenario:
A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding:

Flow:
1. User login on website.
2. User clicks on button.
3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
5. Keycloak redirects user to the application.
6. User uses application.

Is this possible? How does it have to be configured? Do you need any more information to help me? Thank you in advance!

Best regards

Karsten Honsack

**************************************

From uo67113 at gmail.com Thu Nov 8 05:10:09 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Thu, 8 Nov 2018 11:10:09 +0100
Subject: [keycloak-user] Login via SAML RESPONSE from an IdP
In-Reply-To:
References:
Message-ID:

Hello Karsten,

Yes it is possible, please have a look here [1]. Of course you will need to configure your SP with your specific SAML adapter [2]

Hope it helps,

Luis

ps: just for the record: I always use SP initiated login, it looks more "natural" to me :)

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-general-config

On Thu., 8 Nov
2018 at 10:51, Karsten Honsack (< karsten.honsack at zurich.com>) wrote:

> Hello everybody,
>
> I am trying to figure out if Keycloak is capable of fulfilling the following
> requirement. I read through the documentation but was not able to figure it
> out.
>
> Scenario:
> A user is on a website where he has the possibility to jump to web
> applications of different partners via SSO. The website provider only
> supports IdP Initiated SSO and the button links provided are SAML Assertion
> Consumer URLs. The flow describes what should be happening for my
> understanding:
>
> Flow:
> 1. User login on website.
> 2. User clicks on button.
> 3. Website creates an encrypted SAML RESPONSE using its STS, redirects
> user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE
> there.
> 4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
> 5. Keycloak redirects user to the application.
> 6. User uses application.
>
> Is this possible? How does it have to be configured? Do you need any more
> information to help me? Thank you in advance!
>
> Best regards
>
> Karsten Honsack
>
> **************************************
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From Gregor.Tudan at cofinpro.de Thu Nov 8 05:30:47 2018
From: Gregor.Tudan at cofinpro.de (Gregor Tudan)
Date: Thu, 8 Nov 2018 10:30:47 +0000
Subject: [keycloak-user] Email-Event UPDATE-PASSWORD
Message-ID:

Hi,

We're trying to send an email to a user if his/her password was changed. The Email-Event UPDATE-PASSWORD looks exactly like what we want.
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java

There's one catch: the email seems to only get sent if the user has a verified email address.
Email-Verification is not activated on the realm. Is there a reason why email-verification is required for those emails?

Thanks,
Gregor

From karsten.honsack at zurich.com Thu Nov 8 05:28:42 2018
From: karsten.honsack at zurich.com (Karsten Honsack)
Date: Thu, 8 Nov 2018 10:28:42 +0000
Subject: [keycloak-user] Login via SAML RESPONSE from an IdP
In-Reply-To:
References:
Message-ID: <074494c35fd045d48d1c14abff14e78d@CEEXC0523.ZURMWS.CSCMWS.COM>

Hi Luis,

thank you for the fast help! I was looking at the brokering section. That was totally wrong in this case. I will build a test scenario and try this out.

Best regards
Karsten Honsack

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Luis Rodríguez Fernández
Sent: Thursday, 8 November 2018 11:10
To: keycloak-user
Subject: [EXTERNAL] Re: [keycloak-user] Login via SAML RESPONSE from an IdP

Hello Karsten,

Yes it is possible, please have a look here [1].
Of course you will need to configure your SP with your specific SAML adapter [2]

Hope it helps,

Luis

ps: just for the records: I always use SP initiated login, it looks more "natural" to me :)

[1] https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_server-5Fadmin_index.html-23idp-2Dinitiated-2Dlogin&d=DwIGaQ&c=DgzfCyvE4m33Nb8jT6Zstq7mstX2IJrYfaJl8Ak-0_8&r=tEV5NbaAf1DsefwaP5VV_SYeWZQslIoxTN6j5CE93Hg&m=qspAgpvVTTvc9t-nOM1flvxotmIZxnKAdMYyScv58Ig&s=oEDTuu1cY-giNJjcutXqA9wXxhDbrlomVmbvSFDZlXQ&e=
[2] https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_securing-5Fapps_index.html-23-5Fsaml-2Dgeneral-2Dconfig&d=DwIGaQ&c=DgzfCyvE4m33Nb8jT6Zstq7mstX2IJrYfaJl8Ak-0_8&r=tEV5NbaAf1DsefwaP5VV_SYeWZQslIoxTN6j5CE93Hg&m=qspAgpvVTTvc9t-nOM1flvxotmIZxnKAdMYyScv58Ig&s=LjEqAXudmP1sML3rguSEQSe5LcIyRTIgycnszoHEGBM&e=

On Thu, 8 Nov 2018 at 10:51, Karsten Honsack (<karsten.honsack at zurich.com>) wrote:

> Hello everybody,
>
> I am trying to figure out if Keycloak is capable of fulfilling the following requirement. I read through the documentation but was not able to figure it out.
>
> Scenario:
> A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding:
>
> Flow:
> 1. User login on website.
> 2. User clicks on button.
> 3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
> 4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
> 5. Keycloak redirects user to the application.
> 6. User uses application.
>
> Is this possible? How does it have to be configured? Do you need any more information to help me? Thank you in advance!
>
> Best regards
>
> Karsten Honsack
>
> **************************************
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=DgzfCyvE4m33Nb8jT6Zstq7mstX2IJrYfaJl8Ak-0_8&r=tEV5NbaAf1DsefwaP5VV_SYeWZQslIoxTN6j5CE93Hg&m=qspAgpvVTTvc9t-nOM1flvxotmIZxnKAdMYyScv58Ig&s=sRIEtNz_hzeZ7pWSAjmi6kartlN-geNm1PiImgC9pPQ&e=

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=DgzfCyvE4m33Nb8jT6Zstq7mstX2IJrYfaJl8Ak-0_8&r=tEV5NbaAf1DsefwaP5VV_SYeWZQslIoxTN6j5CE93Hg&m=qspAgpvVTTvc9t-nOM1flvxotmIZxnKAdMYyScv58Ig&s=sRIEtNz_hzeZ7pWSAjmi6kartlN-geNm1PiImgC9pPQ&e=

**************************************

From psilva at redhat.com Thu Nov 8 07:42:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 8 Nov 2018 10:42:11 -0200
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <1541630686.2778.1.camel@acutus.pro>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems. Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted at application security.
As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well as dynamically create WHERE clauses.

My main concerns about data security are scalability and manageability, two aspects that are closely related to how fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources. We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, the main challenge being the trade-off between usability and performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine and I think we can perform well when fetching permissions from the server for a set of one or more resources.

I'm happy to discuss how we can leverage what we have for data security if the community is interested.

Regards.
Pedro Igor

On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
wrote:

> Hi Rob,
>
> On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote:
> > (Hope this is the correct way to reply - let me know if not)
> >
> > Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?
>
> Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly. Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution).
>
> However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting to a WHERE clause for your SQL/JPQL/NoSQL query.
>
> Speaking of NoSQL - this might be not directly relevant to your problem, but still interesting. A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on Keycloak policy definition.
>
> Just to make sure I understand the case, let's imagine:
> - there are users and groups (live in Keycloak);
> - there are, say, "projects" (live in business tier + DB);
> - there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
> - based on that:
>   - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
>   - GET /projects should return the list of projects the current user has access to.
>
> Is this correct?
>
> [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
> >
> > Thanks!
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286 | m (816) 509-0119
> > rmbyrd at dstsystems.com | www.ssctech.com
> >
> > -----Original Message-----
> > From: Dmitry Telegin [mailto:dt at acutus.pro]
> > Sent: Friday, November 2, 2018 12:22 AM
> > To: Byrd, Rob M ; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Data filtering in SQL
> >
> > Hello Rob,
> >
> > If I get it right, it's all about generating SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
> >
> > You should pay attention to the following:
> > - there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate HTTP methods but rather use more generic notion of scopes;
> > - not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just blackboxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> > > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 .
> > >
> > > Thanks!
> > >
> > > Rob Byrd
> > > DST
> > > Solutions Lead
> > > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > > t: (816) 435-7286 | m (816) 509-0119
> > > rmbyrd at dstsystems.com | www.ssctech.com
> > >
> > > Please consider the environment before printing this email and any attachments.
> > >
> > > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From fabrizio.usai at cjsm.vlaanderen.be Thu Nov 8 09:13:59 2018
From: fabrizio.usai at cjsm.vlaanderen.be (Usai, Fabrizio)
Date: Thu, 8 Nov 2018 14:13:59 +0000
Subject: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different than Keycloak Server
Message-ID: <1541686439063.37605@cjsm.vlaanderen.be>

Dear,

We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good.

When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/protocol/openid-connect/auth?response_type=code&client_id=fac9d161-d27d-493d-uze896zed78&redirect_uri=.....

This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before we were using SAML and didn't have this issue.

How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/? We don't understand why with SAML we didn't have this issue at all, and now with OpenID it seems very difficult to solve this issue.

Our current guess to solve this is to overwrite some Keycloak Java class and make sure the url is built the correct way. Although it is a bit dirty, we could accept this as a solution (if it is possible), but we prefer to do this via configuration.
Kind regards,
Fabrizio Usai

From Paolo.Tedesco at cern.ch Thu Nov 8 09:37:08 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Thu, 8 Nov 2018 14:37:08 +0000
Subject: [keycloak-user] Refreshing exchanged token
Message-ID: <6D320D40264A8545A9C25EC79DE1E32501ECD41B3F@CERNXCHG41.cern.ch>

Hi all,

I have a problem refreshing an exchanged token, and I would need some help to understand if I'm doing something wrong.

I have two test confidential clients, client_1 and client_2, and client_1 is allowed to exchange tokens for client_2. First, I get a token for client_1, then I use token exchange to get a token for client_2. The token that I have at this point looks like this (snipped):

session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676
token_type: bearer
access_token (decoded claims): aud = client_2, clientId = client_1
refresh_token (decoded claims): aud = client_2, azp = client_1

So far, everything is fine, but the problem is when I try to refresh the token for client_2 I got from the previous call. The call I'm making is

POST https:///auth/realms/master/protocol/openid-connect/token
client_id = client_1
client_secret =
grant_type = refresh_token
refresh_token =

What I would expect is to get a new token with aud = client_2, instead I get a new token with aud = client_1:

session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676
token_type: bearer
access_token: aud = client_1, clientId = client_1
refresh_token: aud = client_1, azp = client_1

Is this correct? Should I just get a new token through token exchange in this case, instead of refreshing the existing one?

Thanks,
Paolo Tedesco

From nocquidant at gmail.com Thu Nov 8 11:35:49 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Thu, 8 Nov 2018 17:35:49 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To:
References:
Message-ID:

My requirements are the following: store tokens emitted by KC during one year.
I don't know how many users there are, but here are the numbers I get:
* the number of connections a week is about 700k.
* the number of session refresh a week is about 200k.

I approximated around 1M of sessions a week, thus 52M a year. In memory, a user session has been estimated around 4KB (about 1KB in file/DB).

But I guess a refresh does not create another session, does it? And maybe it's possible to ask KC to delete previously emitted tokens when a new one is created for the same user?

If yes, my estimation is probably a little bit too high here, but I certainly have several millions of tokens to keep (and maybe dozens of millions).

Thanks
--nick

On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:

> Hi,
>
> According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
>
> But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
>
> So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
>
> But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.
>
> 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
>
> As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).
>
> So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?
>
> Thanks
> --nick

From slaskawi at redhat.com Thu Nov 8 12:33:47 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 8 Nov 2018 18:33:47 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To:
References:
Message-ID:

So I think there are at least two ways to address this problem.

The first one is to use Offline Tokens [1]. I'm not sure if that fits into your application since it requires your client applications to store the token. In other words you can simply delegate this problem one layer below in your system.

If that doesn't work for you, yes passivation is a way to go. Frankly, I haven't used passivation but from the manual I see it works hand in hand with eviction [2][3]. Will (on CC) can probably correct me here, but my understanding is that whenever an entry gets evicted, the passivation mechanism picks it up and stores it somewhere.

[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
[2] http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation
[3] https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69

On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant wrote:

> My requirements are the following: store tokens emitted by KC during one year.
>
> I don't know how many users there are, but here are the numbers I get:
> * the number of connections a week is about 700k.
> * the number of session refresh a week is about 200k.
>
> I approximated around 1M of sessions a week, thus 52M a year.
> In memory, a user session has been estimated around 4KB (about 1KB in file/DB).
>
> But I guess a refresh does not create another session, does it? And maybe it's possible to ask KC to delete previously emitted tokens when a new one is created for the same user?
>
> If yes, my estimation is probably a little bit too high here, but I certainly have several millions of tokens to keep (and maybe dozens of millions).
>
> Thanks
> --nick
>
> On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
>
> > Hi,
> >
> > According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
> >
> > But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
> >
> > So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
> >
> > But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.
> >
> > 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
> >
> > As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).
> >
> > So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?
> >
> > Thanks
> > --nick
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ionel.gardais at tech-advantage.com Thu Nov 8 14:04:48 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Thu, 8 Nov 2018 20:04:48 +0100 (CET)
Subject: [keycloak-user] Email-Event UPDATE-PASSWORD
In-Reply-To:
References:
Message-ID: <1879433522.649.1541703888436.JavaMail.zimbra@tech-advantage.com>

Hi Gregor,

I had the same questioning about other email-events.
My guess is that a non-verified email could be wrong and then lead to keycloak spamming the world. It would be useless to implement and maintain bounce logic whereas there is a verification process available, and thus to use a verified email for this purpose.

One may ask: should verified-email be reconfirmed on a periodic schedule so abandoned addresses are unused?

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original Message -----
From: "Gregor Tudan"
To: "keycloak-user"
Sent: Thursday, 8 November 2018 11:30:47
Subject: [FGTSPAM] [keycloak-user] Email-Event UPDATE-PASSWORD

Hi,

We're trying to send an email to a user if his/her password was changed. The Email-Event UPDATE-PASSWORD looks exactly like what we want.
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java

There's one catch: the email seems to only get sent if the user has a verified email address. Email-Verification is not activated on the realm. Is there a reason why email-verification is required for those emails?
Thanks,
Gregor

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From rmbyrd at dstsystems.com Thu Nov 8 14:44:00 2018
From: rmbyrd at dstsystems.com (Byrd, Rob M)
Date: Thu, 8 Nov 2018 19:44:00 +0000
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To:
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro>
Message-ID: <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com>

Thanks Dmitry and Pedro,

Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/ and GET /projects scenario is on point for the issue - I hope my questions below can further clarify the discussion. Here, I will have to make a "go or no-go" decision in about a week. I would love to take on the challenge of searching for the "holy grail" in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today. Thanks for the great discussion and continued help!

Questions

1) Simple role-based authorization policy seems doable.
   * Ex: "Only veterinarians are allowed to read pet profiles."

2) But how to answer once more context is needed, such as one resource's affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems:
   * "Only the treating veterinarian is allowed to read a pet's profile."

3) Keycloak has taken an example of "Pet owners can access their own pet's profiles."
and said we can write policies saying that "Only Owner" can access "/api/petservice/pet/{id}". But how does the policy engine figure out who is the owner of /pet/2 vs /pet/3?

4) Similarly, an OPA blog https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 gives the example where "Only the treating veterinarian is allowed to read a pet's profile, and only when signed in from a device at the pet's clinic". Again, it is easy enough to provide the OPA engine the target pet and the current device location, but how exactly is it determined who is the treating veterinarian of that pet and what clinic the pet belongs to?

5) In general, the security difficulty is constraining what a user can see/do in a particular feature, so how exactly would a policy engine bring back a subset of records that particular user can see (based on their affiliated company, etc.)?

6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)?

These last two could be likened to @PostAuth post-filtering in spring security.

Rob Byrd
DST
Solutions Lead
SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
t: (816) 435-7286 | m (816) 509-0119
rmbyrd at dstsystems.com | www.ssctech.com

From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Thursday, November 8, 2018 6:42 AM
To: Dmitry Telegin
Cc: Byrd, Rob M ; keycloak-user
Subject: Re: [keycloak-user] Data filtering in SQL

Hi Dmitry,

Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems. Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted at application security.

As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well as dynamically create WHERE clauses.

My main concerns about data security are scalability and manageability, two aspects that are closely related to how fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources. We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, the main challenge being the trade-off between usability and performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine and I think we can perform well when fetching permissions from the server for a set of one or more resources.

I'm happy to discuss how we can leverage what we have for data security if the community is interested.

Regards.
Pedro Igor

On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
wrote:

Hi Rob,

On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote:
> (Hope this is the correct way to reply - let me know if not)
>
> Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?

Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly. Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution).

However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting to a WHERE clause for your SQL/JPQL/NoSQL query.

Speaking of NoSQL - this might be not directly relevant to your problem, but still interesting. A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on Keycloak policy definition.
Just to make sure I understand the case, let's imagine:
- there are users and groups (live in Keycloak);
- there are, say, "projects" (live in business tier + DB);
- there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
- based on that:
  - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
  - GET /projects should return the list of projects the current user has access to.

Is this correct?

[1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
>
> Thanks!
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 | m (816) 509-0119
> rmbyrd at dstsystems.com | www.ssctech.com
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Friday, November 2, 2018 12:22 AM
> To: Byrd, Rob M ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Data filtering in SQL
>
> Hello Rob,
>
> If I get it right, it's all about generating SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
>
> You should pay attention to the following:
> - there are differences in semantics between OPA and Keycloak policies.
For example, Keycloak policies do not operate HTTP methods but rather use more generic notion of scopes; > - not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just blackboxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :) > > Good luck! > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote: > > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4. > > > > Thanks! > > > > Rob Byrd > > DST > > Solutions Lead > > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 > > t: (816) 435-7286 | m (816) 509-0119 > > rmbyrd at dstsystems.com> | www.ssctech.com;; > > > > Follow us: [cid:image001.png at 01D412C1.A14C5770] | [cid:image002.png at 01D412C1.A14C5770] | [cid:image003.png at 01D412C1.A14C5770] > > > > > > > > Please consider the environment before printing this email and any attachments. > > > > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. 
If you have received this transmission in error, please return the material received to the sender and delete all copies from your system. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > Please consider the environment before printing this email and any attachments. > > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user Please consider the environment before printing this email and any attachments. This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system. -------------- next part -------------- A non-text attachment was scrubbed... 
From psilva at redhat.com Thu Nov 8 15:20:13 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 8 Nov 2018 18:20:13 -0200
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com>
Message-ID:

On Thu, Nov 8, 2018 at 5:44 PM Byrd, Rob M wrote:
> Thanks Dmitry and Pedro,
>
> Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/ and GET /projects scenario is on point for the issue - I hope my questions below can further clarify the discussion. Here, I will have to make a "go or no-go" decision in about a week. I would love to take on the challenge of searching for the "holy grail" in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today.
>
> Thanks for the great discussion and continued help!
>
> Questions
>
> 1) Simple role-based authorization policy seems doable.
> - Ex: "Only veterinarians are allowed to read pet profiles."
>
> 2) But how to answer once more context is needed, such as one resource's affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems:
> - "Only the treating veterinarian is allowed to read a pet's profile."

Just like in OPA, but using a different approach, you can also push information (the input in OPA) to your policies. We call this "pushing claims" [1]. In our policy enforcer we also have the concept of a Claim Information Point [2] (a similar concept to a PIP) which you can configure to automatically push claims to your policies when checking access for a particular resource. There is also a CIP that allows you to fetch claims from external services.

Besides, a resource in Keycloak has attributes, which can be anything you want. So you could, for instance, have a Pet Foo resource in Keycloak and update a "veterinarian" attribute associated with it. So you could have a policy that checks if the user making the request is the same as the one defined in the attribute.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
[2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point

> 3) Keycloak has taken an example of "Pet owners can access their own pet's profiles." and said we can write policies saying that "Only Owner" can access "/api/petservice/pet/{id}". But how does the policy engine figure out who is the owner of /pet/2 vs /pet/3?

I can think of two options. Like I mentioned before, we are resource-based and resources have an owner. So you can write policies that check if the resource owner is the user making the authorization request. Another option is to push claims.

> 4) Similarly, an OPA blog https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 gives the example where "Only the treating veterinarian is allowed to read a pet's profile, and only when signed in from a device at the pet's clinic". Again, it is easy enough to provide the OPA engine the target pet and the current device location, but how exactly is it determined who is the treating veterinarian of that pet and what clinic the pet belongs to?
>
> 5) In general, the security difficulty is constraining what a user can see/do in a particular feature, so how exactly would a policy engine bring back a subset of records that particular user can see (based on their affiliated company, etc.)?
>
> 6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)? These last two could be likened to @PostAuth post-filtering in spring security.

You can have all those resources protected by Keycloak and make authorization requests to obtain the resources a user has access to. We provide a REST API to create resources. And that is the point I tried to make when I said that data security is not really among the use cases we are trying to solve. Although it is possible. Keycloak allows you to send a "give me all" permission request. That means returning permissions for any resource, managed by Keycloak, that a user can access. But yeah, depending on how many resources you have you may end up with a huge response and bad performance.

Another approach is to define a single Employee resource with a Salary scope to represent all your employees. So you could enforce access to your real employees and their salary based on the decisions made by the server for this single resource. The decision for one approach or another really depends on how fine grained you want to be, like I mentioned before. Do you need to manage individual employees or do they all share the same access policies? See this https://github.com/keycloak/keycloak-quickstarts/tree/master/app-authz-rest-employee . Regarding fields (e.g: salary) you could consider it as a scope associated with a resource. In Keycloak you can define permissions for scopes, not only for resources.

> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 | m (816) 509-0119
> rmbyrd at dstsystems.com | www.ssctech.com
>
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, November 8, 2018 6:42 AM
> To: Dmitry Telegin
> Cc: Byrd, Rob M; keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Data filtering in SQL
>
> Hi Dmitry,
>
> Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems.
>
> Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted at application security.
>
> As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well dynamically create WHERE clauses.
>
> My main concerns about data security are scalability and manageability, two aspects that are closely related to how much fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources.
>
> We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, being the main challenges the trade-off between usability vs performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine and I think we can perform well when fetching permissions from the server for a set of one or more resources.
>
> I'm happy to discuss how we can leverage what we have for data security if the community is interested.
>
> Regards.
> Pedro Igor
>
> On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
> wrote:
> > [...]
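As an added example (not code from the thread, and not Keycloak's own code), here is how the permission list returned by the "give me all" request Pedro describes can be turned into the parameterised WHERE clause Dmitry suggested, plus a column projection driven by a Salary-style scope. The permission JSON is constructed sample data in the shape of a `response_mode=permissions` response; the `transaction:<id>` resource naming, the single `employee` resource and the `view`/`salary` scope names are assumptions of the example.

```python
import json
import re
import sqlite3

# Constructed sample responses in the shape Keycloak returns for
# grant_type=urn:ietf:params:oauth:grant-type:uma-ticket with
# response_mode=permissions: one object per resource, carrying the resource
# id, its name and the scopes granted. The rsid values are made up here.
USER_PERMISSIONS_JSON = json.dumps([
    {"rsid": "a1", "rsname": "transaction:17", "scopes": ["view"]},
    {"rsid": "a2", "rsname": "transaction:42", "scopes": ["view"]},
    {"rsid": "a3", "rsname": "transaction:99", "scopes": []},         # listed, but no scope granted
    {"rsid": "a4", "rsname": "transaction:abc", "scopes": ["view"]},  # malformed name, must be ignored
    {"rsid": "e1", "rsname": "employee", "scopes": ["view"]},         # no "salary" scope
])
HR_PERMISSIONS_JSON = json.dumps([
    {"rsid": "e1", "rsname": "employee", "scopes": ["view", "salary"]},
])

# Assumed naming convention (not from the thread): one Keycloak resource per
# transaction row, named "transaction:<primary key>".
_TRANSACTION_NAME = re.compile(r"^transaction:(\d+)$")


def granted_ids(permissions_json, scope):
    """Primary keys of the transactions for which `scope` was granted.

    Fails closed: names that do not match the convention are dropped, and a
    resource listed without the required scope does not count.
    """
    ids = set()
    for perm in json.loads(permissions_json):
        match = _TRANSACTION_NAME.match(perm.get("rsname", ""))
        if match and scope in perm.get("scopes", []):
            ids.add(int(match.group(1)))
    return ids


def where_clause(ids):
    """Parameterised IN-list predicate plus its bind values.

    An empty set yields a predicate that matches nothing, so a caller with no
    permissions gets an empty result rather than the whole table. Only
    placeholders go into the SQL text; the ids travel as bind parameters.
    """
    if not ids:
        return "1 = 0", []
    ordered = sorted(ids)
    return "tx.id IN (" + ", ".join("?" for _ in ordered) + ")", ordered


def visible_transactions(conn, permissions_json):
    """Rows of the history the caller is permitted to view."""
    predicate, params = where_clause(granted_ids(permissions_json, "view"))
    sql = "SELECT tx.id, tx.amount FROM tx WHERE " + predicate + " ORDER BY tx.id"
    return conn.execute(sql, params).fetchall()


def employee_columns(permissions_json):
    """Scope-based column projection for the single "employee" resource:
    the salary column is selected only when the "salary" scope was granted."""
    columns = ["id", "name"]
    for perm in json.loads(permissions_json):
        if perm.get("rsname") == "employee" and "salary" in perm.get("scopes", []):
            columns.append("salary")
    return columns


def demo_connection():
    """Constructed in-memory table standing in for the transaction history."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tx (id INTEGER PRIMARY KEY, amount REAL)")
    conn.executemany("INSERT INTO tx VALUES (?, ?)",
                     [(17, 10.0), (42, 20.0), (99, 30.0), (100, 40.0)])
    return conn


if __name__ == "__main__":
    db = demo_connection()
    print(visible_transactions(db, USER_PERMISSIONS_JSON))  # [(17, 10.0), (42, 20.0)]
    print(employee_columns(USER_PERMISSIONS_JSON))          # ['id', 'name']
    print(employee_columns(HR_PERMISSIONS_JSON))            # ['id', 'name', 'salary']
```

The IN list grows with the number of granted resources, which is exactly the scaling concern Pedro raises for per-record resources; the single scoped resource keeps column-level decisions at constant size.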
From rmbyrd at dstsystems.com Thu Nov 8 18:26:50 2018
From: rmbyrd at dstsystems.com (Byrd, Rob M)
Date: Thu, 8 Nov 2018 23:26:50 +0000
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To:
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com>
Message-ID: <5BCF31B569C0A2468D7904C8E5839D690104C378C5@DSKCMAIL1WC.ad.dstsystems.com>

Pedro,

That is helping my understanding some, thank you. I understand your recommendations on dealing with separating the employee's Salary field in my example too. Please see follow-up questions below.

Storing resource attributes statically in keycloak:

2.1) I had been thinking of Resource as a type of resource to this point, not a specific instance. But now I don't see how your suggestion of basically using the resource attribute to store a foreign key (i.e. pet's veterinarian) will work unless we are talking about each individual pet instance being a keycloak resource. Similarly it was mentioned pet 1 and pet 2 could have a meaningful Owner in keycloak, which again is making me think that instances are being suggested to store along with entity-relationships basically. So, should I instead be thinking of keycloak resources as storing single instances of items in our system?

2.2) This relatively static storage of resources plus extra attributes like foreign keys seems to basically push/duplicate our business model of data into keycloak, to some degree, correct? And the more keycloak needs to decide, the more gets duplicated into keycloak?

Push claims:

2.3) The push claim alternative seems to be having application logic fetch more context as needed for the permission evaluation. This might work okay when going after a single entity or asking singular questions of the application logic - but for lists, such as a user seeing his list of 100 transaction history records amongst the 1 million transaction history records on the system, would a question be asked for each of the 1 million records, one at a time?

Post-filtering of records:

2.4) A use case I still seek clarification on is the "post-filtering of records", which I was trying to get at with my previous question #5. Stated in another way - say a financial database has 1 million transaction records across thousands of users. Every user is allowed to see transaction history records view, but only the ones they transacted. So, a single user viewing all transactions of the transaction history feature/resource should (obviously) only be able to see all HIS transactions, not all 1 million on the database. Spring Security would have @PostAuth for this (though its drawback is slow db performance on first query that does a db table scan and brings back everything to the middle tier, which then inefficiently whittles it down to just what pertains to the user). My question is what ways would this post-filtering of records be handled in Keycloak?

With what I know so far, I am guessing at keycloak basic options:
a) Have each of 1mil transaction records managed by Keycloak, add a "creator" attribute for who instigated the transaction, and have that user identifier stored on each record so Keycloak can do the filtering down to the 100 correct records
b) Receive a push claim, for each of the 1mil transaction records, indicating who the "creator" is, so it may be matched against the current user and thus filter down to the 100 correct records
c) During evaluation, the policy engine can call out to a service somewhere to get the primary keys of the subset of records this user can see (this may be like a Claim Information Point), then whittle the full list down to just those matching primary keys (kind of like sending an IN list of primary keys in a SQL WHERE clause)
d) Something more like the "partial evaluation" that the OPA blog and Dmitry have been talking about

General:

2.5) In general, it seems to me the bigger the chunks of extra context provided by application logic to the policy engine, the less detail about the actual constraints being enforced you have controlled and visible in the policy layer - somewhat defeating the purpose of the policy layer. Does that sound correct? I could see us offloading a ton of detail to the push claims - rather than, say, duplicating more of our business model in keycloak - and then realizing very little of our actual policy permission details are visible or controllable in the policy layer. So I am not sure what we are getting at that point.
a) An answer might be drawing the line at only role-based access control in the policy layer since that affinity is more easily provided as input (though that could even be debated)
b) Maybe we try to define and draw the line at "resource-based"
controls only in the policy layer c) Maybe we make the unit of work for each push claim so granular that truly all of the policy rules that are occurring are basically expressed in the policy layer (thus allowing control, flexibility and visibility in one consolidated place) Thanks for your time. Rob Byrd DST Solutions Lead SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 t: (816) 435-7286 | m (816) 509-0119 rmbyrd at dstsystems.com | www.ssctech.com Follow us: [cid:image001.png at 01D412C1.A14C5770] | [cid:image002.png at 01D412C1.A14C5770] | [cid:image003.png at 01D412C1.A14C5770] From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, November 8, 2018 2:20 PM To: Byrd, Rob M Cc: Dmitry Telegin
; keycloak-user Subject: Re: [keycloak-user] Data filtering in SQL On Thu, Nov 8, 2018 at 5:44 PM Byrd, Rob M > wrote: Thanks Dmitry and Pedro, Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/ and GET /projects scenario is on point for the issue ? I hope my questions below can further clarify the discussion. Here, I will have to make a ?go or no-go? decision in about a week. ? I would love to take on the challenge of searching for the ?holy grail? in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today. Thanks for the great discussion and continued help! Questions 1) Simple role-based authorization policy seems doable. * Ex: ?Only veterinarians are allowed to read pet profiles.? 2) But how to answer once more context is needed, such as one resource?s affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems: * ?Only the treating veterinarian is allowed to read a pet?s profile.? Just like in OPA, but using a different approach, you can also push information (the input in OPA) to your policies. We call this "pushing claims" [1]. In our policy enforcer we also have the concept of a Claim Information Point [2] (similar concent as a PIP) which you can configure to automatically push claims to your policies when checking access for a particular resource. There is also a CIP that allows you to fetch claims from external services. Besides, a resource in Keycloak has attributes, which can be anything you want. So you could, for instance, have a Pet Foo resources in Keycloak and update a "veterinarian" attribute associated with it. So you could have a policy that checks if the user making the request is the same defined in the attribute. 
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point * 3) Keycloak has taken an example of ?Pet owners can access their own pet?s profiles.? and said we can write policies saying that "Only Owner" can access "/api/petservice/pet/{id}". But how does the policy engine figure out who is the owner of /pet/2 vs /pet/3? I can think two options. Like I mentioned before, we are resource-based and resources have an owner. So you can write policies that check if the resource owner is the user making the authorization request. Another option is to push claims. 4) Similarly, an OPA blog https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 gives the example where ?Only the treating veterinarian is allowed to read a pet?s profile, and only when signed in from a device at the pet?s clinic?. Again, it is easy enough to provide the OPA engine the target pet and the current device location, but how exactly is it determined who is the treating veterinarian of that pet and what clinic the pet belongs to? 5) In general, the security difficulty is constraining what a user can see/do in a particular feature, so how exactly would a policy engine bring back a subset of records that particular user can see (based on their affiliated company, etc.)? 6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)? These last two could be likened to @PostAuth post-filtering in spring security. You can have all those resources protected by Keycloak and make authorization requests to obtain the resources a user has access. We provide a REST API to create resources. And that is the point I tried to make when I said that data security is not really among the use cases we are trying to solve. 
Although it is possible. Keycloak allows you to send a "give me all" permission request. That means returning permissions for any resource, managed by Keycloak, that an user can access. But yeah, depending on how many resources you have you may end up with a huge response and a bad performance. Another approach is define a single Employee resource with a Salary scope to represent all your employees. So you could enforce access to your real employees and their salary based on the decisions made by the server for this single resource. The decision for one approach or another really depends on how fine grained you want to be, like I mentioned before. Do you need to manage indivudual employees or they all share the same access policies ? See this https://github.com/keycloak/keycloak-quickstarts/tree/master/app-authz-rest-employee. Regarding fields (e.g: salary) you could consider it as a scope associated with a resource. In Keycloak you can define permissions for scopes, not only for resources. Rob Byrd DST Solutions Lead SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 t: (816) 435-7286 | m (816) 509-0119 rmbyrd at dstsystems.com | www.ssctech.com Follow us: [cid:image001.png at 01D412C1.A14C5770] | [cid:image002.png at 01D412C1.A14C5770] | [cid:image003.png at 01D412C1.A14C5770] From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, November 8, 2018 6:42 AM To: Dmitry Telegin
> Cc: Byrd, Rob M >; keycloak-user
> Subject: Re: [keycloak-user] Data filtering in SQL

Hi Dmitry,

Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems. Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to the UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted at application security. As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2, we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well as dynamically create WHERE clauses.

My main concerns about data security are scalability and manageability, two aspects that are closely related to how fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope-specific permissions, which can span access decisions for one or more resources. We are using data security when you enable permissions for users or groups, where results are filtered based on the evaluation of these permissions. Performance-wise, evaluation is quite satisfactory; the main challenge is the trade-off between usability and performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine, and I think we can perform well when fetching permissions from the server for a set of one or more resources.

I'm happy to discuss how we can leverage what we have for data security if the community is interested.

Regards.
Pedro Igor

On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
> wrote:

Hi Rob,

On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote:
> (Hope this is the correct way to reply - let me know if not)
>
> Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?

Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly. Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution). However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting to a WHERE clause for your SQL/JPQL/NoSQL query.

Speaking of NoSQL - this might not be directly relevant to your problem, but still interesting. A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on Keycloak policy definition.
Just to make sure I understand the case, let's imagine:
- there are users and groups (live in Keycloak);
- there are, say, "projects" (live in business tier + DB);
- there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
- based on that:
  - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
  - GET /projects should return the list of projects the current user has access to.
Is this correct?

[1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
>
> Thanks!
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 | m (816) 509-0119
> rmbyrd at dstsystems.com | www.ssctech.com
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Friday, November 2, 2018 12:22 AM
> To: Byrd, Rob M >; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Data filtering in SQL
>
> Hello Rob,
>
> If I get it right, it's all about generating SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
>
> You should pay attention to the following:
> - there are differences in semantics between OPA and Keycloak policies.
> For example, Keycloak policies do not operate on HTTP methods but rather use the more generic notion of scopes;
> - not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4.
> >
> > Thanks!
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286 | m (816) 509-0119
> > rmbyrd at dstsystems.com | www.ssctech.com
> >
> > Please consider the environment before printing this email and any attachments.
> >
> > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender.
> > If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
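To make the two ideas in this thread concrete (Pedro's "give me all" permission request, with scopes guarding fields such as salary on a single shared resource, and Dmitry's "projects visible only to group members" scenario turned into a WHERE clause), here is an added example; it is not code from the thread or from Keycloak. It assumes the documented shape of Keycloak's UMA permission response (a JSON array of objects with rsid, rsname and scopes) and that the application keys each database row by the same name it used when registering the resource in Keycloak; SAMPLE_PERMISSIONS is a constructed response, not real server output.

```python
"""Turn Keycloak permission decisions into a parameterized SQL filter.

Added example for the keycloak-user thread on data filtering; it is not
Keycloak code. Assumptions: the token endpoint is asked for permissions with
response_mode=permissions (the documented UMA grant), the response is a JSON
array of {"rsid", "rsname", "scopes"} objects, and each DB row is keyed by
the resource name the application registered in Keycloak (an assumption).
"""
import json
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_permission_request(audience, permissions=None):
    """Form body for a permission request to Keycloak's token endpoint.

    Leaving `permissions` empty is the "give me all" request: the server
    answers with every resource/scope the caller may access in `audience`.
    Sending one "resource#scope" entry per item bounds the response size.
    """
    fields = [
        ("grant_type", UMA_TICKET_GRANT),
        ("audience", audience),
        ("response_mode", "permissions"),
    ]
    fields.extend(("permission", p) for p in (permissions or []))
    return urlencode(fields)


# Constructed sample of a permissions response (not real server output).
SAMPLE_PERMISSIONS = json.loads("""
[
  {"rsid": "11111111-0000-0000-0000-000000000001", "rsname": "project-alpha",
   "scopes": ["view", "edit"]},
  {"rsid": "11111111-0000-0000-0000-000000000002", "rsname": "project-beta",
   "scopes": ["view"]},
  {"rsid": "11111111-0000-0000-0000-000000000003", "rsname": "Employee",
   "scopes": ["view", "view-email"]}
]
""")


def granted_names(permissions, required_scope, name_prefix=""):
    """Names of resources on which `required_scope` was granted."""
    return sorted(
        p["rsname"]
        for p in permissions
        if p["rsname"].startswith(name_prefix)
        and required_scope in p.get("scopes", [])
    )


def row_filter(permissions, required_scope, column, name_prefix=""):
    """Build a WHERE clause restricting rows to granted resources.

    Returns (sql_fragment, params). Values travel in params, never in the
    SQL string, so resource names chosen by users cannot alter the query.
    An empty grant list yields a clause that matches nothing rather than
    everything, which is the safe failure mode for a data filter.
    """
    names = granted_names(permissions, required_scope, name_prefix)
    if not names:
        return "WHERE 1 = 0", []
    placeholders = ", ".join("%s" for _ in names)
    return f"WHERE {column} IN ({placeholders})", names


def visible_columns(permissions, resource_name, base_columns, field_scopes):
    """Column projection for a shared resource whose scopes guard fields.

    `field_scopes` maps a column to the scope that must be granted on
    `resource_name` for that column to be returned (the single "Employee"
    resource with a salary scope from the thread).
    """
    granted = set()
    for p in permissions:
        if p["rsname"] == resource_name:
            granted.update(p.get("scopes", []))
    return list(base_columns) + [
        col for col, scope in field_scopes.items() if scope in granted
    ]


if __name__ == "__main__":
    print(build_permission_request("projects-api"))
    print(row_filter(SAMPLE_PERMISSIONS, "view", "name", "project-"))
    print(visible_columns(SAMPLE_PERMISSIONS, "Employee", ["id", "name"],
                          {"email": "view-email", "salary": "view-salary"}))
```

The request body is what you would POST to /auth/realms/{realm}/protocol/openid-connect/token with the user's access token as the bearer; only the Script/Rules caveat from Dmitry's earlier mail remains, since those policies are evaluated inside Keycloak and the SQL only ever sees their outcome as a granted or missing scope.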
From aechols at bfcsaz.com Thu Nov 8 19:54:58 2018
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 8 Nov 2018 17:54:58 -0700
Subject: [keycloak-user] Account Page Fields
In-Reply-To: <811a3326-b848-39b5-1f74-68a550bb2d50@redhat.com>
References: <1540878764.3824.3.camel@acutus.pro> <811a3326-b848-39b5-1f74-68a550bb2d50@redhat.com>
Message-ID:

Oh, this is excellent news! Thanks :)
--
*Aaron Echols*

On Mon, Nov 5, 2018 at 6:40 AM Stan Silvert wrote:
> On 10/30/2018 1:52 AM, Dmitry Telegin wrote:
> > Hello Aaron,
> >
> > I don't think this is easily doable with the current account UI.
> > However, there are chances we will have it in the forthcoming rewrite thereof [1]. The revamped account UI should use REST APIs and be extensible with the means of React.js.
> >
> > This topic is of particular interest to me, as we in Mageia Linux are planning to migrate our IDM to Keycloak, and one of the problems to solve is to allow the users to upload their SSH pubkeys via the account UI. We're pretty determined to solve it, and to solve it soon, so stay tuned :)
> >
> > [1] https://issues.jboss.org/browse/KEYCLOAK-8421
> That's right. A proof of concept has already been built and merged into the code base. You will indeed be able to create your own React components as extensions for the account console.
>
> It's hard to say when this will be ready for prime time, but I'm shooting for a code-complete version in the first quarter of 2019.
>
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Fri, 2018-10-26 at 15:35 -0700, Aaron Echols wrote:
> >> Hello All,
> >>
> >> How hard is it to modify or add fields that could be modified in the users account page? It would be nice to add a personal email field to be able to send their password reset email to. Currently, they can only send to their employee addresses, which if they forget their password, makes the email a moot point. Thanks in advance for any ideas.
> >> :)
> >> --
> >> *Aaron Echols*
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Thu Nov 8 22:45:55 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 09 Nov 2018 06:45:55 +0300
Subject: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server
In-Reply-To: <1541686439063.37605@cjsm.vlaanderen.be>
References: <1541686439063.37605@cjsm.vlaanderen.be>
Message-ID: <1541735155.15117.3.camel@acutus.pro>

Hello Fabrizio,

Indeed, string templates like "/realms/{realm-name}/protocol/openid-connect/auth" are hardcoded into Keycloak adapters [1] [2]. Luckily, there seems to be a workaround. In Keycloak, there is a mechanism for multitenancy [3]; it requires you to supply a resolver that would return a KeycloakDeployment instance based on request parameters. One of its bonus features is that you can completely redefine the behavior of KeycloakDeployment. For example, you can extend org.keycloak.adapters.KeycloakDeployment and override its resolveUrls() method, to make the URLs point to your 3rd party IDP. This approach doesn't require any modifications to the adapter code, so I'd recommend you start with it. However, I wouldn't rule out further incompatibilities that could pop up.

Another option is installing an intermediary Keycloak (server), configuring brokering to the 3rd party IDP and pointing your adapter to Keycloak. Though it sounds like overkill, it's a bulletproof solution that should work 100% (and it also has some other benefits).
There are of course other options like using the 3rd party IDP's equivalent of the Keycloak adapter (is it Intuit BTW?), or using other OpenID Connect Java libraries [4], or even proxy-level adapters like apache-mod_auth_openidc [5] or Keycloak Gatekeeper [6]. But I understand that this would probably require a code rewrite, so you should consider these options only as the last resort.

As for SAML and why it used to work: the Keycloak adapter uses standard SAML SP metadata for configuration, which defines URLs strictly and unambiguously; here we need to admit that SAML is more mature and feature-complete. OIDC, on the contrary, allows for some freedom. At the moment, the Keycloak OIDC adapter doesn't use any standard metadata, but rather generates URLs using hardcoded templates. I think the Keycloak adapter could use OIDC's rough equivalent of SAML metadata, namely "well-known" URLs. You can experiment with your IDP and append ".well-known/openid-configuration" to its URL. If my conjecture about Intuit is correct, then it should look like this: https://oauth.platform.intuit.com/op/v1/.well-known/openid-configuration

In theory, the Keycloak OIDC adapter could ingest this metadata instead of hardcoding URL templates. To me, this could be a valuable addition, but surprisingly I don't see any related JIRA issue. Maybe Keycloak developers could give us some feedback.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/constants/ServiceUrlConstants.java#L26
[2] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java#L161
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[4] https://openid.net/developers/certified/
[5] https://github.com/zmartzone/mod_auth_openidc
[6] https://github.com/keycloak/keycloak-gatekeeper

On Thu, 2018-11-08 at 14:13 +0000, Usai, Fabrizio wrote:
> Dear,
>
> We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good.
>
> When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/protocol/openid-connect/auth?response_type=code&client_id=fac9d161-d27d-493d-uze896zed78&redirect_uri=.....
>
> This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before we were using SAML and didn't have this issue.
>
> How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/?
>
> We don't understand why with SAML we didn't have this issue at all, and now with OpenID it seems very difficult to solve this issue. Our current guess to solve this is to overwrite some Keycloak Java class and make sure the url is built the correct way.
> Although it is a bit dirty, we could accept this as a solution (if it is possible), but we prefer to do this via configuration.
>
> Kind regards,
>
> Fabrizio Usai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Nov 8 23:13:56 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 09 Nov 2018 07:13:56 +0300
Subject: [keycloak-user] Login via SAML RESPONSE from an IdP
In-Reply-To:
References:
Message-ID: <1541736836.15117.5.camel@acutus.pro>

Hello Karsten,

Just to add to Luis's answer below. In SAML terms, this is called "Unsolicited SAML response", meaning that it hasn't been preceded by any AuthnRequest. While configuring your partner webapp in the 3rd party IdP, make sure that your ACS URL is in the following form:

/auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

where {client-id} is the value of the "IDP Initiated SSO URL Name" in the broker definition. It's a common mistake to use the Keycloak SAML endpoint (/auth/realms/{realm}/protocol/saml/endpoint) as ACS for IdP-initiated SSO. This won't work as the generic SAML endpoint doesn't accept unsolicited responses, only client-specific endpoints do.

By the way, what's that 3rd party IdP? Keycloak is known to work with Okta and PingFederate and theoretically should work with any SAML 2.0 compliant IdP.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-08 at 09:50 +0000, Karsten Honsack wrote:
> Hello everybody,
>
> I am trying to figure out if Keycloak is capable of fulfilling the following requirement. I read through the documentation but was not able to figure it out.
>
> Scenario:
> A user is on a website where he has the possibility to jump to web applications of different partners via SSO.
> The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding:
>
> Flow:
> 1. User login on website.
> 2. User clicks on button.
> 3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
> 4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user.
> 5. Keycloak redirects user to the application.
> 6. User uses application.
>
> Is this possible? How does it have to be configured? Do you need any more information to help me? Thank you in advance!
>
> Best regards
>
> Karsten Honsack
>
> **************************************
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From prsrivas at redhat.com Fri Nov 9 01:55:56 2018
From: prsrivas at redhat.com (Pritha Srivastava)
Date: Fri, 9 Nov 2018 01:55:56 -0500 (EST)
Subject: [keycloak-user] Running Keycloak examples
In-Reply-To: <1284645545.32184112.1541745735175.JavaMail.zimbra@redhat.com>
Message-ID: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com>

Hi All,

I am trying to set up a Keycloak server and run the examples, for which I did the following:

1. Downloaded 4.5.0.Final Standalone Server distribution, and started the server using ./standalone.sh, which worked fine.
2. Downloaded keycloak-examples-4.5.0.Final, and for the preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and the second step gave me this error - UT010039: Unknown authentication mechanism KEYCLOAK
3. To solve the error in 2.0, I downloaded the wildfly adapter keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - ./bin/jboss-cli.sh --file=adapter-install.cli --connect --controller=127.0.0.1:9990 which gave the following response:

{"outcome" => "success"}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
    "rolled-back" => true,
    "response-headers" => {"process-state" => "reload-required"}
}

I am not sure how to solve the above problem. Any help is greatly appreciated.

P.S.: I am completely new to Jboss, Wildfly etc.

Thanks,
Pritha

From vramik at redhat.com Fri Nov 9 03:22:02 2018
From: vramik at redhat.com (Vlasta Ramik)
Date: Fri, 9 Nov 2018 09:22:02 +0100
Subject: [keycloak-user] Running Keycloak examples
In-Reply-To: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com>
References: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com>
Message-ID: <0cb2a458-a741-8858-f339-9ddb3b75a442@redhat.com>

Hello,

inline

On 11/9/18 7:55 AM, Pritha Srivastava wrote:
> Hi All,
>
> I am trying to set up a Keycloak server and run the examples, for which I did the following:
>
> 1. Downloaded 4.5.0.Final Standalone Server distribution, and started the server using ./standalone.sh, which worked fine.
> 2. Downloaded keycloak-examples-4.5.0.Final, and for the preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and the second step gave me this error - UT010039: Unknown authentication mechanism KEYCLOAK
> 3. To solve the error in 2.0, I downloaded the wildfly adapter keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - ./bin/jboss-cli.sh --file=adapter-install.cli --connect --controller=127.0.0.1:9990 which gave the following response:

can you please try the following to install the adapter?
./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli

> {"outcome" => "success"}
> {
>     "outcome" => "success",
>     "response-headers" => {
>         "operation-requires-reload" => true,
>         "process-state" => "reload-required"
>     }
> }
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
>     "rolled-back" => true,
>     "response-headers" => {"process-state" => "reload-required"}
> }
>
> I am not sure how to solve the above problem. Any help is greatly appreciated.
>
> P.S.: I am completely new to Jboss, Wildfly etc.
>
> Thanks,
> Pritha
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From prsrivas at redhat.com Fri Nov 9 03:52:56 2018
From: prsrivas at redhat.com (Pritha Srivastava)
Date: Fri, 9 Nov 2018 03:52:56 -0500 (EST)
Subject: [keycloak-user] Running Keycloak examples
In-Reply-To: <0cb2a458-a741-8858-f339-9ddb3b75a442@redhat.com>
References: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com> <0cb2a458-a741-8858-f339-9ddb3b75a442@redhat.com>
Message-ID: <1107344991.32206816.1541753576533.JavaMail.zimbra@redhat.com>

I still get the same error:

./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
    "rolled-back" => true
}

Thanks,
Pritha

----- Original Message -----
> From: "Vlasta Ramik"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, November 9, 2018 1:52:02 PM
> Subject: Re: [keycloak-user] Running Keycloak examples
>
> Hello,
>
> inline
>
> On 11/9/18 7:55 AM, Pritha Srivastava wrote:
> > Hi All,
> >
> > I am trying to set up a Keycloak server and run the examples, for which I did the following:
> >
> > 1.
> > Downloaded 4.5.0.Final Standalone Server distribution, and started the server using ./standalone.sh, which worked fine.
> > 2. Downloaded keycloak-examples-4.5.0.Final, and for the preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and the second step gave me this error - UT010039: Unknown authentication mechanism KEYCLOAK
> > 3. To solve the error in 2.0, I downloaded the wildfly adapter keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - ./bin/jboss-cli.sh --file=adapter-install.cli --connect --controller=127.0.0.1:9990 which gave the following response:
>
> can you please try the following to install the adapter?
>
> ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
>
> > {"outcome" => "success"}
> > {
> >     "outcome" => "success",
> >     "response-headers" => {
> >         "operation-requires-reload" => true,
> >         "process-state" => "reload-required"
> >     }
> > }
> > {
> >     "outcome" => "failed",
> >     "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found",
> >     "rolled-back" => true,
> >     "response-headers" => {"process-state" => "reload-required"}
> > }
> >
> > I am not sure how to solve the above problem. Any help is greatly appreciated.
> >
> > P.S.: I am completely new to Jboss, Wildfly etc.
> >
> > Thanks,
> > Pritha
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ulrik.sjolin at gmail.com Fri Nov 9 04:15:07 2018
From: ulrik.sjolin at gmail.com (Ulrik Sjölin)
Date: Fri, 9 Nov 2018 01:15:07 -0800
Subject: [keycloak-user] /authz/protection/permission/ticket usage?
Message-ID:

Hello,

I have a question on how to use the API: /authz/protection/permission/ticket

I can call the endpoint successfully if I do the call with only ids:

curl --silent -X POST \
  http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
        \"resource\":\"${resource_id}\",
        \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
        \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
        \"granted\":\"true\"
      }"

It would however be a lot more workable for me if I could use names like:

curl --silent -X POST \
  http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
  -H "Authorization: Bearer ${service_access_token}" \
  -H "Content-Type: application/json" \
  -d "{
        \"resource\":\"${resource_id}\",
        \"scope\":\"Read\",
        \"requester\":\"alice\",
        \"granted\":\"true\"
      }"

But when I do this I get:

{"error":"invalid_scope","error_description":"Scope [Read] is invalid"}
{"error":"invalid_permission","error_description":"Requester does not exists in this server as user."}

Looking at the code there seems to be lookups from names to id, but for some reason it fails. What am I doing wrong? Any help is greatly appreciated.

Best Regards,
Ulrik Sjölin

From msakho at redhat.com Fri Nov 9 04:18:24 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Fri, 9 Nov 2018 10:18:24 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To:
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <1541018026.2120.1.camel@acutus.pro> <166e3975670.edec95a619314.6696607516355464263@mpouss.in>
Message-ID:

Hi Mathieu,

Regarding your statement below:

- *The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store*

Could you please tell me how you managed to see the certificates in the JKS store?

Regards,
Meissa

On Tue, 6 Nov 2018 at 14:50, Meissa M'baye Sakho wrote:
> My LDAPS configuration did also work fine with the keycloak 3.3.5 docker image.
> My question was related to the X509_CA_BUNDLE env variable that comes with the keycloak 4.4.x docker image.
> I would like to use it and wanted to know if it works.
> Do I understand that it's working fine for you Mathieu?
> Meissa
>
> On Mon, 5 Nov 2018 at 12:17, Mathieu Poussin wrote:
>
>> I confirm this fixed the issue :)
>>
>> So simple that I didn't think about it...
>>
>> Thank you
>>
>> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin
>> wrote ----
>> > Mathieu, Meissa,
>> >
>> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml instead of standalone.xml by default. I guess this is why your truststore settings are being ignored.
>> >
>> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a non-Docker deployment - it works pretty well, so definitely not a Keycloak bug per se.
>> >
>> > Good luck!
>> > Dmitry Telegin
>> > CTO, Acutus s.r.o.
>> > Keycloak Consulting and Training
>> >
>> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> > +42 (022) 888-30-71
>> > E-mail: info at acutus.pro
>> >
>> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>> > > Hello Mathieu,
>> > > did you manage to make it work?
>> > > If yes, could you tell me how?
>> > > Meissa
>> > >
>> > > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
>> > >
>> > > > Hello Marek.
>> > > >
>> > > > I've done that already but looks like it is completely ignored.
>> > > > I have my custom truststore that has all my CA certificates (2), but I'm still seeing the same issue. (SPI is enabled on the LDAPS settings on the admin)
>> > > > Is there a way to make sure it has been loaded correctly? (I don't see any error when the application starts but it's not working as expected)
>> > > >
>> > > > Thanks.
>> > > > Mathieu
>> > > >
>> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
>> > > > > You can configure the Truststore SPI, which is mentioned in our docs here:
>> > > > >
>> > > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>> > > > >
>> > > > > Some additional notes around LDAP are here:
>> > > > >
>> > > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>> > > > >
>> > > > > Marek
>> > > > >
>> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
>> > > > > > Hello.
>> > > > > >
>> > > > > > What would be the recommended way to add custom CA certificates? The documentation has a lot of different ways and so far none of them worked:
>> > > > > >
>> > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server.
>> > > > > > - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server.
>> > > > > >
>> > > > > > This is the error I am getting :
>> > > > > >
>> > > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > > > > >   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>> > > > > >   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>> > > > > >   at sun.security.validator.Validator.validate(Validator.java:262)
>> > > > > >   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>> > > > > >   at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>> > > > > >   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>> > > > > >   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>> > > > > >   ... 99 more
>> > > > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> > > > > >   at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>> > > > > >   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>> > > > > >   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>> > > > > >   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>> > > > > >   ... 105 more
>> > > > > >
>> > > > > >
>> > > > > > Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that?
>> > > > > > Connecting over LDAP is not an option as this prevents some features from working, like password reset.
>> > > > > >
>> > > > > > Thanks.
>> > > > > >
>> > > > > >
>> > > > > > _______________________________________________
>> > > > > > keycloak-user mailing list
>> > > > > > keycloak-user at lists.jboss.org
>> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > > >
>> > > >
>> > >
>> >
>>
>>

From geoff at opticks.io Fri Nov 9 05:03:30 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 9 Nov 2018 11:03:30 +0100
Subject: [keycloak-user] Bulk Resource Delete?
Message-ID:

I want to delete thousands of resources. Must I do it 1 by 1 or is there a trick to delete multiple items with a single REST call?

Or maybe a SQL delete would do the trick?

From psilva at redhat.com Fri Nov 9 05:12:46 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 9 Nov 2018 08:12:46 -0200
Subject: [keycloak-user] Bulk Resource Delete?
In-Reply-To:
References:
Message-ID:

There is no operation for bulk delete. Would you mind creating an RFE in JIRA?

Regards.
Pedro Igor

On Fri, Nov 9, 2018 at 8:06 AM Geoffrey Cleaves wrote:
> I want to delete thousands of resources. Must I do it 1 by 1 or is there a trick to delete multiple items with a single REST call?
>
> Or maybe a SQL delete would do the trick?
>

From fabrizio.usai at cjsm.vlaanderen.be Fri Nov 9 05:49:39 2018
From: fabrizio.usai at cjsm.vlaanderen.be (Usai, Fabrizio)
Date: Fri, 9 Nov 2018 10:49:39 +0000
Subject: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server
In-Reply-To: <1541735155.15117.3.camel@acutus.pro>
References: <1541686439063.37605@cjsm.vlaanderen.be>, <1541735155.15117.3.camel@acutus.pro>
Message-ID: <1541760579107.82395@cjsm.vlaanderen.be>

Hi Dmitry,

thanks a lot for this elaborate clarification. :) It is clear to us what roads we can follow now.

First, I asked this question before on stackoverflow. https://stackoverflow.com/questions/53192776/how-to-change-authentication-url-generated-by-keycloak-openid-connect-java-adapt. Is it ok if I add your reply as an answer there (I will only put there relevant parts)? I believe there will be other people asking the same question...

Secondly, considering your recommended way (we love bulletproof solutions ;-)), a Keycloak server, I see I have two options: the full server or the Wildfly add-on. We use EAP 7.1. Can we use the add-on on our server? I also noticed that on the download page you do not recommend this for production use. So I was taking into consideration to install the full Keycloak server. But can we use this server then also to deploy our application? It seems to me that it should be possible since the Keycloak server has a fully featured standalone folder... Of course, we want to avoid running two EAP instances, if possible ;)

Regarding the Intuit question, I am not sure. It is another department who is responsible for this, I am just in the development team. But it could be they use Intuit behind the scenes.
We only receive stuff like authentication url, clientId and secret and so on and we have to make it work :-) The well-known configuration we received from them does look a lot like yours.

Thirdly, I will make a JIRA issue for this. Or should I first wait for a reply from the Keycloak developers? To be honest, it's the first time I use a mailing list... No idea who can reply to this email.

KR,
Fabrizio Usai
________________________________________
From: Dmitry Telegin
Sent: Friday 9 November 2018 04:45
To: Usai, Fabrizio; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server

Hello Fabrizio,

Indeed, string templates like "/realms/{realm-name}/protocol/openid-connect/auth" are hardcoded into Keycloak adapters [1] [2]. Luckily, there seems to be a workaround.

In Keycloak, there is a mechanism for multitenancy [3]; it requires you to supply a resolver that would return a KeycloakDeployment instance based on request parameters. One of its bonus features is that you can completely redefine the behavior of KeycloakDeployment. For example, you can extend org.keycloak.adapters.KeycloakDeployment and override its resolveUrls() method, to make the URLs point to your 3rd party IDP. This approach doesn't require any modifications to the adapter code, so I'd recommend you start with it. However, I wouldn't rule out further incompatibilities that could pop up.

Another option is installing an intermediary Keycloak (server), configuring brokering to the 3rd party IDP and pointing your adapter to Keycloak. Though it sounds like overkill, it's a bulletproof solution that should work 100% (and it also has some other benefits).

There are of course other options like using the 3rd party IDP's equivalent of the Keycloak adapter (is it Intuit BTW?), or using other OpenID Connect Java libraries [4], or even proxy-level adapters like apache-mod_auth_openidc [5] or Keycloak Gatekeeper [6]. But I understand that this would probably require a code rewrite, so you should consider these options only as the last resort.

As for SAML and why it used to work: the Keycloak adapter uses standard SAML SP metadata for configuration, which defines URLs strictly and unambiguously; here we need to admit that SAML is more mature and feature-complete. OIDC, on the contrary, allows for some freedom.
At the moment, Keycloak OIDC adapter doesn't use any standard metadata, but rather generates URLs using hardcoded templates. I think Keycloak adapter could use OIDC's rough equivalent for SAML metadata, namely "well-known" URLs. You can experiment with your IDP and append ".well-known/openid-configuration" to its URL. If my conjecture about Intuit is correct, then it should look like this: https://oauth.platform.intuit.com/op/v1/.well-known/openid-configuration

In theory, Keycloak OIDC adapter could ingest this metadata instead of hardcoding URL templates. To me, this could be a valuable addition, but surprisingly I don't see any related JIRA issue. Maybe Keycloak developers could give us some feedback.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/constants/ServiceUrlConstants.java#L26
[2] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java#L161
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[4] https://openid.net/developers/certified/
[5] https://github.com/zmartzone/mod_auth_openidc
[6] https://github.com/keycloak/keycloak-gatekeeper

On Thu, 2018-11-08 at 14:13 +0000, Usai, Fabrizio wrote:
> Dear,
>
> We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good.
>
> When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/protocol/openid-connect/auth?response_type=code&client_id=fac9d161-d27d-493d-uze896zed78&redirect_uri=.....
>
> This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before we were using SAML and didn't have this issue.
>
> How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/?
>
> We don't understand why with SAML we didn't have this issue at all, and now with OpenID it seems very difficult to solve this issue. Our current guess to solve this is to overwrite some Keycloak Java class and make sure the url is built the correct way. Although it is a bit dirty, we could accept this as a solution (if it is possible), but we prefer to do this via configuration.
>
> Kind regards,
>
> Fabrizio Usai

From nocquidant at gmail.com Fri Nov 9 05:55:30 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Fri, 9 Nov 2018 11:55:30 +0100
Subject: [keycloak-user] Set sessions lifespan by realm?
Message-ID:

Hello

Would it be possible to have several cache "sessions" with different configurations associated with different realms? I mean, I need to configure different lifespans for sessions, for different realms. How could I do that?

Does the "SSO Session Max" entry from the GUI override the definition from the file standalone-ha.xml, for each realm:

...

If yes, does it mean I need to set expiration lifespan in standalone-ha.xml as the maximum of all "SSO Session Max" GUI entries?
Thanks a lot for clarification
--nick

From psilva at redhat.com Fri Nov 9 07:29:00 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 9 Nov 2018 10:29:00 -0200
Subject: [keycloak-user] Data filtering in SQL
In-Reply-To: <5BCF31B569C0A2468D7904C8E5839D690104C378C5@DSKCMAIL1WC.ad.dstsystems.com>
References: <5BCF31B569C0A2468D7904C8E5839D690104C35356@DSKCMAIL1WC.ad.dstsystems.com> <1541136118.4390.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C368EF@DSKCMAIL1WC.ad.dstsystems.com> <1541630686.2778.1.camel@acutus.pro> <5BCF31B569C0A2468D7904C8E5839D690104C3759B@DSKCMAIL1WC.ad.dstsystems.com> <5BCF31B569C0A2468D7904C8E5839D690104C378C5@DSKCMAIL1WC.ad.dstsystems.com>
Message-ID:

On Thu, Nov 8, 2018 at 9:27 PM Byrd, Rob M wrote:

> Pedro,
>
> That is helping my understanding some, thank you. I understand your recommendations on dealing with separating the employee's Salary field in my example too. Please see follow-up questions below.
>
> String resource attributes statically in keycloak:
>
> 2.1) I had been thinking of Resource as a *type* of resource to this point not a specific instance. But now I don't see how your suggestion of basically using the resource attribute to store a foreign key (ie. pet's veterinarian) will work unless we are talking about each individual pet instance being a keycloak resource. Similarly it was mentioned pet 1 and pet 2 could have a meaningful Owner in keycloak, which again is making me think that *instances* are being suggested to store along with entity-relationships basically. So, should I instead be thinking of keycloak resources as storing single instances of items in our system?
>

You should not think of Keycloak as storing *only* single instances, but with the necessary support to store single instances. That was my point when I mentioned that you can have a 1:1 or 1:N mapping between keycloak resources and your resources.
The work to manage resources in Keycloak is quite trivial, keep them in sync with your real resources too. Performance of authorization requests for specific resources is quite good. It is a trade-off, the flexibility we give regarding governing access to individual resources vs the drawbacks of managing these resources in Keycloak. But again, you are not forced to use this approach, it really depends on your requirements. For instance, we support privacy through User-Managed Access (UMA), users are allowed to manage permissions for their own resources, share resources with others, allow/approve access to specific scopes/actions, and revoke access, where you have loosely coupled clients and resource servers, resource servers in control over the context that a permission should be granted, etc.

I'm not pushing you to any specific solution but trying to clarify what we have, what we can do, what we can improve and how we could help "data filtering" use cases. Btw, thank you and Dmitry for starting this.

> 2.2) This relatively static storage of resources plus extra attributes like foreign keys seems to basically push/duplicate our business model of data into keycloak, to some degree, correct? And the more keycloak needs to decide, the more gets duplicated into keycloak?
>

Not really, but true for data filtering. That is another point/drawback/concern that I tried to make when I said that data filtering is not among our target use cases. We can support it, but not something we discussed in the details like we are doing in this thread. Attributes can be used to define specific security related data associated with a resource which are not part of your business model. Thus, allowing you to keep your business model decoupled from security aspects that govern access to your resources.

>
> Push claims:
>
> 2.3) The push claim alternative seems to be having application logic fetch more context as needed for the permission evaluation.
> This might work okay when going after a single entity or asking singular questions of the application logic - but for lists, such as a user seeing his list of 100 transaction history records amongst the 1 million transaction history records on the system, would a question be asked for each of the 1 million records, one at a time?
>

Pushing claims is not the correct approach to solve this problem. First, Keycloak is optimized to only evaluate policies for resources where the subject is the owner. So, considering that I decided to manage all 1 million resources in Keycloak, each resource would have a user as the resource owner. During evaluation the policy engine is going to evaluate permissions for 100 resources, not 1 million. You may ask now, would that scale? Depends on how you obtain permissions from the server. If you are asking the server for all permissions and users can have 1 million resources over time, it won't scale. However, if you ask permissions for individual transactions or a small set of transactions, it will scale.

>
> Post-filtering of records:
>
> 2.4) A use case I still seek clarification on is the "post-filtering of records", which I was trying to get at with my previous question #5. Stated in another way - say a financial database has 1 million transaction records across thousands of users. Every user is allowed to see the transaction history records view, but only the ones they transacted. So, a single user viewing all transactions of the transaction history feature/resource should (obviously) only be able to see all HIS transactions, not all 1 million on the database. Spring Security would have @PostAuth for this (though its drawback is slow db performance on first query that does a db table scan and brings back everything to the middle tier, which then inefficiently whittles it down to just what pertains to the user). My question is what ways would this post-filtering of records be handled in Keycloak?
> With what I know so far, I am guessing at keycloak basic options:
>
> a) Have each of 1mil transaction records managed by Keycloak, add a "creator" attribute for who instigated the transaction, and have that user identifier stored on each record so Keycloak can do the filtering down to the 100 correct records
>
> b) Receive a push claim, for each of the 1mil transaction records, indicating who the "creator" is, so it may be matched against the current user and thus filter down to the 100 correct records
>
> c) During evaluation, the policy engine can call out to a service somewhere to get the primary keys of the subset of records this user can see (this may be like a Claim Information Point), then whittle the full list down to just those matching primary keys (kind of like sending an IN list of primary keys in a SQL WHERE clause)
>
> d) Something more like the "partial evaluation" that the OPA blog and Dmitry have been talking about
>

You don't need to create a "creator" attribute. Resources in Keycloak always have an owner. It can be the resource server (the application) itself or some user in your realm. See https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_overview .

I just realized that we have another option in Keycloak that might be helpful to solve data filtering. I think it is similar to what you linked from OPA docs. Some background first about the capability that may help with that.

In Keycloak, policies are allowed to push back claims to the resource server (the application protecting the resources you want to access). Quite similar to Advice/Obligation in XACML. The idea is to push back additional constraints to the application in order to indicate additional checks that should be performed by the policy enforcer. As a note, our CIPs do that in order to reinforce access to resources based on any claim pushed to Keycloak when evaluating permissions. Let me give you an example.
Consider a Transaction resource that you created in Keycloak. This is a generic resource representing all your transactions. Suppose you have a specific scope that represents an operation that lists all user transactions. Let's call this scope "transaction:list". This scope is associated with the Transaction resource. So you have:

    Resource: Transaction
    Scopes: transaction:list

Now, in addition to any other policy that applies to the Transaction resource (role, group, whatever) you have a specific permission that governs access to the "transaction:list" scope. This permission is granted by a "List Transaction Policy" as follows:

    var permission = $evaluation.getPermission();
    var identity = $evaluation.getContext().getIdentity();

    // push the caller's user id back to the application as a filter claim
    permission.addClaim('data.filter.userId', identity.getId());

    $evaluation.grant();

Now, the client application acting on behalf of your user tries to access your application at "/api/v1/transaction" using HTTP GET. You know that the GET method on that endpoint is associated with the "transaction:list" scope, so you ask Keycloak for permissions to "Transaction" resources + "transaction:list" scope.
As a result, Keycloak will give you a response as follows:

    "permissions": [
      {
        "scopes": [
          "album:list"
        ],
        "claims": {
          "data.filter.userId": [
            "e68fa92d-6167-438f-844b-78c7abfc0dd2"
          ]
        },
        "rsid": "d3aaaf68-50cf-4c5c-97b9-99910a7bfb27",
        "rsname": "Transaction Resource"
      }
    ]

In your application you can use the permission granted above, and the "data.filter.userId" claim to create a query in your database as follows:

    StringBuilder filter = new StringBuilder();
    // each pushed claim is multi-valued, so values are bound as a collection
    Map<String, Object> queryParams = new HashMap<>();

    for (Map.Entry<String, Set<String>> entry : permission.getClaims().entrySet()) {
        String key = entry.getKey();

        // only "data.filter.<column>" claims contribute to the WHERE clause
        if (key.startsWith("data.filter")) {
            if (filter.length() != 0) {
                filter.append(" and ");
            }

            String left = key.substring(key.lastIndexOf('.') + 1);

            filter.append(left).append(" in (:").append(left).append(")");
            queryParams.put(left, entry.getValue());
        }
    }

    // assumes at least one data.filter claim was pushed
    Query query = this.entityManager.createQuery("from Transaction where " + filter.toString());

    for (Map.Entry<String, Object> entry : queryParams.entrySet()) {
        query.setParameter(entry.getKey(), entry.getValue());
    }

The key points here are:

* You are using a single resource to represent all transactions in your system
* You are using a specific policy to protect the "transaction:list" operation by pushing back to your application how access should be enforced
* Access management is still centralized and you can push back the "data.filter" claim with any information you want in order to indicate to the application how data must be filtered
* Your policies are using information already available from the evaluation context (like user id, user attributes, user roles, groups) without being forced to push any claim to the server

In fact, I can use this in one of our quickstarts that is using a database and protecting data. So we could introduce something similar to this in order to filter records in addition to protecting API endpoints. How does that sound to you?
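The resource-server side of the "data.filter" pattern described above, as an added example that is not part of Pedro's message or of Keycloak's own code: it takes a permission response of the shape shown, checks that the transaction:list scope was granted, turns the data.filter.* claims into a parameterized WHERE clause, and runs it against a small constructed SQLite table. The column whitelist, the IN handling for multi-valued claims, the function names and the table contents are assumptions of this example.

```python
import sqlite3

# Constructed permission response, shaped like the one shown above (the ids
# are illustrative values reused from the example, not real identifiers).
SAMPLE_RESPONSE = {
    "permissions": [
        {
            "scopes": ["transaction:list"],
            "claims": {
                "data.filter.userId": ["e68fa92d-6167-438f-844b-78c7abfc0dd2"]
            },
            "rsid": "d3aaaf68-50cf-4c5c-97b9-99910a7bfb27",
            "rsname": "Transaction Resource",
        }
    ]
}

# Assumption of this example: the columns a data.filter.<column> claim may
# address. The column name is spliced into the SQL text, so it must come
# from this set; claim values are always bound as parameters.
ALLOWED_FILTER_COLUMNS = {"userId", "accountId"}
CLAIM_PREFIX = "data.filter."


def find_permission(response, resource_name, scope):
    """Return the permission granted for resource_name carrying scope, else None."""
    for perm in response.get("permissions", []):
        if perm.get("rsname") == resource_name and scope in perm.get("scopes", []):
            return perm
    return None


def build_filter(permission, allowed_columns=ALLOWED_FILTER_COLUMNS):
    """Turn the data.filter.* claims of a permission into (where_sql, params).

    Keycloak sends every claim as a list: one value becomes "col = :col_0",
    several become "col IN (:col_0, :col_1, ...)". An empty list and a
    column outside the whitelist are both rejected instead of being spliced
    into the query.
    """
    clauses, params = [], {}
    for key, values in permission.get("claims", {}).items():
        if not key.startswith(CLAIM_PREFIX):
            continue  # other pushed claims are not data filters
        column = key[len(CLAIM_PREFIX):]
        if column not in allowed_columns:
            raise ValueError("unexpected filter column in claim %r" % key)
        if isinstance(values, str):
            values = [values]
        if not values:
            raise ValueError("empty filter claim %r" % key)
        names = []
        for i, value in enumerate(values):
            name = "%s_%d" % (column, i)
            params[name] = value
            names.append(":" + name)
        if len(names) == 1:
            clauses.append("%s = %s" % (column, names[0]))
        else:
            clauses.append("%s IN (%s)" % (column, ", ".join(names)))
    return " AND ".join(clauses), params


def list_transactions(conn, response):
    """What GET /api/v1/transaction does with the permission response.

    Without a transaction:list grant the request is refused outright; a grant
    that pushes no data.filter claim imposed no restriction, so every row is
    returned.
    """
    perm = find_permission(response, "Transaction Resource", "transaction:list")
    if perm is None:
        raise PermissionError("transaction:list not granted")
    where, params = build_filter(perm)
    sql = "SELECT id, userId, amount FROM transactions"
    if where:
        sql += " WHERE " + where
    return conn.execute(sql + " ORDER BY id", params).fetchall()


def make_demo_db():
    """In-memory table with constructed rows belonging to three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, userId TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?)",
        [
            (1, "e68fa92d-6167-438f-844b-78c7abfc0dd2", 100),
            (2, "user-b", 250),
            (3, "e68fa92d-6167-438f-844b-78c7abfc0dd2", 40),
            (4, "user-c", 7),
        ],
    )
    return conn
```

Calling `list_transactions(make_demo_db(), SAMPLE_RESPONSE)` returns only rows 1 and 3, the two that belong to the user id the policy pushed back.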
>
> General:
>
> 2.5) In general, it seems to me the bigger the chunks of extra context provided by application logic to the policy engine, the less detail about the actual constraints being enforced you have controlled and visible in the policy layer, somewhat defeating the purpose of the policy layer. Does that sound correct? I could see us offloading a ton of detail to the push claims, rather than, say, duplicating more of our business model in keycloak, and then realizing very little of our actual policy permission details are visible or controllable in the policy layer. So I am not sure what we are getting at that point.
>
> a) An answer might be drawing the line at only role-based access control in the policy layer since that affinity is more easily provided as input (though that could even be debated)
>
> b) Maybe we try to define and draw the line at "resource-based" controls only in the policy layer
>
> c) Maybe we make the unit of work for each push claim so granular that truly all of the policy rules that are occurring are basically expressed in the policy layer (thus allowing control, flexibility and visibility in one consolidated place)
>
> Thanks for your time.
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 *| *m (816) 509-0119
> *rmbyrd at dstsystems.com * | *www.ssctech.com *
>
> *From:* Pedro Igor Silva [mailto:psilva at redhat.com]
> *Sent:* Thursday, November 8, 2018 2:20 PM
> *To:* Byrd, Rob M
> *Cc:* Dmitry Telegin
> ; keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Data filtering in SQL
>
> On Thu, Nov 8, 2018 at 5:44 PM Byrd, Rob M wrote:
>
> Thanks Dmitry and Pedro,
>
> Pardon my simple-minded response below, but I am wondering how these specific items would work? Dmitry, yes I agree your GET /projects/ and GET /projects scenario is on point for the issue - I hope my questions below can further clarify the discussion. Here, I will have to make a "go or no-go" decision in about a week. :) I would love to take on the challenge of searching for the "holy grail" in this, but atm will need to figure out what Keycloak (or OPA, etc.) can confidently do today.
>
> Thanks for the great discussion and continued help!
>
> Questions
>
> 1) Simple role-based authorization policy seems doable.
>
> - Ex: "Only veterinarians are allowed to read pet profiles."
>
> 2) But how to answer once more context is needed, such as one resource's affinity to another? Literally how does the application figure it out? Like the below example would need a pet-veterinarian mapping resolved somehow, it seems:
>
> - "Only the treating veterinarian is allowed to read a pet's profile."
>
> Just like in OPA, but using a different approach, you can also push information (the input in OPA) to your policies. We call this "pushing claims" [1]. In our policy enforcer we also have the concept of a Claim Information Point [2] (similar concept as a PIP) which you can configure to automatically push claims to your policies when checking access for a particular resource. There is also a CIP that allows you to fetch claims from external services.
>
> Besides, a resource in Keycloak has attributes, which can be anything you want. So you could, for instance, have a Pet Foo resource in Keycloak and update a "veterinarian" attribute associated with it.
> So you could have a policy that checks if the user making the request is the same defined in the attribute.
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims
> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>
> 3) Keycloak has taken an example of "Pet owners can access their own pet's profiles." and said we can write policies saying that "Only Owner" can access "/api/petservice/pet/{id}". But how does the policy engine figure out who is the owner of /pet/2 vs /pet/3?
>
> I can think of two options. Like I mentioned before, we are resource-based and resources have an owner. So you can write policies that check if the resource owner is the user making the authorization request. Another option is to push claims.
>
> 4) Similarly, an OPA blog https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 gives the example where "Only the treating veterinarian is allowed to read a pet's profile, and only when signed in from a device at the pet's clinic". Again, it is easy enough to provide the OPA engine the target pet and the current device location, but how exactly is it determined who is the treating veterinarian of that pet and what clinic the pet belongs to?
>
> 5) In general, the security difficulty is constraining what a user can see/do in a particular feature, so how exactly would a policy engine bring back a subset of records that particular user can see (based on their affiliated company, etc.)?
>
> 6) Similarly, how exactly would a policy engine bring back all records but not the fields a user should not see (such as employee salary field, unless the user is a HR VIP)? These last two could be likened to @PostAuth post-filtering in spring security.
>
> You can have all those resources protected by Keycloak and make authorization requests to obtain the resources a user has access to. We provide a REST API to create resources. And that is the point I tried to make when I said that data security is not really among the use cases we are trying to solve. Although it is possible. Keycloak allows you to send a "give me all" permission request. That means returning permissions for any resource, managed by Keycloak, that a user can access. But yeah, depending on how many resources you have you may end up with a huge response and bad performance.
>
> Another approach is to define a single Employee resource with a Salary scope to represent all your employees. So you could enforce access to your real employees and their salary based on the decisions made by the server for this single resource.
>
> The decision for one approach or another really depends on how fine grained you want to be, like I mentioned before. Do you need to manage individual employees or do they all share the same access policies?
>
> See this https://github.com/keycloak/keycloak-quickstarts/tree/master/app-authz-rest-employee .
>
> Regarding fields (e.g: salary) you could consider it as a scope associated with a resource. In Keycloak you can define permissions for scopes, not only for resources.
>
> Rob Byrd
> DST
> Solutions Lead
> SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> t: (816) 435-7286 *| *m (816) 509-0119
> *rmbyrd at dstsystems.com * | *www.ssctech.com *
>
> *From:* Pedro Igor Silva [mailto:psilva at redhat.com]
> *Sent:* Thursday, November 8, 2018 6:42 AM
> *To:* Dmitry Telegin
> *Cc:* Byrd, Rob M ; keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Data filtering in SQL
>
> Hi Dmitry,
>
> Agree with you when you mention application vs data security. I also agree that Keycloak can also solve data security problems.
>
> Privacy is one of the main reasons behind our UMA support, a very important aspect of data security. In addition to privacy, we also added extensions to UMA and OAuth2 standards to enable applications to use Keycloak as a Policy Decision Point, mainly targeted at application security.
>
> As PDP (and PAP), Keycloak allows you to govern access to protected resources and to obtain authorization decisions as a result of the evaluation of policies associated with these resources. Being based on UMA and OAuth2 we support token-based authorization but also access control based on the permissions granted by the server. So, yeah, it should be possible to filter data based on those permissions as well as dynamically create WHERE clauses.
>
> My main concerns about data security are scalability and manageability, two aspects that are closely related to how fine-grained you want to be. Like I said, in Keycloak you can protect a set of one or more resources as well as scope specific permissions, which can span access decisions for one or more resources.
>
> We are using data security when you enable permissions to users or groups, where results are filtered based on the evaluation of these permissions. Performance wise, evaluation is quite satisfactory, the main challenge being the trade-off between usability vs performance. Recently we had important changes to improve the performance of our token endpoint and policy evaluation engine and I think we can perform well when fetching permissions from the server for a set of one or more resources.
>
> I'm happy to discuss how we can leverage what we have for data security if the community is interested.
>
> Regards.
>
> Pedro Igor
>
> On Wed, Nov 7, 2018 at 8:47 PM Dmitry Telegin
> wrote:
>
> Hi Rob,
>
> On Tue, 2018-11-06 at 16:28 +0000, Byrd, Rob M wrote:
> > (Hope this is the correct way to reply - let me know if not)
> >
> > Thanks. So my concern is really with the whole idea that an Enterprise Application's security constraints could really be all implemented based on url-patterns, is that what you guys are thinking?
>
> Cannot speak for Keycloak guys, but will put in my 2¢ as an architect - URL-based (or rather resource-based) authorization covers only one aspect of the application security. Data filtering is equally important, but it's just another facet of the problem, and needs to be solved accordingly. Indeed, Keycloak doesn't provide OOTB any means for automatically limiting subsets of data shown to the user, as Keycloak has a completely different scope (namely Web SSO/IDM solution).
>
> However, you can still use Keycloak as a central warehouse for your security (meta)data, and use it the way you want. Like I said before, nothing stops you from defining some policies in Keycloak, then retrieving them and converting them to a WHERE clause for your SQL/JPQL/NoSQL query.
>
> Speaking of NoSQL - this might be not directly relevant to your problem, but still interesting. A similar problem has surfaced in the discussion following my talk on Apache Sling + Keycloak [1] earlier this year; the central point was: "okay, we can have Keycloak path-based authorization in Sling, but how do we limit the content visible to the user?" That time we came up with some sort of hybrid solution, like path-based security + JCR ACLs and/or application-level rules; but now I think this might be something similar, like generating JCR's equivalent to the WHERE clause based on Keycloak policy definition.
>
> Just to make sure I understand the case, let's imagine:
> - there are users and groups (live in Keycloak);
> - there are, say, "projects" (live in business tier + DB);
> - there is a policy in Keycloak saying "projects should be accessible only to the members of the respective groups";
> - based on that:
>   - GET /projects/ should return 200 + representation if the user is a member of the group, 403 otherwise;
>   - GET /projects should return the list of projects the current user has access to.
>
> Is this correct?
>
> [1] https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > For example, mostly a user can visit most features (urls) in an application, but it is the subset of things they can see/do within the feature that is the crux of the security issue - and it does not seem feasible to architect urls in such a way that they can be used as the key to security. Thoughts?
> >
> > Thanks!
> >
> > Rob Byrd
> > DST
> > Solutions Lead
> > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > t: (816) 435-7286 | m (816) 509-0119
> > rmbyrd at dstsystems.com | www.ssctech.com
> >
> > -----Original Message-----
> > From: Dmitry Telegin [mailto:dt at acutus.pro]
> > Sent: Friday, November 2, 2018 12:22 AM
> > To: Byrd, Rob M; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Data filtering in SQL
> >
> > Hello Rob,
> >
> > If I get it right, it's all about generating a SQL WHERE clause from Keycloak policies? I think this is doable, as Keycloak has a well-defined object model for authorization policies, and it's easy to obtain policy definitions in JSON format. I think Pedro Igor will tell you more about that.
> >
> > You should pay attention to the following:
> > - there are differences in semantics between OPA and Keycloak policies. For example, Keycloak policies do not operate on HTTP methods but rather use the more generic notion of scopes;
> > - not every policy type can be easily converted to a WHERE clause. It should be trivial for User/Group/Role policies, but is virtually impossible for Script and Rules, as they are just black boxes that evaluate to true or false. Unless of course your DBMS has a built-in JavaScript engine :)
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Thu, 2018-11-01 at 21:39 +0000, Byrd, Rob M wrote:
> > > I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sql-d9d24db93bf4 .
> > >
> > > Thanks!
> > >
> > > Rob Byrd
> > > DST
> > > Solutions Lead
> > > SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105
> > > t: (816) 435-7286 | m (816) 509-0119
> > > rmbyrd at dstsystems.com | www.ssctech.com
> > > Follow us: https://www.linkedin.com/company/ss-c-technologies/ | https://www.facebook.com/ssctechnologies/
> > >
> > > Please consider the environment before printing this email and any attachments.
> > >
> > > This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law.
> > > If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
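The translation Dmitry sketches in this thread (User/Group/Role policies become a WHERE clause, Script and Rules policies cannot), carried through as an added, runnable example. This is not code from the thread or from Keycloak: the PolicyRepresentation-like dicts, the COLUMN_FOR_TYPE mapping of policy types onto table columns, the projects table and the principal are all constructed for the example, and subjects are matched by name rather than by id as Keycloak actually stores them.

```python
"""Turn Keycloak-style User/Group/Role policies into a parameterized SQL WHERE clause.

Added example, not Keycloak code. Assumptions (constructed for the example):
- policies are dicts shaped like Keycloak's PolicyRepresentation ("type", "config"
  holding JSON-encoded strings), but subjects are named instead of referenced by id;
- the application table carries columns mirroring the policy subjects (COLUMN_FOR_TYPE);
  that mapping is application-specific, Keycloak does not provide it.
"""
import json
import sqlite3

# Hypothetical mapping: which row column each policy type constrains.
COLUMN_FOR_TYPE = {
    "user": "owner",          # a user policy matches rows owned by a listed user
    "group": "group_path",    # a group policy matches rows belonging to a listed group
    "role": "required_role",  # a role policy matches rows requiring a listed role
}

# Script ("js") and Drools ("rules") policies evaluate to true/false inside
# Keycloak; there is no SQL equivalent to rewrite them into.
OPAQUE_TYPES = {"js", "rules"}


class UnsupportedPolicy(ValueError):
    """Raised for a policy that has no SQL equivalent."""


def policy_subjects(policy):
    """Subjects a policy grants to; Keycloak stores config values as JSON strings."""
    cfg, kind = policy["config"], policy["type"]
    if kind == "user":
        return set(json.loads(cfg["users"]))
    if kind == "group":
        return {g["path"] for g in json.loads(cfg["groups"])}
    if kind == "role":
        return {r["name"] for r in json.loads(cfg["roles"])}
    raise UnsupportedPolicy(f"policy type {kind!r} cannot be converted to a WHERE clause")


def principal_subjects(principal, kind):
    """The caller's own username, group paths or roles, as carried in its token."""
    return {"user": {principal["username"]},
            "group": set(principal["groups"]),
            "role": set(principal["roles"])}[kind]


def policy_to_sql(policy, principal):
    """One policy -> (sql_fragment, params). A denial becomes the always-false '0=1'."""
    kind = policy["type"]
    if kind in OPAQUE_TYPES or kind not in COLUMN_FOR_TYPE:
        raise UnsupportedPolicy(f"policy type {kind!r} is a black box; evaluate it in Keycloak")
    allowed = sorted(policy_subjects(policy) & principal_subjects(principal, kind))
    if not allowed:
        return "0=1", []
    placeholders = ", ".join("?" for _ in allowed)  # bind values, never interpolate names
    return f"{COLUMN_FOR_TYPE[kind]} IN ({placeholders})", allowed


def where_clause(policies, principal, decision_strategy="UNANIMOUS"):
    """Combine policies like a Keycloak permission: UNANIMOUS -> AND, AFFIRMATIVE -> OR."""
    fragments, params = [], []
    for policy in policies:
        sql, bound = policy_to_sql(policy, principal)
        fragments.append(f"({sql})")
        params.extend(bound)
    joiner = " AND " if decision_strategy == "UNANIMOUS" else " OR "
    return joiner.join(fragments) or "0=1", params


# Constructed rows standing in for the thread's "projects" table.
PROJECTS = [
    ("alpha", "alice", "/engineering", "developer"),
    ("beta", "bob", "/finance", "accountant"),
    ("gamma", "carol", "/hr", "developer"),
]


def accessible_projects(policies, principal, decision_strategy="UNANIMOUS"):
    """GET /projects: names of the rows the principal may see, filtered inside SQL."""
    where, params = where_clause(policies, principal, decision_strategy)
    with sqlite3.connect(":memory:") as db:
        db.execute("CREATE TABLE projects(name, owner, group_path, required_role)")
        db.executemany("INSERT INTO projects VALUES (?, ?, ?, ?)", PROJECTS)
        rows = db.execute(f"SELECT name FROM projects WHERE {where} ORDER BY name", params)
        return [name for (name,) in rows]


def can_access(policies, principal, project_name):
    """GET /projects/<name>: True maps to 200 + representation, False to 403."""
    return project_name in accessible_projects(policies, principal)


# Constructed policies in the PolicyRepresentation shape, and a constructed principal.
GROUP_POLICY = {"type": "group", "name": "Members of the project's group", "config": {
    "groups": json.dumps([{"path": "/engineering", "extendChildren": False},
                          {"path": "/finance", "extendChildren": False}])}}
ROLE_POLICY = {"type": "role", "name": "Developers", "config": {
    "roles": json.dumps([{"name": "developer", "required": False}])}}
USER_POLICY = {"type": "user", "name": "Only bob", "config": {"users": json.dumps(["bob"])}}
SCRIPT_POLICY = {"type": "js", "name": "Opaque", "config": {"code": "$evaluation.grant();"}}
ALICE = {"username": "alice", "groups": ["/engineering", "/hr"], "roles": ["developer"]}

if __name__ == "__main__":
    print(where_clause([GROUP_POLICY], ALICE))
    print(accessible_projects([GROUP_POLICY, USER_POLICY], ALICE, "AFFIRMATIVE"))
```

Rows are filtered in SQL with bound parameters, so the caller's group paths never reach the query as literals; the decision strategy is applied the way Keycloak combines the policies of one permission (UNANIMOUS as AND, AFFIRMATIVE as OR); and a script policy fails fast with UnsupportedPolicy instead of being silently skipped, which would widen access.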
From wburns at redhat.com Fri Nov 9 08:05:58 2018
From: wburns at redhat.com (William Burns)
Date: Fri, 9 Nov 2018 08:05:58 -0500 (EST)
Subject: [keycloak-user] Shared datastore?
In-Reply-To:
References:
Message-ID: <996899230.66401575.1541768758407.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Sebastian Laskawiec"
> To: "Nicolas Ocquidant"
> Cc: keycloak-user at lists.jboss.org, "Will Burns Rosenquist Burns"
> Sent: Thursday, November 8, 2018 12:33:47 PM
> Subject: Re: [keycloak-user] Shared datastore?
>
> So I think there are at least two ways to address this problem. This first one is to use Offline Tokens [1]. I'm not sure if that fits into your application since it requires your client applications to store the token. In other words you can simply delegate this problem one layer below in your system.
>
> If that doesn't work for you, yes passivation is a way to go. Frankly, I haven't used passivation but from the manual I see it works hand in hand with eviction [2][3]. Will (on CC) can probably correct me here, but my understanding is that whenever an entry gets evicted, the passivation mechanism picks it up and stores it somewhere.

It does and it works, the problem is that passivation doesn't play well with shared stores in Infinispan. We prevent this configuration in 9.4 or newer even.

I recommended that Nicolas just use eviction and a shared store without passivation. However it seems that entries are not written to the store in this configuration. My guess is that KeyCloak performs write operations with the SKIP_CACHE_STORE flag and assumes entries will only be written to the store due to passivation. Is there a reason for that?
>
> [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> [2] http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation
> [3] https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69
>
> On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant wrote:
> > My requirements are the following: store tokens emitted by KC during one year.
> >
> > I don't know how many users there are, but here are the numbers I get:
> > * the number of connections a week is about 700k.
> > * the number of session refreshes a week is about 200k.
> >
> > I approximated around 1M sessions a week, thus 52M a year. In memory, a user session has been estimated around 4KB (about 1KB in file/DB).
> >
> > But I guess a refresh does not create another session, does it? And maybe it's possible to ask KC to delete previously emitted tokens when a new one is created for the same user?
> >
> > If yes, my estimation is probably a little bit too high here, but I certainly have several millions of tokens to keep (and maybe dozens of millions).
> >
> > Thanks
> > --nick
> >
> > On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
> > > Hi,
> > >
> > > According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
> > >
> > > But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
> > >
> > > So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
> > >
> > > But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.
> > >
> > > 15:27:44,626 WARN  [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
> > >
> > > As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).
> > >
> > > So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?
> > >
> > > Thanks
> > > --nick
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Fri Nov 9 08:29:43 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 9 Nov 2018 14:29:43 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To: <1408145257.66131813.1541706517375.JavaMail.zimbra@redhat.com>
References: <1408145257.66131813.1541706517375.JavaMail.zimbra@redhat.com>
Message-ID:

Yes, I think that could be the case, I see plenty of places where we use SKIP_CACHE_STORE. Let me ask Marek for help here since it has been implemented long before I joined the team and I don't know the history behind it...

On Thu, Nov 8, 2018 at 8:48 PM William Burns wrote:
>
> ----- Original Message -----
> > From: "Sebastian Laskawiec"
> > To: "Nicolas Ocquidant"
> > Cc: keycloak-user at lists.jboss.org, "Will Burns Rosenquist Burns" <wburns at redhat.com>
> > Sent: Thursday, November 8, 2018 12:33:47 PM
> > Subject: Re: [keycloak-user] Shared datastore?
> >
> > So I think there are at least two ways to address this problem. This first one is to use Offline Tokens [1].
> > I'm not sure if that fits into your application since it requires your client applications to store the token. In other words you can simply delegate this problem one layer below in your system.
> >
> > If that doesn't work for you, yes passivation is a way to go. Frankly, I haven't used passivation but from the manual I see it works hand in hand with eviction [2][3]. Will (on CC) can probably correct me here, but my understanding is that whenever an entry gets evicted, the passivation mechanism picks it up and stores it somewhere.
>
> It does and it works, the problem is that passivation doesn't play well with shared stores in Infinispan. We prevent this configuration in 9.4 or newer even.
>
> I recommended that Nicolas just use eviction and a shared store without passivation. However it seems that entries are not written to the store in this configuration. My guess is that KeyCloak performs write operations with the SKIP_CACHE_STORE flag and assumes entries will only be written to the store due to passivation. Is there a reason for that?
>
> > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> > [2] http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation
> > [3] https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69
> >
> > On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant wrote:
> > > My requirements are the following: store tokens emitted by KC during one year.
> > >
> > > I don't know how many users there are, but here are the numbers I get:
> > > * the number of connections a week is about 700k.
> > > * the number of session refreshes a week is about 200k.
> > >
> > > I approximated around 1M sessions a week, thus 52M a year. In memory, a user session has been estimated around 4KB (about 1KB in file/DB).
> > >
> > > But I guess a refresh does not create another session, does it? And maybe it's possible to ask KC to delete previously emitted tokens when a new one is created for the same user?
> > >
> > > If yes, my estimation is probably a little bit too high here, but I certainly have several millions of tokens to keep (and maybe dozens of millions).
> > >
> > > Thanks
> > > --nick
> > >
> > > On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
> > > > Hi,
> > > >
> > > > According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
> > > >
> > > > But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
> > > >
> > > > So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
> > > >
> > > > But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.
> > > >
> > > > 15:27:44,626 WARN  [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
> > > >
> > > > As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).
> > > >
> > > > So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?
> > > >
> > > > Thanks
> > > > --nick
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Nov 9 08:36:49 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 9 Nov 2018 11:36:49 -0200
Subject: [keycloak-user] /authz/protection/permission/ticket usage?
In-Reply-To:
References:
Message-ID:

Hi,

You can use the "scopeName" and "requesterName" properties for that. Take a look here https://github.com/keycloak/keycloak/blob/5cbe595fe3094aae8135b8f2c729e9af0cbdd076/core/src/main/java/org/keycloak/representations/idm/authorization/PermissionTicketRepresentation.java#L22 .

Regards.
Pedro Igor

On Fri, Nov 9, 2018 at 7:18 AM Ulrik Sjölin wrote:
> Hello,
>
> I have a question on how to use the API: /authz/protection/permission/ticket
>
> I can call the endpoint successfully if I do the call with only ids:
>
>   curl --silent -X POST \
>     http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
>     -H "Authorization: Bearer ${service_access_token}" \
>     -H "Content-Type: application/json" \
>     -d "{
>       \"resource\":\"${resource_id}\",
>       \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\",
>       \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\",
>       \"granted\":\"true\"
>     }"
>
> It would however be a lot more workable for me if I could use names like:
>
>   curl --silent -X POST \
>     http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \
>     -H "Authorization: Bearer ${service_access_token}" \
>     -H "Content-Type: application/json" \
>     -d "{
>       \"resource\":\"${resource_id}\",
>       \"scope\":\"Read\",
>       \"requester\":\"alice\",
>       \"granted\":\"true\"
>     }"
>
> But when I do this I get:
>
> {"error":"invalid_scope","error_description":"Scope [Read] is invalid"}
> {"error":"invalid_permission","error_description":"Requester does not exists in this server as user."}
>
> Looking at the code there seems to be lookups from names to ids, but for some reason it fails. What am I doing wrong? Any help is greatly appreciated.
>
> Best Regards,
>
> Ulrik Sjölin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From robstyle1234 at gmail.com Fri Nov 9 12:33:43 2018
From: robstyle1234 at gmail.com (ola rob)
Date: Fri, 9 Nov 2018 23:03:43 +0530
Subject: [keycloak-user] How can I use Keycloak to support my architecture?
Message-ID:

Thanks Luis for the quick help! Can you please relate to my example? I mean login-module is App3?

Also, how can I get the token once login is successful after being redirected back to my App3?

From uo67113 at gmail.com Fri Nov 9 14:01:15 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 9 Nov 2018 20:01:15 +0100
Subject: [keycloak-user] How can I use Keycloak to support my architecture?
In-Reply-To:
References:
Message-ID:

Hello Ola,

Sorry for confusing you. Yes, my /login-module would be your App3 one. In App3, once you are back from a successful login you have to:

1. Create the token (cookie for path "/")
2. Redirect the request to the original request

The code is in [1].

In my implementation APP3 is registered and uses the tomcat SAML adapter, so it is the one that deals with the keycloak authentication server requests & responses.

Hope it helps,

Luis

[1] https://gist.github.com/lurodrig/e1a20f480f3c4202c083a091ed68b0d7
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter

On Fri, 9 Nov 2018 at 18:46, ola rob () wrote:
> Thanks Luis for the quick help! Can you please relate to my example? I mean login-module is App3?
>
> Also, how can I get the token once login is successful after being redirected back to my App3?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From t.rademacher at gmx.de Fri Nov 9 14:01:50 2018
From: t.rademacher at gmx.de (Tim Rademacher)
Date: Fri, 9 Nov 2018 20:01:50 +0100
Subject: [keycloak-user] Verification of Access Token failed
Message-ID: <005501d4785e$ac2e4740$048ad5c0$@gmx.de>

Hi all,

I am struggling with access token verification. So here is what I am doing (using Keycloak 4.5):

1. Generate an offline auth code from Client A.
2. Generate a refresh token from Client A.
3. Generate an access token from Client A. This token has an ES256 signature.

When using this token, I got an error from my Spring Boot application that the used public key was not available: "Didn't find publicKey for specified kid". I set the public-key-cache-ttl to 1 sec and the log level to debug and could see that only one public key was retrieved for my configured Client: "Realm public keys successfully retrieved for client xxxxxxxxxx. New kids: [xxxxx]". As I could see in the realm settings, the key was created using RS256.

When I force Client A to just use the RS256 signature by setting the "Access Token Signature Algorithm", then it works fine. But I wonder how I could also use other signature algorithms!? Release notes are stating that both (and more) algorithms are supported.

Thanks for your help!

Regards
Tim

From cmelean at gmail.com Fri Nov 9 15:51:14 2018
From: cmelean at gmail.com (Calixto Meleán)
Date: Fri, 9 Nov 2018 15:51:14 -0500
Subject: [keycloak-user] There is already a httpSessionManager
Message-ID: <9700A518-4D16-4EEB-A7AC-18B650F0D2C2@gmail.com>

I'm doing a simple tutorial with SpringBoot 2.1.0 and Keycloak 4.5.0.
When I start the app, I am getting the following error:

org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'httpSessionManager' defined in class path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot register bean definition [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=securityConfig; factoryMethodName=httpSessionManager; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/example/demo/configuration/SecurityConfig.class]] for bean 'httpSessionManager': There is already [Generic bean: class [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; scope=singleton; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] bound.

Relevant maven dependencies I have are:

    org.keycloak  keycloak-spring-boot-starter  ${keycloak.version}
    org.springframework.boot  spring-boot-starter-security

SecurityConfig.class is:

    @KeycloakConfiguration
    public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

        @Bean
        public KeycloakConfigResolver KeycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }

        /**
         * Registers the KeycloakAuthenticationProvider with the authentication manager.
         */
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(keycloakAuthenticationProvider());
        }

        /**
         * Defines the session authentication strategy.
         */
        @Bean
        @Override
        protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
            return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            http
                .authorizeRequests()
                .antMatchers("/customers*").hasRole("pharmacist")
                .anyRequest().permitAll();
        }
    }

Appreciate any help. Thanks

From dt at acutus.pro Fri Nov 9 18:04:24 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 10 Nov 2018 02:04:24 +0300
Subject: [keycloak-user] group mapper per client
In-Reply-To:
References: <1540868804.2121.1.camel@acutus.pro>
Message-ID: <1541804664.2031.1.camel@acutus.pro>

Ronald, sorry for the late response,

You can use the following snippet:

    function invalidGroup(context) {
        return context.form()
            .setError("Invalid group membership", []).createLogin();
    }

    function authenticate(context) {
        ...
        if (authShouldFail) {
            var challengeResponse = invalidGroup(context);
            // context.failure(AuthenticationFlowError.INVALID_USER);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
            return;
        }
        context.success();
    }

Just FYI, I used the source code of Keycloak stock authenticators as a reference, like this one [1].

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java#L203

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-10-30 at 14:47 +0000, Ronald Demneri wrote:
> Almost forgot, if I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is a member of that group. If the user is not a member, then it'll display an error like "Invalid username or password".
> Is it possible to modify the response in such cases, stating that the account is not a member of the required groups, or at least have it like "Invalid group membership".
>
> Looking forward to hearing from you!
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: 30.Oct.2018 4:07 AM
> To: Ronald Demneri; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] group mapper per client
>
> Hello Ronald,
>
> If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
> - make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
> - create a Javascript authenticator that would check the client name against the user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.
>
> If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
> - map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
> - or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course).
>
> This, however, will need to be configured for each client, contrary to the first approach (configured once per realm).
>
> Let me know if you need further explanations,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> > Hello everyone,
> >
> > Please forgive me if this was already asked previously.
> > After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in the respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to login. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
> >
> > Thanks in advance,
> > Ronald
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Nov 9 18:18:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 10 Nov 2018 02:18:32 +0300
Subject: [keycloak-user] group mapper per client
In-Reply-To:
References: <1540868804.2121.1.camel@acutus.pro>
Message-ID: <1541805512.2031.3.camel@acutus.pro>

Ronald, glad to hear it worked,

There is however an important moment regarding a potential security issue with your authenticator. Imagine the following scenario:
1. a user with the correct group membership logs into the client app A;
2. the same user tries to access client B (for which he/she doesn't have group membership);
3. client B redirects the user to Keycloak for authentication;
4. due to cookie-based SSO, Keycloak decides that the user is already authenticated and logs him/her in to client B.

To avoid this, you should turn off cookie-based auth for your restricted clients. Go to Authentication, create a copy of your browser flow (which should already have your script authenticator), remove Cookie, then go to your clients' settings and configure Authentication Flow Overrides for the browser flow. This will actually disable SSO to your clients. If this is not acceptable, there are some other options to consider (however more complex).
You should also make sure you don't enable token exchange between clients [1] (this is disabled by default). [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-10-31 at 13:49 +0000, Ronald Demneri wrote: > Hello everyone, > > So, thankfully, after some careful reading, I managed to solve the first issue regarding clientSession.client.clientId, which in fact should be authenticationSession.client.clientId (there was a mention of using loginSession.client.clientId in place of clientSession.client.clientId at this link https://issues.jboss.org/browse/KEYCLOAK-4505, which I tried to use, without success). > > > Regards, > Ronald > > -----Original Message----- > From: Ronald Demneri > Sent: 30.Oct.2018 3:48 PM > > To: 'Dmitry Telegin'
; keycloak-user at lists.jboss.org > Subject: RE: [keycloak-user] group mapper per client > > Almost forgot: if I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is a member of that group. If the user is not a member, then it'll display an error like "Invalid username or password". Is it possible to modify the response in such cases, stating that the account is not a member of the required groups, or at least have it like "Invalid group membership"? > > > Looking forward to hearing from you! > > > Regards, > Ronald > > -----Original Message----- > > From: Dmitry Telegin
> Sent: 30.Oct.2018 4:07 AM > > To: Ronald Demneri ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] group mapper per client > > Hello Ronald, > > If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick: > - make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups; > - create a Javascript authenticator that would check the client name against the user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login. > > If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options: > - map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml); > - or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course). > > This, however, will need to be configured for each client, in contrast to the first approach (configured once per realm). > > Let me know if you need further explanations, Dmitry Telegin CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote: > > Hello everyone, > > > > Please forgive me if this was already asked previously. 
After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in the respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to log in. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs. > > > > > > Thanks in advance, > > Ronald > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Fri Nov 9 18:34:16 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sat, 10 Nov 2018 02:34:16 +0300 Subject: [keycloak-user] filter group claim in token per client In-Reply-To: References: <1541397265.3650.7.camel@acutus.pro> , Message-ID: <1541806456.2031.5.camel@acutus.pro> Ronald, Here are some Pro Tips(tm) for you :)
- use keycloakSession.context.client.clientId to retrieve the client ID (works for both tokens and userinfo);
- use Java.from() and Java.to() to convert objects and arrays from Java to JavaScript and vice versa;
- use more JavaScript-fu like map() and filter() to avoid looping over arrays;
- use RegExp for generic case-insensitive pattern matching.
With the above, your whole mapper could look as simple as this:

==========================================
/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current keycloakSession
 */
var client = keycloakSession.context.client.clientId;
var groups = Java.from(user.groups)
    .map(function(group) { return group.name; })
    .filter(function(name) { return RegExp("(\\w+)-" + client + "-(\\w+)", "i").test(name); });
token.setOtherClaims("fGroup", Java.to(groups, "java.lang.String[]"));
==========================================

Please also read my earlier reply about the potential security issue with the script authenticator and how to mitigate it. In fact, this problem (restricting access to clients based on group membership) has surfaced here at least three times during the last month, so I think I'll write an article with a solution walkthrough. Stay tuned and good luck :) Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-11-06 at 20:51 +0000, Ronald Demneri wrote: > I configured the client to not use the userinfo endpoint for the group mapping. Instead I used the id token, and everything looks good now (no errors in the log, and the client gets the claim, and assigns permissions accordingly). Anyhow, the question remains, is there a way to get the client id using the script mapper? > > Thanks in advance, > Ronald > > Sent from my HTC > > ----- Reply message ----- > > From: "Ronald Demneri" > > > To: "Ronald Demneri" , "Dmitry Telegin"
, "keycloak-user at lists.jboss.org" > Subject: [keycloak-user] filter group claim in token per client > Date: Tue, Nov 6, 2018 16:08 > > Hello again, > > Upon testing login and experimenting with where the claim should be inserted, I found out that the duplicate print() is a result of including the claim in both the ID and access tokens. The error comes as a result of including the claim in the userinfo token, and probably that is why the userinfo endpoint does not contain the claim when the client application requests it. > > Any idea how to solve it? > > > Thanks in advance, > Ronald > > -----Original Message----- > From: Ronald Demneri > Sent: 06.Nov.2018 12:01 PM > > To: Ronald Demneri ; Dmitry Telegin
; keycloak-user at lists.jboss.org > Subject: RE: [keycloak-user] filter group claim in token per client > > So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:
>
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################ APP1
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892)  We are here!!!
> 2018-11-06 10:51:42,408 INFO  [stdout] (default task-1892) ############################################
>
> But when trying to actually log in to the client, I receive the following:
>
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,466 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,475 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in <eval> at line number 31
>
> Line 31 is as follows:
>
> 31:    var client = token.getIssuedFor().toUpperCase();
> 32:    
print("############################################ " + client); > > So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated? ATM, I removed the client scope mapper and have recreated the script mapper only for this client. > > > Regards, > Ronald > > > -----Original Message----- > From: Ronald Demneri > Sent: 06.Nov.2018 11:05 AM > > > To: 'Ronald Demneri' ; 'Dmitry Telegin'
; 'keycloak-user at lists.jboss.org' > Subject: RE: [keycloak-user] filter group claim in token per client > > Hello Dmitry, > > A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo. This is the script that we came up with (configured both as a client scope (possibly to be defined as a default client scope) and as a script mapper specific to this client for test purposes - claim names are different of course):
>
> [kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
> [ {
>   "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
>   "name" : "Filtered_Groups",
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "display.on.consent.screen" : "true"
>   },
>   "protocolMappers" : [ {
>     "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
>     "name" : "Filtered Groups",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-script-based-protocol-mapper",
>     "consentRequired" : false,
>     "config" : {
>       "multivalued" : "true",
>       "userinfo.token.claim" : "true",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "fGroup",
>       "jsonType.label" : "String",
>       "script" : "/**
>         * Available variables:
>         * user - the current user
>         * realm - the current realm
>         * token - the current token
>         * userSession - the current userSession
>         * keycloakSession - the current userSession
>         */
>
>         //insert your code here...
>
>         //So, first we need to know, how many names should be added to the new claim,
>         var username = user ? user.username : \"anonymous\";
>         var groups = user.getGroups();
>         var group_array = groups.toArray();
>         //print(\"########################################## \" + username);
>
>         var client = token.getIssuedFor();
>         //print(\"############################################ \" + client);
>
>         var clUp = client.toUpperCase();
>         //print(clUp);
>
>         var group_APP = \"APP-\" + clUp + \"-USERS\";
>         var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\";
>
>         var group_filtered = [];
>
>         for (var i in group_array) {
>                 var gn = group_array[i].getName();
>                 var gnUp = gn.toUpperCase();
>                 if (gnUp === group_APP || gnUp === group_ROL) {
>                         group_filtered.push(\"/\" + gn);
>                 }
>         }
>         //Then we declare the new array.
>         var l = group_filtered.length;
>         var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l);
>
>         for (var f in group_filtered) {
>                 group_token[f] = group_filtered[f];
>                 //print(group_token[f]);
>         }
>
>         //And submit the array as token
>         token.setOtherClaims(\"fGroup\", group_token);"
>     }
>   } ]
> }
>
> This is the userinfo data for my account:
>
> {
>   "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
>   "Group": [
>     "/APP-App1-Users/TGR-Team-ABC",
>     "/APP-App1-Users/TGR-Team-DEF",
>     "/APP-App1-Users",
>     "/APP-MySmallApp-Users"
>   ],
>   "email_verified": false,
>   "name": "Ronald Demneri",
>   "preferred_username": "u151302",
>   "given_name": "Ronald",
>   "family_name": "Demneri"
>
>
> The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.
> What do you think is going on? Is this behavior normal?
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 05.Nov.2018 12:12 PM
>
> To: 'Ronald Demneri' ; Dmitry Telegin
; keycloak-user at lists.jboss.org > Subject: RE: [keycloak-user] filter group claim in token per client > > Hello, > > In the script authenticator there was authenticationSession, which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then do the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online? > > > Thanks again for your support! > Ronald > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri > Sent: 05.Nov.2018 11:00 AM > > To: Dmitry Telegin
; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] filter group claim in token per client > > Hello Dmitry, > > Thanks for the response. In fact I tried that before posting here, and created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting. > > What do I need to pay extra attention to in order to solve this? > > > Thanks in advance and Regards, > Ronald > > -----Original Message----- > > From: Dmitry Telegin
> Sent: 05.Nov.2018 6:54 AM > > To: Ronald Demneri ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] filter group claim in token per client > > Hello Ronald, > > As in the case of authentication, JavaScript to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one. > > To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to the default scopes. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote: > > Hello everyone, > > > > Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value. > > > > Thanks in advance, > > 
> > Ronald > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From robstyle1234 at gmail.com Sat Nov 10 09:15:28 2018 From: robstyle1234 at gmail.com (ola rob) Date: Sat, 10 Nov 2018 19:45:28 +0530 Subject: [keycloak-user] How to enable keycloak for Embedded Jetty 9.3 server Message-ID: Hi, I wanted to use the jetty 9.3 adapter to secure my applications using keycloak. But I see that the keycloak doc talks about configuration on standalone jetty servers but not on embedded jetty servers: java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak My application uses an embedded jetty server. Can you please provide steps to enable the keycloak module for an embedded jetty server? Thanks in advance! From craig at baseventure.com Sat Nov 10 10:00:37 2018 From: craig at baseventure.com (Craig Setera) Date: Sat, 10 Nov 2018 09:00:37 -0600 Subject: [keycloak-user] Adding attributes during login Message-ID: We have an attribute we use to allow customers to "scope" or "namespace" a user's interaction with our system (a "partner code" that is known to our system). In our previous proprietary Java session-based security system, this value was stored in the Java session at the time of login and used by the authorization engine to further restrict what the user was allowed to see. As we transition to using Keycloak for authentication, I'm wondering if there is a way to use Keycloak to manage this partner code during a login session? Some way to send the value during the Keycloak login sequence and then later retrieve it based on the access token? Thanks for any insights. 
Craig ================================= *Craig Setera* *Chief Technology Officer* From balazskov at gmail.com Sat Nov 10 11:52:46 2018 From: balazskov at gmail.com (Balazs Kovacs) Date: Sat, 10 Nov 2018 17:52:46 +0100 Subject: [keycloak-user] TLS configuration issues with 4.5.0 Message-ID: Hi, I run a test instance of keycloak from the public docker hub. I'm able to set up the server with TLS on default port 8443 up until KC 4.3.0 with my own certificates. I did not try with 4.4.0, but 4.5.0 never succeeds and ends up with an auto-generated self-signed certificate in any case. I attached the standalone.xml configuration I use. When I turn on DEBUG log level, I get the below suspicious error that I thought is related:

10:07:51,880 DEBUG [org.jboss.as.domain.management] (MSC service thread 1-2) Starting 'ApplicationRealm' Security Realm Service
10:07:52,028 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000005: Received add context event for default-host:/wildfly-services
10:07:52,032 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000007: Received start context event for default-host:/wildfly-services
10:07:52,124 DEBUG [io.undertow] (MSC service thread 1-1) JDK9 ALPN not supported: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
        at java.lang.Class.getMethod(Class.java:1786)
        at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
        at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
        at java.security.AccessController.doPrivileged(Native Method)
        at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
        at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
        at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
        at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
        at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
        at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:68)
        at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:94)
        at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:123)
        at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:108)
        at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:177)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
        at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
        at java.lang.Thread.run(Thread.java:748)

Any idea what's going wrong with this version of the keycloak docker image and TLS setup? Thanks, Balazs -------------- next part -------------- A non-text attachment was scrubbed... 
Name: standalone-4.5.0.xml Type: text/xml Size: 32110 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181110/9bc9b821/attachment-0001.xml From dt at acutus.pro Sat Nov 10 14:49:16 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sat, 10 Nov 2018 22:49:16 +0300 Subject: [keycloak-user] Adding attributes during login In-Reply-To: References: Message-ID: <1541879356.3515.1.camel@acutus.pro> Hello Craig, Do you mean the user should enter a "partner code" along with login+password? (either as a 3rd field or in a separate screen) Or only once during registration / upon the first login? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote: > We have an attribute we use to allow customers to "scope" or "namespace" > a user's interaction with our system (a "partner code" that is known to our > system). In our previous proprietary Java session-based security system, > this value was stored in the Java session at the time of login and used by > the authorization engine to further restrict what the user was allowed to > see. > > As we transition to using Keycloak for authentication, I'm wondering if > there is a way to use Keycloak to manage this partner code during a login > session? Some way to send the value during the Keycloak login sequence and > then later retrieve it based on the access token? > > Thanks for any insights. 
> Craig > > ================================= > *Craig Setera* > > *Chief Technology Officer* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From craig at baseventure.com Sat Nov 10 15:01:37 2018 From: craig at baseventure.com (Craig Setera) Date: Sat, 10 Nov 2018 14:01:37 -0600 Subject: [keycloak-user] Adding attributes during login In-Reply-To: <1541879356.3515.1.camel@acutus.pro> References: <1541879356.3515.1.camel@acutus.pro> Message-ID: Dmitry, Thanks for responding and sorry for not being more clear. The circumstance is that a username may be associated with multiple different companies in our system. However, if the user is logging in from a link that originated from company X, we want to limit what they are authorized to view based on the incoming link to preserve the view of separate tenancy. So, the partner code is provided (hidden) for each login. The hope would be that it would be part of the initial login URL as a query parameter, be captured in Keycloak and then made available throughout the "session" associated with the access/refresh tokens. Thanks! Craig ================================= *Craig Setera* *Chief Technology Officer* *415-324-5861**craig at baseventure.com * On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin
wrote: > Hello Craig, > > Do you mean the user should enter a "partner code" along with > login+password? (either as a 3rd field or in a separate screen) > Or only once during registration / upon the first login? > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote: > > We have an attribute we use to allow customers to "scope" or > "namespace" > > a user's interaction with our system (a "partner code" that is known to > our > > system). In our previous proprietary Java session-based security system, > > this value was stored in the Java session at the time of login and used > by > > the authorization engine to further restrict what the user was allowed to > > see. > > > > As we transition to using Keycloak for authentication, I'm wondering if > > there is a way to use Keycloak to manage this partner code during a login > > session? Some way to send the value during the Keycloak login sequence > and > > then later retrieve it based on the access token? > > > > Thanks for any insights. > > Craig > > > > ================================= > > *Craig Setera* > > > > *Chief Technology Officer* > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From dt at acutus.pro Sat Nov 10 15:11:14 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sat, 10 Nov 2018 23:11:14 +0300 Subject: [keycloak-user] TLS configuration issues with 4.5.0 In-Reply-To: References: Message-ID: <1541880674.3515.4.camel@acutus.pro> Hello Balazs, Just FYI, the Keycloak Docker image uses standalone-ha.xml by default starting from version 4.5.0, so you should use it instead of standalone.xml. 
The warning in the log is unrelated, as it is caused by the Keycloak runtime trying to discover some optional SSL features found in Java 9 only. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Sat, 2018-11-10 at 17:52 +0100, Balazs Kovacs wrote:
> Hi,
>
> I run a test instance of keycloak from the public docker hub.
>
> I'm able to set up the server with TLS on default port 8443 up until KC 4.3.0 with my own certificates. I did not try with 4.4.0, but 4.5.0 never succeeds and ends up with an auto-generated self-signed certificate in any case.
>
> I attached the standalone.xml configuration I use. When I turn on DEBUG log level, I get the below suspicious error that I thought is related:
>
> 10:07:51,880 DEBUG [org.jboss.as.domain.management] (MSC service thread 1-2) Starting 'ApplicationRealm' Security Realm Service
> 10:07:52,028 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000005: Received add context event for default-host:/wildfly-services
> 10:07:52,032 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000007: Received start context event for default-host:/wildfly-services
> 10:07:52,124 DEBUG [io.undertow] (MSC service thread 1-1) JDK9 ALPN not supported: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;)
>         at java.lang.Class.getMethod(Class.java:1786)
>         at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47)
>         at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at io.undertow.protocols.alpn.JDK9AlpnProvider.(JDK9AlpnProvider.java:43)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at java.lang.Class.newInstance(Class.java:442)
>         at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
>         at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
>         at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
>         at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:40)
>         at io.undertow.protocols.alpn.ALPNManager.(ALPNManager.java:35)
>         at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:68)
>         at io.undertow.server.protocol.http.AlpnOpenListener.(AlpnOpenListener.java:94)
>         at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:123)
>         at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:108)
>         at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:177)
>         at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
>         at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
>         at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
>         at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>         at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
>         at java.lang.Thread.run(Thread.java:748)
>
> Any idea what's going wrong with this version of the keycloak docker image and TLS setup?
>
> Thanks,
> Balazs
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From dt at acutus.pro Sun Nov 11 00:31:08 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sun, 11 Nov 2018 08:31:08 +0300 Subject: [keycloak-user] Adding attributes during login In-Reply-To: References: <1541879356.3515.1.camel@acutus.pro> Message-ID: <1541914268.3830.1.camel@acutus.pro> Hello Craig, Thanks for the explanation, it's pretty clear now. I guess that "partner code" is the same parameter you use to dynamically brand your login themes, right? First, you need to extract it from your request parameters. In Keycloak, you can do this with a script authenticator. Things are a bit complicated by the fact that the initial incoming link (protocol/openid-connect/auth) does a POST to another endpoint (login-actions/authenticate), and the script authenticator is able to introspect only the second request. Query parameters do not survive the POST, but can still be found in the Referer header; therefore, you need to fish them out of there. (NB this will only work as long as sending this header is not disabled in the browser by a paranoid user :) Create it as the last authenticator in the flow and make it "required". It's up to you how to handle the case where there is no "foo" parameter in the initial link.

===================================================
function authenticate(context) {
    var username = user ? user.username : "anonymous";
    // The header may be absent (see the NB above); new java.net.URI(null) would throw
    var referer = httpRequest.httpHeaders.getHeaderString("Referer");
    if (referer !== null) {
        var uri = new java.net.URI(referer);
        LOG.info(uri);
        var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
        var _foo = uriInfo.queryParameters['foo'];
        if (_foo !== null) {
            var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
            LOG.info(script.name + ": " + username + " foo=" + foo);
            authenticationSession.setUserSessionNote("foo", foo);
        }
    }
    context.success();
}
===================================================

(Quick remark on terminology: in Keycloak's terms, "attributes" are persistent pieces of data attached to a user, group or realm; you can find them in the corresponding GUI tabs. Transient data is called "[session] notes".) Next, you will need to propagate it to the tokens. Again, JavaScript to the rescue, this time in the form of a script mapper (client -> Mappers):

===================================================
var foo = userSession.notes["foo"];
if (foo !== null) {
    token.setOtherClaims("foo", foo);
}
===================================================

And voilà, your query parameter is now in the tokens :) Good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Sat, 2018-11-10 at 14:01 -0600, Craig Setera wrote: > Dmitry, > > Thanks for responding and sorry for not being more clear. > > The circumstance is that a username may be associated with multiple different companies in our system. However, if the user is logging in from a link that originated from company X, we want to limit what they are authorized to view based on the incoming link to preserve the view of separate tenancy. So, the partner code is provided (hidden) for each login. 
The hope would be that it would be part of the initial login URL as a query parameter, be captured in Keycloak and then made available throughout the "session" associated with the access/refresh tokens. > > Thanks! > Craig > > > ================================= > Craig Setera > Chief Technology Officer > 415-324-5861 > craig at baseventure.com > > > > > > On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin
wrote: > > Hell Craig, > > > > Do you mean the user should enter a "partner code" along with login+password? (either as a 3rd field or in a separate screen) > > Or only once during registration / upon the first login? > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > > > E-mail: info at acutus.pro? > > > > On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote: > > > We have an attribute we use to allow customers to to "scope" or "namespace" > > > a users interaction with our system (a "partner code" that is known to our > > > system).??In our previous proprietary Java session-based security system, > > > this value was stored in the Java session at the time of login and used by > > > the authorization engine to further restrict what the user was allowed to > > > see. > > >? > > > As we transition to using Keycloak for authentication, I'm wondering if > > > there is a way to use Keycloak to manage this partner code during a login > > > session???Some way to send the value during the Keycloak login sequence and > > > then later retrieve it based on the access token? > > >? > > > Thanks for any insights. > > > Craig > > >? > > > ================================= > > > *Craig Setera* > > >? > > > *Chief Technology Officer* > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From craig at baseventure.com Sun Nov 11 07:56:44 2018 From: craig at baseventure.com (Craig Setera) Date: Sun, 11 Nov 2018 06:56:44 -0600 Subject: [keycloak-user] Adding attributes during login In-Reply-To: <1541914268.3830.1.camel@acutus.pro> References: <1541879356.3515.1.camel@acutus.pro> <1541914268.3830.1.camel@acutus.pro> Message-ID: Wow! This is great. Thanks so much. 
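Dmitry's script takes the partner code straight from the Referer header, which the client controls, and Craig intends that code to narrow what the user is authorized to see; a defender will therefore want it validated before it is stored as a session note. Below is an added example, not code from either message: the same script-authenticator layout, with the query parsing done in plain ES5 (so the helpers also run under Node for testing) and the value checked against a length/charset pattern and an allowlist. The `foo` parameter name and the `user`, `httpRequest`, `LOG`, `script` and `authenticationSession` bindings are those used in the thread; the pattern and the allowlist are assumptions standing in for your own policy.

```javascript
// Added example, not from the thread. ES5 only, so it runs both under
// Keycloak's Nashorn script authenticator and under Node.

var PARAM_NAME = "foo";
// Assumed policy: partner codes are short, plain tokens (adjust to yours).
var CODE_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;
// Constructed sample allowlist; in a deployment this would come from config.
var ALLOWED_CODES = ["acme", "globex"];

// Parse the query string of a URL without java.net.URI or the WHATWG URL
// class. Returns name -> array of values, mirroring the multivalued map the
// original script reads; a missing or malformed URL yields an empty object.
function queryParams(url) {
  var result = {};
  if (url === null || url === undefined) { return result; }
  url = String(url); // Nashorn hands us a java.lang.String here
  var q = url.indexOf("?");
  if (q < 0) { return result; }
  var query = url.substring(q + 1);
  var hash = query.indexOf("#");
  if (hash >= 0) { query = query.substring(0, hash); }
  var pairs = query.split("&");
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") { continue; }
    var eq = pairs[i].indexOf("=");
    var name = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
    var value = eq < 0 ? "" : pairs[i].substring(eq + 1);
    try {
      name = decodeURIComponent(name.replace(/\+/g, " "));
      value = decodeURIComponent(value.replace(/\+/g, " "));
    } catch (e) {
      continue; // bad percent-encoding: drop the pair rather than guess
    }
    if (!Object.prototype.hasOwnProperty.call(result, name)) { result[name] = []; }
    result[name].push(value);
  }
  return result;
}

// Returns the validated partner code, or null when the Referer is absent
// (browser suppressed it), carries no such parameter, or carries a value
// that fails the pattern or the allowlist. Like the original script, only
// the first value of a repeated parameter is considered.
function partnerCodeFromReferer(referer, allowed) {
  var values = queryParams(referer)[PARAM_NAME];
  if (!values || values.length === 0) { return null; }
  var code = values[0];
  if (!CODE_PATTERN.test(code)) { return null; }
  for (var i = 0; i < allowed.length; i++) {
    if (allowed[i] === code) { return code; }
  }
  return null;
}

// Keycloak entry point; the globals are the script-authenticator bindings
// from the thread. Nothing here runs when the file is merely loaded.
function authenticate(context) {
  var username = user ? user.username : "anonymous";
  var referer = httpRequest.httpHeaders.getHeaderString("Referer");
  var code = partnerCodeFromReferer(referer, ALLOWED_CODES);
  if (code !== null) {
    LOG.info(script.name + ": " + username + " " + PARAM_NAME + "=" + code);
    authenticationSession.setUserSessionNote(PARAM_NAME, code);
  } else {
    // No note is set, so the script mapper adds no claim for this session.
    // Whether to fail the flow instead is a deployment decision.
    LOG.info(script.name + ": " + username + " has no valid " + PARAM_NAME);
  }
  context.success();
}
```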
I will have to give this a try this week and see if I can make it work. You are correct that this is also the code that we want to use to drive our branding. Are the session notes or token claims available to the theme engine?

=================================
Craig Setera
Chief Technology Officer
415-324-5861
craig at baseventure.com

On Sat, Nov 10, 2018 at 11:31 PM Dmitry Telegin
wrote:
From dt at acutus.pro Sun Nov 11 18:47:08 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 12 Nov 2018 02:47:08 +0300
Subject: [keycloak-user] Adding attributes during login
In-Reply-To:
References: <1541879356.3515.1.camel@acutus.pro> <1541914268.3830.1.camel@acutus.pro>
Message-ID: <1541980028.2048.1.camel@acutus.pro>

Hi Craig, you're welcome :)

As for "theme engine", in fact there are five types thereof in Keycloak:
- Welcome theme
- Login theme
- Admin console theme
- Email theme
- Account theme

Which one is most relevant to your problem? And, more generally, what are you trying to achieve?

Cheers,
Dmitry

On Sun, 2018-11-11 at 06:56 -0600, Craig Setera wrote:
> Wow! This is great. Thanks so much. I will have to give this a try this week and see if I can make it work. You are correct that this is also the code that we want to use to drive our branding. Are the session notes or token claims available to the theme engine?
>
> =================================
> Craig Setera
> Chief Technology Officer
> 415-324-5861
> craig at baseventure.com
>
> On Sat, Nov 10, 2018 at 11:31 PM Dmitry Telegin
> wrote:
From craig at baseventure.com Sun Nov 11 20:12:50 2018
From: craig at baseventure.com (Craig Setera)
Date: Sun, 11 Nov 2018 19:12:50 -0600
Subject: [keycloak-user] Adding attributes during login
In-Reply-To: <1541980028.2048.1.camel@acutus.pro>
References: <1541879356.3515.1.camel@acutus.pro> <1541914268.3830.1.camel@acutus.pro> <1541980028.2048.1.camel@acutus.pro>
Message-ID:

We want to "brand" (color and logo) the user-facing parts of the application based on the partner code. I think that means:
- Login theme
- Email theme
- Account theme

Craig

=================================
Craig Setera
Chief Technology Officer

On Sun, Nov 11, 2018 at 5:47 PM Dmitry Telegin
wrote:
From dt at acutus.pro Sun Nov 11 22:22:18 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 12 Nov 2018 06:22:18 +0300
Subject: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server
In-Reply-To: <1541760579107.82395@cjsm.vlaanderen.be>
References: <1541686439063.37605@cjsm.vlaanderen.be> <1541735155.15117.3.camel@acutus.pro> <1541760579107.82395@cjsm.vlaanderen.be>
Message-ID: <1541992938.2048.3.camel@acutus.pro>

Hi Fabrizio,

On Fri, 2018-11-09 at 10:49 +0000, Usai, Fabrizio wrote:
> Hi Dmitry,
>
> thanks a lot for this elaborate clarification. :) It is clear to us what roads we can follow now.

You're welcome :)

> First, I asked this question before on stackoverflow. https://stackoverflow.com/questions/53192776/how-to-change-authentication-url-generated-by-keycloak-openid-connect-java-adapt. Is it ok if I add your reply as an answer there (I will only put there the relevant parts)? I believe there will be other people asking the same question...

Sure. I think I'll even write an article / blog post on that. Stay tuned :)

> Secondly, considering your recommended way (we love bulletproof solutions ;-)), a Keycloak server, I see I have two options: the full server or the Wildfly add-on. We use EAP 7.1. Can we use the add-on on our server? I also noticed that on the download page you do not recommend this for production use. So I was taking into consideration to install the full Keycloak server. But can we use this server then also to deploy our application? It seems to me that it should be possible since the Keycloak server has a fully featured standalone folder... Of course, we want to avoid running two EAP instances, if possible ;)

So, if you want just a single server, there are basically two options:
1) install Keycloak add-on on top of existing Wildfly/EAP;
2) use Keycloak (in fact, the underlying Wildfly) as an application server.

Both methods are not recommended for production :) I think this is mainly because they are not tested as thoroughly as the stock Keycloak+Wildfly bundle. But you are free to become a tester :)

There are however things to consider. If you go with add-on, you should install it on top of exactly the same Wildfly version that official standalone Keycloak is built on top of; otherwise, the results will be unpredictable. Cannot tell anything about EAP either. If you choose the second variant, please remember that Keycloak's Wildfly is somewhat stripped-down, with modules like webservices and weld excluded from the default configuration.

> Regarding the Intuit question, I am not sure. It is another department who is responsible for this, I am just in the development team. But it could be they use Intuit behind the scenes. We only receive stuff like authentication url, clientId and secret and so on and we have to make it work :-) The well-known configuration we received from them does look a lot like yours.
>
> Thirdly, I will make a JIRA issue for this. Or should I first wait for a reply from the Keycloak developers? To be honest, it's the first time I use a mailing list... No idea who can reply on this email.

Let's start with the posting to keycloak-dev mailing list. I'll put you in CC.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> KR,
>
> Fabrizio Usai
>
> ________________________________________
> From: Dmitry Telegin
> Sent: Friday, 9 November 2018 04:45
> To: Usai, Fabrizio; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server
>
> Hello Fabrizio,
>
> Indeed, string templates like "/realms/{realm-name}/protocol/openid-connect/auth" are hardcoded into Keycloak adapters [1] [2].
>
> Luckily, there seems to be a workaround. In Keycloak, there is a mechanism for multitenancy [3]; it requires you to supply a resolver that would return a KeycloakDeployment instance based on request parameters.
> One of its bonus features is that you can completely redefine the behavior of KeycloakDeployment. For example, you can extend org.keycloak.adapters.KeycloakDeployment and override its resolveUrls() method, to make the URLs point to your 3rd party IDP.
>
> This approach doesn't require any modifications to the adapter code, so I'd recommend you start with it. However, I wouldn't rule out further incompatibilities that could pop up.
>
> Another option is installing an intermediary Keycloak (server), configuring brokering to the 3rd party IDP and pointing your adapter to Keycloak. Though it sounds like overkill, it's a bulletproof solution that should work 100% (and it also has some other benefits).
>
> There are of course other options like using the 3rd party IDP's equivalent of the Keycloak adapter (is it Intuit BTW?), or using other OpenID Connect Java libraries [4], or even proxy-level adapters like apache-mod_auth_openidc [5] or Keycloak Gatekeeper [6]. But I understand that this would probably require a code rewrite, so you should consider these options only as the last resort.
>
> As for SAML and why it used to work: Keycloak adapter uses standard SAML SP metadata for configuration, which defines URLs strictly and unambiguously; here we need to admit that SAML is more mature and feature-complete.
>
> OIDC, on the contrary, allows for some freedom. At the moment, Keycloak OIDC adapter doesn't use any standard metadata, but rather generates URLs using hardcoded templates. I think Keycloak adapter could use OIDC's rough equivalent of SAML metadata, namely "well-known" URLs.
>
> You can experiment with your IDP and append ".well-known/openid-configuration" to its URL. If my conjecture about Intuit is correct, then it should look like this:
> https://oauth.platform.intuit.com/op/v1/.well-known/openid-configuration
>
> In theory, Keycloak OIDC adapter could ingest this metadata instead of hardcoding URL templates. To me, this could be a valuable addition, but surprisingly I don't see any related JIRA issue. Maybe Keycloak developers could give us some feedback.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/constants/ServiceUrlConstants.java#L26
> [2] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java#L161
> [3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
> [4] https://openid.net/developers/certified/
> [5] https://github.com/zmartzone/mod_auth_openidc
> [6] https://github.com/keycloak/keycloak-gatekeeper
>
> On Thu, 2018-11-08 at 14:13 +0000, Usai, Fabrizio wrote:
> > Dear,
> >
> > We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good.
> >
> > When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/protocol/openid-connect/auth?response_type=code&client_id=fac9d161-d27d-493d-uze896zed78&redirect_uri=.....
> >
> > This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before, we were using SAML and didn't have this issue.
> >
> > How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/?
> >
> > We don't understand why with SAML we didn't have this issue at all, and now with OpenID it seems very difficult to solve this issue. Our current guess to solve this is to overwrite some Keycloak Java class and make sure the url is built the correct way. Although it is a bit dirty, we could accept this as a solution (if it is possible), but we prefer to do this via configuration.
> >
> > Kind regards,
> >
> > Fabrizio Usai
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Mon Nov 12 00:16:35 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 12 Nov 2018 10:46:35 +0530
Subject: [keycloak-user] Keycloak Javascript Adapter - Advisable to be used for confidential clients?
In-Reply-To:
References: <8E6265AD-A055-4A7A-BDFD-9AB19E834819@gmail.com>
Message-ID:

The solution that worked for me was suggested by Jim Talbut <jtalbut at spudsoft.co.uk>. He was unable to post on the mailing list, so posting on his behalf.

You need to create a ScriptMapper because it lets you put multiple values, so you can use that to overwrite the aud with both the desired values.
In the example below, JettyApp is my confidential client and Webapp is a public client.
- Protocol: openid-connect
- Name: aud
- Mapper Type: Script Mapper
- Script: new java.util.ArrayList(["Jettyapp","Webapp"]);
- Multivalued: ON
- Token Claim Name: aud
- Claim JSON Type: String
On Sat, Nov 3, 2018 at 10:30 PM Bruce Wings wrote: > Geoffrey, > > I was able to get the config right. I have received the aud:JettyApp in > generated token also, but I still get 401:Unauthorized for the backend app. > Does anything else need to be done? > > Token (Partial): > "jti": "b7b07046-5417-40d6-9338-1851a0f5e1e5", > "exp": 1541292863, > "nbf": 0, > "iat": 1541264063, > "iss": "http://localhost:7200/auth/realms/MyRealm", > *"aud": "JettyApp",* > "sub": "c801fc43-e7d3-4229-869c-cef19d049389", > "typ": "Bearer", > "azp": "Webapps", > "nonce": "3ec36116-c8a3-482c-828e-6458ad179270", > "auth_time": 1541264063, > "session_state": "0b40b785-6956-4234-bcb5-96ff8fdcb822", > "acr": "1", > > > [image: image.png] > > On Sat, Nov 3, 2018 at 10:11 PM Bruce Wings wrote: > >> Thanks Geoffrey, >> >> I believe this will solve my problem. However, I tried creating the >> mapper, but maybe I missed something cause I am still getting 401 if I >> login with front end. >> >> In the attached image, I have shared my config, can you give it a quick >> look and confirm this is how it is supposed to be? >> >> Name of my backend client in keycloak JettyApp: >> >> I have created Token claim name as - clientId and value as JettyApp. >> >> >> [image: image.png] >> >> >> On Sat, Nov 3, 2018 at 1:36 PM Geoffrey Cleaves wrote: >> >>> Bruce, here's how I fixed the issue you're describing. I think it's an >>> unfortunate omission in the docs (which are generally quite good). You need >>> to include the backend client ID in the front-end client's aud claim. >>> >>> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak >>> >>> On Sat, Nov 3, 2018, 01:45 Bruce Wings >> >>>> Thanks Eric for the reply.
>>>> >>>> But if I use a separate public client for my angular app, I am not able >>>> to >>>> access my Rest Api with the generated token, that's why I had to use >>>> confidential client Json that I used to secure my server. Any idea, >>>> what is >>>> the right approach in case of server client architecture? >>>> >>>> ( My project contains Rest Apis that I have secured with jetty adapter >>>> and >>>> confidential client ( as keycloak Authorization works only for >>>> confidential >>>> client and not public clients). My angular app is accessing these rest >>>> api. >>>> Therefore I used the same confidential client oidc Json in my angular >>>> app >>>> too. ) >>>> >>>> >>>> >>>> On Friday, November 2, 2018, Eric Boyd Ramirez < >>>> eric.ramirez.sv at gmail.com> >>>> wrote: >>>> >>>> > Hi Bruce, >>>> > I am fairly new to Keycloak myself, so I am giving my opinion in hopes >>>> > someone else can double check. >>>> > The JS adapter is designed to work with Public clients, sitting on the >>>> >>>> > client side, the idea is that a user/person would have to enter >>>> his/her >>>> > credentials in order to log in. >>>> > >>>> > Confidential clients generate an installation JSON or XML >>>> configuration >>>> > object which is meant to be installed on the server side/ Application >>>> > server. The user accessing this application does not receive this >>>> > configuration. >>>> > >>>> > Hope this helps. >>>> > >>>> > > On Nov 2, 2018, at 1:28 AM, Bruce Wings >>>> wrote: >>>> > > >>>> > > I am referring to Keycloak Javascript adapter as mentioned in : >>>> > > https://www.keycloak.org/docs/4.5/securing_apps/index.html#_ >>>> > javascript_adapter >>>> > > >>>> > > I have a confidential client and I have downloaded >>>> keycloak-oidc.json >>>> > > containing client secret. Now I am not sure how secure it is to >>>> keep this >>>> > > file containing client-secret at the client side. >>>> > > >>>> > > Am I being over concerned?
>>>> > > _______________________________________________ >>>> > > keycloak-user mailing list >>>> > > keycloak-user at lists.jboss.org >>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 53646 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181112/b659d806/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 57527 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181112/b659d806/attachment-0003.png From dt at acutus.pro Mon Nov 12 01:15:23 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 12 Nov 2018 09:15:23 +0300 Subject: [keycloak-user] How can I use Keycloak to support my architecture? In-Reply-To: References: Message-ID: <1542003323.7421.3.camel@acutus.pro> Hi Ola, Just my 2¢: are your App1/App2 classic web applications, or are they SPAs using REST APIs and token bearer authorization? AFAIK the second scenario doesn't mandate that you register your apps as clients. You can simply reuse tokens issued for another application, in your case App3. But if those are classical webapps and you want to Keycloak-enable them, then you will need to register them, because Keycloak's interactive authentication is client-based. Either way, I'd recommend you to register your apps with Keycloak, because it will give you other benefits beyond SSO, like using custom flows per client, manipulating token claims, using authorization services etc. Cheers, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-11-07 at 13:53 +0530, ola rob wrote: > Hi, > > I need some help in securing my applications with keycloak: > > I have a couple of Grails applications (App1 and App2) using spring security. > However, currently I am using keycloak REST API to authenticate users by > passing username and password and receive token without registering these > applications as clients in the keycloak. But this approach seems to be > inefficient when we want to support SSO, Kerberos and a lot of other powerful > features that Keycloak offers. > So I came up with the below approach to support SSO/kerberos but wanted to > know if Keycloak can solve our problem. > > "Create a new spring boot master application (App3) and register with > Keycloak and redirect the login page to Keycloak. Once login is successful, > use the token that keycloak provides and pass it on to App1 and App2 and > tweak my existing code flow to handle this. Can this be possible because I > am not registering/creating any clients for app1 and app2 in keycloak here > but only creating for app3 which is the master application and using the > access token? Is it mandatory to register/create all clients in Keycloak to > support SSO?" > > Any help would be highly appreciated. > > Thanks in advance!
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Mon Nov 12 01:24:49 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 12 Nov 2018 09:24:49 +0300 Subject: [keycloak-user] Restrict access to clients based on Group membership In-Reply-To: <149FA3D4-A92D-4B87-995C-FD2D6746AEC4@thetradedesk.com> References: <149FA3D4-A92D-4B87-995C-FD2D6746AEC4@thetradedesk.com> Message-ID: <1542003889.7421.7.camel@acutus.pro> Hello Prashant, Your case seems very similar to this one (please read the whole thread): http://lists.jboss.org/pipermail/keycloak-user/2018-November/016092.html In your case, however, there is no literal correspondence between client names and group names, so you can't infer one from another. But you can make use of group attributes and place the name(s) of allowed clients there. The rest of the implementation remains roughly the same. If you don't want to use script authenticator (this has limitations), you can simply map groups to roles in your JWT tokens and then configure client adapters to restrict access to the given role only. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2018-11-08 at 09:04 +0000, Prashant Bapat wrote: > Hi, > > In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great. > > Is there a way to restrict access to an OIDC client based on a group membership? I've been reading up the docs and trying to get this working without success. > > For example, let's say we have 2 clients; > client-dev-api > client-prod-api > Can I configure Keycloak to issue JWT token for client-dev-api to members of AD group "Developers"
and client-prod-api to members of AD group "Production"? > > Any guidance on getting this to work would be appreciated. > > Thanks. > --Prashant > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Mon Nov 12 01:36:21 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 12 Nov 2018 09:36:21 +0300 Subject: [keycloak-user] Mobile app authentication flow In-Reply-To: References: Message-ID: <1542004581.7421.9.camel@acutus.pro> Hello Joe, answers inline, On Thu, 2018-11-08 at 07:25 +1100, Joe Livu wrote: > Hi, > > I came across KeyCloak while searching for a security provider and was > immediately impressed. > > > I am planning on building a REST API using ASP.NET Core > Web API to be consumed by a mobile application to be built using Google's > Flutter framework. I have a few questions. > > 1. Would KeyCloak be suitable for securing my REST API which is built using > > C# (ASP.NET Core Web API)? If so, can I get a brief > explanation and steps that need to be taken to achieve this? Please take a look at this: https://andrewlock.net/an-introduction-to-openid-connect-in-asp-net-core/ > 2. Now I need my mobile app to consume the REST API secured by KeyCloak. > For authenticating users (e.g., via login screen using username/password > credentials), how would this be done? Which grant type and flow will be > suitable? The Web application demos show a redirect to the KeyCloak server > for authentication and then back to the app. It seems this cannot be > applied for mobile apps (correct me if I am wrong), so what would be the best > approach for a mobile application? I would think KeyCloak would provide a > REST API for such cases but I can only find an Admin REST API for admin > purposes only Any help regarding this would be very much appreciated. For mobile apps, there are basically two options.
That "REST API for authentication" you're talking about is called "direct grant" in Keycloak's terms: https://www.keycloak.org/docs/latest/securing_apps/index.html#_resource_owner_password_credentials_flow You can create your own GUI form to ask a user for credentials and then use direct grant to obtain a token. In this case, you will be generally limited to simple login/password authentication (no OTP, brokering etc.) Or you can embed a web view, use Keycloak JavaScript adapter (link below) to handle interaction with Keycloak, and then retrieve tokens from it. https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter As always, both methods have their benefits and drawbacks. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro > > Kind regards, > > Joe Livu > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Mon Nov 12 01:58:30 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 12 Nov 2018 09:58:30 +0300 Subject: [keycloak-user] Welcome Email after Verification Success In-Reply-To: References: Message-ID: <1542005910.7421.11.camel@acutus.pro> Hello Rajib, The phrase in the doc "The Email Event Listener only supports the following events at the moment" and those 4 types boil down to the following 4 template files: event-login_error.ftl event-remove_totp.ftl event-update_password.ftl event-update_totp.ftl They can be found under "html" and "text" subdirs under this subtree: https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/base/email Other than that, there are no restrictions on email event types. See this:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailTemplateProvider.java#L109 Basically, you need to define your own email theme and include event-verify_email.ftl in it. See this on creating and deploying custom themes: https://www.keycloak.org/docs/latest/server_development/index.html#_themes Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-11-06 at 16:26 +0000, Mitra Rajib, Bedag wrote: > Hi! > > I use Keycloak for User-Registration and would like to send a realm-customized "Welcome"-Email after the user verified his email-account. > > The doc at https://www.keycloak.org/docs/3.2/server_admin/topics/events/login.html mentions 4 different type of email events, but none of these events fit my use-case. > Is there any other way I can (easily) implement such a functionality ? > > Thanks, > Rajib > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From wilson.sharlet at gmail.com Mon Nov 12 03:07:35 2018 From: wilson.sharlet at gmail.com (Sharlet Wilson) Date: Mon, 12 Nov 2018 13:37:35 +0530 Subject: [keycloak-user] Regarding keycloak REST api Message-ID: Hi, I have a user's keycloak access token on my backend Node.js application. Would like to know how I can use it to authorize a user to access my custom REST apis. (I am using the /auth/realms//protocol/openid-connect/token api to get the user's access token). 
Regards, Sharlet Hannah Wilson From Gregor.Tudan at cofinpro.de Mon Nov 12 03:12:04 2018 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Mon, 12 Nov 2018 08:12:04 +0000 Subject: [keycloak-user] Email-Event UPDATE-PASSWORD In-Reply-To: <1879433522.649.1541703888436.JavaMail.zimbra@tech-advantage.com> References: <1879433522.649.1541703888436.JavaMail.zimbra@tech-advantage.com> Message-ID: Hey Ionel, Could be - but it makes those email-events rather useless if you don't do email-verification. I'm going to file an issue for adding a note in the manual about the verification requirement - it's a rather surprising constraint. https://www.keycloak.org/docs/latest/server_admin/index.html#event-listener Still, it would be nice to know the reasons behind this design choice. Gregor On 08.11.2018 at 20:04, GARDAIS Ionel > wrote: Hi Gregor, I had the same questioning about other email-events. My guess is that a not-verified email could be wrong and then lead to keycloak spamming the world. It would be useless to implement and maintain bounce logic whereas there is a verification process available, and thus to use a verified email for this purpose. One may ask: should verified emails be reconfirmed on a periodic schedule so that abandoned addresses are no longer used? -- Ionel GARDAIS Tech'Advantage CIO - IT Team manager ----- Original Message ----- From: "Gregor Tudan" > To: "keycloak-user" > Sent: Thursday, 8 November 2018 11:30:47 Subject: [FGTSPAM] [keycloak-user] Email-Event UPDATE-PASSWORD Hi, We're trying to send an email to a user if his/her password was changed. The Email-Event UPDATE-PASSWORD looks exactly like what we want. https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java There's one catch: the email seems to only get sent if the user has a verified email address. Email-Verification is not activated on the realm. Is there a reason why email-verification is required for those emails?
Thanks, Gregor _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 From Rajib.Mitra at bedag.ch Mon Nov 12 03:38:44 2018 From: Rajib.Mitra at bedag.ch (Mitra Rajib, Bedag) Date: Mon, 12 Nov 2018 08:38:44 +0000 Subject: [keycloak-user] Welcome Email after Verification Success In-Reply-To: <1542005910.7421.11.camel@acutus.pro> References: <1542005910.7421.11.camel@acutus.pro> Message-ID: Hi Dmitry, Thanks for your reply! I ended up implementing my own EventListenerProvider / Theme-Extension, like you mentioned. Unfortunately a few things with this solution are not ideal: 1) The EventListenerProviderFactory-Interface resides in a "private" module, presumably meaning the SPI could change at any time (see https://issues.jboss.org/browse/KEYCLOAK-6071). 2) The event-type that is sent in my case after a user verified his email is a CUSTOM_REQUIRED_ACTION (see http://lists.jboss.org/pipermail/keycloak-user/2018-May/013935.html), so I have to provide this .ftl accordingly. The event contains a detail so I can differentiate it from other custom required actions. But unfortunately since the template is shared between all the custom required actions, I can only have one email for all events of the same type. Or I could introduce FreeMarker if-else-statements to differentiate what should be displayed according to the event-detail. 3) Since I use the sendEvent-Method, I can't introduce my own attributes for the email-template (e.g. realmName, Custom-Link, etc.). 2) and 3) could be mitigated by providing a new method in FreeMarkerEmailTemplateProvider that could be named for example sendWelcomeEmail, accepting additional attributes as a parameter for the email-template. Do you think this is worth contacting the dev-mailing list for?
I would be happy to provide a PR for this change with the new EventListener, since I am sure this is a common requirement. Best, Rajib -----Original Message----- From: Dmitry Telegin [mailto:dt at acutus.pro] Sent: Monday, 12 November 2018 07:59 To: Mitra Rajib, Bedag; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Welcome Email after Verification Success Hello Rajib, The phrase in the doc "The Email Event Listener only supports the following events at the moment" and those 4 types boil down to the following 4 template files: event-login_error.ftl event-remove_totp.ftl event-update_password.ftl event-update_totp.ftl They can be found under "html" and "text" subdirs under this subtree: https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/base/email Other than that, there are no restrictions on email event types. See this: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailTemplateProvider.java#L109 Basically, you need to define your own email theme and include event-verify_email.ftl in it. See this on creating and deploying custom themes: https://www.keycloak.org/docs/latest/server_development/index.html#_themes Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-11-06 at 16:26 +0000, Mitra Rajib, Bedag wrote: > Hi! > > I use Keycloak for User-Registration and would like to send a realm-customized "Welcome"-Email after the user verified his email-account. > > The doc at https://www.keycloak.org/docs/3.2/server_admin/topics/events/login.html mentions 4 different type of email events, but none of these events fit my use-case. > Is there any other way I can (easily) implement such a functionality ?
> > Thanks, > Rajib > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vramik at redhat.com Mon Nov 12 03:46:28 2018 From: vramik at redhat.com (Vlasta Ramik) Date: Mon, 12 Nov 2018 09:46:28 +0100 Subject: [keycloak-user] Running Keycloak examples In-Reply-To: <1107344991.32206816.1541753576533.JavaMail.zimbra@redhat.com> References: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com> <0cb2a458-a741-8858-f339-9ddb3b75a442@redhat.com> <1107344991.32206816.1541753576533.JavaMail.zimbra@redhat.com> Message-ID: <9a1bf974-82c9-4d0d-b7a1-70c439e43f64@redhat.com> I've just checked it and it seems to work. Here are my steps:
1. download wildfly-14.0.1.Final.zip as an application server and unpack it
2. download keycloak-wildfly-adapter-dist-4.5.0.Final.zip and unpack it to $WILDFLY_HOME
3. run $WILDFLY_HOME/bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli (all passes)
4. download keycloak-4.5.0.Final.zip and keycloak-examples-4.5.0.Final.zip (which are deprecated) and unzip them
Then I can start keycloak-4.5.0.Final (auth server) and wildfly-14.0.1.Final (app server) and then I can deploy examples to the app server. V.
On 11/9/18 9:52 AM, Pritha Srivastava wrote: > I still get the same error: > > ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli > > { > "outcome" => "failed", > "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found", > "rolled-back" => true > } > > > Thanks, > Pritha > > ----- Original Message ----- >> From: "Vlasta Ramik" >> To: keycloak-user at lists.jboss.org >> Sent: Friday, November 9, 2018 1:52:02 PM >> Subject: Re: [keycloak-user] Running Keycloak examples >> >> Hello, >> >> inline >> >> On 11/9/18 7:55 AM, Pritha Srivastava wrote: >>> Hi All, >>> >>> I am trying to set up a Keycloak server and run the examples, for which I >>> did the following: >>> >>> 1. Downloaded 4.5.0.Final Standalone Server distribution, and started the >>> server using ./standalone.sh, which worked fine. >>> 2. Downloaded keycloak-examples-4.5.0.Final, and for the >>> preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and >>> the second step gave me this error - UT010039: Unknown authentication >>> mechanism KEYCLOAK >>> 3. To solve the error in 2.0, I downloaded the wildfly adapter >>> keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - >>> ./bin/jboss-cli.sh --file=adapter-install.cli --connect >>> --controller=127.0.0.1:9990 which gave the following response: >> can you please try the following to install adapter? >> >> ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli >> >>> {"outcome" => "success"} >>> { >>> "outcome" => "success", >>> "response-headers" => { >>> "operation-requires-reload" => true, >>> "process-state" => "reload-required" >>> } >>> } >>> { >>> "outcome" => "failed", >>> "failure-description" => "WFLYCTL0310: Extension module >>> org.keycloak.keycloak-adapter-subsystem not found", >>> "rolled-back" => true, >>> "response-headers" => {"process-state" => "reload-required"} >>> } >>> >>> I am not sure how to solve the above problem.
Any help is greatly >>> appreciated. >>> >>> P.S.: I am completely new to Jboss, Wildfly etc. >>> >>> Thanks, >>> Pritha >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From bruno at abstractj.org Mon Nov 12 03:56:43 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Nov 2018 06:56:43 -0200 Subject: [keycloak-user] Regarding keycloak REST api In-Reply-To: References: Message-ID: Hi Sharlet, there's a quickstart here https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-nodejs which can help you. On Mon, Nov 12, 2018 at 6:08 AM Sharlet Wilson wrote: > > Hi, > > I have a user's keycloak access token on my backend Node.js application. > Would like to know how I can use it to authorize a user to access my custom > REST apis. (I am using the > /auth/realms//protocol/openid-connect/token > api to get the user's access token). > > Regards, > Sharlet Hannah Wilson > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From bruno at abstractj.org Mon Nov 12 04:00:38 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Nov 2018 07:00:38 -0200 Subject: [keycloak-user] There is already a httpSessionManager In-Reply-To: <9700A518-4D16-4EEB-A7AC-18B650F0D2C2@gmail.com> References: <9700A518-4D16-4EEB-A7AC-18B650F0D2C2@gmail.com> Message-ID: Hi Calixto, I'd suggest to validate your setup just looking at the quickstarts https://github.com/keycloak/keycloak-quickstarts On Fri, Nov 9, 2018 at 6:53 PM Calixto Mele?n wrote: > > I'm doing a simple tutorial with SpringBoot 2.1.0 and KeyCloack 4.5.0.
> When I start the app, I am getting the following error:
>
> org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'httpSessionManager' defined in class path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot register bean definition [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=securityConfig; factoryMethodName=httpSessionManager; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/example/demo/configuration/SecurityConfig.class]] for bean 'httpSessionManager': There is already [Generic bean: class [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; scope=singleton; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] bound.
>
> Relevant maven dependencies I have are:
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-spring-boot-starter</artifactId>
>     <version>${keycloak.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.springframework.boot</groupId>
>     <artifactId>spring-boot-starter-security</artifactId>
> </dependency>
>
> SecurityConfig.class is:
>
> import org.keycloak.adapters.KeycloakConfigResolver;
> import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
> import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
> import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
> import org.springframework.beans.factory.annotation.Autowired;
> import org.springframework.context.annotation.Bean;
> import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import org.springframework.security.core.session.SessionRegistryImpl;
> import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
> import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
>
> @KeycloakConfiguration
> public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>     @Bean
>     public KeycloakConfigResolver KeycloakConfigResolver()
>         return new KeycloakSpringBootConfigResolver();
>     }
>
>     /**
>      * Registers the KeycloakAuthenticationProvider with the authentication manager.
>      */
>     @Autowired
>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>         auth.authenticationProvider(keycloakAuthenticationProvider());
>     }
>
>     /**
>      * Defines the session authentication strategy.
>      */
>     @Bean
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>     }
>
>     @Override
>     protected void configure(HttpSecurity http) throws Exception {
>         super.configure(http);
>         http
>             .authorizeRequests()
>             .antMatchers("/customers*").hasRole("pharmacist")
>             .anyRequest().permitAll();
>     }
> }
>
> Appreciate any help. Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- - abstractj From msakho at redhat.com Mon Nov 12 04:24:51 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Mon, 12 Nov 2018 10:24:51 +0100 Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable In-Reply-To: References: Message-ID: Hi Sebastian, That's correct. I can see that my truststore is created correctly with my CA certificates. I need now to configure the OutGoing HTTPS Request Truststore [3] with the created truststore and the password. The problem is that I can't set the password. I've checked into the x509-truststore.cli [1] and see that it's picked from the $keycloak_tls_truststore_password variable, and created from your x509.sh script [2]. I've tried to use the same syntax in my cli below but it fails because the $keycloak_tls_truststore_password is not known from my cli. So Sebastien, do you know how I can get the truststore password? Is it possible to set it as an environment variable to the docker image?
[1]= https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli [2]= https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh [3]= https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore Thanks, Meissa On Wed 31 Oct 2018 at 09:08, Sebastian Laskawiec wrote: > Hey Meissa, > > The warning you see does no harm. As you can see here [1], the message is > being thrown without stopping the script. > > Pulling JDK CAs has been implemented somewhat ahead of time. I asked the > Cloud Enablement (and also other Red Hat teams) to put Kubernetes and > OpenShift CAs into JDK lib directory. This way Keycloak will trust the > OpenShift cluster out of the box. The warning you see clearly indicates > that this feature hasn't been implemented yet. > > So the bottom line - please ignore this error. I'm pretty sure it will > disappear in the future (and if not, I'll just remove or disable this > feature). > > Thanks, > Sebastian > > [1] > https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88 > > On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho > wrote: > >> Hi Sebastian, >> Do you have any advice in this issue. It's related to the x509.sh script >> and I would really appreciate an input/help here. >> Meissa >> ---------- Forwarded message --------- >> From: Meissa M'baye Sakho >> Date: Tue 30 Oct 2018 at 17:12 >> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment >> variable >> To: keycloak-user >> >> >> hello everyone, >> I'm using the jboss/keycloak:4.5.0.Final docker image. >> I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment >> variable as explained in the Jboss/keycloak docker image documentation. >> I've mounted a volume to the image pointing to the cert file and defined >> the env variable.
>> I'm running the image with the following command:
>>
>> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>>   -e PROXY_ADDRESS_FORWARDING=true \
>>   -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>>   -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>>   -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>>   -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>>   -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>>   jboss/keycloak:4.5.0.Final
>>
>> When the container starts, I've checked that the cert has been correctly mounted to the expected folder /var/run/secrets
>> But I see in the log that the certificate import fails (extract below):
>>
>> Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
>> HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
>> Creating Keycloak truststore..
>> Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
>> Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
>> Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
>> Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>>
>> I've checked in the script that handles the TLS import [1], but I'm not able to guess why the import is failing.
>>
>> The following extract is a part of the script that is used by the image to import the cert.
>> # Import existing system CA certificates into the newly generated
>> truststore
>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>>   echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>>   keytool -importkeystore -noprompt \
>>     -srckeystore "${SYSTEM_CACERTS}" \
>>     -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>     -srcstoretype jks -deststoretype jks \
>>     -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>   if [ "$?" -ne "0" ]; then
>>     echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>   else
>>     echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>>   fi
>>
>> Any advice?
>>
>> [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>>
>> Meissa
>>
>

From msakho at redhat.com Mon Nov 12 04:47:03 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 12 Nov 2018 10:47:03 +0100
Subject: [keycloak-user] Add CA certificates for LDAPS ?
In-Reply-To:
References: <1662f626b66.d913c15131404.552465038631491981@mpouss.in> <9a8a4961-c5fb-87e9-661c-bfd87e10da09@redhat.com> <16633c8bd7b.1093feebf42029.2315606082414745027@mpouss.in> <1541018026.2120.1.camel@acutus.pro> <166e3975670.edec95a619314.6696607516355464263@mpouss.in>
Message-ID:

Hi Mathieu,
I finally managed to see the certificates in the jks store.
I need to define the outgoing https request and the truststore password is required.
Did you find a way to get the truststore password?
Meissa

On Fri, 9 Nov 2018 at 10:18, Meissa M'baye Sakho wrote:

> Hi Mathieu,
> Regarding your statement below:
> - The X509_CA_BUNDLE env variable thing (It's running in a container), I
> can see the certificates in the JKS store
> Could you please tell me how you managed to see the certificates in the
> JKS store?
> Regards,
> Meissa
>
> On Tue, 6 Nov 2018 at 14:50, Meissa M'baye Sakho wrote:
>
>> My LDAPS configuration did also work fine with keycloak 3.3.5 docker image
>> My question was related to the X509_CA_BUNDLE env variable that
>> comes with the keycloak 4.4.x docker image.
>> I would like to use it and wanted to know if it works.
>> Do I understand that it's working fine for you Mathieu?
>> Meissa
>>
>> On Mon, 5 Nov 2018 at 12:17, Mathieu Poussin wrote:
>>
>>> I confirm this fixed the issue :)
>>>
>>> So simple that I didn't think about it...
>>>
>>> Thank you
>>>
>>> ---- On Wed, 31 Oct 2018 21:33:46 +0100 Dmitry Telegin wrote ----
>>> > Mathieu, Meissa,
>>> >
>>> > Starting from 4.5.0, the Keycloak Docker image uses standalone-ha.xml
>>> > instead of standalone.xml by default. I guess this is why your truststore
>>> > settings are being ignored.
>>> >
>>> > I've also tested Keycloak + LDAP + self-signed cert + truststore on a
>>> > non-Docker deployment - it works pretty well, so definitely not a Keycloak
>>> > bug per se.
>>> >
>>> > Good luck!
>>> > Dmitry Telegin
>>> > CTO, Acutus s.r.o.
>>> > Keycloak Consulting and Training
>>> >
>>> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> > +42 (022) 888-30-71
>>> > E-mail: info at acutus.pro
>>> >
>>> > On Wed, 2018-10-31 at 11:05 +0100, Meissa M'baye Sakho wrote:
>>> > > Hello Mathieu,
>>> > > did you manage to make it work?
>>> > > If yes, could you tell me how?
>>> > > Meissa
>>> > >
>>> > > > On Tue, 2 Oct 2018 at 10:01, Mathieu Poussin wrote:
>>> > >
>>> > > > Hello Marek.
>>> > > >
>>> > > > I've done that already but looks like it is completely ignored.
>>> > > > I have my custom truststore that has all my CA certificates (2), but I'm
>>> > > > still seeing the same issue. (SPI is enabled on the LDAPS settings on the
>>> > > > admin)
>>> > > > Is there a way to make sure it has been loaded correctly? (I don't see any
>>> > > > error when the application starts but it's not working as expected)
>>> > > >
>>> > > > Thanks.
>>> > > > Mathieu
>>> > > >
>>> > > >
>>> > > > ---- On Mon, 01 Oct 2018 20:14:22 +0200 Marek Posolda <mposolda at redhat.com> wrote ----
>>> > > > > You can configure the Truststore SPI, which is mentioned in our docs
>>> > > > > here:
>>> > > > >
>>> > > > > https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>>> > > > >
>>> > > > > Some additional notes around LDAP are here:
>>> > > > >
>>> > > > > https://www.keycloak.org/docs/latest/server_admin/index.html#connect-to-ldap-over-ssl
>>> > > > >
>>> > > > > Marek
>>> > > > >
>>> > > > >
>>> > > > > On 01/10/18 13:27, Mathieu Poussin wrote:
>>> > > > > > Hello.
>>> > > > > >
>>> > > > > > What would be the recommended way to add custom CA certificates?
>>> > > > > > The documentation has a lot of different ways and so far none of them
>>> > > > > > worked:
>>> > > > > >
>>> > > > > > - The X509_CA_BUNDLE env variable thing (It's running in a
>>> > > > > > container), I can see the certificates in the JKS store but looks like
>>> > > > > > they are completely ignored by the app server.
>>> > > > > > - Added custom SPI to load a custom JKS store, same, no error at
>>> > > > > > server start but they are completely ignored by the app server.
>>> > > > > >
>>> > > > > > This is the error I am getting:
>>> > > > > >
>>> > > > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> > > > > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
>>> > > > > > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
>>> > > > > > at sun.security.validator.Validator.validate(Validator.java:262)
>>> > > > > > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>> > > > > > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>>> > > > > > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>>> > > > > > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
>>> > > > > > ... 99 more
>>> > > > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>> > > > > > at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>>> > > > > > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>>> > > > > > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>>> > > > > > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
>>> > > > > > ... 105 more
>>> > > > > >
>>> > > > > >
>>> > > > > > Another option would be to disable certificate verification on LDAPS
>>> > > > > > as it's a trusted environment (last resort but well so far nothing else
>>> > > > > > worked), would there be a way to do that?
>>> > > > > > Connecting over LDAP is not an option as this prevents some features
>>> > > > > > like password reset from working.
>>> > > > > >
>>> > > > > > Thanks.
>>> > > > > >
>>> > > > > >
>>> > > > > > _______________________________________________
>>> > > > > > keycloak-user mailing list
>>> > > > > > keycloak-user at lists.jboss.org
>>> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > > >
>>> > > >
>>> > >
>>> >
>>>

From ronald.demneri at amdtia.com Mon Nov 12 04:59:13 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Mon, 12 Nov 2018 09:59:13 +0000
Subject: [keycloak-user] filter group claim in token per client
In-Reply-To: <1541806456.2031.5.camel@acutus.pro>
References: <1541397265.3650.7.camel@acutus.pro>, <1541806456.2031.5.camel@acutus.pro>
Message-ID:

Hello Dmitry,

After some trial and error, we were able to achieve having only pertinent groups in the token, although not as elegant as your script. So now we have it configured the way we want... approximately...

Do you care to elaborate a little bit more on the possibilities to mitigate that security issue you mentioned in the email.
The idea behind allowing a user to login if the required group membership constraint is fulfilled is quite important to us, which means that we need to find a different way from what we are doing right now. And of course, disabling SSO for all the clients is not a solution :)

Looking forward to hearing from you soon!

Thanks in advance,
Ronald

-----Original Message-----
From: Dmitry Telegin
Sent: 10.Nov.2018 12:34 AM
To: Ronald Demneri ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] filter group claim in token per client

Ronald,

Here are some Pro Tips(tm) for you :)

- use keycloakSession.context.client.clientId to retrieve client ID (works for both tokens and userinfo);
- use Java.from() and Java.to() to convert objects and arrays from Java to JavaScript and vice versa;
- use more JavaScript-fu like map() and filter() to avoid looping over arrays;
- use RegExp for generic case-insensitive pattern matching.

With the above, your whole mapper could look as simple as this:

==========================================
/**
 * Available variables:
 * user - the current user
 * realm - the current realm
 * token - the current token
 * userSession - the current userSession
 * keycloakSession - the current userSession
 */

var client = keycloakSession.context.client.clientId;

var groups = Java.from(user.groups)
    .map(function(group) { return group.name; })
    .filter(function(name) { return RegExp("(\\w+)-" + client + "-(\\w+)", "i").test(name); });

token.setOtherClaims("fGroup", Java.to(groups, "java.lang.String[]"));
==========================================

Please also read my earlier reply about the potential security issue with the script authenticator and how to mitigate it.

In fact, this problem (restricting access to clients based on group membership) has surfaced here at least three times during the last month, so I think I'd write an article with the solution walkthrough. Stay tuned and good luck :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-06 at 20:51 +0000, Ronald Demneri wrote:
> I configured the client to not use the userinfo endpoint for the group mapping. Instead I used the id token, and everything looks good now (no errors in the log,
> and the client gets the claim, and assigns permissions accordingly). Anyhow, the question remains, is there a way to get the client id using the script mapper?
>
> Thanks in advance,
> Ronald
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Ronald Demneri"
> To: "Ronald Demneri", "Dmitry Telegin"
> , "keycloak-user at lists.jboss.org"
> Subject: [keycloak-user] filter group claim in token per client
> Date: Tue, Nov 6, 2018 16:08
>
> Hello again,
>
> Upon testing login and experimenting where the claim should be inserted, I found out that the duplicate print() is a result of including the claim in both ID and access tokens. The error comes as a result of including the claim in the userinfo token, and probably that is why the userinfo endpoint does not contain the claim when the client application requests it.
>
> Any idea how to solve it?
>
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 06.Nov.2018 12:01 PM
> To: Ronald Demneri ; Dmitry Telegin
> ; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:
>
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################ APP1
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892)  We are here!!!
> 2018-11-06 10:51:42,408 INFO  [stdout] (default task-1892) ############################################
>
> But when trying to actually log in to the client, I receive the following:
>
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,466 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,475 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in at line number 31
>
> Line 31 is as follows:
>
> 31:    var client = token.getIssuedFor().toUpperCase();
> 32:    print("############################################ " + client);
>
> So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated? ATM, I removed the client scope mapper and have recreated the script mapper only for this client.
>
>
> Regards,
> Ronald
>
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 06.Nov.2018 11:05 AM
> To: 'Ronald Demneri' ; 'Dmitry Telegin'
> ; 'keycloak-user at lists.jboss.org'
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> Hello Dmitry,
>
> A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo. This is the script that we came up with (configured both as client scopes (possibly define as a default client scope) as well as script mapper specific to this client for test purposes - claim names are different of course):
>
>
> [kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
> [ {
>   "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
>   "name" : "Filtered_Groups",
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "display.on.consent.screen" : "true"
>   },
>   "protocolMappers" : [ {
>     "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
>     "name" : "Filtered Groups",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-script-based-protocol-mapper",
>     "consentRequired" : false,
>     "config" : {
>       "multivalued" : "true",
>       "userinfo.token.claim" : "true",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "fGroup",
>       "jsonType.label" : "String",
>       "script" : "/**
>         * Available variables:
>         * user - the current user
>         * realm - the current realm
>         * token - the current token
>         * userSession - the current userSession
>         * keycloakSession - the current userSession
>         */
>
>         //insert your code here...
>
>         //So, first we need to know, how many names should be added to the new claim,
>         var username = user ? user.username : \"anonymous\";
>         var groups = user.getGroups();
>         var group_array = groups.toArray();
>         //print(\"########################################## \" + username);
>
>         var client = token.getIssuedFor();
>         //print(\"############################################ \" + client);
>
>         var clUp = client.toUpperCase();
>         //print(clUp);
>
>         var group_APP = \"APP-\" + clUp + \"-USERS\";
>         var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\";
>
>         var group_filtered = [];
>
>         for (var i in group_array) {
>                 var gn = group_array[i].getName();
>                 var gnUp = gn.toUpperCase();
>                 if (gnUp === group_APP || gnUp === group_ROL) {
>                         group_filtered.push(\"/\" + gn);
>                         }
>                 }
>         //Then we declare the new array.
>         var l = group_filtered.length;
>         var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l);
>
>         for (var f in group_filtered) {
>                 group_token[f] = group_filtered[f];
>                 //print(group_token[f]);
>         }
>
>         //And submit the array as token
>         token.setOtherClaims(\"fGroup\", group_token);"
>     }
>   } ]
> }
>
> This is the userinfo data for my account:
>
> {
>   "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
>   "Group": [
>     "/APP-App1-Users/TGR-Team-ABC",
>     "/APP-App1-Users/TGR-Team-DEF",
>     "/APP-App1-Users",
>     "/APP-MySmallApp-Users"
>   ],
>   "email_verified": false,
>   "name": "Ronald Demneri",
>   "preferred_username": "u151302",
>   "given_name": "Ronald",
>   "family_name": "Demneri"
>
>
> The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.
> What do you think is going on? Is this behavior normal?
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 05.Nov.2018 12:12 PM
> To: 'Ronald Demneri' ; Dmitry Telegin
> ; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> Hello,
>
> In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and if I define such a mapper in the client template, I suppose I'd need some mechanism to get the client name and then make the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?
>
>
> Thanks again for your support!
> Ronald
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
> Sent: 05.Nov.2018 11:00 AM
> To: Dmitry Telegin
> ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] filter group claim in token per client
>
> Hello Dmitry,
>
> Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting.
>
> What do I need to pay extra attention to in order to solve this?
>
>
> Thanks in advance and Regards,
> Ronald
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: 05.Nov.2018 6:54 AM
> To: Ronald Demneri ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] filter group claim in token per client
>
> Hello Ronald,
>
> As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one.
>
> To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> > Hello everyone,
> >
> > Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
> >
> > Thanks in advance,
> >
> > Ronald

From wilson.sharlet at gmail.com Mon Nov 12 05:48:27 2018
From: wilson.sharlet at gmail.com (Sharlet Wilson)
Date: Mon, 12 Nov 2018 16:18:27 +0530
Subject: [keycloak-user] Regarding keycloak REST api
In-Reply-To:
References:
Message-ID:

Hi, I'm directly using the jboss/keycloak docker image to run Keycloak.

I created a 'quickstart' realm and a 'service-nodejs' client in the Keycloak server. I get the access token by sending a POST request to the /auth/realms//protocol/openid-connect/token API. (For this, I had to set the Access Type of the client to 'confidential' on the Keycloak server).

Now I'm trying to access the protected route of the example http://localhost:3000/service/secured by setting the Authorization header to the access token I got above, but it still gives me 'Access denied'. Am I doing anything wrong here?

Regards,
Sharlet Hannah Wilson

On Mon, Nov 12, 2018 at 1:37 PM Sharlet Wilson wrote:

> Hi,
>
> I have a user's keycloak access token on my backend Node.js application.
> Would like to know how I can use it to authorize a user to access my custom
> REST apis. (I am using the /auth/realms//protocol/openid-connect/token
> api to get the user's access token).
>
> Regards,
> Sharlet Hannah Wilson
>

From sthorger at redhat.com Mon Nov 12 05:52:09 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 12 Nov 2018 11:52:09 +0100
Subject: [keycloak-user] Latvian translation review
Message-ID:

Anyone from the community that can review Latvian translation PR [1]?
[1] https://github.com/keycloak/keycloak/pull/5676

From mad_style42 at hotmail.com Mon Nov 12 06:34:01 2018
From: mad_style42 at hotmail.com (David F)
Date: Mon, 12 Nov 2018 11:34:01 +0000
Subject: [keycloak-user] How update the locale value in user profile with REST API ?
Message-ID:

Hi,

I use the doc to update my profile with the REST API

PUT /{realm}/users/{id}

but if I want to change the locale value ("en", "fr"...), it's impossible.

I have this response "Unrecognized field "locale" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable" because in my body object I use the "locale" key for the "en" value for example.

I don't see in the doc how to send my new locale value in my body object.

Thanks for your help

From bruno at abstractj.org Mon Nov 12 07:02:25 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 12 Nov 2018 10:02:25 -0200
Subject: [keycloak-user] Regarding keycloak REST api
In-Reply-To:
References:
Message-ID:

Try something like this:

#!/bin/bash

REALM="quickstart"
PORT="8180"

echo "Access"

TKN=$(curl -X POST "http://172.18.0.2:$PORT/auth/realms/$REALM/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "username=alice" \
 -d 'password=password' \
 -d 'grant_type=password' \
 -d 'client_id=admin-cli' | jq -r '.access_token')

curl -X GET 'http://localhost:3000/service/secured' -H "Accept: application/json" -H "Authorization: Bearer $TKN"

On Mon, Nov 12, 2018 at 8:49 AM Sharlet Wilson wrote:
>
> Hi, I'm directly using the jboss/keycloak docker image to run Keycloak.
>
> I created a 'quickstart' realm and a 'service-nodejs' client in the
> Keycloak server. I get the access token by sending a POST request to
> /auth/realms//protocol/openid-connect/token API. (For this, I
> had to set the Access Type of the client to 'confidential' on the Keycloak
> server).
> Now I'm trying to access the protected route of the example
> http://localhost:3000/service/secured by setting the Authorization header
> to the access token I got above, but it still gives me 'Access denied'. Am
> I doing anything wrong here?
>
> Regards,
> Sharlet Hannah Wilson
>
>
> On Mon, Nov 12, 2018 at 1:37 PM Sharlet Wilson wrote:
>
> > Hi,
> >
> > I have a user's keycloak access token on my backend Node.js application.
> > Would like to know how I can use it to authorize a user to access my custom
> > REST apis. (I am using the /auth/realms//protocol/openid-connect/token
> > api to get the user's access token).
> >
> > Regards,
> > Sharlet Hannah Wilson
> >

--
- abstractj

From geoff at opticks.io Mon Nov 12 07:08:00 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 12 Nov 2018 13:08:00 +0100
Subject: [keycloak-user] End user sharing of his resource removes permission to his resource
Message-ID:

I'm experiencing unexpected results and believe there is a bug. I am losing permissions to my resource after sharing my resource with another user.

Resource owner rs1 has read and edit rights to his resource1 through a JS policy and permission which grants the resource owner the rights.

If rs1 uses the My resources screen to grant another user, rs2, the read scope to resource1, rs1 loses the right to the read scope.

Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the screen cast within the JIRA.
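Returning to Dmitry's script-mapper sketch in the "filter group claim in token per client" thread above: an added example, not code from that thread, that isolates the client-based group filter as plain JavaScript so it can be run and checked outside Keycloak. Unlike the one-liner it anchors the pattern and escapes the client id, so a longer group name such as APP-App1-Users-extra, or a client id containing regex metacharacters, cannot match by accident. The `<prefix>-<clientId>-<suffix>` naming is taken from the thread, the group names are constructed, and the `applyToToken` wiring is an assumption built from the `keycloakSession`, `Java.from`/`Java.to` and `token.setOtherClaims` calls Dmitry mentions.

```javascript
// Added example (not code from Dmitry's or Ronald's messages): the filtering
// core of a client-scoped group mapper, written as plain functions so it can
// be tested outside Keycloak. Assumes the naming convention from the thread,
// "<prefix>-<clientId>-<suffix>", compared case-insensitively.

// Escape regex metacharacters so a clientId such as "my.app" or "app+v2"
// cannot change the meaning of the pattern it is spliced into.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Anchored, case-insensitive matcher for one client. Anchoring means a group
// such as "APP-App1-Users-extra" is not accepted for client "app1".
function groupPatternFor(clientId) {
  return new RegExp("^(\\w+)-" + escapeRegExp(clientId) + "-(\\w+)$", "i");
}

// Keep only the group names that belong to the given client.
function filterGroupsForClient(groupNames, clientId) {
  var re = groupPatternFor(clientId);
  return groupNames.filter(function (name) { return re.test(name); });
}

// Glue for the real mapper under Nashorn: uses the `user`, `token` and
// `keycloakSession` variables Keycloak injects (hypothetical wiring, assembled
// from the calls shown in the thread). Under Node these do not exist, so the
// function returns null instead of touching them.
function applyToToken() {
  if (typeof Java === "undefined" || typeof keycloakSession === "undefined") {
    return null;
  }
  var client = keycloakSession.context.client.clientId;
  var names = Java.from(user.groups).map(function (g) { return g.name; });
  var filtered = filterGroupsForClient(names, client);
  token.setOtherClaims("fGroup", Java.to(filtered, "java.lang.String[]"));
  return filtered;
}

// Constructed sample input, modelled on the group names in Ronald's userinfo.
var SAMPLE_GROUPS = [
  "APP-App1-Users",
  "ROL_SSO-App1-Admin",
  "APP-MySmallApp-Users",
  "APP-App1-Users-extra"
];

console.log(filterGroupsForClient(SAMPLE_GROUPS, "app1"));
// → [ 'APP-App1-Users', 'ROL_SSO-App1-Admin' ]
```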
From Cedric.Roeck at senacor.com Mon Nov 12 07:24:40 2018
From: Cedric.Roeck at senacor.com (Röck, Cedric)
Date: Mon, 12 Nov 2018 12:24:40 +0000
Subject: [keycloak-user] Persist Keycloak session cache into JDBC store, no data is written into table
Message-ID: <91A1C543-4CFF-4BC6-9A2F-904A2FCB9736@senacor.com>

Hi,

we are currently trying to persist the in-memory session cache of our Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC based. In order to achieve this, we already updated the configuration and ended up with this config for the Infinispan subsystem:

false true [...] [...]

Even though the table "ispn_entry_sessions" gets created once Keycloak starts, no data is being persisted there. Not after 5min and also not once several hours passed. To exclude batch sizes and alike as error cause, our test creates 300 users and performs repeated logins for all of them, so there should also be enough load on the system.

Some more details:
* The statistics already show more than 600 cache-loader-misses for the jdbc store, but no successful load.
* Our deployment consists of three Keycloak instances running in Kubernetes pods / docker containers.
* Target JDBC Database is an Azure managed SQL DB / SQL Server
* We can't see any errors in the logs and also the cache distribution appears to still work amongst all nodes in the cluster.

If you need more details, log excerpts, the full config, ..., just give me a ping.

What are we missing? Any help is very much appreciated.

Thanks and kind regards
Cedric

Cedric Röck
______________________________
Senacor Technologies AG
Äußere Cramer-Klett-Str. 21
90489 Nürnberg
M +49 (170) 2274 878
Cedric.Roeck at senacor.com
www.senacor.com

Senacor Technologies Aktiengesellschaft - Registered office: Eschborn - Frankfurt am Main District Court - Reg. no.: HRB 110482
Management Board: Matthias Tomann, Marcus Purzer - Chairman of the Supervisory Board: Daniel Grözinger

This e-mail including any attachments may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the materials in this e-mail is strictly forbidden.

From psilva at redhat.com Mon Nov 12 07:34:01 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 12 Nov 2018 10:34:01 -0200
Subject: [keycloak-user] End user sharing of his resource removes permission to his resource
In-Reply-To:
References:
Message-ID:

Hi,

It should be fixed by https://issues.jboss.org/browse/KEYCLOAK-8445. Fix will be available in the next release.

Regards.
Pedro Igor

On Mon, Nov 12, 2018 at 10:23 AM Geoffrey Cleaves wrote:

> I'm experiencing unexpected results and believe there is a bug. I am losing
> permissions to my resource after sharing my resource with another user.
>
> Resource owner rs1 has read and edit rights to his resource1 through a JS
> policy and permission which grants the resource owner the rights.
>
> If rs1 uses the My resources screen to grant another user, rs2, the read
> scope to resource1, rs1 loses the right to the read scope.
>
> Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the
> screen cast within the JIRA.
>

From geoff at opticks.io Mon Nov 12 08:42:29 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 12 Nov 2018 14:42:29 +0100
Subject: [keycloak-user] How update the locale value in user profile with REST API ?
In-Reply-To:
References:
Message-ID:

Does this body work? Is locale an attribute?

{
  "username": "username",
  "enabled": true,
  "emailVerified": true,
  "email": "email",
  "disableableCredentialTypes": ["password"],
  "credentials": [{
    "value": "pass123",
    "type": "password"
  }],
  "attributes": {
    "company": ["company"],
    "locale": ["fr"]
  }
}

Regards,
Geoffrey Cleaves

On Mon, 12 Nov 2018 at 12:37, David F wrote:

> Hi,
>
> I use the doc to update my profile with the REST API
>
>
> PUT /{realm}/users/{id}
>
> but if I want to change the locale value ("en", "fr"...), it's impossible.
>
> I have this response "Unrecognized field "locale" (class
> org.keycloak.representations.idm.UserRepresentation), not marked as
> ignorable" because in my body object I use the "locale" key for the "en" value for
> example.
>
> I don't see in the doc how to send my new locale value in my body object.
>
> Thanks for your help
>

From prsrivas at redhat.com Mon Nov 12 10:00:17 2018
From: prsrivas at redhat.com (Pritha Srivastava)
Date: Mon, 12 Nov 2018 10:00:17 -0500 (EST)
Subject: [keycloak-user] Running Keycloak examples
In-Reply-To: <9a1bf974-82c9-4d0d-b7a1-70c439e43f64@redhat.com>
References: <257635183.32186267.1541746556969.JavaMail.zimbra@redhat.com> <0cb2a458-a741-8858-f339-9ddb3b75a442@redhat.com> <1107344991.32206816.1541753576533.JavaMail.zimbra@redhat.com> <9a1bf974-82c9-4d0d-b7a1-70c439e43f64@redhat.com>
Message-ID: <219649640.32930099.1542034817156.JavaMail.zimbra@redhat.com>

Thank you for your help. It does work fine for me as well. I was not sure what the correct location of $WILDFLY_HOME is.

Thanks,
Pritha

----- Original Message -----
> From: "Vlasta Ramik"
> To: "Pritha Srivastava"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, November 12, 2018 2:16:28 PM
> Subject: Re: [keycloak-user] Running Keycloak examples
>
> I've just checked it and it seems to work. These are my steps:
>
> 1. download wildfly-14.0.1.Final.zip as an application server and unpack
>
> 2. download keycloak-wildfly-adapter-dist-4.5.0.Final.zip and unpack it to
> $WILDFLY_HOME
>
> 3. run $WILDFLY_HOME/bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli
>
> all passes.
>
> 4. download keycloak-4.5.0.Final.zip and
> keycloak-examples-4.5.0.Final.zip (which are deprecated) and unzip it
>
> then I can start keycloak-4.5.0.Final (auth server) and
> wildfly-14.0.1.Final (app server) and then I can deploy examples to the
> app server.
>
> V.
> > On 11/9/18 9:52 AM, Pritha Srivastava wrote: > > I still get the same error: > > > > ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli > > > > { > > "outcome" => "failed", > > "failure-description" => "WFLYCTL0310: Extension module > > org.keycloak.keycloak-adapter-subsystem not found", > > "rolled-back" => true > > } > > > > > > Thanks, > > Pritha > > > > ----- Original Message ----- > >> From: "Vlasta Ramik" > >> To: keycloak-user at lists.jboss.org > >> Sent: Friday, November 9, 2018 1:52:02 PM > >> Subject: Re: [keycloak-user] Running Keycloak examples > >> > >> Hello, > >> > >> inline > >> > >> On 11/9/18 7:55 AM, Pritha Srivastava wrote: > >>> Hi All, > >>> > >>> I am trying to setup a Keycloak server and run the examples, for which I > >>> did the following: > >>> > >>> 1. Downloaded 4.5.0.Final Standalone Server distribution, and started the > >>> server using ./standalone.sh, which worked fine. > >>> 2. Downlaoded keycloak-examples-4.5.0.Final, and for the > >>> preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and > >>> the second step gave me this error - UT010039: Unknown authentication > >>> mechanism KEYCLOAK > >>> 3. To solve the error in 2.0, I downloaded the wildfly adapter > >>> keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - > >>> ./bin/jboss-cli.sh --file=adapter-install.cli --connect > >>> --controller=127.0.0.1:9990 which gave the following response: > >> can you please try the following to install adapter? 
> >> > >> ./bin/jboss-cli.sh --file=adapter-elytron-install-offline.cli > >> > >>> {"outcome" => "success"} > >>> { > >>> "outcome" => "success", > >>> "response-headers" => { > >>> "operation-requires-reload" => true, > >>> "process-state" => "reload-required" > >>> } > >>> } > >>> { > >>> "outcome" => "failed", > >>> "failure-description" => "WFLYCTL0310: Extension module > >>> org.keycloak.keycloak-adapter-subsystem not found", > >>> "rolled-back" => true, > >>> "response-headers" => {"process-state" => "reload-required"} > >>> } > >>> > >>> I am not sure how to solve the above problem. Any help is greatly > >>> appreciated. > >>> > >>> P.S.: I am completely new to Jboss, Wildfly etc. > >>> > >>> Thanks, > >>> Pritha > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > From fabio.ebner at lumera.com.br Mon Nov 12 15:56:59 2018 From: fabio.ebner at lumera.com.br (Fabio Ebner) Date: Mon, 12 Nov 2018 18:56:59 -0200 Subject: [keycloak-user] Authorize Url Message-ID: I using SpringBoot 2.0.5 and keycloak 4.5.0.Final so it's possible to secure an URL using: @PreAuthorize("hasRole('USER')") @GetMapping("/mensagem/enviada/t") instead the .antMatchers("/mensagem/enviada/**").hasRole("USER") From david at smooth-systems.solutions Mon Nov 12 16:55:46 2018 From: david at smooth-systems.solutions (David Monichi) Date: Mon, 12 Nov 2018 22:55:46 +0100 Subject: [keycloak-user] Extend keycloak notifications Message-ID: <5145cc17-a0aa-ca89-3a6f-41e4ad15599e@smooth-systems.solutions> Hi, I'm considering to create a new application and for sure I'll use keycloak as user backend. It's really cool stuff what you guys created. 
I thought about various solutions for notifications of my application and was wondering if you guys have already thought about extending your e-mail notification to a more general and flexible system, so that not only keycloak e-mails will be sent over keycloak but also other applications' e-mails and even more notifications can be sent over keycloak (I'm thinking here of SMS, etc.). Therefore applications would need to upload any kind of templates to keycloak and somehow be able to manage them.

There are 2 reasons for such a step. First of all, keycloak already provides such basic functionality to send notifications and so extending it could be done with lower overhead. Second, keycloak already owns the recipient data, if applications manage users over keycloak.

As an additional feature, of course, proper monitoring should be placed in such a feature, since notifications are really vital to modern applications.

We would be able to provide programming resources for such a feature but of course working together, especially for the design phase, with you guys.

The alternative would be to provide a different notification system and forward keycloak e-mails to that service (actually the event to send a notification). Don't know if this actually is the way to go ...

My motivation for such a feature is that a single application should be responsible for sending notifications of any kind and not be widespread over various applications.

Any ideas welcome ;) Eventually I overlooked something in my design ...

Thx in advance for all your thoughts & all the best

/david

From dt at acutus.pro Mon Nov 12 18:20:27 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 13 Nov 2018 02:20:27 +0300
Subject: [keycloak-user] Extend keycloak notifications
In-Reply-To: <5145cc17-a0aa-ca89-3a6f-41e4ad15599e@smooth-systems.solutions>
References: <5145cc17-a0aa-ca89-3a6f-41e4ad15599e@smooth-systems.solutions>
Message-ID: <1542064827.2535.5.camel@acutus.pro>

Hello David,

Just FYI, you can reach Keycloak developers via the keycloak-dev mailing list; this one is more like a community of independent Keycloak experts. Being a proud member thereof, I'll put in my two cents with great pleasure :) See answers inline.

TL;DR: the feature seems interesting, but I highly doubt it will ever be made a part of Keycloak. However, you can implement everything as a Keycloak extension (and that's what we love about Keycloak).

On Mon, 2018-11-12 at 22:55 +0100, David Monichi wrote:
> Hi,
>
> I'm considering to create a new application and for sure I'll use
> keycloak as user backend. It's really cool stuff what you guys created.
>
> I thought about various solutions for notifications of my application
> and was wondering if you guys already thought about to extend your
> e-mail notification to a more general and flexible system. So that not
> only keycloak e-mails will be sent over keycloak but also other
> applications e-mails and even more notifications can be send over
> keycloak (I'm thinking here of SMS, etc.). Therefore applications would
> need to upload any kind of templates to keycloak and somehow be able to
> manage them. There are 2 reasons for such a step. First of all keycloak
> already provides such basic functionality to sent notifications and so
> extending it could be done with lower overhead. Second, keycloak already
> owns the recipient data, if applications manage users over keycloak.
I'd also add that Keycloak already integrates the Freemarker template engine, which is used to generate emails (along with login forms and the account UI).

> As additional feature of course a proper monitoring should be placed in
> such a feature, since notifications are really vital to modern applications.

Could you please elaborate what exactly you need to monitor?

> We would be able to provide programming resources for such a feature but
> of course working together, specially for the design phase, with you guys.
>
> The alternative would be to provide a different notification system and
> forward keycloak e-mails to that service (actually the event to sent a
> notification). Don't know if this actually is the way to go ...
>
> My motivation for such a feature is, that a single application should be
> responsible for sending notifications of any kind and not be widespread
> over various applications.
>
> Any ideas welcome ;) Eventually I overlooked something in my design ...

My experience says that features like that rarely get incorporated into mainline Keycloak; the necessary (but not sufficient) condition is that you should be able to maintain this feature in the future.

However, you can use Keycloak extension points (called Providers [1] in Keycloak's terms) to implement what you want. Here's my take on the outline of the solution:

- implement EntityProvider [2] (custom JPA entity + DB table) to store templates;
- implement RealmResourceProvider [3] (custom REST resource) for CRUD-style template management by the applications;
- implement another one to trigger a notification (and potentially track its status);
- implement the actual notification code, i.e. retrieving the template, processing it with Freemarker and queueing it for delivery;
- most likely, you will need a persistent queue to store pending notifications. For that, you can employ Keycloak's built-in ActiveMQ Artemis message broker;
- optionally, integrate your system with Keycloak internal events, so that the latter could trigger your application-managed notifications.

For reference, I'd recommend the official Keycloak examples [4] and my own BeerCloak project [5].

Good luck, and feel free to ask any questions :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
[3] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[4] https://github.com/keycloak/keycloak/tree/master/examples/providers
[5] https://github.com/dteleguin/beercloak

>
> Thx in advance for all your thoughts & all the best
>
> /david
>

From tommaso.tamantini at staff.aruba.it Tue Nov 13 02:01:38 2018
From: tommaso.tamantini at staff.aruba.it (Tommaso Tamantini)
Date: Tue, 13 Nov 2018 08:01:38 +0100
Subject: [keycloak-user] Keycloak + Custom AuthenticatorFactory + Spring 5
Message-ID: <000001d47b1e$b980ac40$2c8204c0$@staff.aruba.it>

Hi to all,

I'm trying to develop a custom AuthenticatorFactory with a custom Authenticator. I would like to inject my custom Authenticator as a Spring Bean into my custom AuthenticatorFactory (because my authenticator should use an existing Spring library).

My authenticator is like:

    @Component
    public class MyAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator {
        [.]
To achieve it, I created an ApplicationContextAware bean:

    import org.springframework.beans.BeansException;
    import org.springframework.context.ApplicationContext;
    import org.springframework.context.ApplicationContextAware;
    import org.springframework.stereotype.Service;

    @Service
    public class BeanUtil implements ApplicationContextAware {

        // kept in a static field so that code Spring did not instantiate can look beans up
        private static ApplicationContext applicationContext;

        public BeanUtil() {
        }

        @Override
        public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
            BeanUtil.applicationContext = applicationContext;
        }

        public static MyAuthenticator getAuthenticatorBean() {
            return applicationContext.getBean(MyAuthenticator.class);
        }
    }

My factory is:

    import org.keycloak.authentication.AuthenticatorFactory;
    import org.keycloak.authentication.ConfigurableAuthenticatorFactory;
    import org.keycloak.models.KeycloakSession;

    public class MyAuthenticatorFactory implements AuthenticatorFactory, ConfigurableAuthenticatorFactory {

        public static final String PROVIDER_ID = "aruba-alias-authenticator";
        public static final String G_RECAPTCHA_RESPONSE = "g-recaptcha-response";
        public static final String RECAPTCHA_REFERENCE_CATEGORY = "recaptcha";
        public static final String SITE_KEY = "site.key";
        public static final String NUMBER_KEY = "number.key";
        public static final String SITE_SECRET = "secret";

        @Override
        public String getId() {
            return PROVIDER_ID;
        }

        @Override
        public MyAuthenticator create(KeycloakSession session) {
            return BeanUtil.getAuthenticatorBean();
        }

        [.]

Keycloak starts up correctly. When I try to use MyAuthenticator, I get:

    16:46:48,484 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://0.0.0.0:9990/management
    sia-keycloak | 16:46:48,484 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://0.0.0.0:9990
    sia-keycloak | 16:46:48,485 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in 23456ms - Started 943 of 1231 services (653 services are lazy, passive or on-demand)
    sia-keycloak | 16:47:12,357 WARN  [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
    sia-keycloak |     at ...authenticator.alias.BeanUtil.getArubaAliasAuthenticatorBean(BeanUtil.java:22)
    sia-keycloak |     at ..authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.java:35)
    sia-keycloak |     at ...authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.java:1)

The reason is that the Spring Context is null. Any idea about how to fix this issue?

Many thanks,
Tom

From karsten.honsack at zurich.com Tue Nov 13 02:11:03 2018
From: karsten.honsack at zurich.com (Karsten Honsack)
Date: Tue, 13 Nov 2018 07:11:03 +0000
Subject: [keycloak-user] Login via SAML RESPONSE from an IdP
In-Reply-To: <1541736836.15117.5.camel@acutus.pro>
References: <1541736836.15117.5.camel@acutus.pro>
Message-ID:

Hi Dmitry,

thank you for the additional information!

I don't know the exact technology. It is a German SSO provider for insurance sellers called "easy login" and I think their IdP is their own implementation as they also use some proprietary token formats for other scenarios.

Best regards
Karsten

-----Original Message-----
From: Dmitry Telegin
Sent: Friday, 9 November 2018 05:14
To: Karsten Honsack; keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Login via SAML RESPONSE from an IdP

Hello Karsten,

Just to add to Luis's answer below. In SAML terms, this is called an "Unsolicited SAML response", meaning that it hasn't been preceded by any AuthnRequest.

While configuring your partner webapp in the 3rd party IdP, make sure that your ACS URL is in the following form:

    /auth/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}

where {client-id} is the value of the "IDP Initiated SSO URL Name" in the broker definition.

It's a common mistake to use the Keycloak SAML endpoint (/auth/realms/{realm}/protocol/saml/endpoint) as the ACS for IdP-initiated SSO. This won't work, as the generic SAML endpoint doesn't accept unsolicited responses; only client-specific endpoints do.

By the way, what's that 3rd party IdP? Keycloak is known to work with Okta and PingFederate and theoretically should work with any SAML 2.0 compliant IdP.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-08 at 09:50 +0000, Karsten Honsack wrote:
> Hello everybody,
>
> I am trying to figure out if Keycloak is capable of fulfilling the following requirement. I read through the documentation but was not able to figure it out.
>
> Scenario:
> A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening in my understanding:
>
> Flow:
> 1. User logs in on the website.
> 2. User clicks on a button.
> 3. Website creates an encrypted SAML RESPONSE using its STS, redirects the user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there.
> 4. Keycloak decrypts/validates the SAML RESPONSE and authenticates the user.
> 5. Keycloak redirects the user to the application.
> 6. User uses the application.
>
> Is this possible? How does it have to be configured? Do you need any more information to help me? Thank you in advance!
>
> Best regards
>
> Karsten Honsack
>

From msakho at redhat.com Tue Nov 13 03:14:03 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 13 Nov 2018 09:14:03 +0100
Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable
In-Reply-To:
References:
Message-ID:

Hello Sebastian,

Any advice? I really need to access the truststore password initialized locally from the x509.sh script (extract below):

    local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
    local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"

I'm stuck otherwise. How can I get access to it?

Meissa

On Mon, 12 Nov 2018 at 10:24, Meissa M'baye Sakho wrote:
> Hi Sebastian,
> That's correct. I can see that my truststore is created correctly with
> my CA certificates.
> I now need to configure the Outgoing HTTPS Request Truststore [3] with the
> created truststore and the password.
> The problem is that I can't set the password. I've checked in the
> x509-truststore.cli [1] and see that it's picked up from the
> $keycloak_tls_truststore_password variable.
> and created by your x509.sh script [2].
> I've tried to use the same syntax in my cli below but it fails because the
> $keycloak_tls_truststore_password is not known to my cli.
> So Sebastian, do you know how I can get the truststore password?
> Is it possible to set it as an environment variable of the docker image?
>
> [1] https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli
> [2] https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh
> [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore
>
> Thanks,
> Meissa
>
> On Wed, 31 Oct 2018 at 09:08, Sebastian Laskawiec wrote:
>
>> Hey Meissa,
>>
>> The warning you see does no harm. As you can see here [1], the message is
>> being thrown without stopping the script.
>>
>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked the
>> Cloud Enablement (and also other Red Hat teams) to put Kubernetes and
>> OpenShift CAs into the JDK lib directory. This way Keycloak will trust the
>> OpenShift cluster out of the box. The warning you see clearly indicates
>> that this feature hasn't been implemented yet.
>>
>> So the bottom line - please ignore this error. I'm pretty sure it will
>> disappear in the future (and if not, I'll just remove or disable this
>> feature).
>>
>> Thanks,
>> Sebastian
>>
>> [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88
>>
>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho wrote:
>>
>>> Hi Sebastian,
>>> Do you have any advice on this issue? It's related to the x509.sh script
>>> and I would really appreciate an input/help here.
>>> Meissa
>>>
>>> ---------- Forwarded message ---------
>>> From: Meissa M'baye Sakho
>>> Date: Tue, 30 Oct 2018 at 17:12
>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment variable
>>> To: keycloak-user
>>>
>>> hello everyone,
>>> I'm using the jboss/keycloak:4.5.0.Final docker image.
>>> I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment
>>> variable as explained in the jboss/keycloak docker image documentation.
>>> I've mounted a volume to the image pointing to the cert file and defined
>>> the env variable.
>>> I'm running the image with the following command:
>>>
>>>     docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \
>>>       -e PROXY_ADDRESS_FORWARDING=true \
>>>       -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \
>>>       -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \
>>>       -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \
>>>       -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \
>>>       -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \
>>>       jboss/keycloak:4.5.0.Final
>>>
>>> When the container starts, I've checked that the cert has been correctly
>>> mounted to the expected folder /var/run/secrets.
>>> But I see in the log that the certificate import fails (extract below):
>>>
>>>     Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..
>>>     HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks
>>>     Creating Keycloak truststore..
>>>     Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks
>>>     Importing certificates from system's Java CA certificate bundle into Keycloak truststore..
>>>     Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!
>>>     Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}
>>>
>>> I've checked in the script that handles the TLS import [1], but I'm not
>>> able to guess why the import is failing.
>>>
>>> The following extract is a part of the script that is used by the image
>>> to import the cert.
>>>
>>>     # Import existing system CA certificates into the newly generated truststore
>>>     local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
>>>     if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
>>>       echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.."
>>>       keytool -importkeystore -noprompt \
>>>         -srckeystore "${SYSTEM_CACERTS}" \
>>>         -destkeystore "${JKS_TRUSTSTORE_PATH}" \
>>>         -srcstoretype jks -deststoretype jks \
>>>         -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
>>>       # Note that this exit-status test is inverted: a non-zero status (failure) prints
>>>       # the "Successfully imported" line, while a zero status (success) prints "Failed"
>>>       if [ "$?" -ne "0" ]; then
>>>         echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}"
>>>       else
>>>         echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!"
>>>       fi
>>>
>>> Any advice?
>>>
>>> [1] https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh
>>>
>>> Meissa
>>>
>>

From slaskawi at redhat.com Tue Nov 13 03:37:41 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 13 Nov 2018 09:37:41 +0100
Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable
In-Reply-To:
References:
Message-ID:

So the variable you're pointing out is local to the script. Having said that, you have no access to it from the outside.

I think the proper solution would be to modify the Keycloak codebase (especially the Keycloak subsystem) and integrate it with Elytron. Probably +Pedro Igor Silva would be the best person to ask about that.
As for the short-term solution, I guess introducing two optional environment variables for storing the Keystore and Truststore passwords would be enough. If those variables were empty, we would generate a new password. If not, we'd use it for generating the JKS files.

Unfortunately adding this feature is not currently on our priority list. Therefore, I highly encourage you to contribute it. If you plan to do so, please remember to create a JIRA for it. I will be more than happy to review the code once you have something ready.

Thanks,
Sebastian

On Tue, Nov 13, 2018 at 9:14 AM Meissa M'baye Sakho wrote:
> Hello Sebastian,
> Any advice?
> I really need to access the truststore password initialized locally from the
> x509.sh script (extract below):
>
>     local PASSWORD=$(openssl rand -base64 32 2>/dev/null)
>     local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"
>
> I'm stuck otherwise.
> How can I get access to it?
> Meissa
>

From thomas.darimont at googlemail.com Tue Nov 13 03:42:36 2018
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 13 Nov 2018 09:42:36 +0100
Subject: [keycloak-user] [keycloak-dev] There is already a httpSessionManager
In-Reply-To:
References: <9700A518-4D16-4EEB-A7AC-18B650F0D2C2@gmail.com>
Message-ID:

Hello Calixto,

this is more a question for keycloak-user instead of keycloak-dev.

There are some issues with Spring Security and the latest version of the keycloak spring-boot / spring-security adapter 4.5.0.Final. You can have a look at the following two examples for a working configuration.
see: https://github.com/thomasdarimont/wjax2018-spring-keycloak/tree/master/demos - spring-boot-2-frontend - spring-boot-2-backend The examples are currently using org.springframework.boot spring-boot-starter-parent 2.0.6.RELEASE but the configuration works as well with org.springframework.boot spring-boot-starter-parent 2.1.0.RELEASE in combination with the following setting in application.yml / application.properties: spring: main: allow-bean-definition-overriding: true which seems to be required since Spring Boot 2.1 Cheers, Thomas Am Di., 13. Nov. 2018 um 01:18 Uhr schrieb Calixto Mele?n : > I?m doing a simple tutorial with SpringBoot 2.1.0 and KeyCloack 4.5.0. > When I start my app, I am getting the error below. It?s like the session > manager bean is being registered more than once. > > org.springframework.beans.factory.support.BeanDefinitionOverrideException: > Invalid bean definition with name 'httpSessionManager' defined in class > path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot > register bean definition [Root bean: class [null]; scope=; abstract=false; > lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; > primary=false; factoryBeanName=securityConfig; > factoryMethodName=httpSessionManager; initMethodName=null; > destroyMethodName=(inferred); defined in class path resource > [com/example/demo/configuration/SecurityConfig.class]] for bean > 'httpSessionManager': There is already [Generic bean: class > [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; > scope=singleton; abstract=false; lazyInit=false; autowireMode=0; > dependencyCheck=0; autowireCandidate=true; primary=false; > factoryBeanName=null; factoryMethodName=null; initMethodName=null; > destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m! 
> 2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] > bound. > > Relevant maven dependencies I have are: > > > org.keycloak > keycloak-spring-boot-starter > ${keycloak.version} > > > > org.springframework.boot > spring-boot-starter-security > > > SecurityConfig.class is: > > @KeycloakConfiguration > public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { > > @Bean > public KeycloakConfigResolver KeycloakConfigResolver() { > return new KeycloakSpringBootConfigResolver(); > } > > /** > * Registers the KeycloakAuthenticationProvider with the authentication > manager. > */ > @Autowired > public void configureGlobal(AuthenticationManagerBuilder auth) throws > Exception { > auth.authenticationProvider(keycloakAuthenticationProvider()); > } > > /** > * Defines the session authentication strategy. > */ > @Bean > @Override > protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { > return new RegisterSessionAuthenticationStrategy(new > SessionRegistryImpl()); > } > > @Override > protected void configure(HttpSecurity http) throws Exception > { > super.configure(http); > http > .authorizeRequests() > .antMatchers("/customers*").hasRole("pharmacist") > .anyRequest().permitAll(); > } > } > > > Appreciate any help. Thanks > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From msakho at redhat.com Tue Nov 13 03:54:01 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Tue, 13 Nov 2018 09:54:01 +0100 Subject: [keycloak-user] setting up TLS(SSL) through the X509_CA_BUNDLE environment variable In-Reply-To: References: Message-ID: Sebastian, I'm already working for the short term solution. I will create a JIRA and let you know when everything is ok. 
@Pedro Igor Silva for the wildfly solution, I've opened a thread in the wildfly forum [0]. No one answered ATM. I think that it's a feature between wildfly and keycloak. We should be able to reference a truststore while defining a keycloak SPI [1] with keycloak 4.5 that relies on wildfly 13. This feature is missing. [0] = https://developer.jboss.org/message/986328#986328 [1] = https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore What do you think about that? Thanks, Meissa On Tue, 13 Nov 2018 at 09:37, Sebastian Laskawiec wrote: > So the variable you're pointing out is local to the script. Having said > that, you have no access to it from the outside. > > I think the proper solution would be to modify the Keycloak codebase > (especially the Keycloak subsystem) and integrate it with Elytron. Probably +Pedro > Igor Silva would be the best person to ask about that. > > As for the short-term solution, I guess introducing two optional > environment variables for storing Keystore and Truststore passwords would > be enough. If those variables were empty, we would generate a new password. > If not, we'd use it for generating JKS files. > > Unfortunately adding this feature is not currently on our priority list. > Therefore, I highly encourage you to contribute it. If you plan to do so, > please remember to create a JIRA for it. I will be more than happy to > review the code once you have something ready. > > Thanks, > Sebastian > > On Tue, Nov 13, 2018 at 9:14 AM Meissa M'baye Sakho > wrote: > >> Hello Sebastian, >> Any advice? >> I really need to access the truststore password initialized locally in the >> x509.sh script (extract below): >> local PASSWORD=$(openssl rand -base64 32 2>/dev/null) >> local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks" >> >> I'm stuck otherwise. >> How can I get access to it? >> Meissa >> >> On Mon, 12 Nov 2018 at 10:24, Meissa M'baye Sakho >> wrote: >> >>> Hi Sebastian, >>> That's correct.
I can see that my truststore is created correctly >>> with my CA certificates. >>> I now need to configure the Outgoing HTTPS Request Truststore [3] with >>> the created truststore and the password. >>> The problem is that I can't set the password. I've checked in the >>> x509-truststore.cli [1] and see that it's picked up from the >>> $keycloak_tls_truststore_password variable, >>> which is created by your x509.sh script [2]. >>> I've tried to use the same syntax in my cli below but it fails because >>> $keycloak_tls_truststore_password is not known to my cli. >>> So Sebastian, do you know how I can get the truststore password? >>> Is it possible to set it as an environment variable of the docker image? >>> >>> >>> [1] = >>> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/cli/x509-truststore.cli >>> [2] = >>> https://raw.githubusercontent.com/jboss-dockerfiles/keycloak/master/server/tools/x509.sh >>> [3] = >>> https://www.keycloak.org/docs/latest/server_installation/index.html#_truststore >>> Thanks, >>> Meissa >>> >>> >>> On Wed, 31 Oct 2018 at 09:08, Sebastian Laskawiec >>> wrote: >>> >>>> Hey Meissa, >>>> >>>> The warning you see does no harm. As you can see here [1], the message >>>> is being thrown without stopping the script. >>>> >>>> Pulling JDK CAs has been implemented somewhat ahead of time. I asked >>>> the Cloud Enablement (and also other Red Hat teams) to put Kubernetes and >>>> OpenShift CAs into the JDK lib directory. This way Keycloak will trust the >>>> OpenShift cluster out of the box. The warning you see clearly indicates >>>> that this feature hasn't been implemented yet. >>>> >>>> So the bottom line - please ignore this error. I'm pretty sure it will >>>> disappear in the future (and if not, I'll just remove or disable this >>>> feature).
>>>> >>>> Thanks, >>>> Sebastian >>>> >>>> [1] >>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh#L88 >>>> >>>> On Wed, Oct 31, 2018 at 8:59 AM Meissa M'baye Sakho >>>> wrote: >>>> >>>>> Hi Sebastian, >>>>> Do you have any advice on this issue? It's related to the x509.sh >>>>> script and I would really appreciate any input/help here. >>>>> Meissa >>>>> ---------- Forwarded message --------- >>>>> From: Meissa M'baye Sakho >>>>> Date: Tue, 30 Oct 2018 at 17:12 >>>>> Subject: setting up TLS(SSL) through the X509_CA_BUNDLE environment >>>>> variable >>>>> To: keycloak-user >>>>> >>>>> >>>>> Hello everyone, >>>>> I'm using the jboss/keycloak:4.5.0.Final docker image. >>>>> I'm trying to set up Mutual TLS by using the X509_CA_BUNDLE environment >>>>> variable as explained in the jboss/keycloak docker image documentation. >>>>> I've mounted a volume to the image pointing to the cert file and >>>>> defined the env variable. >>>>> I'm running the image with the following command: >>>>> docker run -d --name opengie -e KEYCLOAK_USER=meissa -e >>>>> KEYCLOAK_PASSWORD=meissa \ >>>>> -e PROXY_ADDRESS_FORWARDING=true \ >>>>> -v >>>>> /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \ >>>>> -v >>>>> /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \ >>>>> -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \ >>>>> -e >>>>> JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \ >>>>> -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \ >>>>> jboss/keycloak:4.5.0.Final >>>>> >>>>> >>>>> When the container starts, I've checked that the cert has been >>>>> correctly mounted to the expected folder /var/run/secrets >>>>> But I see in the log that the certificate import fails (extract below): >>>>> Creating HTTPS keystore via OpenShift's service serving x509 >>>>> certificate secrets.. >>>>> HTTPS keystore successfully created at: >>>>>
/opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks >>>>> Creating Keycloak truststore.. >>>>> Keycloak truststore successfully created at: >>>>> /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks >>>>> Importing certificates from system's Java CA certificate bundle into >>>>> Keycloak truststore.. >>>>> Failed to import certificates from system's Java CA certificate >>>>> bundle into Keycloak truststore! >>>>> Setting JGroups discovery to dns.DNS_PING with properties >>>>> {dns_query=>bdf-opengie-test.paas.eclair.local} >>>>> >>>>> I've checked the script that handles the TLS import [1], but I'm not >>>>> able to guess why the import is failing. >>>>> >>>>> The following extract is the part of the script that is used by the >>>>> image to import the cert. >>>>> # Import existing system CA certificates into the newly generated >>>>> truststore >>>>> local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which >>>>> keytool)))"/../lib/security/cacerts") >>>>> if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass >>>>> "changeit" > /dev/null; then >>>>> echo "Importing certificates from system's Java CA certificate bundle >>>>> into Keycloak truststore.." >>>>> keytool -importkeystore -noprompt \ >>>>> -srckeystore "${SYSTEM_CACERTS}" \ >>>>> -destkeystore "${JKS_TRUSTSTORE_PATH}" \ >>>>> -srcstoretype jks -deststoretype jks \ >>>>> -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null >>>>> if [ "$?" -ne "0" ]; then >>>>> echo "Successfully imported certificates from system's Java CA >>>>> certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" >>>>> else >>>>> echo "Failed to import certificates from system's Java CA >>>>> certificate bundle into Keycloak truststore!" >>>>> fi >>>>> >>>>> Any advice?
>>>>> >>>>> [1] = >>>>> https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh >>>>> >>>>> Meissa >>>>> >>>> From lists at merit.unu.edu Tue Nov 13 04:23:59 2018 From: lists at merit.unu.edu (mj) Date: Tue, 13 Nov 2018 10:23:59 +0100 Subject: [keycloak-user] SaaS idp brokering Message-ID: Hi, This question is slightly off-topic, I hope it's allowed to ask here. We are using keycloak as an IdP, loving it. One of our sister institutes is using another (openid connect / saml2 compatible) IdP. Now a new project: trying to achieve web SSO across both institutes, for several web applications, most of which support only one single IdP. We have made a PoC using keycloak's brokering function, and it worked nicely. However, our sister institute prefers a SaaS solution. I've done my googling, but the terminology is confusingly different: - onelogin ("trusted IdP") - okta ("inbound federation") - gluu ("inbound identity") and obviously - keycloak ("IdP brokering") (but not saas) and I am not even sure that the above solutions are really the same as keycloak's IdP brokering, and that they would solve our SSO requirement. (Doing a PoC would be the next step.) So I am asking for recommendations from the gurus here. What are the dos and don'ts for something like this? Perhaps suggestions on what to look for, what to avoid, what other products to take a look at, etc. Insights? Thanks very much in advance, and again: apologies for being a bit off-topic, hope not to offend anyone. MJ From geoff at opticks.io Tue Nov 13 08:10:06 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Tue, 13 Nov 2018 14:10:06 +0100 Subject: [keycloak-user] 4.6.0 Final Message-ID: Anybody know when 4.6.0 is expected to roll out? I'm waiting for some nice bug fixes...
From wburns at redhat.com Tue Nov 13 09:09:28 2018 From: wburns at redhat.com (William Burns) Date: Tue, 13 Nov 2018 09:09:28 -0500 (EST) Subject: [keycloak-user] Persist Keycloak session cache into JDBC store, no data is written into table In-Reply-To: <91A1C543-4CFF-4BC6-9A2F-904A2FCB9736@senacor.com> References: <91A1C543-4CFF-4BC6-9A2F-904A2FCB9736@senacor.com> Message-ID: <1294229187.68193521.1542118168285.JavaMail.zimbra@redhat.com> This looks like the same issue I mentioned at [1]. It seems that keycloak is writing to the underlying Infinispan Cache using SKIP_CACHE_STORE flag which is preventing it from writing the entry to any configured store when passivation is configured as false. It seems that Keycloak currently only supports persistence when passivation is true. Unfortunately, a shared store and passivation can have consistency guarantees and as such is no longer a valid configuration with Infinispan 9.4 [2]. [1] http://lists.jboss.org/pipermail/keycloak-user/2018-November/016214.html [2] https://issues.jboss.org/browse/ISPN-7168 ----- Original Message ----- > From: "Cedric R?ck" > To: keycloak-user at lists.jboss.org > Sent: Monday, November 12, 2018 7:24:40 AM > Subject: [keycloak-user] Persist Keycloak session cache into JDBC store, no data is written into table > > Hi, > > we are currently trying to persist the in-memory session cache of our > Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC > based. > > In order to achieve this, we already updated the configuration and ended up > with this config for the Infinispan subsystem: > > > > > > > > > > > > > > > > > > > owners="${env.CACHE_OWNERS:1}"> > fetch-state="true" passivation="false" preload="true" > purge="false" shared="true" singleton="false"> > > false > > > true > >
> > > owners="${env.CACHE_OWNERS:1}"/> > statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/> > [...] > > [...] > > > Even though the table 'ispn_entry_sessions' gets created once Keycloak > starts, no data is being persisted there. Not after 5min and also not once > several hours passed. To exclude batch sizes and alike as error cause, our > test creates 300 users and performs repeated logins for all of them, so > there should also be enough load on the system. > > Some more details: > > * The statistics already show more than 600 cache-loader-misses for the > jdbc store, but no successful load. > * Our deployment consists of three Keycloak instances running in > Kubernetes pods / docker containers. > * Target JDBC Database is an Azure managed SQL DB / SQL Server > * We can't see any errors in the logs and also the cache distribution > appears to still work amongst all nodes in the cluster. > > > If you need more details, log excerpts, the full config, ..., just give me a > ping. > > What are we missing? Any help is very much appreciated. > > Thanks and kind regards > Cedric > > Cedric Röck > ______________________________ > Senacor Technologies AG > Äußere Cramer-Klett-Str. 21 > 90489 Nürnberg > > M +49 (170) 2274 878 > > Cedric.Roeck at senacor.com > www.senacor.com > > > Senacor Technologies Aktiengesellschaft - Sitz: Eschborn - Amtsgericht > Frankfurt am Main - Reg.-Nr.: HRB 110482 > Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender: Daniel > Grözinger > > This e-mail including any attachments may contain confidential and/or > privileged information.
If you are > not the intended recipient (or have received this e-mail in error) please > notify the sender immediately and > destroy this e-mail. Any unauthorized copying, disclosure or distribution of > the materials in this e-mail is > strictly forbidden. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From nocquidant at gmail.com Tue Nov 13 10:34:16 2018 From: nocquidant at gmail.com (Nicolas Ocquidant) Date: Tue, 13 Nov 2018 16:34:16 +0100 Subject: [keycloak-user] Persist Keycloak session cache into JDBC store, no data is written into table In-Reply-To: <91A1C543-4CFF-4BC6-9A2F-904A2FCB9736@senacor.com> References: <91A1C543-4CFF-4BC6-9A2F-904A2FCB9736@senacor.com> Message-ID: Hi Cedric, I experienced the same... For me, the only way to get data in the jdbc store is to enable passivation in Keycloak. But then, set shared=false as passivation doesn't play well with shared stores in Infinispan. See http://lists.jboss.org/pipermail/keycloak-user/2018-November/016214.html --nick On Mon, 12 Nov 2018 at 13:30, Röck, Cedric wrote: > Hi, > > we are currently trying to persist the in-memory session cache of our > Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC > based. > > In order to achieve this, we already updated the configuration and ended > up with this config for the Infinispan subsystem: > > > > > > > > > > > > > > > > > > > owners="${env.CACHE_OWNERS:1}"> > fetch-state="true" passivation="false" preload="true" purge="false" > shared="true" singleton="false"> > > false > > > true > >
> > > owners="${env.CACHE_OWNERS:1}"/> > statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/> > [...] > > [...] > > > Even though the table 'ispn_entry_sessions' gets created once Keycloak > starts, no data is being persisted there. Not after 5min and also not once > several hours passed. To exclude batch sizes and alike as error cause, our > test creates 300 users and performs repeated logins for all of them, so > there should also be enough load on the system. > > Some more details: > > * The statistics already show more than 600 cache-loader-misses for > the jdbc store, but no successful load. > * Our deployment consists of three Keycloak instances running in > Kubernetes pods / docker containers. > * Target JDBC Database is an Azure managed SQL DB / SQL Server > * We can't see any errors in the logs and also the cache distribution > appears to still work amongst all nodes in the cluster. > > > If you need more details, log excerpts, the full config, ..., just give me a > ping. > > What are we missing? Any help is very much appreciated. > > Thanks and kind regards > Cedric > > Cedric Röck > ______________________________ > Senacor Technologies AG > Äußere Cramer-Klett-Str. 21 > 90489 Nürnberg > > M +49 (170) 2274 878 > > Cedric.Roeck at senacor.com > www.senacor.com > > > Senacor Technologies Aktiengesellschaft - Sitz: Eschborn - Amtsgericht > Frankfurt am Main - Reg.-Nr.: HRB 110482 > Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender: > Daniel Grözinger > > This e-mail including any attachments may contain confidential and/or > privileged information.
If you are > not the intended recipient (or have received this e-mail in error) please > notify the sender immediately and > destroy this e-mail. Any unauthorized copying, disclosure or distribution > of the materials in this e-mail is > strictly forbidden. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vagelis.savvas at gmail.com Tue Nov 13 12:07:09 2018 From: vagelis.savvas at gmail.com (Vagelis Savvas) Date: Tue, 13 Nov 2018 19:07:09 +0200 Subject: [keycloak-user] Custom authentication Message-ID: <92f9ed9f-1adf-4da1-4b5a-4ede725d8c42@gmail.com> Hello, I'd like some advice on how to go about implementing the following custom authentication scenario: - A user, besides the standard username and password, optionally provides one more secret in the login screen. - The secret is associated with a realm role (one to one) by the realm admin, and if matched the user is dynamically added to the corresponding role. - If the secret isn't provided the user is normally authenticated and gets whatever roles he is assigned, like the default behavior. Of course I would like to avoid implementing an SPI for that :-) but if it is not possible to avoid it I'd appreciate any insights and advice. I admit I haven't carefully read the relevant SPI extension docs yet, hoping that there is some way of doing it without an SPI extension. Cheers, Vagelis From zitrone at gmx-topmail.de Tue Nov 13 14:11:10 2018 From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de) Date: Tue, 13 Nov 2018 20:11:10 +0100 Subject: [keycloak-user] Adding attributes during login In-Reply-To: <1541914268.3830.1.camel@acutus.pro> References: <1541914268.3830.1.camel@acutus.pro> Message-ID: <7d9b9737-12f5-a48a-7ead-3355f55c257b@gmx-topmail.de> Hi, I'm working on a similar problem. I managed to set up a script authenticator and a User Session Note Mapper.
Works fine on first request (like, on the first try. Thanks for the code!). I send the query parameter to the auth endpoint, enter the credentials and get a code. The token I get for the code contains the query parameter as a field. But when I query the auth endpoint a second time, it authenticates via cookie. Then it starts the script and the script throws a null pointer exception. The problem is that the "Referer" header is null. The idea behind the second call is to "update" the session note. Any ideas how to get the query parameter in this case? Or why it vanishes in the first place? Regards From pnowak.pierre at gmail.com Tue Nov 13 15:41:35 2018 From: pnowak.pierre at gmail.com (Pierre Nowak) Date: Tue, 13 Nov 2018 21:41:35 +0100 Subject: [keycloak-user] UMA fine grained management in the client itself Message-ID: Hello, I have difficulties finding the best way of protecting resources using Authorization Services or UMA. Here is the problem: user1 creates resource/item/id1 user2 creates resource/item/id2 I want to be able in my nodejs confidential client to: 1. list users that have access to a specific item (eg: item/id1) 2. list all resources a user has access to (not only the ones he has, but also the ones other users shared with him) 3. permit a user to access a resource 4. remove the access of a user to a resource I saw in the photoz UMA example a nice UI directly in keycloak. I would like to reproduce this tab directly in my client calling APIs to Keycloak. The reason is the tab in the account page doesn't give enough functionality, for example if I want to join some detail about the resources that would only be available in my resource server. I saw the resource set api and a node package ( https://github.com/proficonf/keycloak-authz) that tries to manage the resources only, but I can't find APIs that directly handle the 4 steps I just mentioned.
Thanks From nocquidant at gmail.com Tue Nov 13 16:02:11 2018 From: nocquidant at gmail.com (Nicolas Ocquidant) Date: Tue, 13 Nov 2018 22:02:11 +0100 Subject: [keycloak-user] File based cache store migration Message-ID: Hi When using a file based cache store for sessions, and assuming that I have millions of sessions in the file I don't want to lose, could Keycloak help me migrate this file when upgrading to a new version of Keycloak? It is serialized data inside, so migration may be difficult; that's why I am asking. Thanks --nick From dt at acutus.pro Tue Nov 13 17:40:37 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 14 Nov 2018 01:40:37 +0300 Subject: [keycloak-user] Adding attributes during login In-Reply-To: <7d9b9737-12f5-a48a-7ead-3355f55c257b@gmx-topmail.de> References: <1541914268.3830.1.camel@acutus.pro> <7d9b9737-12f5-a48a-7ead-3355f55c257b@gmx-topmail.de> Message-ID: <1542148837.10365.2.camel@acutus.pro> Hi, you're welcome. In the second scenario (cookie-based auth), there is no HTTP redirect, hence your query params are in the actual URL, not in the referer header. You can extract them as follows: var _foo = httpRequest.uri.queryParameters['foo']; if (_foo !== null) var foo = _foo[0]; Good luck! Dmitry On Tue, 2018-11-13 at 20:11 +0100, zitrone at gmx-topmail.de wrote: > Hi, > > I'm working on a similar problem. I managed to set up a script > authenticator and a User Session Note Mapper. Works fine on first > request (like, on the first try. Thanks for the code!). I send the query > parameter to the auth endpoint, enter the credentials and get a code. > The token I get for the code contains the query parameter as a field. > > But when I query the auth endpoint a second time, it authenticates via > cookie. Then it starts the script and the script throws a null pointer > exception. The problem is that the "Referer" header is null. > > The idea behind the second call is to "update" the session note. Any
> ideas how to get the query parameter in this case? Or why it vanishes in? > the first place? > > > Regards > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Tue Nov 13 17:54:51 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 14 Nov 2018 01:54:51 +0300 Subject: [keycloak-user] Adding attributes during login In-Reply-To: References: <1541879356.3515.1.camel@acutus.pro> <1541914268.3830.1.camel@acutus.pro> <1541980028.2048.1.camel@acutus.pro> Message-ID: <1542149691.10365.4.camel@acutus.pro> Hello Craig, Unfortunately I didn't have time for a full PoC, but here are some ideas that might be helpful. On Sun, 2018-11-11 at 19:12 -0600, Craig Setera wrote: > We want to "brand" (color and logo) the user-facing parts of the application based on the partner code.? I think that means: > > - Login theme I think we have covered this in the previous thread (dynamically branded login). In case your auth flow contains additional steps like optional OTP, and you want to brand them too, you can reuse already populated user session notes. Use the same technique (extend FreeMarkerLoginFormsProvider and override createCommonAttributes) to obtain partner code from the user session (via authenticationSession field) and push it to Freemarker context via template attributes. > - Email theme Similarly, extend FreeMarkerEmailTemplateProvider and override processTemplate() to pass your partner code from authenticationSession to the template attributes. > - Account theme This one will be a bit more complex, since FreeMarkerAccountProvider doesn't have authenticationSession field. However, you can use org.keycloak.services.managers.AuthenticationSessionManager to obtain current user session. As the final step, again override processTemplate(). 
Good luck, Dmitry > > Craig > > ================================= > Craig Setera > Chief Technology Officer > > > > > > On Sun, Nov 11, 2018 at 5:47 PM Dmitry Telegin
wrote: > > Hi Craig, you're welcome :) > > > > As for "theme engine", in fact there are five types thereof in Keycloak: > > - Welcome theme > > - Login theme > > - Admin console theme > > - Email theme > > - Account theme > > > > Which one is most relevant to your problem? And, more generally, what are you trying to achieve? > > > > Cheers, > > Dmitry > > > > On Sun, 2018-11-11 at 06:56 -0600, Craig Setera wrote: > > > Wow!? This is great.? Thanks so much.? I will have to give this a try this week and see if I can make it work.? You are correct that this is also the code that we want to use to drive our branding.? Are the session notes or token claims available to the theme engine??? > > >? > > > ================================= > > > Craig Setera > > > Chief Technology Officer > > > 415-324-5861 > > > craig at baseventure.com > > >? > > >? > > >? > > >? > > > > > > On Sat, Nov 10, 2018 at 11:31 PM Dmitry Telegin
wrote: > > > > Hello Craig, > > > > > > > > Thanks for the explanation, it's pretty clear now. I guess that "partner code" is the same parameter you use to dynamically brand your login themes, right? > > > > > > > > First, you need to extract it from your request parameters. In Keycloak, you can do this with a script authenticator. Things are a bit complicated by the fact that the initial incoming link (protocol/openid-connect/auth) does a POST to another endpoint (login-actions/authenticate), and the script authenticator is able to introspect only the second request. Query parameters do not survive POST, but still can be found in the Referer header; therefore, you need to fish them out of there. (NB this will only work unless sending this header is disabled in the browser by a paranoid user :) > > > > > > > > Create it as the last authenticator in the flow and make it "required". It's up to you how to handle the case where there is no "foo" parameter in the initial link. > > > > > > > > =================================================== > > > > function authenticate(context) { > > > > > > > >     var username = user ? user.username : "anonymous"; > > > > > > > >     // the Referer header carries the original protocol/openid-connect/auth URL, query string included > > > >     var uri = new java.net.URI(httpRequest.httpHeaders.getHeaderString("Referer")); > > > >     LOG.info(uri); > > > >     var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri); > > > >     var _foo = uriInfo.queryParameters['foo']; > > > >     if (_foo !== null) { > > > >         var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map > > > >         LOG.info(script.name + ": " + username + " foo=" + foo); > > > >         authenticationSession.setUserSessionNote("foo", foo); > > > >     } > > > > > > > >     context.success(); > > > > > > > > } > > > > =================================================== > > > >
> > > > (Quick remark on terminology: in Keycloak's terms, "attributes" are persistent pieces of data attached to a user, group or realm; you can find them in the corresponding GUI tabs. Transient data is called "[session] notes".) > > > >? > > > > Next, you will need to propagate it to the tokens. Again, JavaScript to the rescue, this time in the form of script mapper (client -> Mappers): > > > >? > > > > =================================================== > > > > var foo = userSession.notes["foo"]; > > > >? > > > > if (foo !== null) { > > > > ? token.setOtherClaims("foo", foo);? ?? > > > > } > > > > =================================================== > > > >? > > > > And voil?, your query parameter is now in the tokens :) > > > >? > > > > Good luck! > > > > Dmitry Telegin > > > > CTO, Acutus s.r.o. > > > > Keycloak Consulting and Training > > > >? > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > +42 (022) 888-30-71 > > > > E-mail: info at acutus.pro > > > >? > > > > On Sat, 2018-11-10 at 14:01 -0600, Craig Setera wrote: > > > > > Dmitry, > > > > >? > > > > > Thanks for responding and sorry for not being more clear.?? > > > > >? > > > > > The circumstance is that a username may be associated with multiple different companies in our system.? However, if the user is logging in from a link that originated from company X, we want to limit what they are authorized to view based on the incoming link to preserve the view of separate tenancy.? So, the partner code is provided (hidden) for each login.? The hope would be that it would be part of the initial login URL as a query parameter, be captured in Keycloak and then made available throughout the "session" associated with the access/refresh tokens. > > > > >? > > > > > Thanks! > > > > > Craig > > > > >? > > > > >? > > > > > ================================= > > > > > Craig Setera > > > > > Chief Technology Officer > > > > > 415-324-5861 > > > > > craig at baseventure.com > > > > >? > > > > >? 
> > > > >? > > > > >? > > > > > > > > On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin
wrote: > > > > > > Hell Craig, > > > > > >? > > > > > > Do you mean the user should enter a "partner code" along with login+password? (either as a 3rd field or in a separate screen) > > > > > > Or only once during registration / upon the first login? > > > > > >? > > > > > > Cheers, > > > > > > Dmitry Telegin > > > > > > CTO, Acutus s.r.o. > > > > > > Keycloak Consulting and Training > > > > > >? > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > > > +42 (022) 888-30-71 > > > > > > > > > > > > E-mail: info at acutus.pro? > > > > > >? > > > > > > On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote: > > > > > > > We have an attribute we use to allow customers to to "scope" or "namespace" > > > > > > > a users interaction with our system (a "partner code" that is known to our > > > > > > > system).??In our previous proprietary Java session-based security system, > > > > > > > this value was stored in the Java session at the time of login and used by > > > > > > > the authorization engine to further restrict what the user was allowed to > > > > > > > see. > > > > > > >? > > > > > > > As we transition to using Keycloak for authentication, I'm wondering if > > > > > > > there is a way to use Keycloak to manage this partner code during a login > > > > > > > session???Some way to send the value during the Keycloak login sequence and > > > > > > > then later retrieve it based on the access token? > > > > > > >? > > > > > > > Thanks for any insights. > > > > > > > Craig > > > > > > >? > > > > > > > ================================= > > > > > > > *Craig Setera* > > > > > > >? > > > > > > > *Chief Technology Officer* > > > > > > > _______________________________________________ > > > > > > > keycloak-user mailing list > > > > > > > keycloak-user at lists.jboss.org > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > >? > > > >? 
From craig at baseventure.com Tue Nov 13 18:07:25 2018
From: craig at baseventure.com (Craig Setera)
Date: Tue, 13 Nov 2018 17:07:25 -0600
Subject: [keycloak-user] Adding attributes during login
In-Reply-To: <1542149691.10365.4.camel@acutus.pro>
References: <1541879356.3515.1.camel@acutus.pro> <1541914268.3830.1.camel@acutus.pro> <1541980028.2048.1.camel@acutus.pro> <1542149691.10365.4.camel@acutus.pro>

Dmitry,

Thanks again for the various pointers. I'd like to believe that you've given me more than enough threads to pull on. Much appreciated!

Craig

=================================
*Craig Setera*
*Chief Technology Officer*

On Tue, Nov 13, 2018 at 4:55 PM Dmitry Telegin wrote:
> Hello Craig,
>
> Unfortunately I didn't have time for a full PoC, but here are some ideas that might be helpful.
>
> On Sun, 2018-11-11 at 19:12 -0600, Craig Setera wrote:
> > We want to "brand" (color and logo) the user-facing parts of the application based on the partner code. I think that means:
> >
> > - Login theme
>
> I think we have covered this in the previous thread (dynamically branded login). In case your auth flow contains additional steps like optional OTP, and you want to brand them too, you can reuse already populated user session notes.
>
> Use the same technique (extend FreeMarkerLoginFormsProvider and override createCommonAttributes) to obtain the partner code from the user session (via the authenticationSession field) and push it to the Freemarker context via template attributes.
>
> > - Email theme
>
> Similarly, extend FreeMarkerEmailTemplateProvider and override processTemplate() to pass your partner code from authenticationSession to the template attributes.
>
> > - Account theme
>
> This one will be a bit more complex, since FreeMarkerAccountProvider doesn't have an authenticationSession field. However, you can use org.keycloak.services.managers.AuthenticationSessionManager to obtain the current user session. As the final step, again override processTemplate().
>
> Good luck,
> Dmitry
>
> > Craig
> >
> > =================================
> > Craig Setera
> > Chief Technology Officer
> >
> > On Sun, Nov 11, 2018 at 5:47 PM Dmitry Telegin wrote:
> > > Hi Craig, you're welcome :)
> > >
> > > As for "theme engine", in fact there are five types thereof in Keycloak:
> > > - Welcome theme
> > > - Login theme
> > > - Admin console theme
> > > - Email theme
> > > - Account theme
> > >
> > > Which one is most relevant to your problem? And, more generally, what are you trying to achieve?
> > >
> > > Cheers,
> > > Dmitry
> > >
> > > On Sun, 2018-11-11 at 06:56 -0600, Craig Setera wrote:
> > > > Wow! This is great. Thanks so much. I will have to give this a try this week and see if I can make it work. You are correct that this is also the code that we want to use to drive our branding. Are the session notes or token claims available to the theme engine?
> > > >
> > > > =================================
> > > > Craig Setera
> > > > Chief Technology Officer
> > > > 415-324-5861
> > > > craig at baseventure.com
> > > >
> > > > On Sat, Nov 10, 2018 at 11:31 PM Dmitry Telegin wrote:
> > > > > Hello Craig,
> > > > >
> > > > > Thanks for the explanation, it's pretty clear now. I guess that "partner code" is the same parameter you use to dynamically brand your login themes, right?
> > > > >
> > > > > First, you need to extract it from your request parameters. In Keycloak, you can do this with a script authenticator. Things are a bit complicated by the fact that the initial incoming link (protocol/openid-connect/auth) does a POST to another endpoint (login-actions/authenticate), and the script authenticator is able to introspect only the second request. Query parameters do not survive POST, but still can be found in the Referer header; therefore, you need to fish them out of there. (NB this will not work if sending this header is disabled in the browser by a paranoid user :)
> > > > >
> > > > > Create it as the last authenticator in the flow and make it "required". It's up to you how to handle the case where there is no "foo" parameter in the initial link.
> > > > >
> > > > > ===================================================
> > > > > function authenticate(context) {
> > > > >
> > > > >     var username = user ? user.username : "anonymous";
> > > > >
> > > > >     var uri = new java.net.URI(httpRequest.httpHeaders.getHeaderString("Referer"));
> > > > >     LOG.info(uri);
> > > > >     var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
> > > > >     var _foo = uriInfo.queryParameters['foo'];
> > > > >     if (_foo !== null) {
> > > > >         var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
> > > > >         LOG.info(script.name + ": " + username + " foo=" + foo);
> > > > >         authenticationSession.setUserSessionNote("foo", foo);
> > > > >     }
> > > > >
> > > > >     context.success();
> > > > >
> > > > > }
> > > > > ===================================================
> > > > >
> > > > > (Quick remark on terminology: in Keycloak's terms, "attributes" are persistent pieces of data attached to a user, group or realm; you can find them in the corresponding GUI tabs. Transient data is called "[session] notes".)
> > > > >
> > > > > Next, you will need to propagate it to the tokens. Again, JavaScript to the rescue, this time in the form of script mapper (client -> Mappers):
> > > > >
> > > > > ===================================================
> > > > > var foo = userSession.notes["foo"];
> > > > >
> > > > > if (foo !== null) {
> > > > >     token.setOtherClaims("foo", foo);
> > > > > }
> > > > > ===================================================
> > > > >
> > > > > And voilà, your query parameter is now in the tokens :)
> > > > >
> > > > > Good luck!
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Sat, 2018-11-10 at 14:01 -0600, Craig Setera wrote:
> > > > > > Dmitry,
> > > > > >
> > > > > > Thanks for responding and sorry for not being more clear.
> > > > > >
> > > > > > The circumstance is that a username may be associated with multiple different companies in our system. However, if the user is logging in from a link that originated from company X, we want to limit what they are authorized to view based on the incoming link to preserve the view of separate tenancy. So, the partner code is provided (hidden) for each login. The hope would be that it would be part of the initial login URL as a query parameter, be captured in Keycloak and then made available throughout the "session" associated with the access/refresh tokens.
> > > > > >
> > > > > > Thanks!
> > > > > > Craig
> > > > > >
> > > > > > =================================
> > > > > > Craig Setera
> > > > > > Chief Technology Officer
> > > > > > 415-324-5861
> > > > > > craig at baseventure.com
> > > > > >
> > > > > > On Sat, Nov 10, 2018 at 1:49 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > > > > Hello Craig,
> > > > > > >
> > > > > > > Do you mean the user should enter a "partner code" along with login+password? (either as a 3rd field or in a separate screen)
> > > > > > > Or only once during registration / upon the first login?
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Dmitry Telegin
> > > > > > > CTO, Acutus s.r.o.
> > > > > > > Keycloak Consulting and Training
> > > > > > >
> > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > > > +42 (022) 888-30-71
> > > > > > > E-mail: info at acutus.pro
> > > > > > >
> > > > > > > On Sat, 2018-11-10 at 09:00 -0600, Craig Setera wrote:
> > > > > > > > We have an attribute we use to allow customers to "scope" or "namespace" a user's interaction with our system (a "partner code" that is known to our system).
> > > > > > > > In our previous proprietary Java session-based security system, this value was stored in the Java session at the time of login and used by the authorization engine to further restrict what the user was allowed to see.
> > > > > > > >
> > > > > > > > As we transition to using Keycloak for authentication, I'm wondering if there is a way to use Keycloak to manage this partner code during a login session? Some way to send the value during the Keycloak login sequence and then later retrieve it based on the access token?
> > > > > > > >
> > > > > > > > Thanks for any insights.
> > > > > > > > Craig
> > > > > > > >
> > > > > > > > =================================
> > > > > > > > *Craig Setera*
> > > > > > > >
> > > > > > > > *Chief Technology Officer*

From marco.lamina at sap.com Tue Nov 13 18:44:20 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Tue, 13 Nov 2018 23:44:20 +0000
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
Message-ID: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>

Hi,

I am trying to use Keycloak's token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2].

Expected behavior:
Token endpoint returns a list of all resources and scopes that the token's user has permission to access.

Observed behavior:
Token endpoint only returns resources that are owned by either the token's user or the resource server itself. Resources owned by other users are not listed, even though the token's user has permission to access them.

Is that a bug or expected behavior?

Links:

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
[2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545

Thanks,
Marco

From dt at acutus.pro Tue Nov 13 22:02:21 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 06:02:21 +0300
Subject: [keycloak-user] Custom authentication
In-Reply-To: <92f9ed9f-1adf-4da1-4b5a-4ede725d8c42@gmail.com>
References: <92f9ed9f-1adf-4da1-4b5a-4ede725d8c42@gmail.com>
Message-ID: <1542164541.10365.6.camel@acutus.pro>

Hello Vagelis,

Here's the outline of the solution as I see it:
- you'll need a custom authenticator, this could be either a Script authenticator or a Java-based one (Authentication SPI [1]);
- you'll need to modify or supply your own login page. The easiest way is to use a Theme Resource JAR [2];
- next, you need to decide how you would store role secrets. I'd recommend using the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*);
- then, you should establish a 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
- or maybe better introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, therefore queries will be slow;
- finally, you need a mechanism to manage your role secrets. If you want to use the Admin console GUI for that, you'll need to implement a REST endpoint [4] and your custom GUI theme [5].

So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above.

Feel free to ask questions, and good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
[3] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
[4] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[6] https://github.com/dteleguin/beercloak

On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
> Hello,
> I'd like some advice on how to go about implementing the following custom authentication scenario:
>   - A user, besides the standard username and password, optionally provides one more secret in the login screen.
>   - The secret is associated with a realm role (one to one) by the realm admin, and if matched the user is dynamically added to the corresponding role.
>   - If the secret isn't provided the user is normally authenticated and gets whatever roles he is assigned, like the default behavior.
>
> Of course I would like to avoid implementing an SPI for that :-) but if it is not possible to avoid it I'd appreciate any insights and advice.
> I admit I haven't carefully read the relevant SPI extension docs yet, hoping that there is some way of doing it without an SPI extension.
>
> Cheers,
>
> Vagelis

From dt at acutus.pro Tue Nov 13 22:15:06 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 06:15:06 +0300
Subject: [keycloak-user] SaaS idp brokering
Message-ID: <1542165306.10365.8.camel@acutus.pro>

Hello MJ,

Quick question: do you plan to decommission both your Keycloak and your sister institute's IdP, and migrate everything to a SaaS IdP? Or do you want both your IdPs to broker to SaaS? Or is your sister institute going to migrate to a SaaS IdP, and you have to broker to it from your Keycloak?

All the options are viable and will do the job. As always, each has benefits and drawbacks.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-13 at 10:23 +0100, mj wrote:
> Hi,
>
> This question is slightly off-topic, I hope it's allowed to ask here.
>
> We are using keycloak as an IdP, loving it. One of our sister institutes is using another (openid connect / saml2 compatible) IdP.
>
> Now a new project: Trying to achieve web SSO across both institutes, for several web applications, mostly supporting only one single IdP.
>
> We have made a PoC using keycloak's brokering function, and it worked nicely. However, our sister institute prefers a SaaS solution.
>
> I've done my googling, but terminology is confusingly different:
> - onelogin ("trusted IdP")
> - okta ("inbound federation")
> - gluu ("inbound identity")
> and obviously
> - keycloak ("IdP brokering") (but not saas)
>
> and I am not even sure that the above solutions are really the same as keycloak's IdP brokering, and that they would solve our SSO requirement.
> (doing a PoC would be the next step)
>
> So I am asking for recommendations from the gurus here. What are the do's and don'ts for something like this? Perhaps suggestions what to look for, what to avoid, what other products to take a look at, etc, etc.
>
> Insights?
>
> Thanks very much in advance, and again: apologies for being a bit off-topic, hope not to offend anyone.
>
> MJ

From dt at acutus.pro Tue Nov 13 22:31:13 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 06:31:13 +0300
Subject: [keycloak-user] Keycloak + Custom AuthenticatorFactory + Spring 5
In-Reply-To: <000001d47b1e$b980ac40$2c8204c0$@staff.aruba.it>
References: <000001d47b1e$b980ac40$2c8204c0$@staff.aruba.it>
Message-ID: <1542166273.10365.10.camel@acutus.pro>

Hello Tommaso,

The Spring framework needs to be initialized before you can use it, including booting the IoC container etc. Keycloak itself is a pure Java EE web application; I'm not sure this is possible in principle, and at the very least it would likely require source code modification. If you absolutely need to use Spring-based components, I'd recommend deploying them as a separate WAR/EAR with Spring inside, microservice style, and using some kind of IPC/RPC to call them from your Keycloak providers.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-13 at 08:01 +0100, Tommaso Tamantini wrote:
> Hi to all,
>
> I'm trying to develop a custom AuthenticatorFactory with a custom Authenticator.
>
> I would like to inject my custom Authenticator as a Spring Bean into my custom AuthenticatorFactory (because my authenticator should use an existing Spring library).
>
> My authenticator is like:
>
> @Component
> public class MyAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator {
>     [...]
>
> To achieve it, I created an ApplicationContextAware bean:
>
> @Service
> public class BeanUtil implements ApplicationContextAware {
>
>     private static ApplicationContext applicationContext;
>
>     public BeanUtil() {
>     }
>
>     @Override
>     public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
>         // static field: only ever populated if Spring actually instantiates this bean
>         BeanUtil.applicationContext = applicationContext;
>     }
>
>     public static Authenticator getAuthenticatorBean() {
>         return applicationContext.getBean(MyAuthenticator.class);
>     }
>
> }
>
> My factory is:
>
> public class MyAuthenticatorFactory implements AuthenticatorFactory, ConfigurableAuthenticatorFactory {
>
>     public static final String PROVIDER_ID = "aruba-alias-authenticator";
>
>     public static final String G_RECAPTCHA_RESPONSE = "g-recaptcha-response";
>     public static final String RECAPTCHA_REFERENCE_CATEGORY = "recaptcha";
>     public static final String SITE_KEY = "site.key";
>     public static final String NUMBER_KEY = "number.key";
>     public static final String SITE_SECRET = "secret";
>
>     @Override
>     public String getId() {
>         return PROVIDER_ID;
>     }
>
>     @Override
>     public Authenticator create(KeycloakSession session) {
>         return BeanUtil.getAuthenticatorBean();
>     }
>
>     [...]
>
> Keycloak starts up correctly.
>
> When I try to use myAuthenticator, I get:
>
> 16:46:48,484 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://0.0.0.0:9990/management
> sia-keycloak | 16:46:48,484 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://0.0.0.0:9990
> sia-keycloak | 16:46:48,485 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in 23456ms - Started 943 of 1231 services (653 services are lazy, passive or on-demand)
> sia-keycloak | 16:47:12,357 WARN  [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
> sia-keycloak |     at ...authenticator.alias.BeanUtil.getArubaAliasAuthenticatorBean(BeanUtil.java:22)
> sia-keycloak |     at ..authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.java:35)
> sia-keycloak |     at ...authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.java:1)
>
> The reason is that the Spring Context is null.
>
> Any idea about how to fix this issue?
>
> Many thanks,
> Tom

From dt at acutus.pro Tue Nov 13 23:04:49 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 07:04:49 +0300
Subject: [keycloak-user] EVENTTYPE for a temporarily disabled user
In-Reply-To: <4dc8e3ce-50da-497a-6db0-c4142beeb756@breust.de>
References: <4dc8e3ce-50da-497a-6db0-c4142beeb756@breust.de>
Message-ID: <1542168289.10365.12.camel@acutus.pro>

Hello Anneke,

I encountered exactly the same problem about a year ago, also trying to collect custom metrics from Keycloak. The matter is, all the data layer in Keycloak is accessed through the Infinispan facade.

The idea is, if there is no built-in event type in Keycloak, you can still hook directly into the corresponding Infinispan cache and listen for its events. (Thanks Marek Posolda for pointing this out.)

The workflow is roughly the following:
- write a dummy provider (+factory);
- upon startup, use KeycloakSession::getProvider(InfinispanConnectionProvider.class) to retrieve the default Infinispan connection;
- get the users cache;
- get the cache manager;
- call addListener to register your event handler.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-06 at 14:31 +0100, Anneke Breust wrote:
> Hi,
>
> in the context of customized Prometheus metrics I am looking for an Event which is emitted whenever a user is temporarily disabled (and a counterpart which is emitted when the disabled user is enabled again). The goal is to be able to monitor the number of currently disabled users as well as how many times in a specific time span a user has been disabled. I looked through the EventTypes here https://www.keycloak.org/docs-api/3.2/javadocs/org/keycloak/events/EventType.html but I didn't find anything useful - did I overlook something?
>
> Thanks in advance,
>
> Anneke

From dt at acutus.pro Tue Nov 13 23:20:55 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 07:20:55 +0300
Subject: [keycloak-user] Notify Keycloak Bearer Clients on Admin Actions
Message-ID: <1542169255.10365.14.camel@acutus.pro>

Hello Miguel,

There is no default mechanism to notify clients, so you'll have to implement it yourself. That shouldn't be that hard, especially given that it's a perfect case for a message-driven solution.
I'd suggest that you use Keycloak's built-in ActiveMQ Artemis message broker [1], which supports persistence and message redelivery. Write your EventListenerProvider, listen for AdminEvents, publish them to MQ and subscribe your clients to it. If your clients are also Java-based, JMS should be your choice. Otherwise, you should be using AMQP directly.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] http://activemq.apache.org/artemis/

On Tue, 2018-11-06 at 15:27 +0200, Miguel Haber wrote:
> Hi,
>
> I'm just wondering about one scenario where I'm running:
>
> - Keycloak server (using it as a user base, and for authentication/authorization)
> - 3 resource servers connected to the Keycloak as bearer-only clients
>
> These resource servers store separate information about users.
>
> One use case I need to investigate:
>
> - Keycloak admin logs in, deletes one user that has data in all 3 resource servers
>
> Questions:
>
> 1) Do the 3 resource servers get notified at the moment in order to purge the user data from their DBs?
> 2) What if 1 resource server is offline, does it get notified as soon as it goes back online?
>
> Thanks

From geoff at opticks.io Wed Nov 14 02:26:42 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Wed, 14 Nov 2018 08:26:42 +0100
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>

Sounds like a bug. I know there is a bug in the policy evaluation code that can result in some permissions being missed and I understand that it will be fixed in 4.6.

That being said, when I request all the permissions for the token's owner, I do get the expected result except for some missing scopes due to said bug. Are you sure your policies are built correctly? Did you build a policy granting permissions to resource owners?

On Wed, Nov 14, 2018, 00:52 Lamina, Marco wrote:
> Hi,
> I am trying to use Keycloak's token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token's user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token's user or the resource server itself. Resources owned by other users are not listed, even though the token's user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco

From vagelis.savvas at gmail.com Wed Nov 14 02:50:41 2018
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Wed, 14 Nov 2018 09:50:41 +0200
Subject: [keycloak-user] Custom authentication
In-Reply-To: <1542164541.10365.6.camel@acutus.pro>
References: <92f9ed9f-1adf-4da1-4b5a-4ede725d8c42@gmail.com> <1542164541.10365.6.camel@acutus.pro>

Thanks a lot Dmitry!
Your explanation sounds pretty straightforward, I'll go about implementing it soon and keep you up to date with feedback.

Cheers,
Vagelis

On 14/11/2018 05:02, Dmitry Telegin wrote:
> Hello Vagelis,
>
> Here's the outline of the solution as I see it:
> - you'll need a custom authenticator, this could be either a Script authenticator or a Java-based one (Authentication SPI [1]);
> - you'll need to modify or supply your own login page. The easiest way is to use a Theme Resource JAR [2];
> - next, you need to decide how you would store role secrets. I'd recommend using the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*);
> - then, you should establish a 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
> - or maybe better introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, therefore queries will be slow;
> - finally, you need a mechanism to manage your role secrets. If you want to use the Admin console GUI for that, you'll need to implement a REST endpoint [4] and your custom GUI theme [5].
>
> So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above.
>
> Feel free to ask questions, and good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
> [2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
> [3] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [4] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [6] https://github.com/dteleguin/beercloak
>
> On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
>> Hello,
>> I'd like some advice on how to go about implementing the following custom authentication scenario:
>>   - A user, besides the standard username and password, optionally provides one more secret in the login screen.
>>   - The secret is associated with a realm role (one to one) by the realm admin, and if matched the user is dynamically added to the corresponding role.
>>   - If the secret isn't provided the user is normally authenticated and gets whatever roles he is assigned, like the default behavior.
>>
>> Of course I would like to avoid implementing an SPI for that :-) but if it is not possible to avoid it I'd appreciate any insights and advice.
>> I admit I haven't carefully read the relevant SPI extension docs yet, hoping that there is some way of doing it without an SPI extension.
>>
>> Cheers,
>>
>> Vagelis

From Ori.Doolman at amdocs.com Wed Nov 14 05:36:14 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 14 Nov 2018 10:36:14 +0000
Subject: [keycloak-user] SSO experience

Hi,

I have 2 applications: one is desktop (Windows) and the other one is a web application.
My desktop application performs authentication and login using Keycloak, and gets a JWT Access Token.
My web application is using the Keycloak JS adapter to perform the same.

After I log in to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?

Maybe I can pass the token and refresh token from the desktop application as init parameters to Keycloak-JS? I see the following code is checking if initOptions contains the token:

    function processInit() {
        var callback = parseCallback(window.location.href);

        if (callback) {
            window.history.replaceState({}, null, callback.newUrl);
        }

        if (callback && callback.valid) {
            return setupCheckLoginIframe().success(function() {
                processCallback(callback, initPromise);
            }).error(function (e) {
                initPromise.setError();
            });
        } else if (initOptions) {
            if (initOptions.token && initOptions.refreshToken) {
                setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);

Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima

Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis.
Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 3506 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181114/9f5d0de9/attachment.png From hannah.short at cern.ch Wed Nov 14 06:24:50 2018 From: hannah.short at cern.ch (Hannah Short) Date: Wed, 14 Nov 2018 11:24:50 +0000 Subject: [keycloak-user] Authenticated Protocol Mapper? Message-ID: Hi, I?d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? The objective is for the mapper to be able to call an API that is protected also by Keycloak. The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow. Any guidance, including alternative approaches, would be appreciated! Cheers, Hannah From psilva at redhat.com Wed Nov 14 07:03:52 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 14 Nov 2018 10:03:52 -0200 Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions In-Reply-To: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com> References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com> Message-ID: When asking for *all* permissions a user has, the policy evaluation engine resolves the resources as follows: 1) Get all resources owned by the user 2) Get all resources owned by the resource server 3) Get all resources granted by another user to the user based on UMA and permission tickets. NOTE: when doing an "all" request we don't fetch all resources managed by the server. 
If you are not getting the resources owned by other users, it is probably because they were not granted based on permission tickets (UMA flow). I would suggest you get the id for one of these resources and send an authorization request using the resource id to see what you get.

Regards.
Pedro Igor

On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco wrote:

> Hi,
> I am trying to use Keycloak's token endpoint to obtain a list of all
> resources and the respective scopes that a user has permission to access.
> However, the behavior I am observing does not match what is described in
> the documentation (Link [1]). I am using the token endpoint as shown in
> Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token's
> user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token's
> user or the resource server itself. Resources owned by other users are not
> listed, even though the token's user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2]
> https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Nov 14 07:05:12 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Nov 2018 10:05:12 -0200
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To:
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>
Message-ID:

+1. However, that issue that was fixed only impacts scope-based permissions.
On Wed, Nov 14, 2018 at 5:34 AM Geoffrey Cleaves wrote:

> Sounds like a bug. I know there is a bug in the policy evaluation code that
> can result in some permissions being missed and I understand that it will
> be fixed in 4.6.
>
> That being said, when I request all the permissions for the token's owner,
> I do get the expected result except for some missing scopes due to said
> bug. Are you sure your policies are built correctly? Did you build a policy
> granting permissions to resource owners?
>
> On Wed, Nov 14, 2018, 00:52 Lamina, Marco
>
> > Hi,
> > I am trying to use Keycloak's token endpoint to obtain a list of all
> > resources and the respective scopes that a user has permission to access.
> > However, the behavior I am observing does not match what is described in
> > the documentation (Link [1]). I am using the token endpoint as shown in
> > Link [2].
> >
> > Expected behavior:
> > Token endpoint returns a list of all resources and scopes that the
> > token's user has permission to access.
> >
> > Observed behavior:
> > Token endpoint only returns resources that are owned by either the
> > token's user or the resource server itself. Resources owned by other users are
> > not listed, even though the token's user has permission to access them.
> >
> > Is that a bug or expected behavior?
> >
> > Links:
> >
> > [1]
> > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> > [2]
> > https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
> >
> > Thanks,
> > Marco
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From orwittatibm at gmail.com Wed Nov 14 07:49:20 2018
From: orwittatibm at gmail.com (Oliver-Rainer Wittmann)
Date: Wed, 14 Nov 2018 13:49:20 +0100
Subject: [keycloak-user] Update user attributes on login
Message-ID: <2C8A4D72-F9FD-4A8D-9F60-1985BA800798@gmail.com>

Hi,

I have a running keycloak with a custom identity provider - corresponding implementation of AbstractOAuth2IdentityProvider

On registration of a user certain user attributes are stored and mapped into the token.
Now, I want to update these user attributes on following logins.

How to do this?
Unfortunately, I did not find a corresponding hint in the documentation.

Thx in advance for your support.

Best regards, Oliver

From SvenErik.Jeroschewski at bosch-si.com Wed Nov 14 08:51:02 2018
From: SvenErik.Jeroschewski at bosch-si.com (Jeroschewski Sven Erik (INST-CSS/BSV-OS))
Date: Wed, 14 Nov 2018 13:51:02 +0000
Subject: [keycloak-user] UMA 2.0 manage shared access with Rest-API
Message-ID: <6c720e7cbfb94933b5d6a40a618a6635@bosch-si.com>

Hello everyone,

is there an example project or tutorial with UMA 2.0 where the user can give his consent regarding shared access using the Rest-API of Keycloak?

We already had a look at the "app-authz-uma-photoz" project from the "keycloak-quickstarts" repository.
However, the example integrates a Keycloak website where the user can manage the requests for her/his resources. In our application we would like to have a custom service through which the user can manage his/her resources, can get notifications for new requests, and can define rules for permissions that are set automatically when a new resource is created or a new request is coming in.

For example, we have a use case in which an application creates new resources where the user is the resource owner. This resource should be accessible by another user by default or the uploading application should be able to grant access in the name of the resource owner.

We would be glad for any comments and recommendations on our approach.

Mit freundlichen Grüßen / Best regards

Sven Erik Jeroschewski

Open Source Services - Product Group Customer Success Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-416 | Mobile +49 152 24308225 | SvenErik.Jeroschewski at bosch-si.com

Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

From thesofiane at gmail.com Wed Nov 14 09:17:50 2018
From: thesofiane at gmail.com (So Be)
Date: Wed, 14 Nov 2018 15:17:50 +0100
Subject: [keycloak-user] Upgrade Keycloak running in Docker
Message-ID:

Hi,

I am running keycloak 3 in a docker container. Is it possible to upgrade to v4 or to the latest version without pulling a new image?
The reason for my question is that I don't want to configure the realms, clients, etc from scratch.

Do you have any advice for this?
Thank you.

Sofiane.
From thesofiane at gmail.com Wed Nov 14 09:22:01 2018
From: thesofiane at gmail.com (So Be)
Date: Wed, 14 Nov 2018 15:22:01 +0100
Subject: [keycloak-user] User registration
Message-ID:

I want to enable user registration, it works fine, but after successful registration (email confirmation, etc), the new user is first redirected to "account management" and not directly to the client (in my case JupyterHub).

Is there a solution to avoid users getting the account management page?

Best,

Sofiane.

From stuarta at squashedfrog.net Wed Nov 14 09:56:55 2018
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Wed, 14 Nov 2018 14:56:55 +0000
Subject: [keycloak-user] Upgrade Keycloak running in Docker
In-Reply-To:
References:
Message-ID: <107c07df-8ee2-5913-d889-0f0a9b2a9db0@squashedfrog.net>

On 14/11/2018 14:17, So Be wrote:
> Hi,
> I am running keycloak 3 in a docker container. Is it possible to upgrade
> to v4 or the to the latest version without pulling new image?
> The reason of my question is that I don't want to configure the realms,
> clients, etc from scratch.
>
> Do you have an advice for this?
> Thank you.
>

I believe you are missing the point. You can't actually upgrade without pulling the new container.

I'm hoping you are using an external database, and not the default built-in database?

Upgrade procedure should be

- Shutdown currently running container
- Ensure you have a docker tag (other than latest) against the container you are currently using.
- Backup database
- Pull new image
- Start new image, and it should automatically upgrade the DB to new version.

For rollback, you can restore the DB, and start the container from the earlier version tag.
Regards
Stuart

From psilva at redhat.com Wed Nov 14 10:12:36 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Nov 2018 13:12:36 -0200
Subject: [keycloak-user] UMA 2.0 manage shared access with Rest-API
In-Reply-To: <6c720e7cbfb94933b5d6a40a618a6635@bosch-si.com>
References: <6c720e7cbfb94933b5d6a40a618a6635@bosch-si.com>
Message-ID:

Hi, building your own service should be fine if you use parts of the API that we provide.

1) User can manage his/her resources

Take a look at the Protection API, the Resource Management Endpoint in particular [1].

2) Notifications and management of authorization requests

We have an undocumented endpoint that exposes the permission tickets, which represent authorization requests pending for approval or already approved by the resource owner. For now, you could take a look at the app-authz-uma-photoz to check there how we are using this endpoint to fetch "shared resources" [2].

3) Define rules for permissions that are set automatically when a new resource is created

You have some options here. If you have a typed resource (owned by the resource server itself) and a set of permissions associated with this resource, when you create a new user resource (user is the owner, thus it is considered a resource instance) any permission defined for the typed resource will be applied to the user resource.

You can also manage permissions/policies through the Admin REST API, just like we do in the Keycloak admin console. For User-Managed resources, you can also use the User-Managed Policy API [3].

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api
[2] https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101
[3] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api

Regards.
Pedro Igor

On Wed, Nov 14, 2018 at 12:00 PM Jeroschewski Sven Erik (INST-CSS/BSV-OS) <
SvenErik.Jeroschewski at bosch-si.com> wrote:

> Hello everyone,
>
> is there an example project or tutorial with UMA 2.0 where the user can
> give his consent regarding shared access using the Rest-API of Keycloak?
>
> We already had a look at the "app-authz-uma-photoz" project from the
> "keycloak-quickstarts" repository. However, the example integrates a
> Keycloak website where the user can manage the requests for her/his
> resources. In our application we would like to have a custom service
> through which the user can manage his/her resources, can get notifications
> for new requests, and can define rules for permissions that are set
> automatically when a new resource is created or a new request is coming in.
>
> For example, we have a use case in which an application creates new
> resources where the user is the resource owner. This resource should be
> accessible by another user by default or the uploading application should
> be able to grant access in the name of the resource owner.
>
> We would be glad for any comments and recommendations on our approach.
>
> Mit freundlichen Grüßen / Best regards
>
> Sven Erik Jeroschewski
>
> Open Source Services - Product Group Customer Success Services
> (INST-CSS/BSV-OS)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-416 | Mobile +49 152 24308225 |
> SvenErik.Jeroschewski at bosch-si.com
>
> Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Wed Nov 14 10:21:12 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Nov 2018 13:21:12 -0200
Subject: [keycloak-user] UMA fine grained management in the client itself
In-Reply-To:
References:
Message-ID:

Hi, answers inline.

In general, I need to document this endpoint https://github.com/keycloak/keycloak/blob/5a9bfea419f37267afb656ea4bfce1ff1489384f/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java#L57 .

On Tue, Nov 13, 2018 at 6:56 PM Pierre Nowak wrote:

> Hello,
>
> I have difficulties finding the best way of protecting resources using
> Authorization Services or UMA.
>
> Here is the following problem:
>
> user1 creates resource/item/id1
> user2 creates resource/item/id2
>
> I want to be able in my nodejs confidential client to:
>
> 1. list users that have access to a specific item (eg: item/id1)

Being the resource owner, user1 will always have access to item/id1, I guess. To fetch other users with access to this resource after resource owner's approval, you can use this example [1].

[1] https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-uma-photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L101

> 2. list all resources a user has access to (not only the ones he has,
> but also the ones other users shared with him)

The same as above.

> 3. permit a user to access a resource

The same endpoint also allows you to create permission tickets and grant access to the resource. Best is to follow the UMA flow though, for privacy reasons.

> 4. remove the access of a user to a resource

Same endpoint as above.

> I saw in photoz UMA example a nice UI directly in keycloak.
> I would like to
> reproduce this tab directly in my client calling APIs to Keycloak. The
> reason is the tab in the account page doesn't give enough functionality, for
> example if I want to join some detail about the resources that would only
> be available in my resource server.
>
> I saw the resource set api and a node package (
> https://github.com/proficonf/keycloak-authz) that tries to manage the
> resources only
> but I can't find APIs that directly handle the 4 steps I just mentioned.
>
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lists at merit.unu.edu Wed Nov 14 12:37:21 2018
From: lists at merit.unu.edu (lists)
Date: Wed, 14 Nov 2018 18:37:21 +0100
Subject: [keycloak-user] SaaS idp brokering
In-Reply-To: <1542165306.10365.8.camel@acutus.pro>
References: <1542165306.10365.8.camel@acutus.pro>
Message-ID: <7e9acb90-50cb-262d-73c3-421214dc88ac@merit.unu.edu>

Hi Dmitri,

Thanks for your follow-up.

The idea is to both keep our current IdPs, and use an 'umbrella' brokering IdP for the applications that need to be shared between the two institutes.

It's just the brokering IdP that has to be SaaS.

We also just discovered Ping Identity, making our shortlist:

- PingIdentity
- OneLogin
- okta
- gluu

Anyone here with arguments against / in favour of / experience with one of these options?

MJ

On 14-11-2018 4:15, Dmitry Telegin wrote:
> Quick question: do you plan to decommission both your Keycloak and
> sister institute's IdP, and migrate everything to a SaaS IdP? Or you
> want both your IdPs broker to SaaS? Or is your sister institute going
> to migrate to SaaS IdP, and you have to broker to it from your
> Keycloak?
From dt at acutus.pro Wed Nov 14 12:37:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 20:37:46 +0300
Subject: [keycloak-user] User registration
In-Reply-To:
References:
Message-ID: <1542217066.2133.1.camel@acutus.pro>

Hello Sofiane,

I've just tested this workflow with Keycloak 4.5.0:
- try to access a test application secured by Keycloak;
- login screen is shown;
- click Register, complete the process;
- you will be logged in and redirected to the test application.

How exactly do your clients register themselves? If they go to JupyterHub first, like in the workflow above, at the end they will land right there.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-11-14 at 15:22 +0100, So Be wrote:
> I want to enable user registration, it works fine, but after successful
> registration (email confirmation, etc), the new user is first redirected to
> "account management" and not directly to the client (in my case
> JupyterHub).
>
> Is there a solution to avoid users to get the account management page?
>
> Best,
>
> Sofiane.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Nov 14 13:02:34 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 21:02:34 +0300
Subject: [keycloak-user] Update user attributes on login
In-Reply-To: <2C8A4D72-F9FD-4A8D-9F60-1985BA800798@gmail.com>
References: <2C8A4D72-F9FD-4A8D-9F60-1985BA800798@gmail.com>
Message-ID: <1542218554.2133.3.camel@acutus.pro>

Hello Oliver,

If you mean the very attributes that you can see under the user's "Attributes" tab in the Admin console, you can use a script authenticator to do that:

    // Script authenticator: Keycloak binds "user" (the UserModel, or null if
    // no user has been identified yet), "script" and "LOG" into the script scope.
    function authenticate(context) {
        var username = user ? user.username : "anonymous";
        LOG.info(script.name + " trace auth for: " + username);

        if (user) {
            LOG.info(user.attributes.foo); // multivalued map: attribute name -> list of values

            // replace existing value
            user.attributes.foo[0] = "bar";

            // or create new attribute ("new" is required for Java constructors in Nashorn)
            user.attributes.bar = new java.util.ArrayList(['foo', 'bar', 'baz']);
        }

        context.success();
    }

Add this as the last step in your flow and make it required.

Please note that the attributes are always multivalued in the model. This is not yet implemented in the GUI, but you can use ## to separate multiple values. That said, the value of the "bar" attribute will be seen as "foo##bar##baz" under the Attributes tab.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-11-14 at 13:49 +0100, Oliver-Rainer Wittmann wrote:
> Hi,
>
> I have a running keycloak with a custom identity provider - corresponding implementation of AbstractOAuth2IdentityProvider
>
> On registration of a user certain user attributes are stored and mapped into the token.
> Now, I want to update these user attributes on following logins.
>
> How to do this?
> Unfortunately, I did not find a corresponding hint in the documentation.
>
> Thx in advance for your support.
>
> Best regards, Oliver
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Nov 14 13:15:15 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 21:15:15 +0300
Subject: [keycloak-user] SaaS idp brokering
In-Reply-To: <7e9acb90-50cb-262d-73c3-421214dc88ac@merit.unu.edu>
References: <1542165306.10365.8.camel@acutus.pro> <7e9acb90-50cb-262d-73c3-421214dc88ac@merit.unu.edu>
Message-ID: <1542219315.2133.5.camel@acutus.pro>

Hi, you're welcome,

On Wed, 2018-11-14 at 18:37 +0100, lists wrote:
> Hi Dmitri,
>
> Thanks for your follow-up.
>
> The idea is to both keep our current IdP's, and use an 'umbrella'
> brokering IdP for the applications that need to be shared between the
> two institutes.
>
> It's just the brokering IdP that has to be SaaS.

Thanks for the info, it's clear now.

> We also just discovered Ping Identity, making our shortlist:
>
> - PingIdentity
> - OneLogin
> - okta
> - gluu
>
> Anyone here with arguments against / in favour of / experience with one
> of these options?

I used to work with PingIdentity (or rather on-premise PingFederate) and Okta, using SAML in both cases, and the results were perfect. For Okta, I'd recommend an excellent article by Michael Furman [1]. Michael uses SAML too; I don't know if you're going to use SAML or OpenID Connect, but in the latter case the process should be similar. Please read this [2] on the protocol choice.

NB you can use whatever combination of protocols you like (OIDC at Keycloak + SAML at SaaS IdP or vice versa), but probably unless you're seriously considering IdP-initiated login. In that case, things work more smoothly with pure SAML.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://ultimatesecurity.pro/post/okta-saml/
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-vs-saml

>
> MJ
>
> On 14-11-2018 4:15, Dmitry Telegin wrote:
> > Quick question: do you plan to decommission both your Keycloak and
> > sister institute's IdP, and migrate everything to a SaaS IdP? Or you
> > want both your IdPs broker to SaaS? Or is your sister institute going
> > to migrate to SaaS IdP, and you have to broker to it from your
> > Keycloak?

From dt at acutus.pro Wed Nov 14 13:27:41 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 21:27:41 +0300
Subject: [keycloak-user] Authenticated Protocol Mapper?
In-Reply-To:
References:
Message-ID: <1542220061.2133.7.camel@acutus.pro>

Hello Hannah,

Just to make it clear: is your API secured by the same Keycloak instance? Does it belong to the same realm? If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity.

However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
> Hi,
>
> I'd like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible?
>
> The objective is for the mapper to be able to call an API that is protected also by Keycloak.
>
> The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow.
>
> Any guidance, including alternative approaches, would be appreciated!
>
> Cheers,
> Hannah
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Nov 14 13:34:23 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 14 Nov 2018 21:34:23 +0300
Subject: [keycloak-user] SSO experience
In-Reply-To:
References:
Message-ID: <1542220463.2133.9.camel@acutus.pro>

Hello Ori,

How do you implement SSO for your desktop application? Are you using kcinit [1] or KeycloakInstalled [2]? Both will do interactive login via the system browser, that means, SSO cookies should be shared with whatever web application that is run therein.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/kcinit
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter

On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> Hi,
> I have 2 applications: one is desktop (Windows) and the other one is a web application.
> My desktop application performs authentication and login using Keycloak, and getting a JWT Access Token.
> My web application is using the Keycloak JS adapter to perform the same.
>
> After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
>
> Maybe I can pass the token and refresh token from desktop application as init parameters to the Keycloak-JS?
> I see the following code is checking if initOptions contains the token:
>
>             function processInit() {
>                 var callback = parseCallback(window.location.href);
>
>                 if (callback) {
>                     window.history.replaceState({}, null, callback.newUrl);
>                 }
>
>                 if (callback && callback.valid) {
>                     return setupCheckLoginIframe().success(function() {
>                         processCallback(callback, initPromise);
>                     }).error(function (e) {
>                         initPromise.setError();
>                     });
>                 } else if (initOptions) {
>                     if (initOptions.token && initOptions.refreshToken) {
>                         setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> "Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From marco.lamina at sap.com Wed Nov 14 13:44:03 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Wed, 14 Nov 2018 18:44:03 +0000
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To:
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>
Message-ID:

The permission to my resources is not given using the UMA flow, but by policies and permissions that I defined manually.

For example, I have a resource-type-based permission that combines two policies with the "affirmative" strategy:

1. "User is resource owner" - JS-based policy
2. "User is admin" - role-based policy

My assumption was that this will grant full access to any resources of that type if a user is either its owner or is assigned the "admin" role. Using the evaluation tool, I can verify that admins have permission to access any resource of that type with any scope. But still, these resources do not show up in the permissions list I receive from the token endpoint.

For context: I need this type of request to query my database for all objects that a given token has access to. Maybe I'm going about this the wrong way? Would love to hear your suggestions!

From: Pedro Igor Silva
Date: Wednesday, November 14, 2018 at 4:04 AM
To: "Lamina, Marco"
Cc: keycloak-user
Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions

When asking for *all* permissions a user has, the policy evaluation engine resolves the resources as follows:

1) Get all resources owned by the user
2) Get all resources owned by the resource server
3) Get all resources granted by another user to the user based on UMA and permission tickets.

NOTE: when doing an "all" request we don't fetch all resources managed by the server.
If you are not getting the resources owned by other users, it is probably because they were not granted based on permission tickets (UMA flow). I would suggest you get the id for one of these resources and send an authorization request using the resource id to see what you get.

Regards.
Pedro Igor

On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco wrote:
Hi,
I am trying to use Keycloak's token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2].

Expected behavior:
Token endpoint returns a list of all resources and scopes that the token's user has permission to access.

Observed behavior:
Token endpoint only returns resources that are owned by either the token's user or the resource server itself. Resources owned by other users are not listed, even though the token's user has permission to access them.

Is that a bug or expected behavior?

Links:

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
[2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545

Thanks,
Marco

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Nov 14 15:34:47 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Nov 2018 18:34:47 -0200
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To:
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>
Message-ID:

I see. As I mentioned before, the specific resource (owned by a different user) is not processed by the policy evaluation engine.
For this particular case, if the user is granted with the typed resource you could just assume that she/he can fetch any resource from the database with the same logical type, right?

On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco wrote:

> The permission to my resources is not given using the UMA flow, but by
> policies and permissions that I defined manually.
>
> For example, I have a resource-type-based permission that combines two
> policies with the "affirmative" strategy:
>
> 1. "User is resource owner" - JS-based policy
> 2. "User is admin" - role-based policy
>
> My assumption was that this will grant full access to any resources of
> that type if a user is either its owner or is assigned the "admin" role.
> Using the evaluation tool, I can verify that admins have permission to
> access any resource of that type with any scope. But still, these resources
> do not show up in the permissions list I receive from the token endpoint.
>
> For context: I need this type of request to query my database for all
> objects that a given token has access to. Maybe I'm going about this the
> wrong way? Would love to hear your suggestions!
>
> *From: *Pedro Igor Silva
> *Date: *Wednesday, November 14, 2018 at 4:04 AM
> *To: *"Lamina, Marco"
> *Cc: *keycloak-user
> *Subject: *Re: [keycloak-user] Unspecified behavior of token endpoint
> when obtaining permissions
>
> When asking for *all* permissions a user has, the policy evaluation engine
> resolves the resources as follows:
>
> 1) Get all resources owned by the user
> 2) Get all resources owned by the resource server
> 3) Get all resources granted by another user to the user based on UMA and
> permission tickets.
>
> NOTE: when doing an "all" request we don't fetch all resources managed by
> the server.
>
> If you are not getting the resources owned by other users is probably
> because they were not granted based on permission tickets (UMA flow). I
> would suggest you to get the id for one of these resources and send an
> authorization request using the resource id to see what you get.
>
> Regards.
> Pedro Igor
>
> On Tue, Nov 13, 2018 at 9:50 PM Lamina, Marco wrote:
>
> Hi,
> I am trying to use Keycloak's token endpoint to obtain a list of all
> resources and the respective scopes that a user has permission to access.
> However, the behavior I am observing does not match what is described in
> the documentation (Link [1]). I am using the token endpoint as shown in
> Link [2].
>
> Expected behavior:
> Token endpoint returns a list of all resources and scopes that the token's
> user has permission to access.
>
> Observed behavior:
> Token endpoint only returns resources that are owned by either the token's
> user or the resource server itself. Resources owned by other users are not
> listed, even though the token's user has permission to access them.
>
> Is that a bug or expected behavior?
>
> Links:
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
> [2]
> https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From marco.lamina at sap.com Wed Nov 14 15:55:48 2018
From: marco.lamina at sap.com (Lamina, Marco)
Date: Wed, 14 Nov 2018 20:55:48 +0000
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To:
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com>
Message-ID: <50CD5317-9273-4407-8469-87D5B24B3F62@sap.com>

Correct, in this particular case that might be true. However, in the future there will be a more complex scenario with different types of permissions and users involved.
For now I am using the following workaround to implement my use case on the resource server:

1. Request a PAT token from Keycloak
2. List all resources of a certain type via {keycloak}/auth/realms/${realm_name}/authz/protection/resource_set?type={type}
3. Send a permissions request to the token endpoint with a permission={resource_id}#{my_scope} item for every resource ID from 2), using the user's access token in the header
4. The resulting list contains all resources a user can access with a given scope

This gives me the correct result, but doesn't scale well if I end up having a lot of resources.

From psilva at redhat.com Wed Nov 14 16:40:23 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Nov 2018 19:40:23 -0200
Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions
In-Reply-To: <50CD5317-9273-4407-8469-87D5B24B3F62@sap.com>
References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com> <50CD5317-9273-4407-8469-87D5B24B3F62@sap.com>
Message-ID:

I mentioned a possible solution in another thread which was about data filtering. What if you push back claims from your policies where these claims represent conditions that should be added to your query. See http://lists.jboss.org/pipermail/keycloak-user/2018-November/016213.html.

Regards.
Pedro Igor
> > Links: > > [1] > https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions > [2] > https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13658545 > > Thanks, > Marco > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From marco.lamina at sap.com Wed Nov 14 18:37:42 2018 From: marco.lamina at sap.com (Lamina, Marco) Date: Wed, 14 Nov 2018 23:37:42 +0000 Subject: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions In-Reply-To: References: <93622CAC-1CFE-48C6-9CC3-D2AD9047CF1A@sap.com> <50CD5317-9273-4407-8469-87D5B24B3F62@sap.com> Message-ID: I looked at push claims and I like the idea, but I wasn?t able to come up with a scenario that would support my use case. From: Pedro Igor Silva Date: Wednesday, November 14, 2018 at 1:41 PM To: "Lamina, Marco" Cc: keycloak-user Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions I mentioned a possible solution in another thread which was about data filtering. What if you push back claims from your policies where these claims represent conditions that should be added to your query. See http://lists.jboss.org/pipermail/keycloak-user/2018-November/016213.html. Regards. Pedro Igor On Wed, Nov 14, 2018 at 6:56 PM Lamina, Marco > wrote: Correct, in this particular case that might be true. However, in the future there will be a more complex scenario with different types of permissions and users involved. For now I am using the following workaround to implement my use case on the resource server: 1. Request a PAT token from Keycloak 2. List all resources of a certain type via {keycloak}/auth/realms/${realm_name}/authz/protection/resource_set?type={type} 3. 
Send a permissions request to the token endpoint with a permission={resource_id}#{my_scope} item for every resource ID from 2), using the user?s access token in the header 4. The resulting list contains all resources a user can access with a given scope This gives me the correct result, but doesn?t scale well if I end up having a lot of resources. From: Pedro Igor Silva > Date: Wednesday, November 14, 2018 at 12:35 PM To: "Lamina, Marco" > Cc: keycloak-user > Subject: Re: [keycloak-user] Unspecified behavior of token endpoint when obtaining permissions I see. As I mentioned before, the specific resource (owned by a different user) is not processed by the policy evaluation engine. For this particular case, if the user is granted with the typed resource you could just assume that she/he can fetch any resource from the database with the same logical type, right ? On Wed, Nov 14, 2018 at 4:44 PM Lamina, Marco > wrote: The permission to my resources is not given using the UMA flow, but by policies and permissions that I defined manually. For example, I have a resource-type-based permission that combines two policies with the ?affirmative? strategy: 1. ?User is resource owner? ? JS-based policy 2. ?User is admin? ? role-based policy My assumption was that this will grant full access to any resources of that type if a user is either its owner or is assigned the ?admin? role. Using the evaluation tool, I can verify that admins have permission to access any resource of that type with any scope. But still, these resources do not show up in the permissions list I receive from the token endpoint. For context: I need this type of request to query my database for all objects that a given token has access to. Maybe I?m going about this the wrong way? Would love to hear your suggestions! 
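Marco's four-step workaround as a runnable script, added here as an example (not code from the thread or from the Keycloak project): the endpoint paths and form parameters are Keycloak's documented UMA ones, the HTTP layer is injected so the procedure runs offline against a constructed fake, and the host, realm, client credentials, resource ids and scope are assumed placeholders. It also batches the permission entries, which is what keeps the per-resource decision request bounded when the resource set grows.

```python
# Added example (not code from the thread or from Keycloak): the four-step
# workaround described above, with the HTTP layer injected so the procedure
# can be exercised offline against a constructed fake. Endpoint paths and form
# parameters are Keycloak's documented ones; host, realm, client credentials,
# resource ids and scope below are assumed placeholders.
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def token_url(base_url, realm):
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def resource_list_url(base_url, realm, resource_type):
    """Step 2: Protection API listing of resource ids filtered by type."""
    return (f"{base_url}/auth/realms/{realm}/authz/protection/resource_set?"
            + urlencode({"type": resource_type}))


def pat_request(client_id, client_secret):
    """Step 1: a PAT is a client_credentials token of the resource server."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


def permission_request(audience, resource_ids, scope):
    """Step 3: one permission=<id>#<scope> entry per resource; the audience is
    the resource server's client id. response_mode=permissions asks for the
    granted list instead of an RPT."""
    pairs = [("grant_type", UMA_TICKET_GRANT), ("audience", audience),
             ("response_mode", "permissions")]
    pairs += [("permission", f"{rid}#{scope}") for rid in resource_ids]
    return urlencode(pairs)


def granted_ids(decision, scope):
    """Step 4: keep the ids whose granted scopes include the one requested.
    A fully denied request comes back as an error object, not an empty list."""
    if not isinstance(decision, list):
        return set()
    return {p["rsid"] for p in decision if scope in p.get("scopes", [])}


def list_accessible(http_get, http_post, base_url, realm, rs_client_id,
                    rs_client_secret, resource_type, scope, user_token,
                    batch_size=50):
    """Run the whole workaround. http_get(url, headers) and
    http_post(url, form_body, headers) return the decoded JSON body.
    Requests are batched so a large resource set is not one giant POST."""
    url = token_url(base_url, realm)
    pat = http_post(url, pat_request(rs_client_id, rs_client_secret), {})["access_token"]
    listing = http_get(resource_list_url(base_url, realm, resource_type),
                       {"Authorization": f"Bearer {pat}"})
    # The listing is plain id strings unless deep=true was requested.
    ids = [r if isinstance(r, str) else r["_id"] for r in listing]
    found = set()
    for i in range(0, len(ids), batch_size):
        body = permission_request(rs_client_id, ids[i:i + batch_size], scope)
        decision = http_post(url, body, {"Authorization": f"Bearer {user_token}"})
        found |= granted_ids(decision, scope)
    return sorted(found)


# --- constructed fake Keycloak for offline use; every value is made up ------
FAKE_GRANTS = {"res-1", "res-3"}   # what the evaluation engine grants our user


def _fake_get(url, headers):
    assert headers["Authorization"] == "Bearer pat-constructed"
    return ["res-1", "res-2", "res-3", "res-4"]


def _fake_post(url, body, headers):
    if "grant_type=client_credentials" in body:
        return {"access_token": "pat-constructed"}
    # urlencode writes '#' as %23, so "permission=res-1%23read" -> "res-1"
    asked = [p.split("=", 1)[1].split("%23")[0]
             for p in body.split("&") if p.startswith("permission=")]
    granted = [r for r in asked if r in FAKE_GRANTS]
    if not granted:
        return {"error": "access_denied"}   # shape of a denied decision
    return [{"rsid": r, "rsname": r, "scopes": ["read"]} for r in granted]


def demo():
    return list_accessible(_fake_get, _fake_post, "https://sso.example.test",
                           "demo", "my-resource-server", "secret-constructed",
                           "document", "read", "user-token-constructed",
                           batch_size=3)


if __name__ == "__main__":
    print(demo())  # ['res-1', 'res-3']
```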
From sthorger at redhat.com Thu Nov 15 02:55:32 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 15 Nov 2018 08:55:32 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
Message-ID:

http://blog.keycloak.org/2018/11/keycloak-460final-released.html

From cedric at couralet.eu Thu Nov 15 03:23:51 2018
From: cedric at couralet.eu (Cédric Couralet)
Date: Thu, 15 Nov 2018 09:23:51 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
In-Reply-To:
References:
Message-ID: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>

On 2018-11-15 08:55, Stian Thorgersen wrote:
> http://blog.keycloak.org/2018/11/keycloak-460final-released.html
> _______________________________________________

Hi all,

When updating the docker image, I had a lot of warnings in the log (stack trace at the bottom). This is related to infinispan apparently. Everything seems to work fine, but should I be worried?
08:11:49,642 WARN [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p19-t3) ISPN000209: Failed to retrieve transactions of cache client-mappings from node cba19ca69fd1, segments {0-255}: org.infinispan.remoting.RemoteException: ISPN000217: Received exception from cba19ca69fd1, see cause for remote stack trace
Caused by: java.io.IOException: Unknown type: 132
Cédric

From orwittatibm at gmail.com Thu Nov 15 03:35:03 2018
From: orwittatibm at gmail.com (Oliver-Rainer Wittmann)
Date: Thu, 15 Nov 2018 09:35:03 +0100
Subject: [keycloak-user] Update user attributes on login
In-Reply-To: <1542218554.2133.3.camel@acutus.pro>
References: <2C8A4D72-F9FD-4A8D-9F60-1985BA800798@gmail.com> <1542218554.2133.3.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Thanks for your suggestion. In the meantime I got the hint to implement AbstractIdentityProvider.updateBrokeredUser(..) to update the user's attributes. The method got called on the following logins.

Best regards, Oliver.

> On 14. Nov 2018, at 19:02, Dmitry Telegin
wrote:
>
> Hello Oliver,
>
> If you mean those very attributes that you can see under the user's "Attributes" tab in the Admin console, you can use a script authenticator to do that:
>
> function authenticate(context) {
>
>     var username = user ? user.username : "anonymous";
>     LOG.info(script.name + " trace auth for: " + username);
>
>     if (user) {
>         LOG.info(user.attributes.foo); // multivalued map
>         // replace existing value
>         user.attributes.foo[0] = "bar";
>         // or create new attribute (Java objects are instantiated with new)
>         user.attributes.bar = new java.util.ArrayList(['foo', 'bar', 'baz']);
>     }
>
>     context.success();
>
> }
>
> Add this as the last step in your flow and make it required. Please note that the attributes are always multivalued in the model. This is not yet implemented in the GUI, but you can use ## to separate multiple values. That said, the value of the "bar" attribute will be seen as "foo##bar##baz" under the Attributes tab.
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-11-14 at 13:49 +0100, Oliver-Rainer Wittmann wrote:
>> Hi,
>>
>> I have a running keycloak with a custom identity provider - corresponding implementation of AbstractOAuth2IdentityProvider
>>
>> On registration of a user certain user attributes are stored and mapped into the token.
>> Now, I want to update these user attributes on following logins.
>>
>> How to do this?
>> Unfortunately, I did not find a corresponding hint in the documentation.
>>
>> Thx in advance for your support.
>>
>> Best regards, Oliver

From ronald.demneri at amdtia.com Thu Nov 15 03:44:21 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Thu, 15 Nov 2018 08:44:21 +0000
Subject: [keycloak-user] filter group claim in token per client
References: <1541397265.3650.7.camel@acutus.pro> , <1541806456.2031.5.camel@acutus.pro>
Message-ID:

Hello Dmitry,

When you have some time, can you please explain a little bit more about the more complex methods to mitigate the potential security issue that arises from our current configuration (Keycloak to allow/deny login based on group membership of user).

Thanks in advance,
Ronald

-----Original Message-----
From: Ronald Demneri
Sent: 12.Nov.2018 10:59 AM
To: 'Dmitry Telegin'
; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] filter group claim in token per client Hello Dmitry, After some trial and error, we were able to achieve having only pertinent groups in the token, although not as elegant as your script. So now we have it configured the way we want... approximately... Do you care to elaborate a little bit more on the possibilities to mitigate that security issue you mentioned in the email. The idea behind allowing a user to login if required group membership constraint is fulfilled, is quite important to us, which means that we need to find a different way from what we are doing right now. And of course, disabling SSO for all the clients is not a solution :) Looking forward to hearing from you soon! Thanks in advance, Ronald -----Original Message----- From: Dmitry Telegin
Sent: 10.Nov.2018 12:34 AM To: Ronald Demneri ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] filter group claim in token per client Ronald, Here are some Pro Tips(tm) for you :) - use keycloakSession.context.client.clientId to retrieve client ID (works for both tokens and userinfo); - use Java.from() and Java.to() to convert objects and arrays from Java to JavaScript and vice versa; - use more JavaScript-fu like map() and filter() to avoid looping over arrays; - use RegExp for generic case-insensitive pattern matching. With the above, your whole mapper could look as simple as this: ========================================== /** * Available variables: * user - the current user * realm - the current realm * token - the current token * userSession - the current userSession * keycloakSession - the current userSession */ var client = keycloakSession.context.client.clientId; var groups = Java.from(user.groups) .map(function(group) { return group.name; }) .filter(function(name) { return RegExp("(\\w+)-" + client + "-(\\w+)", "i").test(name); }) token.setOtherClaims("fGroup", Java.to(groups, "java.lang.String[]")) ========================================== Please also read my earlier reply about the potential security issue with the script authenticator and how to mitigate it. In fact, this problem (restricting access to clients based on group membership) has surfaced here at least three times during last month, so I think I'd write an article with the solution walkthrough. Stay tuned and good luck :) Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-11-06 at 20:51 +0000, Ronald Demneri wrote: > I configured the client to not use the userinfo endpoint for the group mapping.? Instead I used the id token,? and everything looks good now (no errors in the log,? 
> and the client gets the claim, and assigns permissions accordingly). Anyhow, the question remains, is there a way to get the client id using the script mapper?
>
> Thanks in advance,
> Ronald
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "Ronald Demneri"
> To: "Ronald Demneri" , "Dmitry Telegin" , "keycloak-user at lists.jboss.org"
> Subject: [keycloak-user] filter group claim in token per client
> Date: Tue, Nov 6, 2018 16:08
>
> Hello again,
>
> Upon testing login and experimenting where the claim should be inserted, I found out that the duplicate print() is a result of including the claim in both ID and access tokens. The error comes as a result of including the claim in the userinfo token, and probably that is why the userinfo endpoint does not contain the claim when the client application requests it.
>
> Any idea how to solve it?
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 06.Nov.2018 12:01 PM
> To: Ronald Demneri ; Dmitry Telegin ; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> So, I am looking at the logs and receive the following when going to App1 > Client Scopes > Evaluate:
>
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################ APP1
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892) ############################################
> 2018-11-06 10:51:42,407 INFO  [stdout] (default task-1892)  We are here!!!
> 2018-11-06 10:51:42,408 INFO  [stdout] (default task-1892) ############################################
>
> But when trying to actually log in to the client, I receive the following:
>
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,465 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,466 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################ APP1
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,474 INFO  [stdout] (default task-1891)  We are here!!!
> 2018-11-06 10:52:20,475 INFO  [stdout] (default task-1891) ############################################
> 2018-11-06 10:52:20,691 ERROR [org.keycloak.protocol.oidc.mappers.ScriptBasedOIDCProtocolMapper] (default task-1891) Error during execution of ProtocolMapper script: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'token-mapper-script_filteredGroupsMapper' problem was: TypeError: null has no such function "toUpperCase" in at line number 31
>
> Line 31 is as follows:
>
> 31:    var client = token.getIssuedFor().toUpperCase();
> 32:    print("############################################ " + client);
>
> So why does it display an error, when in fact it also displays the correct form of the clientId in upper case? And why is the log entry duplicated? ATM, I removed the client scope mapper and have recreated the script mapper only for this client.
>
> Regards,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 06.Nov.2018 11:05 AM
> To: 'Ronald Demneri' ; 'Dmitry Telegin' ; 'keycloak-user at lists.jboss.org'
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> Hello Dmitry,
>
> A colleague of mine helped solve the issue with the array, and I can see the filtered groups in the Access token. I also used token.getIssuedFor() to get the client name and make the evaluation of the filtered groups dynamic. The problem now is that this new claim is not present in the userinfo. This is the script that we came up with (configured both as client scopes (possibly define as a default client scope) as well as script mapper specific to this client for test purposes - claim names are different of course):
>
> [kcadmin at keycloak bin]$ ./kcadm.sh get client-scopes
> [ {
>   "id" : "4ea94866-044e-4590-a2da-f25c980f08b4",
>   "name" : "Filtered_Groups",
>   "protocol" : "openid-connect",
>   "attributes" : {
>     "display.on.consent.screen" : "true"
>   },
>   "protocolMappers" : [ {
>     "id" : "7d3c521a-b291-4f43-ad87-6891ed9584d3",
>     "name" : "Filtered Groups",
>     "protocol" : "openid-connect",
>     "protocolMapper" : "oidc-script-based-protocol-mapper",
>     "consentRequired" : false,
>     "config" : {
>       "multivalued" : "true",
>       "userinfo.token.claim" : "true",
>       "id.token.claim" : "true",
>       "access.token.claim" : "true",
>       "claim.name" : "fGroup",
>       "jsonType.label" : "String",
>       "script" : "/**
>         * Available variables:
>         * user - the current user
>         * realm - the current realm
>         * token - the current token
>         * userSession - the current userSession
>         * keycloakSession - the current userSession
>         */
>
>         //insert your code here...
>
>         //So, first we need to know, how many names should be added to the new claim,
>         var username = user ? user.username : \"anonymous\";
>         var groups = user.getGroups();
>         var group_array = groups.toArray();
>         //print(\"########################################## \" + username);
>
>         var client = token.getIssuedFor();
>         //print(\"############################################ \" + client);
>
>         var clUp = client.toUpperCase();
>         //print(clUp);
>
>         var group_APP = \"APP-\" + clUp + \"-USERS\";
>         var group_ROL = \"ROL_SSO-\" + clUp + \"-ADMIN\";
>
>         var group_filtered = [];
>
>         for (var i in group_array) {
>                 var gn = group_array[i].getName();
>                 var gnUp = gn.toUpperCase();
>                 if (gnUp === group_APP || gnUp === group_ROL) {
>                         group_filtered.push(\"/\" + gn);
>                 }
>         }
>         //Then we declare the new array.
>         var l = group_filtered.length;
>         var group_token = java.lang.reflect.Array.newInstance(java.lang.String.class, l);
>
>         for (var f in group_filtered) {
>                 group_token[f] = group_filtered[f];
>                 //print(group_token[f]);
>         }
>
>         //And submit the array as token
>         token.setOtherClaims(\"fGroup\", group_token);"
>     }
>   } ]
> }
>
> This is the userinfo data for my account:
>
> {
>   "sub": "bad7ff26-2a70-446f-a635-06fdbe1bec55",
>   "Group": [
>     "/APP-App1-Users/TGR-Team-ABC",
>     "/APP-App1-Users/TGR-Team-DEF",
>     "/APP-App1-Users",
>     "/APP-MySmallApp-Users"
>   ],
>   "email_verified": false,
>   "name": "Ronald Demneri",
>   "preferred_username": "u151302",
>   "given_name": "Ronald",
>   "family_name": "Demneri"
>
> The group claim is inserted by the group mapper created for this client, and the idea is to remove it once the script mapper works as expected.
> What do you think is going on? Is this behavior normal?
>
> Thanks in advance,
> Ronald
>
> -----Original Message-----
> From: Ronald Demneri
> Sent: 05.Nov.2018 12:12 PM
> To: 'Ronald Demneri' ; Dmitry Telegin ; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] filter group claim in token per client
>
> Hello,
>
> In the script authenticator there was authenticationSession which I used to get the clientId. There is no such variable in the script mapper, and if I define such mapper in the client template, I suppose I'd need some mechanism to get the client name and then make the filtering of the groups that need to be inserted in the token. How do I do that? Is there any documentation available for this online?
>
> Thanks again for your support!
> Ronald
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ronald Demneri
> Sent: 05.Nov.2018 11:00 AM
> To: Dmitry Telegin ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] filter group claim in token per client
>
> Hello Dmitry,
>
> Thanks for the response. In fact I tried that before posting here, created a custom script mapper for the client that I have configured. The problem is that the script will return a list of objects, not an array of strings, which is what I am expecting.
>
> What do I need to pay extra attention to in order to solve this?
>
> Thanks in advance and Regards,
> Ronald
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: 05.Nov.2018 6:54 AM
> To: Ronald Demneri ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] filter group claim in token per client
>
> Hello Ronald,
>
> As in the case with authentication, JavaScript is to the rescue again :) You can create a script mapper for groups that will do additional group filtering based on the client, and use it instead of the built-in one.
>
> To avoid explicitly configuring it for each and every client, you can create a Client Scope (can be called "Client Template" depending on the KC version), define the mapper in the scope, and add it to default scopes.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-02 at 10:30 +0000, Ronald Demneri wrote:
> > Hello everyone,
> >
> > Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD). Let's say that user Ronald is member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
> >
> > Thanks in advance,
> >
> > Ronald
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From marian.petrik at esgroup.ch Thu Nov 15 04:06:54 2018
From: marian.petrik at esgroup.ch (Marian Petrik)
Date: Thu, 15 Nov 2018 09:06:54 +0000
Subject: [keycloak-user] multitenant login with Keycloak OpenID connect providers
Message-ID:

Dear Keycloak team,

I have a multitenant keycloak setup with dedicated tenant realms. The goal is to have a single login page and pick the target realm automatically based on the domain in the user email. Can this be achieved in keycloak?

My idea is to create an extra LOGIN realm with keycloak OIDC provider for each tenant realm. Client would only use this single LOGIN realm. The issue is how to get rid of the realm selection and implement custom authentication flow. Is this the right way to do this?

Kind regards,
Marian Petrik

From msakho at redhat.com Thu Nov 15 04:12:16 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 15 Nov 2018 10:12:16 +0100
Subject: [keycloak-user] ldaps configuration --> Bug or regression with ldap connection url
Message-ID:

Hello everyone,

I'm facing a very strange behaviour using keycloak 4.5 Final while configuring my realm user federation with ldaps.
When I set the ldap connection URL to ldaps://myldaphost. It works fine.
When I change it to LDAPS://myldaphost, the test connection fails with the exception below (extract):

KC-SERVICES0055: Error when connecting to LDAP: intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException: intra-dev01.bdf-dev01.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.Connection.(Connection.java:238)
        at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
        at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)

With Keycloak 3.4.3Final, I used LDAPS without any problem.
Any advice?

Meissa

From Ori.Doolman at amdocs.com Thu Nov 15 04:15:07 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Thu, 15 Nov 2018 09:15:07 +0000
Subject: [keycloak-user] SSO experience
In-Reply-To: <1542220463.2133.9.camel@acutus.pro>
References: <1542220463.2133.9.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Thank you for answering.

In fact, the desktop app is not yet integrated to Keycloak and it is work to be done. I'm not familiar with the desktop app since it is a 3rd party app not written by us. If Java based, I thought of using one of the Keycloak Java adapters.
If not, just get the token with an HTTP[S] call (which seems that this is also what kcinit and KeycloakInstalled are doing as well).

I was not familiar with kcinit or KeycloakInstalled before. KeycloakInstalled might be a solution, but with limitations:
1) The desktop app must be written in Java.
2) It must be acceptable by the app designers to launch a browser for login.
3) If I understand correctly, it only performs a client level authentication, not supporting username/password credentials authentication.

That leads me to the original question - can I have SSO without using cookies, and by simply sending the token to my web app as part of the starting URL (the desktop app will launch the web app in a browser)?

Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)

-----Original Message-----
From: Dmitry Telegin
Sent: Wednesday, November 14, 2018 20:34
To: Ori Doolman ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SSO experience

Hello Ori,

How do you implement SSO for your desktop application? Are you using kcinit [1] or KeycloakInstalled [2]? Both will do interactive login via the system browser, that means, SSO cookies should be shared with whatever web application that is run therein.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/kcinit
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter

On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> Hi,
> I have 2 applications: one is desktop (Windows) and the other one is a web application.
> My desktop application performs authentication and login using Keycloak, and getting a JWT Access Token.
> My web application is using the Keycloak JS adapter to perform the same.
>
> After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
>
> Maybe I can pass the token and refresh token from desktop application as init parameters to the Keycloak-JS ?
> I see the following code is checking if initOptions contains the token:
>
>             function processInit() {
>                 var callback = parseCallback(window.location.href);
>
>                 if (callback) {
>                     window.history.replaceState({}, null, callback.newUrl);
>                 }
>
>                 if (callback && callback.valid) {
>                     return setupCheckLoginIframe().success(function() {
>                         processCallback(callback, initPromise);
>                     }).error(function (e) {
>                         initPromise.setError();
>                     });
>                 } else if (initOptions) {
>                     if (initOptions.token && initOptions.refreshToken) {
>                         setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> "Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

"Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".
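Ori's question above is whether the desktop app can hand its tokens to the web app through the start URL instead of relying on SSO cookies. What follows is an added example, not code from this thread and not keycloak-js; it models that hand-off in plain Node.js from the receiving web app's side. The tokens are carried in the URL fragment rather than the query string (browsers never send the fragment to the server, so it stays out of access logs and Referer headers), the fragment is stripped from the URL before it is kept in browser history, and the token's exp is checked locally before it is used. The function names, the parameter names token/refreshToken/idToken (borrowed from the initOptions fields quoted above), the URL and the sample token values are all assumptions made for this example.

```javascript
// Added example, not code from the thread and not from keycloak-js: a small,
// dependency-free model of handing tokens from a desktop launcher to a web app
// through the start URL. Function names, URL scheme and sample data are
// assumptions made here.

// Decode one base64url segment of a compact JWT into a UTF-8 string.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Read a JWT payload WITHOUT verifying the signature. This is only local
// bookkeeping (is the token even worth sending?); Keycloak and the resource
// server still validate signature, issuer, audience and expiry themselves.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// exp is seconds since the epoch; allow a little clock skew between the
// desktop machine and the issuer before treating the token as dead.
function isExpired(token, nowSeconds, skewSeconds = 30) {
  const { exp } = jwtPayload(token);
  return typeof exp !== "number" || exp + skewSeconds <= nowSeconds;
}

// Parse the URL the desktop app opened the browser with. Tokens are expected
// in the fragment (#...) because browsers never send the fragment to the
// server; tokens found in the query string are rejected for that reason.
// Returns the init options the web app would hand to its adapter plus the
// URL with the fragment removed, to be put back into history so the tokens
// are not left behind for anyone who reads the history later.
function tokensFromLaunchUrl(url) {
  const u = new URL(url);
  if (u.searchParams.has("token") || u.searchParams.has("refreshToken")) {
    throw new Error("tokens must travel in the URL fragment, not the query");
  }
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  const token = params.get("token");
  const refreshToken = params.get("refreshToken");
  const idToken = params.get("idToken");
  u.hash = "";
  const initOptions =
    token && refreshToken ? { token, refreshToken, idToken } : null;
  return { initOptions, cleanUrl: u.toString() };
}

// Build an unsigned JWT for the demo. Constructed sample data: the signature
// part is a placeholder that no server would accept.
function makeUnsignedJwt(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj))
      .toString("base64")
      .replace(/\+/g, "-")
      .replace(/\//g, "_")
      .replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder`;
}

// End-to-end run on constructed input: the desktop app builds the start URL,
// the web app extracts the tokens, checks expiry and scrubs the URL.
function demo() {
  const now = 1542283200; // constructed clock: 2018-11-15T12:00:00Z
  const access = makeUnsignedJwt({ sub: "u151302", azp: "app1", exp: now + 300 });
  const refresh = makeUnsignedJwt({ sub: "u151302", typ: "Refresh", exp: now + 1800 });
  const launchUrl =
    `https://app.example.test/start?view=home#token=${access}&refreshToken=${refresh}`;
  const { initOptions, cleanUrl } = tokensFromLaunchUrl(launchUrl);
  return {
    cleanUrl, // "https://app.example.test/start?view=home"
    accessUsable: initOptions !== null && !isExpired(initOptions.token, now), // true
    refreshStillValidAnHourLater: !isExpired(initOptions.refreshToken, now + 3600), // false
  };
}
```

The local expiry check only decides whether the web app bothers to present the token; it is not validation. The token was issued to the desktop client, so whether the web app's backend accepts it depends on the audience and azp checks on that side, which is the same question the thread leaves open.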
From slaskawi at redhat.com Thu Nov 15 04:37:02 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 15 Nov 2018 10:37:02 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
In-Reply-To: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>
References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>
Message-ID:

Adding +Pedro Ruivo .

It seems you lost some of the transactions. Since those are volatile data, you should be fine. The only thing you might do (if it's not too late) is to flush the caches from Keycloak admin panel... just in case...

On Thu, Nov 15, 2018 at 9:30 AM Cédric Couralet wrote:
> Le 2018-11-15 08:55, Stian Thorgersen a écrit :
> > http://blog.keycloak.org/2018/11/keycloak-460final-released.html
> > _______________________________________________
>
> Hi all,
>
> When updating the docker image, I had a lot of warning in log (stack trace in bottom). This is related to infinispan apparently. Everything seems to work fine, but should I be worried?
>
> 08:11:49,642 WARN [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p19-t3) ISPN000209: Failed to retrieve transactions of cache client-mappings from node cba19ca69fd1, segments {0-255}: org.infinispan.remoting.RemoteException: ISPN000217: Received exception from cba19ca69fd1, see cause for remote stack trace
>         at org.infinispan.remoting.transport.ResponseCollectors.wrapRemoteException(ResponseCollectors.java:27)
>         at org.infinispan.remoting.transport.ValidSingleResponseCollector.withException(ValidSingleResponseCollector.java:37)
>         at org.infinispan.remoting.transport.ValidSingleResponseCollector.addResponse(ValidSingleResponseCollector.java:21)
>         at org.infinispan.remoting.transport.impl.SingleTargetRequest.receiveResponse(SingleTargetRequest.java:52)
>         at org.infinispan.remoting.transport.impl.SingleTargetRequest.onResponse(SingleTargetRequest.java:35)
>         at org.infinispan.remoting.transport.impl.RequestRepository.addResponse(RequestRepository.java:52)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.processResponse(JGroupsTransport.java:1370)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.processMessage(JGroupsTransport.java:1273)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.access$300(JGroupsTransport.java:125)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport$ChannelCallbacks.up(JGroupsTransport.java:1418)
>         at org.jgroups.JChannel.up(JChannel.java:816)
>         at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:134)
>         at org.jgroups.stack.Protocol.up(Protocol.java:340)
>         at org.jgroups.protocols.FORK.up(FORK.java:134)
>         at org.jgroups.protocols.FRAG2.up(FRAG2.java:177)
>         at org.jgroups.protocols.FlowControl.up(FlowControl.java:343)
>         at org.jgroups.protocols.pbcast.GMS.up(GMS.java:873)
>         at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:240)
>         at org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1003)
>         at org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:729)
>         at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:384)
>         at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:600)
>         at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:130)
>         at org.jgroups.protocols.FD.up(FD.java:212)
>         at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:253)
>         at org.jgroups.protocols.MERGE3.up(MERGE3.java:280)
>         at org.jgroups.protocols.Discovery.up(Discovery.java:269)
>         at org.jgroups.protocols.TP.passMessageUp(TP.java:1248)
>         at org.jgroups.util.SubmitToThreadPool$SingleMessageHandler.run(SubmitToThreadPool.java:87)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52)
>         at java.lang.Thread.run(Thread.java:748)
>         Suppressed: org.infinispan.util.logging.TraceException
>                 at org.infinispan.remoting.rpc.RpcManagerImpl.blocking(RpcManagerImpl.java:268)
>                 at org.infinispan.statetransfer.StateConsumerImpl.getTransactions(StateConsumerImpl.java:916)
>                 at org.infinispan.statetransfer.StateConsumerImpl.requestTransactions(StateConsumerImpl.java:829)
>                 at org.infinispan.statetransfer.StateConsumerImpl.addTransfers(StateConsumerImpl.java:767)
>                 at org.infinispan.statetransfer.StateConsumerImpl.handleSegments(StateConsumerImpl.java:470)
>                 at org.infinispan.statetransfer.StateConsumerImpl.onTopologyUpdate(StateConsumerImpl.java:362)
>                 at org.infinispan.statetransfer.StateTransferManagerImpl.doTopologyUpdate(StateTransferManagerImpl.java:197)
>                 at org.infinispan.statetransfer.StateTransferManagerImpl.access$000(StateTransferManagerImpl.java:54)
>                 at org.infinispan.statetransfer.StateTransferManagerImpl$1.rebalance(StateTransferManagerImpl.java:117)
>                 at org.infinispan.topology.LocalTopologyManagerImpl.doHandleRebalance(LocalTopologyManagerImpl.java:517)
>                 at org.infinispan.topology.LocalTopologyManagerImpl.lambda$handleRebalance$3(LocalTopologyManagerImpl.java:475)
>                 at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175)
>                 at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37)
>                 at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227)
>                 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>                 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>                 at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47)
>                 ... 1 more
> Caused by: java.io.IOException: Unknown type: 132
>         at org.infinispan.marshall.core.GlobalMarshaller.readNonNullableObject(GlobalMarshaller.java:681)
>         at org.infinispan.marshall.core.GlobalMarshaller.readNullableObject(GlobalMarshaller.java:355)
>         at org.infinispan.marshall.core.BytesObjectInput.readObject(BytesObjectInput.java:40)
>         at org.infinispan.commons.marshall.MarshallUtil.unmarshallCollectionUnbounded(MarshallUtil.java:302)
>         at org.infinispan.statetransfer.StateRequestCommand.readFrom(StateRequestCommand.java:197)
>         at org.infinispan.marshall.exts.ReplicableCommandExternalizer.readCommandParameters(ReplicableCommandExternalizer.java:104)
>         at org.infinispan.marshall.exts.CacheRpcCommandExternalizer.readObject(CacheRpcCommandExternalizer.java:130)
>         at org.infinispan.marshall.exts.CacheRpcCommandExternalizer.readObject(CacheRpcCommandExternalizer.java:65)
>         at org.infinispan.marshall.core.GlobalMarshaller.readWithExternalizer(GlobalMarshaller.java:688)
>         at org.infinispan.marshall.core.GlobalMarshaller.readNonNullableObject(GlobalMarshaller.java:671)
>         at org.infinispan.marshall.core.GlobalMarshaller.readNullableObject(GlobalMarshaller.java:355)
>         at org.infinispan.marshall.core.GlobalMarshaller.objectFromObjectInput(GlobalMarshaller.java:193)
>         at org.infinispan.marshall.core.GlobalMarshaller.objectFromByteBuffer(GlobalMarshaller.java:222)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.processRequest(JGroupsTransport.java:1278)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.processMessage(JGroupsTransport.java:1218)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport.access$200(JGroupsTransport.java:123)
>         at org.infinispan.remoting.transport.jgroups.JGroupsTransport$ChannelCallbacks.receive(JGroupsTransport.java:1356)
>         at org.jgroups.JChannel.up(JChannel.java:819)
>         at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:134)
>         at org.jgroups.stack.Protocol.up(Protocol.java:340)
>         at org.jgroups.protocols.FORK.up(FORK.java:134)
>         at org.jgroups.protocols.FRAG2.up(FRAG2.java:177)
>         at org.jgroups.protocols.FlowControl.up(FlowControl.java:351)
>         at org.jgroups.protocols.pbcast.GMS.up(GMS.java:864)
>         at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:240)
>         at org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1002)
>         at org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:728)
>         at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:383)
>         at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:600)
>         at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:119)
>         at org.jgroups.protocols.FD.up(FD.java:212)
>         at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:252)
>         at org.jgroups.protocols.MERGE3.up(MERGE3.java:276)
>         at org.jgroups.protocols.Discovery.up(Discovery.java:267)
>         ... 6 more
>
> Cédric
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Nov 15 05:05:29 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Nov 2018 11:05:29 +0100
Subject: [keycloak-user] ldaps configuration --> Bug or regression with ldap connection url
In-Reply-To:
References:
Message-ID:

Hi Meissa,

I don't think that we changed anything in this part related to ldaps, truststore SPI etc, but I could be wrong. We upgraded Wildfly, but this doesn't look that it is related to Wildfly upgrade (although again not 100% sure TBH).

Also this could be a bug in Java. Are you using same Java version you used with Keycloak 3.4.3.Final?

Another question is, how problematic it is to change "LDAPS://" to "ldap://" in the configuration? Any issues with changing that in your environment?
Marek On 15/11/18 10:12, Meissa M'baye Sakho wrote: > Hello everyone, > I'm facing a very strange behaviour using keycloak 4.5 Final while > configuring my realm user federation with ldaps. > When I set the ldap connection URL to ldaps://myldaphost. It works fine. > When I change it to LDAPS://myldaphost, the test connexion fails with the > exception below (extract): > > *KC-SERVICES0055: Error when connecting to LDAP: > intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException: > intra-dev01.bdf-dev01.local:636 [Root exception is > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target]* > * at com.sun.jndi.ldap.Connection.(Connection.java:238)* > * at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)* > * at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)* > * at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)* > * at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)* > * at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)* > * at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)* > > * Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target* > * at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)* > * at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)* > > With Keycloak 3.4.3Final, I used LDAPS without any problem. > Any advice? 
> Meissa > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From hannah.short at cern.ch Thu Nov 15 05:13:47 2018 From: hannah.short at cern.ch (Hannah Short) Date: Thu, 15 Nov 2018 10:13:47 +0000 Subject: [keycloak-user] Authenticated Protocol Mapper? In-Reply-To: <1542220061.2133.7.camel@acutus.pro> References: <1542220061.2133.7.camel@acutus.pro> Message-ID: Hi Dmitry, Thanks for your help! > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm? Yes, both the same Keycloak instance and realm. For the offline tokens approach, I?ve understood that they can only be generated programatically, and for a user. In our case this would be an offline token for the API (we could create a user to ?own" this token) - is there a way to generate tokens through the Keycloak UI? Cheers, Hannah > On 14 Nov 2018, at 19:27, Dmitry Telegin
wrote: > > Hello Hannah, > > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm? > > If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity. > > However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote: >> Hi, >> >> I?d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? >> >> The objective is for the mapper to be able to call an API that is protected also by Keycloak. >> >> The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow. >> >> Any guidance, including alternative approaches, would be appreciated! >> >> Cheers, >> Hannah >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From msakho at redhat.com Thu Nov 15 05:16:00 2018 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Thu, 15 Nov 2018 11:16:00 +0100 Subject: [keycloak-user] ldaps configuration --> Bug or regression with ldap connection ulr In-Reply-To: References: Message-ID: Marek, I'm using the same JRE. 
It's not problematic at all using ldaps instead of LDAPS. I've also been told (somewhere else) that protocols should be "lowercased". So I will stick to ldaps. Meissa Le jeu. 15 nov. 2018 ? 11:05, Marek Posolda a ?crit : > Hi Meissa, > > I don't think that we changed anything in this part related to ldaps, > truststore SPI etc, but I could be wrong. We upgraded Wildfly, but this > doesn't look that it is related to Wildfly upgrade (although again not > 100% sure TBH). > > Also this could be a bug in Java. Are you using same Java version you > used with Keycloak 3.4.3.Final? > > Another question is, how problematic it is to change "LDAPS://" to > "ldap://" in the configuration? Any issues with changing that in your > environment? > > Marek > > On 15/11/18 10:12, Meissa M'baye Sakho wrote: > > Hello everyone, > > I'm facing a very strange behaviour using keycloak 4.5 Final while > > configuring my realm user federation with ldaps. > > When I set the ldap connection URL to ldaps://myldaphost. It works fine. 
> > When I change it to LDAPS://myldaphost, the test connection fails with the exception below (extract):
> >
> > KC-SERVICES0055: Error when connecting to LDAP: intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException: intra-dev01.bdf-dev01.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
> >     at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
> >     at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
> >     at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
> >     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
> >     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
> >     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> >     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> >
> > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> >
> > With Keycloak 3.4.3.Final, I used LDAPS without any problem.
> > Any advice?
> > Meissa

From marian.petrik at esgroup.ch Thu Nov 15 05:23:30 2018
From: marian.petrik at esgroup.ch (Marian Petrik)
Date: Thu, 15 Nov 2018 10:23:30 +0000
Subject: [keycloak-user] Realm resolution based on username (email address)
In-Reply-To: <2053198511.654526.1526402760358.JavaMail.apache@nm83.abv.bg>
References: <2053198511.654526.1526402760358.JavaMail.apache@nm83.abv.bg>
Message-ID: <8837df2d-e121-7525-dd9a-127b4676f11a@esgroup.ch>

Hi Pedro,

We now face a similar problem, have you found a solution to this?

Best regards,
Marian

From mposolda at redhat.com Thu Nov 15 05:43:59 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Nov 2018 11:43:59 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To:
References:
Message-ID:

On 08/11/18 17:35, Nicolas Ocquidant wrote:
> My requirements are the following: store tokens emitted by KC during one year.
>
> I don't know how many users there are, but here are the number I get:
>   * the number of connections a week is about 700k.
>   * the number of session refresh a week is about 200k.
>
> I approximated around 1M of sessions a week, thus 52M a year.
> In memory, a user session has been estimated around 4KB (about 1KB in file/DB).
>
> But I guess a refresh does not create another session isn't it? And maybe it's possible to ask KC to delete previous emitted tokens when a new one is created for a same user?

No, it doesn't. It just updates lastSessionRefresh field on userSession and possibly timestamp on clientSession.

> If yes, my estimation is probably a little bit too high here, but I certainly have several millions of tokens to keep (and maybe dozens of millions).
>
> Thanks
> --nick
>
> On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
>
>> Hi,
>>
>> According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
>>
>> But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
>>
>> So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
>>
>> But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries.
>>
>> 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
>>
>> As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance).
>>
>> So, is a shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store?
>>
>> Thanks
>> --nick
>>

From geoff at opticks.io Thu Nov 15 05:55:20 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 15 Nov 2018 11:55:20 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
In-Reply-To:
References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>
Message-ID:

I am unable to make absolutely any changes in the Admin Console since upgrading to 4.6.
Every time I click the Save button, I get "An unexpected error occurred" message and the following log output: 10:52:20,574 DEBUG [io.undertow.request] (default I/O-16) Matched prefix path /auth for path /auth/admin/realms/master 10:52:20,575 DEBUG [io.undertow.request.security] (default task-1) Attempting to authenticate /auth/admin/realms/master, authentication required: false 10:52:20,575 DEBUG [io.undertow.request.security] (default task-1) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 43579ab2 for /auth/admin/realms/master 10:52:20,575 DEBUG [io.undertow.request.security] (default task-1) Authentication result was ATTEMPTED for /auth/admin/realms/master 10:52:20,575 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-1) new JtaTransactionWrapper 10:52:20,575 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-1) was existing? false 10:52:20,576 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-1) RESTEASY002315: PathInfo: /admin/realms/master 10:52:20,577 DEBUG [org.keycloak.services.resources.admin.AdminRoot] (default task-1) authenticated admin access for: admin 10:52:20,578 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NullPointerException at org.keycloak.services.resources.Cors.build(Cors.java:193) at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211) at sun.reflect.GeneratedMethodAccessor576.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:69) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:48) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:99) at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at 
java.lang.Thread.run(Thread.java:748)
10:52:20,578 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-1) JtaTransactionWrapper rollback
10:52:20,578 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-1) JtaTransactionWrapper end
10:52:20,578 DEBUG [io.undertow.request.error-response] (default task-1) Setting error code 500 for exchange HttpServerExchange{ PUT /auth/admin/realms/master request {X-Real-IP=[90.74.16.36], Accept=[application/json, text/plain, */*], Accept-Language=[en-US,en;q=0.9,es;q=0.8,ca;q=0.7,it;q=0.6], Accept-Encoding=[gzip, deflate, br], Origin=[https://files.opticks.io], User-Agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36], Connection=[close], Authorization=[Bearer <token elided>], X-Forwarded-Proto=[https], X-Forwarded-For=[90.74.16.36], Content-Length=[2950], Content-Type=[application/json;charset=UTF-8], Cookie=[<cookies elided>], Referer=[https://files.opticks.io/auth/admin/master/console/], Host=[files.opticks.io]} response {}}: java.lang.RuntimeException
    at io.undertow.server.HttpServerExchange.setStatusCode(HttpServerExchange.java:1410)
    at io.undertow.servlet.spec.HttpServletResponseImpl.setStatus(HttpServletResponseImpl.java:286)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletResponseWrapper.setStatus(HttpServletResponseWrapper.java:76)
    at org.jboss.resteasy.core.ServerResponseWriter.lambda$writeNomapResponse$2(ServerResponseWriter.java:89)
    at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:398)
    at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:208)
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85)
    at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:205)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:459)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) 10:52:26,483 DEBUG [org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator] (ConnectionValidator) Notifying pools, interval: 30000 10:52:26,483 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ConnectionValidator) Checking for 
connection within frequency

I am using Docker and used the following process to upgrade:

docker pull jboss/keycloak
docker tag jboss/keycloak:latest jboss/keycloak:${LATEST_KC}
docker stop keycloak
docker rename keycloak keycloak_${OLD_KC}
docker stop postgres
docker run -it --rm -v postgres-data:/volume -v /root/backup/:/backup alpine tar -cjf /backup/keycloak_postgres.tar.bz2 -C /volume ./
docker start postgres
docker run -d -p ${KC_IP}:8080:8080 -e DB_VENDOR=postgres -e DB_ADDR=${PG_IP} -e DB_PORT=5432 -e DB_DATABASE=keycloak -e DB_USER=${DB_KC_USER} -e DB_PASSWORD=${DB_KC_PASS} -e KEYCLOAK_LOGLEVEL=DEBUG -e ROOT_LOGLEVEL=DEBUG -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:${LATEST_KC}

Regards,
Geoffrey Cleaves

On Thu, 15 Nov 2018 at 10:40, Sebastian Laskawiec wrote:
> Adding +Pedro Ruivo .
>
> It seems you lost some of the transactions. This those are volatile data, you should be fine. The only thing you might do (if it's not too late) is to flush the caches from Keycloak admin panel... just in case...
>
> On Thu, Nov 15, 2018 at 9:30 AM Cédric Couralet wrote:
>
> > On 2018-11-15 08:55, Stian Thorgersen wrote:
> > > http://blog.keycloak.org/2018/11/keycloak-460final-released.html
> >
> > Hi all,
> >
> > When updating the docker image, I had a lot of warnings in the log (stack trace at bottom). This is related to infinispan apparently. Everything seems to work fine, but should I be worried?
> > > > > > > > 08:11:49,642 WARN [org.infinispan.statetransfer.StateConsumerImpl] > > (transport-thread--p19-t3) ISPN000209: Failed to retrieve transactions > > of cache client-mappings from node cba19ca69fd1, segments {0-255}: > > org.infinispan.remoting.RemoteException: ISPN000217: Received exception > > from cba19ca69fd1, see cause for remote stack trace > > at > > > > > org.infinispan.remoting.transport.ResponseCollectors.wrapRemoteException(ResponseCollectors.java:27) > > at > > > > > org.infinispan.remoting.transport.ValidSingleResponseCollector.withException(ValidSingleResponseCollector.java:37) > > at > > > > > org.infinispan.remoting.transport.ValidSingleResponseCollector.addResponse(ValidSingleResponseCollector.java:21) > > at > > > > > org.infinispan.remoting.transport.impl.SingleTargetRequest.receiveResponse(SingleTargetRequest.java:52) > > at > > > > > org.infinispan.remoting.transport.impl.SingleTargetRequest.onResponse(SingleTargetRequest.java:35) > > at > > > > > org.infinispan.remoting.transport.impl.RequestRepository.addResponse(RequestRepository.java:52) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.processResponse(JGroupsTransport.java:1370) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.processMessage(JGroupsTransport.java:1273) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.access$300(JGroupsTransport.java:125) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport$ChannelCallbacks.up(JGroupsTransport.java:1418) > > at org.jgroups.JChannel.up(JChannel.java:816) > > at > > org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:134) > > at org.jgroups.stack.Protocol.up(Protocol.java:340) > > at org.jgroups.protocols.FORK.up(FORK.java:134) > > at org.jgroups.protocols.FRAG2.up(FRAG2.java:177) > > at org.jgroups.protocols.FlowControl.up(FlowControl.java:343) > > at org.jgroups.protocols.pbcast.GMS.up(GMS.java:873) > > at 
org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:240) > > at > > org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1003) > > at > > org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:729) > > at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:384) > > at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:600) > > at > org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:130) > > at org.jgroups.protocols.FD.up(FD.java:212) > > at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:253) > > at org.jgroups.protocols.MERGE3.up(MERGE3.java:280) > > at org.jgroups.protocols.Discovery.up(Discovery.java:269) > > at org.jgroups.protocols.TP.passMessageUp(TP.java:1248) > > at > > > > > org.jgroups.util.SubmitToThreadPool$SingleMessageHandler.run(SubmitToThreadPool.java:87) > > at > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > at > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > at > > > > > org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) > > at java.lang.Thread.run(Thread.java:748) > > Suppressed: org.infinispan.util.logging.TraceException > > at > > > > > org.infinispan.remoting.rpc.RpcManagerImpl.blocking(RpcManagerImpl.java:268) > > at > > > > > org.infinispan.statetransfer.StateConsumerImpl.getTransactions(StateConsumerImpl.java:916) > > at > > > > > org.infinispan.statetransfer.StateConsumerImpl.requestTransactions(StateConsumerImpl.java:829) > > at > > > > > org.infinispan.statetransfer.StateConsumerImpl.addTransfers(StateConsumerImpl.java:767) > > at > > > > > org.infinispan.statetransfer.StateConsumerImpl.handleSegments(StateConsumerImpl.java:470) > > at > > > > > org.infinispan.statetransfer.StateConsumerImpl.onTopologyUpdate(StateConsumerImpl.java:362) > > at > > > > > org.infinispan.statetransfer.StateTransferManagerImpl.doTopologyUpdate(StateTransferManagerImpl.java:197) > > at > > > > 
> org.infinispan.statetransfer.StateTransferManagerImpl.access$000(StateTransferManagerImpl.java:54) > > at > > > > > org.infinispan.statetransfer.StateTransferManagerImpl$1.rebalance(StateTransferManagerImpl.java:117) > > at > > > > > org.infinispan.topology.LocalTopologyManagerImpl.doHandleRebalance(LocalTopologyManagerImpl.java:517) > > at > > > > > org.infinispan.topology.LocalTopologyManagerImpl.lambda$handleRebalance$3(LocalTopologyManagerImpl.java:475) > > at > > > org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175) > > at > > > > > org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37) > > at > > > > > org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227) > > at > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > at > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > at > > > > > org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47) > > ... 
1 more > > Caused by: java.io.IOException: Unknown type: 132 > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.readNonNullableObject(GlobalMarshaller.java:681) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.readNullableObject(GlobalMarshaller.java:355) > > at > > > > > org.infinispan.marshall.core.BytesObjectInput.readObject(BytesObjectInput.java:40) > > at > > > > > org.infinispan.commons.marshall.MarshallUtil.unmarshallCollectionUnbounded(MarshallUtil.java:302) > > at > > > > > org.infinispan.statetransfer.StateRequestCommand.readFrom(StateRequestCommand.java:197) > > at > > > > > org.infinispan.marshall.exts.ReplicableCommandExternalizer.readCommandParameters(ReplicableCommandExternalizer.java:104) > > at > > > > > org.infinispan.marshall.exts.CacheRpcCommandExternalizer.readObject(CacheRpcCommandExternalizer.java:130) > > at > > > > > org.infinispan.marshall.exts.CacheRpcCommandExternalizer.readObject(CacheRpcCommandExternalizer.java:65) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.readWithExternalizer(GlobalMarshaller.java:688) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.readNonNullableObject(GlobalMarshaller.java:671) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.readNullableObject(GlobalMarshaller.java:355) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.objectFromObjectInput(GlobalMarshaller.java:193) > > at > > > > > org.infinispan.marshall.core.GlobalMarshaller.objectFromByteBuffer(GlobalMarshaller.java:222) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.processRequest(JGroupsTransport.java:1278) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.processMessage(JGroupsTransport.java:1218) > > at > > > > > org.infinispan.remoting.transport.jgroups.JGroupsTransport.access$200(JGroupsTransport.java:123) > > at > > > > > 
org.infinispan.remoting.transport.jgroups.JGroupsTransport$ChannelCallbacks.receive(JGroupsTransport.java:1356)
> >     at org.jgroups.JChannel.up(JChannel.java:819)
> >     at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:134)
> >     at org.jgroups.stack.Protocol.up(Protocol.java:340)
> >     at org.jgroups.protocols.FORK.up(FORK.java:134)
> >     at org.jgroups.protocols.FRAG2.up(FRAG2.java:177)
> >     at org.jgroups.protocols.FlowControl.up(FlowControl.java:351)
> >     at org.jgroups.protocols.pbcast.GMS.up(GMS.java:864)
> >     at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:240)
> >     at org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1002)
> >     at org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:728)
> >     at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:383)
> >     at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:600)
> >     at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:119)
> >     at org.jgroups.protocols.FD.up(FD.java:212)
> >     at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:252)
> >     at org.jgroups.protocols.MERGE3.up(MERGE3.java:276)
> >     at org.jgroups.protocols.Discovery.up(Discovery.java:267)
> >     ... 6 more
> >
> > Cédric

From mposolda at redhat.com Thu Nov 15 05:55:38 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Nov 2018 11:55:38 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To:
References: <1408145257.66131813.1541706517375.JavaMail.zimbra@redhat.com>
Message-ID: <6c684abf-809f-1a16-453b-5f99dbbe6a14@redhat.com>

Yes, true. We're using SKIP_CACHE_STORE when writing to sessions. We never tested with CacheStores enabled.
The only store which we've tested with is the "remote-store", which we're using for the cross-datacenter setup. We have lots of places where we're not just writing data to the "cache" directly and letting the "remote-store" propagate it, but instead we obtain the "remoteCache" instance from the underlying remote-store and CRUD data directly to remoteCache to have some optimizations and guaranteed consistency and atomicity for remoteCache operations (e.g. putIfAbsent, replace etc). That's also the reason why we're using the SKIP_CACHE_STORE flag. Feel free to create a JIRA for better support of other CacheStores.

The other possibility to work around this (besides what Sebastian already mentioned) is to have a JDG server and configure your cache with the remote-store as described in our "Cross-Datacenter setup" documentation. On the JDG side, you can configure the JDBC store for your cache. In other words, the session will always be written to JDG and JDG will write it to the underlying JDBC. I know this option is far from ideal (you need to add a JDG server just to work around things), just mentioning it for completeness.

Marek

On 09/11/18 14:29, Sebastian Laskawiec wrote:
> Yes, I think that could be the case, I see plenty of places where we
> use SKIP_CACHE_STORE.
>
> Let me ask Marek for help here since it has been implemented long
> before I joined the team and I don't know the history behind it...
>
> On Thu, Nov 8, 2018 at 8:48 PM William Burns wrote:
>
> > ----- Original Message -----
> > From: "Sebastian Laskawiec"
> > To: "Nicolas Ocquidant"
> > Cc: keycloak-user at lists.jboss.org, "Will Burns Rosenquist Burns"
> > Sent: Thursday, November 8, 2018 12:33:47 PM
> > Subject: Re: [keycloak-user] Shared datastore?
> >
> > So I think there are at least two ways to address this problem. This first
> > one is to use Offline Tokens [1]. I'm not sure if that fits into your
> > application since it requires your client applications to store the token.
> > In other words you can simply delegate this problem one layer below in your
> > system.
> >
> > If that doesn't work for you, yes, passivation is a way to go. Frankly, I
> > haven't used passivation but from the manual I see it works hand in hand
> > with eviction [2][3]. Will (on CC) can probably correct me here, but my
> > understanding is that whenever an entry gets evicted, the passivation
> > mechanism picks it up and stores it somewhere.
>
> It does and it works, the problem is that passivation doesn't play
> well with shared stores in Infinispan. We prevent this
> configuration in 9.4 or newer even.
>
> I recommended that Nicolas just use eviction and a shared store
> without passivation. However, it seems that entries are not written
> to the store in this configuration. My guess is that KeyCloak
> performs write operations with the SKIP_CACHE_STORE flag and
> assumes entries will only be written to the store due to
> passivation. Is there a reason for that?
>
> > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> > [2] http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation
> > [3] https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69
> >
> > On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant wrote:
> >
> > > My requirements are the following: store tokens emitted by KC during one
> > > year.
> > >
> > > I don't know how many users there are, but here are the numbers I get:
> > >   * the number of connections a week is about 700k.
> > >   * the number of session refreshes a week is about 200k.
> > >
> > > I approximated around 1M sessions a week, thus 52M a year.
> > > In memory, a user session has been estimated around 4KB (about 1KB in
> > > file/DB).
> > >
> > > But I guess a refresh does not create another session, does it?
> > > And maybe
> > > it's possible to ask KC to delete previously emitted tokens when a new one is
> > > created for the same user?
> > >
> > > If yes, my estimation is probably a little bit too high here, but I
> > > certainly have several million tokens to keep (and maybe dozens of
> > > millions).
> > >
> > > Thanks
> > > --nick
> > >
> > > On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
> > >
> > > > Hi,
> > > >
> > > > According to Infinispan, when passivation is disabled, every update to the
> > > > cache should always write to the store.
> > > >
> > > > But I can't manage to get it to work with Keycloak. If I disable passivation,
> > > > my SQL store (Postgres) stays empty, even if the cache is full.
> > > >
> > > > So, if passivation is needed for Keycloak to write to the DB, it means
> > > > that the use of a shared DB is not possible...
> > > >
> > > > But this leads to another issue for me. Enabling passivation without a
> > > > shared DB seems to imply that either 'fetch-state' or 'purge' should be
> > > > enabled on startup, in order for the cache to not contain stale entries.
> > > >
> > > > 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
> > > >
> > > > As I need to keep millions of sessions, this will considerably slow down
> > > > the startup of my node (when started again after a crash for instance).
> > > >
> > > > So, is a shared datastore allowed in Keycloak? If yes, how to enable it?
> > > > Otherwise what other options do I have to improve my startup time, if
> > > > millions of sessions are in the store?
> > > >
> > > > Thanks
> > > > --nick
> > > >

From geoff at opticks.io Thu Nov 15 06:44:49 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 15 Nov 2018 12:44:49 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
In-Reply-To:
References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>
Message-ID:

I've created this ticket: https://issues.jboss.org/browse/KEYCLOAK-8832 . (I wish I had been more careful before pasting the log dump in the previous email.)

On Thu, 15 Nov 2018 at 11:55, Geoffrey Cleaves wrote:
> I am unable to make absolutely any changes in the Admin Console since
> upgrading to 4.6. Every time I click the Save button, I get an "An unexpected
> error occurred" message and the following log output:
>
> 10:52:20,578 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-1) Uncaught server error: java.lang.NullPointerException
> at org.keycloak.services.resources.Cors.build(Cors.java:193)
> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211)
>
> I am using Docker and used the following process to upgrade:
>
> docker pull jboss/keycloak
> docker tag jboss/keycloak:latest jboss/keycloak:${LATEST_KC}
> docker stop keycloak
> docker rename keycloak keycloak_${OLD_KC}
> docker stop postgres
> docker run -it --rm -v postgres-data:/volume -v /root/backup/:/backup alpine tar -cjf /backup/keycloak_postgres.tar.bz2 -C /volume ./
> docker start postgres
> docker run -d -p ${KC_IP}:8080:8080 -e DB_VENDOR=postgres -e DB_ADDR=${PG_IP} -e DB_PORT=5432 -e DB_DATABASE=keycloak -e DB_USER=${DB_KC_USER} -e DB_PASSWORD=${DB_KC_PASS} -e KEYCLOAK_LOGLEVEL=DEBUG -e ROOT_LOGLEVEL=DEBUG -e PROXY_ADDRESS_FORWARDING=true jboss/keycloak:${LATEST_KC}
>
> Regards,
> Geoffrey Cleaves
>
> On Thu, 15 Nov 2018 at 10:40, Sebastian Laskawiec
> wrote:
>
>> Adding +Pedro Ruivo .
>>
>> It seems you lost some of the transactions. Since those are volatile data,
>> you should be fine. The only thing you might do (if it's not too late) is
>> to flush the caches from the Keycloak admin panel... just in case...
>>
>> On Thu, Nov 15, 2018 at 9:30 AM Cédric Couralet wrote:
>>
>> > On 2018-11-15 08:55, Stian Thorgersen wrote:
>> > > http://blog.keycloak.org/2018/11/keycloak-460final-released.html
>> > > _______________________________________________
>> >
>> > Hi all,
>> >
>> > When updating the docker image, I had a lot of warnings in the log (stack
>> > trace at the bottom). This is related to infinispan apparently. Everything
>> > seems to work fine, but should I be worried?
>> >
>> > 08:11:49,642 WARN [org.infinispan.statetransfer.StateConsumerImpl]
>> > (transport-thread--p19-t3) ISPN000209: Failed to retrieve transactions
>> > of cache client-mappings from node cba19ca69fd1, segments {0-255}:
>> > org.infinispan.remoting.RemoteException: ISPN000217: Received exception
>> > from cba19ca69fd1, see cause for remote stack trace
>> > Caused by: java.io.IOException: Unknown type: 132
org.infinispan.remoting.transport.jgroups.JGroupsTransport$ChannelCallbacks.receive(JGroupsTransport.java:1356) >> > at org.jgroups.JChannel.up(JChannel.java:819) >> > at >> > org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:134) >> > at org.jgroups.stack.Protocol.up(Protocol.java:340) >> > at org.jgroups.protocols.FORK.up(FORK.java:134) >> > at org.jgroups.protocols.FRAG2.up(FRAG2.java:177) >> > at org.jgroups.protocols.FlowControl.up(FlowControl.java:351) >> > at org.jgroups.protocols.pbcast.GMS.up(GMS.java:864) >> > at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:240) >> > at >> > org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1002) >> > at >> > org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:728) >> > at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:383) >> > at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:600) >> > at >> org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:119) >> > at org.jgroups.protocols.FD.up(FD.java:212) >> > at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:252) >> > at org.jgroups.protocols.MERGE3.up(MERGE3.java:276) >> > at org.jgroups.protocols.Discovery.up(Discovery.java:267) >> > ... 6 more >> > >> > >> > C?dric >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From Ondrej.Scerba at zoomint.com Thu Nov 15 07:00:50 2018 From: Ondrej.Scerba at zoomint.com (Ondrej Scerba) Date: Thu, 15 Nov 2018 12:00:50 +0000 Subject: [keycloak-user] Spring Boot Multitenancy Message-ID: <4c2b88d59d5f4c27966ee669a798fe1b@zoomint.com> Hi, I'm trying to implement multitenant Spring Boot application using Spring Security Adapter. I'm able to authenticate based on path to correct realm. 
Now I want to protect endpoints based on realm. How can I achieve it? E.g. the endpoint /realm/Customer1/users should be accessible only to an authenticated user who belongs to realm Customer1, and the endpoint /realm/Customer2/users only to an authenticated user who belongs to realm Customer2.

Thanks,
Ondrej

From geoff at opticks.io Thu Nov 15 09:46:39 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 15 Nov 2018 15:46:39 +0100
Subject: [keycloak-user] End user sharing of his resource removes permission to his resource

I still have this issue in 4.6.0.Final

Regards,
Geoffrey Cleaves

On Mon, 12 Nov 2018 at 13:34, Pedro Igor Silva wrote:

> Hi,
>
> It should be fixed by https://issues.jboss.org/browse/KEYCLOAK-8445. Fix
> will be available in the next release.
>
> Regards.
> Pedro Igor
>
> On Mon, Nov 12, 2018 at 10:23 AM Geoffrey Cleaves wrote:
>
>> I'm experiencing unexpected results and believe there is a bug. I am
>> losing permissions to my resource after sharing my resource with another user.
>>
>> Resource owner rs1 has read and edit rights to his resource1 through a JS
>> policy and permission which grants the resource owner the rights.
>>
>> If rs1 uses the My resources screen to grant another user, rs2, the read
>> scope to resource1, rs1 loses the right to the read scope.
>>
>> Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the
>> screen cast within the JIRA.

From nocquidant at gmail.com Thu Nov 15 13:38:59 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Thu, 15 Nov 2018 19:38:59 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To: <6c684abf-809f-1a16-453b-5f99dbbe6a14@redhat.com>
References: <1408145257.66131813.1541706517375.JavaMail.zimbra@redhat.com> <6c684abf-809f-1a16-453b-5f99dbbe6a14@redhat.com>

OK, so I set up one KC node with a remote store, and one JDG (ISPN) server with a shared JDBC store, and it seems to work fine. Thanks! I would have preferred not to add a JDG server, but at least I have a solution.

But a few things remain unclear:
- each time I update/insert/delete a session entity from KC, the JDG server will always be updated, right?
- what about read operations? Does it mean there are 2 independent caches, one in KC and one in ISPN (JMX shows the same numEntriesInMemory for both)?

So let's say I am not interested in Cross DC yet, but I want to set up a cluster of 3 VMs (with HAProxy in front of them), each VM holding one KC process + one ISPN process:
* VM#1 : kc_node11 && ispn_node11 (kc_node11 uses ispn_node11 as remote cache)
* VM#2 : kc_node21 && ispn_node21 (kc_node21 uses ispn_node21 as remote cache)
* VM#3 : kc_node31 && ispn_node31 (kc_node31 uses ispn_node31 as remote cache)

Which cache mode should I use then, and how many owners, for both KC and ISPN? Invalidation mode and numOfOwner=2 for KC, and distributed mode and numOfOwner=2 for ISPN? Would that work?

Thanks again
--nick

On Thu, 15 Nov 2018 at 11:55, Marek Posolda wrote:

> Yes, true.
> We're using SKIP_CACHE_STORE when writing to sessions. We never
> tested with CacheStores enabled.
>
> The only store we have tested with is the "remote-store", which we're
> using for the cross-datacenter setup. We have lots of places where we're not
> just writing data to the "cache" directly and letting the "remote-store"
> propagate it, but instead we obtain the "remoteCache" instance from the
> underlying remote-store and CRUD data directly to remoteCache to have some
> optimizations and guaranteed consistency and atomicity for remoteCache
> operations (e.g. putIfAbsent, replace etc). That's also the reason why we're
> using the SKIP_CACHE_STORE flag.
>
> Feel free to create a JIRA for better support of other CacheStores.
>
> The other possibility to work around this (besides what Sebastian already
> mentioned) is to have a JDG server and configure your cache with the
> remote-store as described in our "Cross-Datacenter setup" documentation. On
> the JDG side, you can configure the JDBC store for your cache. In other words,
> the session will always be written to JDG and JDG will write it to the
> underlying JDBC. I know this option is far from ideal (you need to add a JDG
> server just to work around things), just mentioning it for completeness.
>
> Marek
>
>
> On 09/11/18 14:29, Sebastian Laskawiec wrote:
>
> Yes, I think that could be the case, I see plenty of places where we
> use SKIP_CACHE_STORE.
>
> Let me ask Marek for help here since it has been implemented long before I
> joined the team and I don't know the history behind it...
>
> On Thu, Nov 8, 2018 at 8:48 PM William Burns wrote:
>
>>
>>
>> ----- Original Message -----
>>> From: "Sebastian Laskawiec"
>>> To: "Nicolas Ocquidant"
>>> Cc: keycloak-user at lists.jboss.org, "Will Burns Rosenquist Burns" <wburns at redhat.com>
>>> Sent: Thursday, November 8, 2018 12:33:47 PM
>>> Subject: Re: [keycloak-user] Shared datastore?
>>>
>>> So I think there are at least two ways to address this problem. The
>>> first one is to use Offline Tokens [1]. I'm not sure if that fits into your
>>> application since it requires your client applications to store the token.
>>> In other words you can simply delegate this problem one layer below in your
>>> system.
>>>
>>> If that doesn't work for you, yes passivation is a way to go. Frankly, I
>>> haven't used passivation but from the manual I see it works hand in hand
>>> with eviction [2][3]. Will (on CC) can probably correct me here, but my
>>> understanding is that whenever an entry gets evicted, the passivation
>>> mechanism picks it up and stores it somewhere.
>>
>> It does and it works, the problem is that passivation doesn't play well
>> with shared stores in Infinispan. We prevent this configuration in 9.4 or
>> newer even.
>>
>> I recommended that Nicolas just use eviction and a shared store without
>> passivation. However it seems that entries are not written to the store in
>> this configuration. My guess is that KeyCloak performs write operations
>> with the SKIP_CACHE_STORE flag and assumes entries will only be written to
>> the store due to passivation. Is there a reason for that?
>>
>>>
>>> [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
>>> [2] http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation
>>> [3] https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69
>>>
>>> On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant wrote:
>>>
>>>> My requirements are the following: store tokens emitted by KC during one
>>>> year.
>>>>
>>>> I don't know how many users there are, but here are the numbers I get:
>>>> * the number of connections a week is about 700k.
>>>> * the number of session refreshes a week is about 200k.
>>>>
>>>> I approximated around 1M sessions a week, thus 52M a year.
>>>> In memory, a user session has been estimated around 4KB (about 1KB in
>>>> file/DB).
>>>>
>>>> But I guess a refresh does not create another session, does it? And maybe
>>>> it's possible to ask KC to delete previously emitted tokens when a new one is
>>>> created for the same user?
>>>>
>>>> If yes, my estimation is probably a little bit too high here, but I
>>>> certainly have several millions of tokens to keep (and maybe dozens of
>>>> millions).
>>>>
>>>> Thanks
>>>> --nick
>>>>
>>>> On Wed, 7 Nov 2018 at 18:17, Nicolas Ocquidant wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> According to Infinispan, when passivation is disabled, every update to the
>>>>> cache should always write to the store.
>>>>>
>>>>> But I can't manage to get it to work with Keycloak. If I disable passivation,
>>>>> my SQL store (Postgres) stays empty, even if the cache is full.
>>>>>
>>>>> So, if passivation is needed for Keycloak to write to the DB, it means
>>>>> that the use of a shared DB is not possible...
>>>>>
>>>>> But this leads to another issue for me. Enabling passivation without a
>>>>> shared DB seems to imply that either 'fetch-state' or 'purge' should be
>>>>> enabled on startup, in order for the cache to not contain stale entries.
>>>>>
>>>>> 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
>>>>>
>>>>> As I need to keep millions of sessions, this will considerably slow down
>>>>> the startup of my node (when started again after a crash for instance).
>>>>>
>>>>> So, is a shared datastore allowed in Keycloak? If yes, how to enable it?
>>>>> Otherwise what other options do I have to improve my startup time, if
>>>>> millions of sessions are in the store?
>>>>>
>>>>> Thanks
>>>>> --nick
>>>>>

From psilva at redhat.com Thu Nov 15 16:38:31 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 15 Nov 2018 19:38:31 -0200
Subject: [keycloak-user] End user sharing of his resource removes permission to his resource

Hi Geoffrey,

I could not reproduce this in 4.6.0.Final. If that video is still valid, the report from the evaluation tool should not show the "user-managed-permission" if you are running as the resource owner. That is weird.

In any case, I've attached to that JIRA the settings I used (similar to what we have in tests) to try to reproduce the issue.

Regards.
Pedro Igor

On Thu, Nov 15, 2018 at 12:46 PM Geoffrey Cleaves wrote:

> I still have this issue in 4.6.0.Final
>
> Regards,
> Geoffrey Cleaves
>
> On Mon, 12 Nov 2018 at 13:34, Pedro Igor Silva wrote:
>
>> Hi,
>>
>> It should be fixed by https://issues.jboss.org/browse/KEYCLOAK-8445. Fix
>> will be available in the next release.
>>
>> Regards.
>> Pedro Igor
>>
>> On Mon, Nov 12, 2018 at 10:23 AM Geoffrey Cleaves wrote:
>>
>>> I'm experiencing unexpected results and believe there is a bug. I am
>>> losing permissions to my resource after sharing my resource with another user.
>>>
>>> Resource owner rs1 has read and edit rights to his resource1 through a JS
>>> policy and permission which grants the resource owner the rights.
>>>
>>> If rs1 uses the My resources screen to grant another user, rs2, the read
>>> scope to resource1, rs1 loses the right to the read scope.
>>>
>>> Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the
>>> screen cast within the JIRA.

From cedric at couralet.eu Fri Nov 16 02:21:46 2018
From: cedric at couralet.eu (Cédric Couralet)
Date: Fri, 16 Nov 2018 08:21:46 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu>
Message-ID: <6a959a9d128ff9715a66e3b26d993740@couralet.eu>

On 2018-11-15 16:53, Pedro Ruivo wrote:
> Hi Sebastian,
>
> Which ISPN version is shipped with 4.6.0?
>
> The StateRequestCommand changed its wire format in 9.3.1/9.4.0.
>
> From the exception, it looks like some nodes are using an older
> version and the "new" nodes can't deserialize it.
>

Thanks for the answers, I realize now that the old version was not entirely stopped before the new instance started. I'm guessing the change in format caused those exceptions. I'll change my procedures for future versions.
Sorry for the noise.

Cédric

From marco.scheuermann at daimler.com Fri Nov 16 03:12:34 2018
From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com)
Date: Fri, 16 Nov 2018 08:12:34 +0000
Subject: [keycloak-user] How to package a provider as EAR
In-Reply-To: <1C82FBF5-3E14-4E86-B0F1-5D6FECB2229C@daimler.com>
References: <1C82FBF5-3E14-4E86-B0F1-5D6FECB2229C@daimler.com>
Message-ID: <8C6AB5C1-40DA-4AC2-8A9C-A25337D9709B@daimler.com>

Hi together,

do you have any example of how to package a provider implementation as an EAR file?
I packaged it as a JAR and it works, but then I added some external libs (JARs), so I have the requirement to package it as an EAR.

Thank you,
Marco

Marco Scheuermann
Dipl.-Informatiker
Software Engineer RD/UIA
Team Rising Stars
Tel.: +49 151 5860 5255
E-Mail: marco.scheuermann at daimler.com

Daimler AG
Sitz und Registergericht/Domicile and Court of Registry: Stuttgart
HRB-Nr./Commercial Register No. 19360
Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Manfred Bischoff
Vorstand/Board of Management: Dieter Zetsche (Vorsitzender/Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Hubertus Troska, Bodo Uebber, Thomas Weber

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

From callum at well.ox.ac.uk Fri Nov 16 04:16:39 2018
From: callum at well.ox.ac.uk (Callum Smith)
Date: Fri, 16 Nov 2018 09:16:39 +0000
Subject: [keycloak-user] krbLastPwdChange - can we use this attribute
Message-ID: <76219A0B-5737-47FC-9B90-8D805B4BA0F8@well.ox.ac.uk>

Dear Keycloakers,

I was wondering: if Keycloak can accept pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk

From iammikesemail at gmail.com Fri Nov 16 09:11:57 2018
From: iammikesemail at gmail.com (Mike Keith)
Date: Fri, 16 Nov 2018 09:11:57 -0500
Subject: [keycloak-user] How to package a provider as EAR

Hi Marco,

I'm currently exploring this exact thing, and so far haven't gotten it right just yet.
Today I plan to figure out more about the maven ear plugin: https://maven.apache.org/plugins/maven-ear-plugin/

I'll reply back if I find anything, and would definitely be interested in your own progress as well if you find anything useful.

-Mike

> Hi together,
> do you have any example of how to package a provider implementation as an EAR
> file?
> I packaged it as a JAR and it works, but then I added some external libs
> (JARs), so I have the requirement to
> package it as an EAR.
> Thank you,
> Marco
> Marco Scheuermann

From geoff at opticks.io Fri Nov 16 09:14:01 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 16 Nov 2018 15:14:01 +0100
Subject: [keycloak-user] End user sharing of his resource removes permission to his resource

Hi Pedro,

I appreciate your efforts on this. I imported your JSON config into a new client and have the same exact problem. I've updated the ticket with a screen shot.

By default, Alice has album:view and album:edit rights to her Book. But once she gives my user the album:view right, she loses that right.

Regards,
Geoffrey Cleaves

On Thu, 15 Nov 2018 at 22:38, Pedro Igor Silva wrote:

> Hi Geoffrey,
>
> I could not reproduce this in 4.6.0.Final. If that video is still valid,
> the report from the evaluation tool should not show the
> "user-managed-permission" if you are running as the resource owner. That
> is weird.
>
> In any case, I've attached to that JIRA the settings I used (similar to
> what we have in tests) to try to reproduce the issue.
>
> Regards.
> Pedro Igor
>
> On Thu, Nov 15, 2018 at 12:46 PM Geoffrey Cleaves wrote:
>
>> I still have this issue in 4.6.0.Final
>>
>> Regards,
>> Geoffrey Cleaves
>>
>> On Mon, 12 Nov 2018 at 13:34, Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> It should be fixed by https://issues.jboss.org/browse/KEYCLOAK-8445.
>>> Fix will be available in the next release.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Mon, Nov 12, 2018 at 10:23 AM Geoffrey Cleaves wrote:
>>>
>>>> I'm experiencing unexpected results and believe there is a bug. I am
>>>> losing permissions to my resource after sharing my resource with another user.
>>>>
>>>> Resource owner rs1 has read and edit rights to his resource1 through a
>>>> JS policy and permission which grants the resource owner the rights.
>>>>
>>>> If rs1 uses the My resources screen to grant another user, rs2, the read
>>>> scope to resource1, rs1 loses the right to the read scope.
>>>>
>>>> Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the
>>>> screen cast within the JIRA.

From to_sud at yahoo.com Fri Nov 16 09:47:53 2018
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Fri, 16 Nov 2018 09:47:53 -0500
Subject: [keycloak-user] Keycloak SAML IdP and URL parameter

Hi,

We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak.

We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request for a code and redirects the browser to itself, at which point control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator.

Is there any way to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator?

Thanks in advance for your help.

Regards
-sud
From callum at well.ox.ac.uk Fri Nov 16 11:27:35 2018
From: callum at well.ox.ac.uk (Callum Smith)
Date: Fri, 16 Nov 2018 16:27:35 +0000
Subject: [keycloak-user] krbLastPwdChange - can we use this attribute
In-Reply-To: <76219A0B-5737-47FC-9B90-8D805B4BA0F8@well.ox.ac.uk>
References: <76219A0B-5737-47FC-9B90-8D805B4BA0F8@well.ox.ac.uk>
Message-ID: <21B3C608-679D-4F3F-8587-769C3BFDC4B2@well.ox.ac.uk>

Dear All,

I've implemented this as a python script for now; hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically, since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon).

requirements: ldap3, python-keycloak

import os
import ldap3
from keycloak import KeycloakAdmin
from datetime import datetime

# Connection settings: fill in for your environment
options = {}
options['ipa_host'] = ''
options['ipa_admin_user'] = ''
options['ipa_base_dn'] = ''
options['ipa_admin_dn'] = '' + ',' + options['ipa_base_dn']  # prefix with the admin account's RDN
options['keycloak_host'] = ''
options['keycloak_admin_user'] = ''
options['keycloak_storage_id'] = ''

# Credentials come from the environment instead of being written into the script
keycloakAdminPassword = os.environ['KEYCLOAK_ADMIN_PASSWORD']
ipaAdminPassword = os.environ['IPA_ADMIN_PASSWORD']

# Begin Keycloak client
keycloakClient = KeycloakAdmin(server_url='https://' + options['keycloak_host'] + '/auth/',
                               username=options['keycloak_admin_user'],
                               password=keycloakAdminPassword,
                               realm_name='master',
                               verify=False)  # disables TLS certificate checking; use True outside test setups

# Begin LDAP client
ldapServer = ldap3.Server(options['ipa_host'])
ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'], password=ipaAdminPassword, auto_bind=True)

# Generate datestamp in LDAP GeneralizedTime format (UTC)
date = datetime.utcnow().strftime('%Y%m%d%H%M%S') + 'Z'

# Perform an LDAP sync for Keycloak
keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync")

# Search LDAP for expired passwords (and accounts that carry no expiration at all)
ldapClient.search('cn=users,cn=accounts,' + options['ipa_base_dn'],
                  '(|(krbPasswordExpiration<=' + date + ')(!(krbPasswordExpiration=*)))',
                  attributes=['uid', 'cn', 'krbLastPwdChange', 'krbPasswordExpiration'])
resetPasswordUsers = ldapClient.entries
for user in resetPasswordUsers:
    user_id = keycloakClient.get_user_id(user.uid.value)
    if user_id is None:
        continue  # not (yet) known to Keycloak
    keycloakClient.update_user(user_id=user_id, payload={"requiredActions": ['UPDATE_PASSWORD']})

# Search LDAP for valid passwords
ldapClient.search('cn=users,cn=accounts,' + options['ipa_base_dn'],
                  '(krbPasswordExpiration>=' + date + ')',
                  attributes=['uid', 'cn', 'krbLastPwdChange', 'krbPasswordExpiration'])
validPasswordUsers = ldapClient.entries
for user in validPasswordUsers:
    user_id = keycloakClient.get_user_id(user.uid.value)
    if user_id is None:
        continue
    # note: this clears every required action on the user, not only UPDATE_PASSWORD
    keycloakClient.update_user(user_id=user_id, payload={"requiredActions": []})

I've chopped some domain-specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here.

Regards,
Callum

--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum at well.ox.ac.uk

On 16 Nov 2018, at 09:16, Callum Smith wrote:

> Dear Keycloakers,
>
> I was wondering: if Keycloak can accept pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?
>
> Regards,
> Callum

From henning.waack at codecentric.de Fri Nov 16 11:29:15 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Fri, 16 Nov 2018 17:29:15 +0100
Subject: [keycloak-user] NullpointerException in AuthenticationManager

Dear all.
Using KC 4.5.0, I get the following exception in my custom SPI:

2018-11-16 17:05:23,407 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: java.lang.NullPointerException
    at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:249)
    at org.keycloak.keys.DefaultKeyManager.getKey(DefaultKeyManager.java:104)
    at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.getKey(ServerAsymmetricSignatureVerifierContext.java:29)
    at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.<init>(ServerAsymmetricSignatureVerifierContext.java:25)
    at org.keycloak.crypto.AsymmetricSignatureProvider.verifier(AsymmetricSignatureProvider.java:39)
    at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:1138)
    at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:71)
    at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:66)
    at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:58)
    at de.sys.keycloak.spi.UserSearchResourceProvider.<init>(UserSearchResourceProvider.java:46)

The method invoking it is as follows:

    RealmManager realmManager = new RealmManager(session);
    RealmModel realm = realmManager.getRealmByName(realmName);
    this.auth = new AppAuthManager().authenticateBearerToken(session, realm);

Any pointer at what is happening here? The server did function quite nicely before; I don't know what could lead to this situation.

Thanks & greetings

Henning

--
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
Board of Management: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From henning.waack at codecentric.de Fri Nov 16 12:15:13 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Fri, 16 Nov 2018 18:15:13 +0100
Subject: [keycloak-user] NullpointerException in AuthenticationManager

Ok, found something very weird! So I changed the code as follows:

    RealmManager realmManager = new RealmManager(session);
    RealmModel realm = realmManager.getRealmByName(realmName);
    session.getContext().setRealm(realm);
    this.auth = new AppAuthManager().authenticateBearerToken(session, realm);

I.e. I manually added the RealmModel to the session context. Now it works again. This was working perfectly before, so why could this change?

Thanks & greetings

Henning

On Fri, 16 Nov 2018 at 17:29, Henning Waack <henning.waack at codecentric.de> wrote:

> Dear all.
>
>
> Using KC 4.5.0, I get the following exception in my custom SPI:
>
> 2018-11-16 17:05:23,407 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: java.lang.NullPointerException
>     at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:249)
>     at org.keycloak.keys.DefaultKeyManager.getKey(DefaultKeyManager.java:104)
>     at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.getKey(ServerAsymmetricSignatureVerifierContext.java:29)
>     at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.<init>(ServerAsymmetricSignatureVerifierContext.java:25)
>     at org.keycloak.crypto.AsymmetricSignatureProvider.verifier(AsymmetricSignatureProvider.java:39)
>     at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:1138)
>     at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:71)
>     at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:66)
>     at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:58)
>     at de.sys.keycloak.spi.UserSearchResourceProvider.<init>(UserSearchResourceProvider.java:46)
>
> The method invoking it is as follows:
>
>     RealmManager realmManager = new RealmManager(session);
>     RealmModel realm = realmManager.getRealmByName(realmName);
>     this.auth = new AppAuthManager().authenticateBearerToken(session, realm);
>
> Any pointer at what is happening here? The server did function quite nicely before; I don't know what could lead to this situation.
>
> Thanks & greetings
>
> Henning
>
> --
> Henning Waack | IT Consultant
> codecentric AG

--
Henning Waack | IT Consultant
codecentric AG
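Added example (not Henning's code and not part of Keycloak): a realm resource provider constructor that applies the fix found in this thread, publishing the realm on the session context before calling authenticateBearerToken, and failing closed when the realm is unknown or the token does not authenticate. The class and package names are taken from the stack trace above; the realmName constructor argument and the accessor names are assumptions.

```java
package de.sys.keycloak.spi; // package taken from the stack trace in the thread

import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.NotFoundException;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resource.RealmResourceProvider;

/**
 * Realm resource provider that authenticates the bearer token of the
 * incoming request against a realm looked up by name.
 * Added example modelled on the fix described in the thread; the
 * realmName parameter is an assumption about how the provider is wired.
 */
public class UserSearchResourceProvider implements RealmResourceProvider {

    private final KeycloakSession session;
    private final AuthenticationManager.AuthResult auth;

    public UserSearchResourceProvider(KeycloakSession session, String realmName) {
        this.session = session;
        this.auth = authenticate(session, realmName);
    }

    /**
     * Resolves the realm, sets it on the session context and verifies the
     * bearer token. The signature verifier behind authenticateBearerToken
     * takes the realm from the session context (the thread shows that
     * setting it makes the NullPointerException in
     * DefaultKeyManager.getProviders disappear), so the context must be
     * populated before the token is verified.
     */
    static AuthenticationManager.AuthResult authenticate(KeycloakSession session, String realmName) {
        RealmModel realm = new RealmManager(session).getRealmByName(realmName);
        if (realm == null) {
            // Unknown realm: reject instead of letting a null realm reach the key manager.
            throw new NotFoundException("realm not found");
        }
        session.getContext().setRealm(realm);

        AuthenticationManager.AuthResult result =
                new AppAuthManager().authenticateBearerToken(session, realm);
        if (result == null) {
            // authenticateBearerToken returns null for a missing, expired or
            // otherwise invalid token: answer 401 rather than serving the request.
            throw new NotAuthorizedException("Bearer");
        }
        return result;
    }

    /** The authenticated caller (user and verified access token). */
    public AuthenticationManager.AuthResult getAuth() {
        return auth;
    }

    public KeycloakSession getSession() {
        return session;
    }

    @Override
    public Object getResource() {
        return this;
    }

    @Override
    public void close() {
    }
}
```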
From geoff at opticks.io Fri Nov 16 12:49:00 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 16 Nov 2018 18:49:00 +0100
Subject: [keycloak-user] Keycloak 4.6.0.Final released
In-Reply-To: <6a959a9d128ff9715a66e3b26d993740@couralet.eu>
References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu> <6a959a9d128ff9715a66e3b26d993740@couralet.eu>

I'm unable to get the 4.6.0.Final or 4.7.0.Snapshot Docker images to work properly. The Admin Console throws an error with every action. I've added new info to this ticket https://issues.jboss.org/browse/KEYCLOAK-8832 including this screen cast to prove I'm not loco: https://www.youtube.com/watch?v=prEO19-UQsk

Geoff

On Fri, 16 Nov 2018 at 08:26, Cédric Couralet wrote:

> On 2018-11-15 16:53, Pedro Ruivo wrote:
>> Hi Sebastian,
>>
>> Which ISPN version is shipped with 4.6.0?
>>
>> The StateRequestCommand changed its wire format in 9.3.1/9.4.0.
>>
>> From the exception, it looks like some nodes are using an older
>> version and the "new" nodes can't deserialize it.
>>
>
> Thanks for the answers, I realize now that the old version was not
> entirely stopped before the new instance started. I'm guessing the
> change in format caused those exceptions. I'll change my procedures for
> future versions.
> Sorry for the noise.
> > C?dric > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From cedric at couralet.eu Fri Nov 16 13:19:15 2018 From: cedric at couralet.eu (=?UTF-8?Q?C=C3=A9dric_Couralet?=) Date: Fri, 16 Nov 2018 19:19:15 +0100 Subject: [keycloak-user] Keycloak 4.6.0.Final released In-Reply-To: References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu> <6a959a9d128ff9715a66e3b26d993740@couralet.eu> Message-ID: <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> Le 2018-11-16 18:49, Geoffrey Cleaves a ?crit?: > I'm unable to get 4.6.0.Final or 4.7.0.Snapshot Docker images to work > properly. The Admin Console throws an error with every action. I've > added new info to this ticket > https://issues.jboss.org/browse/KEYCLOAK-8832 [3] including this > screen cast to prove I'm not loco: > https://www.youtube.com/watch?v=prEO19-UQsk [4] > > Geoff > Hello, I manage to get those error by using DEBUG Log level and using chrome to access admin console. I think the problem is here : https://github.com/keycloak/keycloak/blob/e5bb25dd2f8460bfa818a1cbed0b26c3e88d69db/services/src/main/java/org/keycloak/services/resources/Cors.java#L193 in the debug message allowedOrigins..toArray() is called even when null. But I don't understand the difference between Firefox and Chrome on this. I think a simple fix is to configure the log level as INFO. 
C?dric Couralet From cedric at couralet.eu Fri Nov 16 13:21:26 2018 From: cedric at couralet.eu (=?UTF-8?Q?C=C3=A9dric_Couralet?=) Date: Fri, 16 Nov 2018 19:21:26 +0100 Subject: [keycloak-user] Keycloak 4.6.0.Final released In-Reply-To: <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu> <6a959a9d128ff9715a66e3b26d993740@couralet.eu> <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> Message-ID: <2ef4d5df5522c6e45d801a6b4ad6891f@couralet.eu> > But I don't understand the difference between Firefox and Chrome on > this. > This made me understand that difference : https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request From cedric at couralet.eu Fri Nov 16 13:28:43 2018 From: cedric at couralet.eu (=?UTF-8?Q?C=C3=A9dric_Couralet?=) Date: Fri, 16 Nov 2018 19:28:43 +0100 Subject: [keycloak-user] Keycloak 4.6.0.Final released In-Reply-To: <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu> <6a959a9d128ff9715a66e3b26d993740@couralet.eu> <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> Message-ID: Le 2018-11-16 19:19, C?dric Couralet a ?crit?: > Le 2018-11-16 18:49, Geoffrey Cleaves a ?crit?: >> I'm unable to get 4.6.0.Final or 4.7.0.Snapshot Docker images to work >> properly. The Admin Console throws an error with every action. I've >> added new info to this ticket >> https://issues.jboss.org/browse/KEYCLOAK-8832 [3] including this >> screen cast to prove I'm not loco: >> https://www.youtube.com/watch?v=prEO19-UQsk [4] >> >> Geoff >> > > Hello, > > I manage to get those error by using DEBUG Log level and using chrome > to access admin console. > > I think the problem is here : > https://github.com/keycloak/keycloak/blob/e5bb25dd2f8460bfa818a1cbed0b26c3e88d69db/services/src/main/java/org/keycloak/services/resources/Cors.java#L193 > > in the debug message allowedOrigins..toArray() is called even when > null. 
> But I don't understand the difference between Firefox and Chrome on > this. > This made me understand that difference : https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request From geoff at opticks.io Fri Nov 16 15:43:17 2018 From: geoff at opticks.io (Geoffrey Cleaves) Date: Fri, 16 Nov 2018 21:43:17 +0100 Subject: [keycloak-user] Keycloak 4.6.0.Final released In-Reply-To: References: <9721fa600ae28dd56d6eecabe76ec884@couralet.eu> <6a959a9d128ff9715a66e3b26d993740@couralet.eu> <9eb67585f0b666a05c8d0aeb564adfe6@couralet.eu> Message-ID: Thanks, changing the logging level solved the issue. Regards, Geoffrey Cleaves On Fri, 16 Nov 2018 at 19:28, C?dric Couralet wrote: > Le 2018-11-16 19:19, C?dric Couralet a ?crit : > > Le 2018-11-16 18:49, Geoffrey Cleaves a ?crit : > >> I'm unable to get 4.6.0.Final or 4.7.0.Snapshot Docker images to work > >> properly. The Admin Console throws an error with every action. I've > >> added new info to this ticket > >> https://issues.jboss.org/browse/KEYCLOAK-8832 [3] including this > >> screen cast to prove I'm not loco: > >> https://www.youtube.com/watch?v=prEO19-UQsk [4] > >> > >> Geoff > >> > > > > Hello, > > > > I manage to get those error by using DEBUG Log level and using chrome > > to access admin console. > > > > I think the problem is here : > > > https://github.com/keycloak/keycloak/blob/e5bb25dd2f8460bfa818a1cbed0b26c3e88d69db/services/src/main/java/org/keycloak/services/resources/Cors.java#L193 > > > > in the debug message allowedOrigins..toArray() is called even when > > null. > > But I don't understand the difference between Firefox and Chrome on > > this. 
> > > > This made me understand that difference : > > > https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request > > From slyge2001 at yahoo.fr Fri Nov 16 17:19:45 2018 From: slyge2001 at yahoo.fr (ge sly) Date: Fri, 16 Nov 2018 22:19:45 +0000 (UTC) Subject: [keycloak-user] Re :Keycloak Idp SLO response location In-Reply-To: <1665888810.3194155.1542406492861@mail.yahoo.com> References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> Message-ID: <873954453.3176887.1542406785280@mail.yahoo.com> Hi I am tringle to configure Keycloak as an Idp with OIOSAML as a SP. OIOSAML has 2 urls for the single logout: I dont see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.? Thanks? Regards?Sylvain Envoy? depuis Yahoo Mail pour Android From dt at acutus.pro Fri Nov 16 19:15:01 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Sat, 17 Nov 2018 03:15:01 +0300 Subject: [keycloak-user] Re :Keycloak Idp SLO response location In-Reply-To: <873954453.3176887.1542406785280@mail.yahoo.com> References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> <873954453.3176887.1542406785280@mail.yahoo.com> Message-ID: <1542413701.2114.1.camel@acutus.pro> Hello Sylvain, These settings are under the "Fine Grain SAML Endpoint Configuration" section in the client settings. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-11-16 at 22:19 +0000, ge sly wrote: > > ? Hi > I am tringle to configure Keycloak as an Idp with OIOSAML as a SP. > OIOSAML has 2 urls for the single logout: > > I dont see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.? > Thanks? 
> Regards
> Sylvain
> Sent from Yahoo Mail on Android
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slyge2001 at yahoo.fr Sat Nov 17 02:43:37 2018
From: slyge2001 at yahoo.fr (ge sly)
Date: Sat, 17 Nov 2018 07:43:37 +0000 (UTC)
Subject: [keycloak-user] Re :Re: Re :Keycloak Idp SLO response location
In-Reply-To: <1542413701.2114.1.camel@acutus.pro>
References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> <873954453.3176887.1542406785280@mail.yahoo.com> <1542413701.2114.1.camel@acutus.pro>
Message-ID: <848358272.3247455.1542440617860@mail.yahoo.com>

Hi Dmitry

Yes I saw it, but there are only 2 URLs:
- Logout Service POST Binding URL - POST Binding URL for the Logout Service.
- Logout Service Redirect Binding URL - Redirect Binding URL for the Logout Service

Where can I set the Logout Service POST Binding Response URL and Logout Service Redirect Response Binding URL? They are optional attributes in the SAML spec.

Thanks
Regards
Sylvain

On Sat., Nov. 17, 2018 at 1:15, Dmitry Telegin wrote:
> Hello Sylvain,
>
> These settings are under the "Fine Grain SAML Endpoint Configuration" section in the client settings.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-16 at 22:19 +0000, ge sly wrote:
> > Hi
> > I am trying to configure Keycloak as an IdP with OIOSAML as an SP.
> > OIOSAML has 2 URLs for the single logout:
> >
> > I don't see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.
> > Thanks
> > Regards
> > Sylvain
> > Sent from Yahoo Mail on Android
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From zitrone at gmx-topmail.de Sat Nov 17 06:08:49 2018
From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de)
Date: Sat, 17 Nov 2018 12:08:49 +0100
Subject: [keycloak-user] Adding attributes during login
In-Reply-To: <1542148837.10365.2.camel@acutus.pro>
References: <1541914268.3830.1.camel@acutus.pro> <7d9b9737-12f5-a48a-7ead-3355f55c257b@gmx-topmail.de> <1542148837.10365.2.camel@acutus.pro>
Message-ID: <669483c6-f462-4c7d-67a5-9d40284ae2a2@gmx-topmail.de>

Thank you very much. For anyone interested, here is my full script. I check for the Referer header first; if it is empty I go for the direct parameters. Also restricted it to a certain role.

    // import enum for error lookup
    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

    function authenticate(context) {
        if (user.hasRole(realm.getRole("AllowedRole"))) {
            var username = user ? user.username : "anonymous";
            // On a redirect-based login the query parameters are on the referring URL
            var referer = httpRequest.httpHeaders.getHeaderString("Referer");
            var _foo;
            if (referer !== null) {
                var uri = new java.net.URI(referer);
                var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
                _foo = uriInfo.queryParameters.coBrowsingSSOId;
            } else {
                // Cookie-based re-authentication: no Referer, parameters are on the request URL itself
                _foo = httpRequest.uri.queryParameters.coBrowsingSSOId;
            }
            if (_foo !== null) {
                var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
                LOG.error(script.name + ": " + username + " foo =" + foo);
                authenticationSession.setUserSessionNote("foo", foo);
                context.success();
            } else {
                LOG.error("Missing query parameter 'foo'");
                context.failure(AuthenticationFlowError.INVALID_USER);
            }
        } else {
            context.success();
        }
    }

Regards

On 13.11.2018 at 23:40 Dmitry Telegin wrote:
> Hi, you're welcome,
>
> In the second scenario (cookie-based auth), there is no HTTP redirect, hence your query params are in the actual URL, not in the referer header. You can extract them as follows:
>
>     var _foo = httpRequest.uri.queryParameters['foo'];
>     if (_foo !== null)
>         var foo = _foo[0];
>
> Good luck!
> Dmitry
>
> On Tue, 2018-11-13 at 20:11 +0100, zitrone at gmx-topmail.de wrote:
>> Hi,
>>
>> I'm working on a similar problem. I managed to set up a script authenticator and a User Session Note Mapper. Works fine on first request (like, on the first try. Thanks for the code!). I send the query parameter to the auth endpoint, enter the credentials and get a code. The token I get for the code contains the query parameter as a field.
>>
>> But when I query the auth endpoint a second time, it authenticates via cookie. Then it starts the script and the script throws a null pointer exception. The problem is that the "Referer" header is null.
>>
>> The idea behind the second call is to "update" the session note. Any ideas how to get the query parameter in this case? Or why it vanishes in the first place?
>>
>>
>> Regards
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From luca.stancapiano at vige.it Sat Nov 17 06:35:29 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Sat, 17 Nov 2018 12:35:29 +0100 (CET)
Subject: [keycloak-user] Keycloak + JACC
Message-ID: <1535719027.93766.1542454529352@pim.register.it>

I'm trying out the quickstart example at https://github.com/keycloak/keycloak-quickstarts.

I use a keycloak 4.5.0.Final server distribution and a Wildfly 14.0.1 that opts the keycloak adapter and the web application.

Once the client is installed on the server distribution and added the correct keycloak.json as required in the README on https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/README.md , the application works well.

I would like to understand though if JACC can be used as a standard in web applications. For example, if I try to use the PolicyContext class inside a controller class method:

    public boolean isLoggedIn(HttpServletRequest req) throws PolicyContextException {
        System.out.println("subject:" + PolicyContext.getContext("javax.security.auth.Subject.container"));
        return getSession(req) != null;
    }

I get null. Also trying to configure a JACC policy like:

    /subsystem=elytron/policy=jacc:add(jacc-policy={})
    /subsystem=undertow/application-security-domain=other:write-attribute(name=enable-jacc,value=true)

I always get null. Is it possible to use JACC inside keycloak?
From luca.stancapiano at vige.it Sat Nov 17 07:18:12 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Sat, 17 Nov 2018 13:18:12 +0100 (CET)
Subject: [keycloak-user] Keycloak + JACC
In-Reply-To: <1535719027.93766.1542454529352@pim.register.it>
References: <1535719027.93766.1542454529352@pim.register.it>
Message-ID: <2010368485.94191.1542457093148@pim.register.it>

The startguide sample I'm using is https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-vanilla

> On 17 November 2018 at 12.35 Luca Stancapiano wrote:
>
>
> I'm trying out the quickstart example at https://github.com/keycloak/keycloak-quickstarts.
>
> I use a keycloak 4.5.0.Final server distribution and a Wildfly 14.0.1 that opts the keycloak adapter and the web application.
>
> Once the client is installed on the server distribution and added the correct keycloak.json as required in the README on https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/README.md , the application works well.
>
> I would like to understand though if JACC can be used as a standard in web applications. For example, if I try to use the PolicyContext class inside a controller class method:
>
>     public boolean isLoggedIn(HttpServletRequest req) throws PolicyContextException {
>         System.out.println("subject:" + PolicyContext.getContext("javax.security.auth.Subject.container"));
>         return getSession(req) != null;
>     }
>
> I get null. Also trying to configure a JACC policy like:
>
>     /subsystem=elytron/policy=jacc:add(jacc-policy={})
>     /subsystem=undertow/application-security-domain=other:write-attribute(name=enable-jacc,value=true)
>
> I always get null. Is it possible to use JACC inside keycloak?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sakodiya at grepruby.com Sat Nov 17 08:46:39 2018
From: sakodiya at grepruby.com (Shubham Akodiya)
Date: Sat, 17 Nov 2018 19:16:39 +0530
Subject: [keycloak-user] Create user with API & update the client role
Message-ID:

Hi,

Is there any way to create the user with a default password using the API and update the user's client role while creating the user? It would be more helpful if you provide any working example of nodeJS for this or suggest the APIs.

I've already gone through the link but still, it seems incomplete as per my requirement.

Thanks,
Shubham Akodiya

From willyvic17 at gmail.com Sat Nov 17 20:11:04 2018
From: willyvic17 at gmail.com (William Nankap)
Date: Sun, 18 Nov 2018 02:11:04 +0100
Subject: [keycloak-user] Deploy keycloak to Kubernetes Cluster on GCP
Message-ID:

Hi everyone,

When I deploy the keycloak 4.5.0.Final Docker image to a Kubernetes cluster on GCP I can normally access the keycloak interface via the external IP address on port 8080. But I can't access the WILDFLY Management Interface on port 9990.

My questions:

1/ What are the recommendations to use keycloak in production?
   a/ Install keycloak server side by side with a wildfly server to use it correctly?
   b/ Install only the keycloak server. How can I manage deployment for an app if I can't access the wildfly management interface? Is it imperative to access it?
2/ Do you need more details on my deployment to help me? If yes, which?
3/ How can I get the wildfly management interface on my GCP deployment to deploy my app?
4/ Do you have suggestions for me, the best way to use keycloak in production? Some support?

I will be very thankful for your answer.

Kindest regards...
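For Shubham's question above (create a user with a default password through the API and give it a client role, from Node.js), the following is an added example; it is not code from this thread or from the Keycloak project. It uses the Keycloak 4.x Admin REST API as documented: user creation is a POST to /auth/admin/realms/{realm}/users (note the /admin/realms prefix; /auth/{realm}/users is not a route and yields 404), and client roles cannot be attached in that call, so a second POST to the user's role-mappings/clients/{client-uuid} endpoint assigns them. The server address, realm name "demo", client "my-app", role "app-user", the token value and the in-memory stand-in server are all constructed for the example; the fetch-based transport is what you would pass against a real server, with an admin token obtained separately.

```javascript
// Added example, not code from the list thread or from the Keycloak project.
// Creates a user with an initial (temporary) password and then assigns a client
// role, using the Keycloak 4.x Admin REST API paths:
//   POST /auth/admin/realms/{realm}/users
//   GET  /auth/admin/realms/{realm}/clients?clientId={clientId}
//   GET  /auth/admin/realms/{realm}/clients/{uuid}/roles/{roleName}
//   POST /auth/admin/realms/{realm}/users/{userId}/role-mappings/clients/{uuid}
// Server address, realm, client and role names below are assumptions.

const BASE_URL = 'http://localhost:8080/auth'; // assumed Keycloak base URL

// Admin endpoints live under /auth/admin/realms/{realm}. A path such as
// /auth/{realm}/users does not exist, and the server answers it with 404.
function adminUrl(realm, path) {
  return `${BASE_URL}/admin/realms/${encodeURIComponent(realm)}${path}`;
}

// UserRepresentation with an initial password. The credential is marked temporary
// and UPDATE_PASSWORD is required, so the "default" password cannot stay in use.
function buildUserRepresentation(username, email, initialPassword) {
  return {
    username,
    email,
    enabled: true,
    emailVerified: false,
    credentials: [{ type: 'password', value: initialPassword, temporary: true }],
    requiredActions: ['UPDATE_PASSWORD'],
  };
}

// Transport contract: ({method, url, headers, body}) -> Promise<{status, headers, body}>.
// This one talks to a real server through the global fetch of Node 18+.
async function fetchTransport({ method, url, headers, body }) {
  const res = await fetch(url, { method, headers, body: body === undefined ? undefined : JSON.stringify(body) });
  const text = await res.text();
  return { status: res.status, headers: { location: res.headers.get('location') }, body: text ? JSON.parse(text) : null };
}

// `token` is an admin access token obtained separately (for example through the
// admin-cli client). Client roles cannot be attached in the create call itself, so
// the mapping is a second request keyed by the client's internal UUID, not its clientId.
async function createUserWithClientRole(transport, token, realm, user, clientId, roleName) {
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };

  const created = await transport({ method: 'POST', url: adminUrl(realm, '/users'), headers, body: user });
  if (created.status !== 201) throw new Error(`create user failed: HTTP ${created.status}`);
  const userId = created.headers.location.split('/').pop(); // id is the last Location segment

  const clients = await transport({ method: 'GET', url: adminUrl(realm, `/clients?clientId=${encodeURIComponent(clientId)}`), headers });
  if (clients.status !== 200 || !Array.isArray(clients.body) || clients.body.length !== 1) {
    throw new Error(`client ${clientId} not found (HTTP ${clients.status})`);
  }
  const clientUuid = clients.body[0].id;

  const role = await transport({ method: 'GET', url: adminUrl(realm, `/clients/${clientUuid}/roles/${encodeURIComponent(roleName)}`), headers });
  if (role.status !== 200) throw new Error(`role ${roleName} not found (HTTP ${role.status})`);

  // The mapping body is a list of RoleRepresentation objects; id and name suffice.
  const mapped = await transport({
    method: 'POST',
    url: adminUrl(realm, `/users/${userId}/role-mappings/clients/${clientUuid}`),
    headers,
    body: [{ id: role.body.id, name: role.body.name }],
  });
  if (mapped.status !== 204) throw new Error(`role mapping failed: HTTP ${mapped.status}`);

  return { userId, clientUuid, roleId: role.body.id };
}

// Constructed in-memory stand-in for the Admin API so the flow runs offline. It
// mirrors the status codes and the Location header the real server sends for these calls.
function makeFakeAdminServer(realm) {
  const state = {
    users: [],
    clients: [{ id: 'c1b2-client-uuid', clientId: 'my-app', roles: [{ id: 'r9f0-role-uuid', name: 'app-user' }] }],
    mappings: [],
  };
  const prefix = `/auth/admin/realms/${realm}`;
  const transport = async ({ method, url, headers, body }) => {
    if (!/^Bearer \S+$/.test(headers.Authorization || '')) return { status: 401, headers: {}, body: null };
    const u = new URL(url);
    if (!u.pathname.startsWith(prefix)) return { status: 404, headers: {}, body: null };
    const rel = u.pathname.slice(prefix.length);
    let m;
    if (method === 'POST' && rel === '/users') {
      const id = `user-${state.users.length + 1}`;
      state.users.push({ id, ...body });
      return { status: 201, headers: { location: `${url}/${id}` }, body: null };
    }
    if (method === 'GET' && rel === '/clients') {
      const found = state.clients.filter((c) => c.clientId === u.searchParams.get('clientId'));
      return { status: 200, headers: {}, body: found.map(({ id, clientId }) => ({ id, clientId })) };
    }
    if (method === 'GET' && (m = rel.match(/^\/clients\/([^/]+)\/roles\/([^/]+)$/))) {
      const client = state.clients.find((c) => c.id === m[1]);
      const role = client && client.roles.find((r) => r.name === decodeURIComponent(m[2]));
      return role ? { status: 200, headers: {}, body: role } : { status: 404, headers: {}, body: null };
    }
    if (method === 'POST' && (m = rel.match(/^\/users\/([^/]+)\/role-mappings\/clients\/([^/]+)$/))) {
      state.mappings.push({ userId: m[1], clientUuid: m[2], roles: body });
      return { status: 204, headers: {}, body: null };
    }
    return { status: 404, headers: {}, body: null };
  };
  return { transport, state };
}
```

Against a real server call `createUserWithClientRole(fetchTransport, token, realm, buildUserRepresentation(...), clientId, roleName)`. Issue the token to a dedicated confidential client whose service account holds only the realm-management roles this job needs (manage-users, view-clients) rather than a master-realm admin, and treat the initial password as a one-time secret: the representation above forces a change at first login for that reason.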
From geoff at opticks.io Sun Nov 18 06:27:33 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 18 Nov 2018 12:27:33 +0100
Subject: [keycloak-user] Querying permissions of the Policy API always empty
Message-ID:

Hi,

I'm sending GET requests to http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy but only get an empty array. I have a permission/policy assigned to hundreds of resources belonging to dozens of users and some resources owned by the resource server itself. Reading the docs, I expect to be able to get a list of all permissions or query by name.

Perhaps I am misunderstanding this:

    This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf. The bearer token can be a regular access token obtained from the token endpoint using:
    - Resource Owner Password Credentials Grant Type
    - Token Exchange, in order to exchange an access token granted to some client (public client) for a token where audience is the resource server

But I don't think so because if my token were wrong I'd get a 401 or 403 instead of 200 with an empty array. In any case I've tried with Client Credentials Grant and Resource Owner Password Credentials Grant Type.

[image: Screen Shot 2018-11-18 at 12.19.25.png]

    curl -D - -X GET \
      https://.../authz/protection/uma-policy \
      -H 'Authorization: Bearer eyJh' \
      -H 'Cache-Control: no-cache' \
      -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
      -H 'cache-control: no-cache'

    HTTP/1.1 200 OK
    Server: nginx/1.11.10
    Date: Sun, 18 Nov 2018 11:23:41 GMT
    Content-Type: application/json
    Content-Length: 2
    Connection: keep-alive
    Cache-Control: no-cache

    []

Any advice?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-11-18 at 12.19.25.png
Type: image/png
Size: 140604 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181118/8b97b534/attachment-0001.png

From sakodiya at grepruby.com Sun Nov 18 08:54:51 2018
From: sakodiya at grepruby.com (Shubham Akodiya)
Date: Sun, 18 Nov 2018 19:24:51 +0530
Subject: [keycloak-user] Getting 404 error while calling the create user API of keycloak 4.5
Message-ID:

Hi,

I'm getting the 404 error while calling the create user API. I've gone through the steps which are explained in this link but still, it gives the 404 error.

URL - http://localhost:8080/auth/{realm_name}/users
METHOD - Post
Headers - Content-Type = "application/json"
          Authorization = "bearer "
Body -

    {
      "username": "rodrigo.sasaki",
      "enabled": true,
      "totp": false,
      "emailVerified": false,
      "firstName": "Rodrigo",
      "lastName": "Sasaki",
      "email": "rodrigo.sasaki@email.com.br",
      "credentials": [
        {
          "type": "password",
          "value": "myPassword"
        }
      ]
    }

From geoff at opticks.io Sun Nov 18 09:51:14 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 18 Nov 2018 15:51:14 +0100
Subject: [keycloak-user] Querying permissions of the Policy API always empty
In-Reply-To:
References:
Message-ID:

I now see that I do get a list of *UMA permissions* when using the Resource Owner Password Credentials Grant Type. I had wrongly expected to see the permissions I had created as admin via the Admin Console.

Shouldn't it be possible for the resource server's service account to view and create UMA permissions without needing to know the end users' credentials for the Resource Owner Password Credentials Grant Type? Or perhaps that is the whole point of UMA...

On Sun, 18 Nov 2018 at 12:27, Geoffrey Cleaves wrote:
> Hi,
>
> I'm sending GET requests to http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy but only get an empty array. I have a permission/policy assigned to hundreds of resources belonging to dozens of users and some resources owned by the resource server itself. Reading the docs, I expect to be able to get a list of all permissions or query by name.
>
> Perhaps I am misunderstanding this:
>
> This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf. The bearer token can be a regular access token obtained from the token endpoint using:
>
> - Resource Owner Password Credentials Grant Type
> - Token Exchange, in order to exchange an access token granted to some client (public client) for a token where audience is the resource server
>
> But I don't think so because if my token were wrong I'd get a 401 or 403 instead of 200 with an empty array. In any case I've tried with Client Credentials Grant and Resource Owner Password Credentials Grant Type.
>
> [image: Screen Shot 2018-11-18 at 12.19.25.png]
>
> curl -D - -X GET \
>   https://.../authz/protection/uma-policy \
>   -H 'Authorization: Bearer eyJh' \
>   -H 'Cache-Control: no-cache' \
>   -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
>   -H 'cache-control: no-cache'
>
> HTTP/1.1 200 OK
> Server: nginx/1.11.10
> Date: Sun, 18 Nov 2018 11:23:41 GMT
> Content-Type: application/json
> Content-Length: 2
> Connection: keep-alive
> Cache-Control: no-cache
>
> []
>
> Any advice?
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-11-18 at 12.19.25.png
Type: image/png
Size: 140604 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181118/806b81ab/attachment-0001.png

From robert.richter.02 at gmail.com Sun Nov 18 10:01:16 2018
From: robert.richter.02 at gmail.com (Robert Richter)
Date: Sun, 18 Nov 2018 16:01:16 +0100
Subject: [keycloak-user] internal server error on /permission endpoint
Message-ID:

Hi all,

I'm using keycloak 4.5.0-FINAL in docker (https://hub.docker.com/r/jboss/keycloak/)

I try to issue a permission ticket. Therefore I have requested a PAT for the client "resource-provider" and send this along with the following json body (with and without scopes). I received a http-500 internal server error.

without scopes:

    {
      "resource_id": "resource-provider"
    }

with scopes:

    {
      "resource_id": "resource-provider",
      "resource_scopes": [
        "private-data.read"
      ]
    }

Did I miss something? I also tried to investigate the log file (/opt/jboss/keycloak/standalone/log/server.log) and increase the log level in standalone.xml, but it seems that nothing is written to that file. I restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for me?

Kind regards
Tobert

From sakodiya at grepruby.com Sun Nov 18 10:48:31 2018
From: sakodiya at grepruby.com (Shubham Akodiya)
Date: Sun, 18 Nov 2018 21:18:31 +0530
Subject: [keycloak-user] Assigning clientRoles while creating the new user through API
Message-ID:

Hi,

I want to assign the clientRoles while creating the user. I've gone through the link https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_userrepresentation but here the format of clientRoles is not specified. (It is specified as a map but no other info is provided.)

Could you please tell me how to assign the clientRoles while creating the user through the API?
Thanks,
Shubham Akodiya

From geoff at opticks.io Sun Nov 18 12:55:14 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 18 Nov 2018 18:55:14 +0100
Subject: [keycloak-user] internal server error on /permission endpoint
In-Reply-To:
References:
Message-ID:

Is it possible you've got the wrong resource_id? The resource_id should *not* be your client_id and you said the client is resource-provider.

I think the Docker images use the standalone-ha.xml. I usually do a docker restart keycloak to reload config files, maybe jboss-cli.sh /:reload works though.

On Sun, 18 Nov 2018 at 16:04, Robert Richter wrote:
> Hi all,
> I'm using keycloak 4.5.0-FINAL in docker (https://hub.docker.com/r/jboss/keycloak/)
>
> I try to issue a permission ticket. Therefore I have requested a PAT for the client "resource-provider" and send this along with the following json body (with and without scopes). I received a http-500 internal server error.
>
> without scopes:
> {
>   "resource_id": "resource-provider"
> }
> with scopes:
> {
>   "resource_id": "resource-provider",
>   "resource_scopes": [
>     "private-data.read"
>   ]
> }
>
> Did I miss something? I also tried to investigate the log file (/opt/jboss/keycloak/standalone/log/server.log) and increase the log level in standalone.xml, but it seems that nothing is written to that file. I restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for me?
>
> Kind regards
> Tobert
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From geoff at opticks.io Sun Nov 18 12:57:41 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 18 Nov 2018 18:57:41 +0100
Subject: [keycloak-user] Assigning clientRoles while creating the new user through API
In-Reply-To:
References:
Message-ID:

I don't have a direct answer for you, but you could try assigning a client role to a user using the Admin Console and then listing the users via the Admin Rest API to see the format.

Regards,
Geoffrey Cleaves

On Sun, 18 Nov 2018 at 17:03, Shubham Akodiya wrote:
> Hi,
>
> I want to assign the clientRoles while creating the user. I've gone through the link https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_userrepresentation but here the format of clientRoles is not specified. (It is specified as a map but no other info is provided.)
>
> Could you please tell me how to assign the clientRoles while creating the user through the API?
>
> Thanks,
> Shubham Akodiya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From geoff at opticks.io Sun Nov 18 13:00:28 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Sun, 18 Nov 2018 19:00:28 +0100
Subject: [keycloak-user] internal server error on /permission endpoint
In-Reply-To:
References:
Message-ID:

And I examine the docker logs with docker logs -f keycloak

Regards,
Geoffrey Cleaves

On Sun, 18 Nov 2018 at 18:55, Geoffrey Cleaves wrote:
> Is it possible you've got the wrong resource_id? The resource_id should *not* be your client_id and you said the client is resource-provider.
>
> I think the Docker images use the standalone-ha.xml. I usually do a docker restart keycloak to reload config files, maybe jboss-cli.sh /:reload works though.
>
> On Sun, 18 Nov 2018 at 16:04, Robert Richter wrote:
>> Hi all,
>> I'm using keycloak 4.5.0-FINAL in docker (https://hub.docker.com/r/jboss/keycloak/)
>>
>> I try to issue a permission ticket. Therefore I have requested a PAT for the client "resource-provider" and send this along with the following json body (with and without scopes). I received a http-500 internal server error.
>>
>> without scopes:
>> {
>>   "resource_id": "resource-provider"
>> }
>> with scopes:
>> {
>>   "resource_id": "resource-provider",
>>   "resource_scopes": [
>>     "private-data.read"
>>   ]
>> }
>>
>> Did I miss something? I also tried to investigate the log file (/opt/jboss/keycloak/standalone/log/server.log) and increase the log level in standalone.xml, but it seems that nothing is written to that file. I restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for me?
>>
>> Kind regards
>> Tobert
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From dt at acutus.pro Sun Nov 18 19:05:10 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 03:05:10 +0300
Subject: [keycloak-user] Authenticated Protocol Mapper?
In-Reply-To:
References: <1542220061.2133.7.camel@acutus.pro>
Message-ID: <1542585910.2445.7.camel@acutus.pro>

Hello Hannah, you're welcome,

Seems like your initial approach (Client Credentials grant aka service account) makes perfect sense. With only one exception: you don't need that roundabout with authenticating the service account and exchanging tokens. As the mapper code is executed on behalf of Keycloak, you're free to generate any token you want programmatically using Keycloak internal APIs.
This is how Keycloak produces access token in response to Client Credentials grant request: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L585 This is where it ends up inside a TokenManager: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L606 I think your code could be a simplified combination thereof. You need to construct a truly minimal access token without creating user sessions and stuff. I hope I'll be able to spend some time on a PoC this week. On the other hand, the overall workflow seems a little cumbersome to me. Do you really need to invoke an external REST service each time your mapper is called, which could become a serious performance penalty? Maybe it would be sufficient to do it just once, during login, and then simply propagate the data to the tokens? Could you please elaborate on the overall problem and what you're trying to achieve? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2018-11-15 at 10:13 +0000, Hannah Short wrote: > Hi Dmitry,? > > Thanks for your help! > > > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm? > > Yes, both the same Keycloak instance and realm. > > For the offline tokens approach, I?ve understood that they can only be generated programatically, and for a user. In our case this would be an offline token for the API (we could create a user to ?own" this token) - is there a way to generate tokens through the Keycloak UI?? > > Cheers, > Hannah > > > > > On 14 Nov 2018, at 19:27, Dmitry Telegin
wrote: > > > > Hello Hannah, > > > > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm? > > > > If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity. > > > > However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote: > > > Hi,? > > > > > > I?d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible?? > > > > > > The objective is for the mapper to be able to call an API that is protected also by Keycloak. > > > > > > The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow. > > > > > > Any guidance, including alternative approaches, would be appreciated! 
> > >
> > > Cheers,
> > > Hannah
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Nov 18 19:15:47 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 03:15:47 +0300
Subject: [keycloak-user] SSO experience
In-Reply-To: References: <1542220463.2133.9.camel@acutus.pro>
Message-ID: <1542586547.2445.9.camel@acutus.pro>

Hi Ori, you're welcome,

On Thu, 2018-11-15 at 09:15 +0000, Ori Doolman wrote:
> Hi Dmitry,
> Thank you for answering.
> In fact, the desktop app is not yet integrated with Keycloak and it is work to be done.
> I'm not familiar with the desktop app since it is a 3rd party app not written by us. If Java based, I thought of using one of the Keycloak Java adapters. If not, just get the token with an HTTP[S] call (which seems to be what kcinit and KeycloakInstalled are doing as well).
> I was not familiar with kcinit or KeycloakInstalled before.
> KeycloakInstalled might be a solution, but with limitations:
> 1) The desktop app must be written in Java.
> 2) It must be acceptable to the app designers to launch a browser for login.
> 3) If I understand correctly, it only performs a client level authentication, not supporting username/password credentials authentication.
>
> That leads me to the original question - can I have SSO without using cookies, by simply sending the token to my web app as part of the starting URL (the desktop app will launch the web app in a browser)?

Is it correct that your desktop app uses direct grant to authenticate a user with login/password and to obtain tokens from the Keycloak OIDC endpoint? This would imply that features like e.g. password reset or conditional OTP, available via Keycloak interactive login only, would be unavailable.
If you're ok with this, I think what you're talking about should be possible. Token size (and hence URL length) shouldn't be the issue, since modern browsers are able to swallow really gigantic URLs (like "data:"). Obviously, it will be the responsibility of your webapp to parse the token out of the URL. And please don't forget that you'll have to pass the refresh token too, since access tokens are short-lived and you'll need to refresh them.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: Wednesday, November 14, 2018 20:34
> To: Ori Doolman ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SSO experience
>
> Hello Ori,
>
> How do you implement SSO for your desktop application? Are you using kcinit [1] or KeycloakInstalled [2]?
>
> Both will do interactive login via the system browser, that means, SSO cookies should be shared with whatever web application that is run therein.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://github.com/keycloak/kcinit
> [2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>
> On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> > Hi,
> > I have 2 applications: one is desktop (Windows) and the other one is a web application.
> > My desktop application performs authentication and login using Keycloak, and gets a JWT Access Token.
> > My web application is using the Keycloak JS adapter to perform the same.
> >
> > After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
> >
> > Maybe I can pass the token and refresh token from the desktop application as init parameters to Keycloak-JS?
> > I see the following code is checking if initOptions contains the token:
> >
> >     function processInit() {
> >         var callback = parseCallback(window.location.href);
> >
> >         if (callback) {
> >             window.history.replaceState({}, null, callback.newUrl);
> >         }
> >
> >         if (callback && callback.valid) {
> >             return setupCheckLoginIframe().success(function() {
> >                 processCallback(callback, initPromise);
> >             }).error(function (e) {
> >                 initPromise.setError();
> >             });
> >         } else if (initOptions) {
> >             if (initOptions.token && initOptions.refreshToken) {
> >                 setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
> >
> > Thanks,
> >
> > Ori Doolman
> > Lead Software Architect
> > Amdocs Optima
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
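The hand-off Dmitry describes above (desktop app launches the web app with the tokens in the start URL, the web app parses them out and feeds them to keycloak.js) as an added example; this is not code from the thread or from Keycloak itself. It carries the tokens in the URL fragment rather than the query string, so they are not sent to the web server and do not leak via the Referer header, checks issuer and expiry before trusting them, scrubs them from the address bar, and produces the initOptions shape the quoted processInit() code consumes (token, refreshToken, idToken). The fragment parameter names kc_token, kc_refresh_token and kc_id_token, the issuer URL and the test tokens are assumptions made for this example.

```javascript
// Added example: web-app side of a desktop -> browser token hand-off for
// keycloak.js. Not code from the thread or from Keycloak; the fragment
// parameter names (kc_token, kc_refresh_token, kc_id_token) and the issuer
// URL used in the tests are assumptions for this example.

function base64UrlEncode(text) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(text, "utf8").toString("base64")
    : btoa(text);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(data) {
  const padded = data + "=".repeat((4 - (data.length % 4)) % 4);
  const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
  return typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64);
}

// Constructed, unsigned test token (header.payload.signature with a dummy
// signature). Only used to exercise the parsing below; a real token comes
// from Keycloak's token endpoint and is verified by Keycloak, not here.
function makeTestJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return header + "." + base64UrlEncode(JSON.stringify(payload)) + ".sig";
}

// Decode the payload only; no signature check is attempted client side.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Read the tokens from the URL fragment. The fragment never leaves the
// browser (not sent in the request, not in Referer), unlike query params.
function extractTokensFromUrl(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex < 0) return null;
  const params = new URLSearchParams(url.slice(hashIndex + 1));
  const token = params.get("kc_token");
  const refreshToken = params.get("kc_refresh_token");
  if (!token || !refreshToken) return null;
  return {
    token,
    refreshToken,
    idToken: params.get("kc_id_token") || undefined,
    // URL to write back with history.replaceState so the tokens do not
    // stay in the address bar or in browser history.
    cleanUrl: url.slice(0, hashIndex),
  };
}

// Sanity checks before handing the tokens to keycloak.init(): the access
// token must come from the expected realm and must not already be expired.
function buildInitOptions(tokens, expectedIssuer, nowSeconds) {
  const payload = decodeJwtPayload(tokens.token);
  if (payload.iss !== expectedIssuer) {
    throw new Error("unexpected issuer: " + payload.iss);
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) {
    throw new Error("access token already expired");
  }
  return {
    token: tokens.token,
    refreshToken: tokens.refreshToken,
    idToken: tokens.idToken,
    // The browser holds no Keycloak SSO cookie in this hand-off, so the
    // login-status iframe has nothing to compare the session against.
    checkLoginIframe: false,
  };
}

// Example wiring (not executed here): kc is a Keycloak instance from keycloak.js.
function startWithHandedOffTokens(kc, href, issuer) {
  const tokens = extractTokensFromUrl(href);
  if (!tokens) return kc.init({ onLoad: "login-required" });
  window.history.replaceState({}, "", tokens.cleanUrl);
  return kc.init(buildInitOptions(tokens, issuer, Math.floor(Date.now() / 1000)));
}
```

The refresh token still has to travel along, as Dmitry notes, because keycloak.js will call updateToken() against the short-lived access token; anything the desktop app puts in that URL is as sensitive as the session itself, so the start URL should never be logged or reused.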
From dt at acutus.pro Sun Nov 18 19:17:50 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 03:17:50 +0300
Subject: [keycloak-user] ldaps configuration --> Bug or regression with ldap connection URL
In-Reply-To: References: Message-ID: <1542586670.2445.11.camel@acutus.pro>

Meissa,

This looks like an unconfigured SSL truststore. Could it be that you have configured it in standalone.xml instead of standalone-ha.xml (which is used by default in the Docker image for Keycloak 4.5.0+)?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-15 at 10:12 +0100, Meissa M'baye Sakho wrote:
> Hello everyone,
> I'm facing a very strange behaviour using keycloak 4.5 Final while configuring my realm user federation with ldaps.
> When I set the ldap connection URL to ldaps://myldaphost. It works fine.
> When I change it to LDAPS://myldaphost, the test connection fails with the exception below (extract):
>
> KC-SERVICES0055: Error when connecting to LDAP: intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException: intra-dev01.bdf-dev01.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>         at com.sun.jndi.ldap.Connection.(Connection.java:238)
>         at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)
>         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
>         at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
>
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
>
> With Keycloak 3.4.3Final, I used LDAPS without any problem.
> Any advice?
> Meissa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ashutosh.kanthi at exfo.com Mon Nov 19 02:11:40 2018
From: ashutosh.kanthi at exfo.com (Ashutosh Kanthi)
Date: Mon, 19 Nov 2018 07:11:40 +0000
Subject: [keycloak-user] Keycloak Session timeout issue
Message-ID: <616f0c82ace0445abf1114b4b980d7a3@exfo.com>

Hi,

We are using Keycloak 2.5.5 and we are facing issues with regard to keycloak session timeout.

1. Even after session timeout for a particular user, keycloak is maintaining the session for that particular user for some extended time.
2. And if the same user logs in again then keycloak shows that the same user maintains 2 sessions in the active sessions section. (Previous session [it no longer exists for him at application level] and current session.)

We have done the following keycloak settings just for checking the above scenario. Could anyone please suggest what settings need to be done in keycloak so that the above mentioned scenario could be avoided?

[Attachment: image002.jpg, http://lists.jboss.org/pipermail/keycloak-user/attachments/20181119/cdc83ffa/attachment-0001.jpg]

Thanks & regards,
Ashutosh Kanthi

From dt at acutus.pro Mon Nov 19 02:34:03 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 10:34:03 +0300
Subject: [keycloak-user] Keycloak Session timeout issue
In-Reply-To: <616f0c82ace0445abf1114b4b980d7a3@exfo.com>
References: <616f0c82ace0445abf1114b4b980d7a3@exfo.com>
Message-ID: <1542612843.2282.1.camel@acutus.pro>

Hello Ashutosh,

Could you please try to reproduce this with the latest Keycloak (4.6.0)? Version 2.5.5 was released around 1.5 years ago, and quite a lot has been done since then, including session management.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-11-19 at 07:11 +0000, Ashutosh Kanthi wrote:
> Hi,
>
> We are using Keycloak 2.5.5 and we are facing issues with regard to keycloak session timeout.
>
> 1. Even after session timeout for a particular user, keycloak is maintaining the session for that particular user for some extended time.
> 2. And if the same user logs in again then keycloak shows that the same user maintains 2 sessions in the active sessions section. (Previous session [it no longer exists for him at application level] and current session.)
>
> We have done the following keycloak settings just for checking the above scenario. Could anyone please suggest what settings need to be done in keycloak so that the above mentioned scenario could be avoided?
>
> [Attachment: image002.jpg]
>
> Thanks & regards,
> Ashutosh Kanthi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From robert.richter.02 at gmail.com Mon Nov 19 02:46:32 2018
From: robert.richter.02 at gmail.com (Robert Richter)
Date: Mon, 19 Nov 2018 08:46:32 +0100
Subject: [keycloak-user] internal server error on /permission endpoint
In-Reply-To: References: Message-ID:

Hi Geoffrey,

you are absolutely right. I didn't use the resource-id, I was using the client-id, and your hint to inspect the docker logs shows a parsing error of the request. I missed that the request body has to be a json-array. Now I received a ticket :) wonderful!

On Sun, 18 Nov 2018 at 19:00, Geoffrey Cleaves <geoff at opticks.io> wrote:

> And I examine the docker logs with
>
> docker logs -f keycloak
>
> Regards,
> Geoffrey Cleaves
>
> On Sun, 18 Nov 2018 at 18:55, Geoffrey Cleaves wrote:
>
>> Is it possible you've got the wrong resource_id? The resource_id should *not* be your client_id and you said the client is resource-provider.
>>
>> I think the Docker images use the standalone-ha.xml. I usually do a docker restart keycloak to reload config files, maybe jboss-cli.sh /:reload works though.
>>
>> On Sun, 18 Nov 2018 at 16:04, Robert Richter wrote:
>>
>>> Hi all,
>>> I'm using keycloak 4.5.0-FINAL in docker (https://hub.docker.com/r/jboss/keycloak/)
>>>
>>> I try to issue a permission ticket. Therefore I have requested a PAT for the client "resource-provider" and send this along with the following json body (with and without scopes). I received a http-500 internal server error.
>>>
>>> without scopes:
>>> {
>>>   "resource_id": "resource-provider"
>>> }
>>> with scopes:
>>> {
>>>   "resource_id": "resource-provider",
>>>   "resource_scopes": [
>>>     "private-data.read"
>>>   ]
>>> }
>>>
>>> Did I miss something? I also tried to investigate the log file (/opt/jboss/keycloak/standalone/log/server.log) and increase the log level in standalone.xml, but it seems that nothing is written to that file. I restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for me?
>>>
>>> Kind regards
>>> Robert
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Nov 19 03:52:13 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 11:52:13 +0300
Subject: [keycloak-user] group mapper per client
In-Reply-To: <1541805512.2031.3.camel@acutus.pro>
References: <1540868804.2121.1.camel@acutus.pro> <1541805512.2031.3.camel@acutus.pro>
Message-ID: <1542617533.2282.3.camel@acutus.pro>

Hello Ronald,

It has turned out there's an easy way to overcome the issue with the SSO cookie, without turning off SSO itself. Let's imagine that your script authenticator looks like the following:

=============================================================
// Script authenticator (Nashorn). "script", "user", "authenticationSession"
// and "LOG" are the bindings Keycloak makes available to script authenticators.
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

// Re-render the login form with a group-specific error instead of the
// generic "Invalid username or password".
function invalidGroup(context) {
    return context.form()
        .setError("Invalid group membership", [])
        .createLogin();
}

function authenticate(context) {
    var clientId = authenticationSession.client.clientId;
    var username = user ? user.username : "anonymous";
    LOG.info(script.name + " trace auth for: " + username);

    // Keep the user's groups whose name embeds the client id, e.g. "admin-app1-users" for client "app1"
    var groups = Java.from(user.groups)
        .filter(function(group) {
            return RegExp("(.*)-" + clientId + "-(.*)", "i").test(group.name);
        });

    var authShouldFail = !(groups.length);
    if (authShouldFail) {
        var challengeResponse = invalidGroup(context);
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
        return;
    }
    context.success();
}
=============================================================

The idea is to wrap Keycloak's standard browser flow into a subflow, add your authenticator after it, and make both REQUIRED (see attached image). In this case, the authenticator will be executed unconditionally, even in the case of SSO cookie presence (as opposed to ALTERNATIVE). This should finally solve the problem.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-11-10 at 02:18 +0300, Dmitry Telegin wrote:
> Ronald, glad to hear it worked,
>
> There is however an important moment regarding a potential security issue with your authenticator.
>
> Imagine the following scenario:
> 1. a user with the correct group membership logs into the client app A;
> 2. the same user tries to access client B (for which he/she doesn't have group membership);
> 3. client B redirects the user to Keycloak for authentication;
> 4. due to cookie-based SSO, Keycloak decides that the user is already authenticated and logs him/her in client B.
>
> To avoid this, you should turn off cookie-based auth for your restricted clients. Go to Authentication, create a copy of your browser flow (which should already have your script authenticator), remove Cookie, then go to your clients' settings and configure Authentication Flow Overrides for browser flow.
>
> This will actually disable SSO to your clients.
> If this is not acceptable, there are some other options to consider (however more complex).
>
> You should also make sure you don't enable token exchange between clients [1] (this is disabled by default).
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-10-31 at 13:49 +0000, Ronald Demneri wrote:
> > Hello everyone,
> >
> > So, thankfully, after some careful reading, I managed to solve the first issue regarding clientSession.client.clientId, which in fact should be authenticationSession.client.clientId (there was a mention of using loginSession.client.clientId in place of clientSession.client.clientId at this link https://issues.jboss.org/browse/KEYCLOAK-4505, which I tried to use, without success).
> >
> > Regards,
> > Ronald
> >
> > -----Original Message-----
> > From: Ronald Demneri
> > Sent: 30.Oct.2018 3:48 PM
> > To: 'Dmitry Telegin'
> > ; keycloak-user at lists.jboss.org
> > Subject: RE: [keycloak-user] group mapper per client
> >
> > Almost forgot, if I set a static group name to compare against (which is not our goal, but just for testing), it works correctly if the account is a member of that group. If the user is not a member, then it'll display an error like "Invalid username or password". Is it possible to modify the response in such cases, stating that the account is not a member of the required groups, or at least have it like "Invalid group membership"?
> >
> > Looking forward to hearing from you!
> >
> > Regards,
> > Ronald
> >
> > -----Original Message-----
> > From: Dmitry Telegin
> > Sent: 30.Oct.2018 4:07 AM
> > To: Ronald Demneri ; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] group mapper per client
> >
> > Hello Ronald,
> >
> > If there is a literal correspondence between your AD group names and client names (like e.g. if the client is named "foo", and the corresponding AD group is "AD_group_foo"), you can do the following trick:
> > - make sure you have group-ldap-mapper configured in LDAP mappers, i.e. AD groups are synced to Keycloak groups;
> > - create a Javascript authenticator that would check the client name against the user's groups, and add it to your authentication flow. If the user tries to authenticate against the client without being a member of the corresponding group, the authenticator should deny login.
> >
> > If there is no such correspondence (e.g. the client is named "foo", and the group is "AD_group_bar"), you still have the following options:
> > - map AD groups to Keycloak roles using role-ldap-mapper, then use your adapter's configuration to restrict access only to the users with this role (e.g. in web.xml);
> > - or map AD groups to Keycloak groups, enable authorization services and use group policy (if your client adapter supports authorization, of course).
> >
> > This, however, will need to be configured per each client, in contrast to the first approach (configured once per realm).
> >
> > Let me know if you need further explanations,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2018-10-29 at 15:35 +0000, Ronald Demneri wrote:
> > > Hello everyone,
> > >
> > > Please forgive me if this was already asked previously.
> > > After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if the account is not a member of the app1 group in AD, then he should not be allowed to login. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs.
> > >
> > > Thanks in advance,
> > > Ronald
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

[Attachment: auth-flow-Ronald.png, http://lists.jboss.org/pipermail/keycloak-user/attachments/20181119/63092bcf/attachment-0001.png]

From luca.stancapiano at vige.it Mon Nov 19 04:06:07 2018
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Mon, 19 Nov 2018 10:06:07 +0100 (CET)
Subject: [keycloak-user] Get current user through JACC
In-Reply-To: <1542612843.2282.1.camel@acutus.pro>
References: <616f0c82ace0445abf1114b4b980d7a3@exfo.com> <1542612843.2282.1.camel@acutus.pro>
Message-ID: <1470827227.112986.1542618368007@pim.register.it>

I'm testing a javaee webapp inside a Wildfly with a 4.5.0.Final keycloak adapter installed. The authentication is ok but now I would like to get the current user id in my web app. Using this code:

javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container");

I get null. What am I missing to receive the user id?
You can test the sample of the keycloak quickstart from https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-vanilla and add that code in the Controller class wherever you want.

From slyge2001 at yahoo.fr Mon Nov 19 05:19:53 2018
From: slyge2001 at yahoo.fr (ge sly)
Date: Mon, 19 Nov 2018 10:19:53 +0000 (UTC)
Subject: [keycloak-user] Re :Re: Re :Keycloak Idp SLO response location
In-Reply-To: <848358272.3247455.1542440617860@mail.yahoo.com>
References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> <873954453.3176887.1542406785280@mail.yahoo.com> <1542413701.2114.1.camel@acutus.pro> <848358272.3247455.1542440617860@mail.yahoo.com>
Message-ID: <586659305.4611156.1542622793046@mail.yahoo.com>

"They are optional attributes in the SAML spec" I mean the ResponseLocation attribute. Where can I configure it?

On Sat, Nov 17, 2018 at 8:43, ge sly wrote:

Hi Dmitry
Yes I saw it but here are only 2 urls:
- Logout Service POST Binding URL - POST Binding URL for the Logout Service.
- Logout Service Redirect Binding URL - Redirect Binding URL for the Logout Service
Where can I set the Logout Service POST Binding Response URL and Logout Service Redirect Response Binding URL? They are optional attributes in the SAML spec.
Thanks
Regards
Sylvain

On Sat, Nov 17, 2018 at 1:15, Dmitry Telegin wrote:

Hello Sylvain,

These settings are under the "Fine Grain SAML Endpoint Configuration" section in the client settings.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-16 at 22:19 +0000, ge sly wrote:
> Hi
> I am trying to configure Keycloak as an Idp with OIOSAML as a SP.
> OIOSAML has 2 urls for the single logout:
>
> I don't see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.
> Thanks
> Regards
> Sylvain
> Sent from Yahoo Mail on Android
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Mon Nov 19 05:56:44 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 19 Nov 2018 11:56:44 +0100
Subject: [keycloak-user] Permission tab missing, token exchange impossible
Message-ID:

Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for allowing token exchange depends on the Permissions tab, is this a bug?

[Attachment: Screen Shot 2018-11-19 at 11.53.56.png, http://lists.jboss.org/pipermail/keycloak-user/attachments/20181119/84fccb6c/attachment-0001.png]

Somebody else is asking the same question: https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final

Geoff

From psilva at redhat.com Mon Nov 19 06:34:25 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 19 Nov 2018 09:34:25 -0200
Subject: [keycloak-user] Permission tab missing, token exchange impossible
In-Reply-To: References: Message-ID:

Hi,

It is not a bug.
We no longer enable tech preview features by default. You need to enable the feature you want, such as admin fine grained permissions, by passing a specific environment variable. Try to boot your server using this system property:

-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled

Docs are not reflecting these changes, created https://issues.jboss.org/browse/KEYCLOAK-8865.

Regards.
Pedro Igor

On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves wrote:
> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for allowing token exchange depends on the Permissions tab, is this a bug?
>
> Somebody else is asking the same question:
> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>
> Geoff
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Mon Nov 19 06:44:36 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 19 Nov 2018 09:44:36 -0200
Subject: [keycloak-user] Querying permissions of the Policy API always empty
In-Reply-To: References: Message-ID:

Permissions managed through the console are not really UMA, even though they might be associated with policies that enforce access only to the owner. UMA permissions are managed differently and are only created when you are using the UMA flow, using permission tickets, etc.

The /uma-policy endpoint is an extension to the specification from where you can manage additional policies for a resource owner's resource, so you could create those additional policies and still let the resource owner revoke these policies through the account service. For instance, you might want to grant access to a specific resource to a specific group in your organization and still let the user revoke access to this group if he wants to.

Regards.
Pedro Igor

On Sun, Nov 18, 2018 at 12:57 PM Geoffrey Cleaves wrote:
> I now see that I do get a list of *UMA permissions* when using the Resource Owner Password Credentials Grant Type. I had wrongly expected to see the permissions I had created as admin via the Admin Console.
>
> Shouldn't it be possible for the resource server's service account to view and create UMA permissions without needing to know the end users' credentials for the Resource Owner Password Credentials Grant Type? Or perhaps that is the whole point of UMA...
>
> On Sun, 18 Nov 2018 at 12:27, Geoffrey Cleaves wrote:
>
> > Hi,
> >
> > I'm sending GET requests to http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy but only get an empty array. I have a permission/policy assigned to hundreds of resources belonging to dozens of users and some resources owned by the resource server itself. Reading the docs <https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api>, I expect to be able to get a list of all permissions or query by name.
> >
> > Perhaps I am misunderstanding this:
> >
> > This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf. The bearer token can be a regular access token obtained from the token endpoint using:
> >
> > - Resource Owner Password Credentials Grant Type
> > - Token Exchange, in order to exchange an access token granted to some client (public client) for a token where audience is the resource server
> >
> > But I don't think so because if my token were wrong I'd get a 401 or 403 instead of 200 with an empty array. In any case I've tried with Client Credentials Grant and Resource Owner Password Credentials Grant Type.
> >
> > curl -D - -X GET \
> >   https://.../authz/protection/uma-policy \
> >   -H 'Authorization: Bearer eyJh' \
> >   -H 'Cache-Control: no-cache' \
> >   -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \
> >   -H 'cache-control: no-cache'
> >
> > HTTP/1.1 200 OK
> > Server: nginx/1.11.10
> > Date: Sun, 18 Nov 2018 11:23:41 GMT
> > Content-Type: application/json
> > Content-Length: 2
> > Connection: keep-alive
> > Cache-Control: no-cache
> > []
> >
> > Any advice?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From geoff at opticks.io Mon Nov 19 06:59:00 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 19 Nov 2018 12:59:00 +0100
Subject: [keycloak-user] Policy API endpoint lacks crucial information (in my opinion ; )
Message-ID:

Hi. When querying the http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy endpoint I get a response similar to this:

[
  {
    "id": "6d5ffed7-5f1c-4b43-b2a8-986528aaee92",
    "name": "b189864a-754e-4b5d-9c5b-f36fd9aad102",
    "type": "uma",
    "scopes": [
      "campaign:view"
    ],
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "owner": "45cb05ba-5485-459e-9cfc-25128adb1854",
    "users": [
      "user at domain.com"
    ]
  }
]

The problem here is that we don't know what resource this policy applies to. As far as I know, there is no way to extract that information. Please let me know if I am missing something.

I tried inspecting the network calls that the Admin Console does when listing a user's UMA policies, but unfortunately for me the information seems to be rendered server side instead of using the UMA REST API.

The goal is to recreate and enhance the Keycloak supplied UMA My Resources functionality.
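The two UMA protection-API calls that the "/permission endpoint" thread above and this "uma-policy" thread revolve around, as an added example that is not code from either thread or from Keycloak: the permission-ticket request (which returned HTTP 500 for Robert until the body was a JSON array and resource_id was the resource's UUID rather than the client id) and the /uma-policy listing (which answers [] for a client-credentials token and only lists policies for a token representing the resource owner, as Pedro explains). The fetch implementation is injected so the exchange can be exercised offline against a constructed fake of the two endpoints; base URL, realm, PAT, tokens and resource ids are all assumptions made for this example.

```javascript
// Added example: client side of Keycloak's UMA protection API (/permission
// and /uma-policy). Not code from the threads or from Keycloak; base URL,
// realm, PAT, tokens and resource ids are assumptions, and fetchImpl is
// injected so the exchange can run offline against the fake server below.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// The /permission endpoint expects a JSON *array* of {resource_id, resource_scopes},
// and resource_id must be the resource's id (a UUID), not the client id.
// Both mistakes from the thread surfaced as HTTP 500, so reject them here.
function buildPermissionRequest(entries) {
  if (!Array.isArray(entries) || entries.length === 0) {
    throw new Error("permission request must be a non-empty array");
  }
  return entries.map((e) => {
    if (!UUID_RE.test(e.resourceId)) {
      throw new Error("resource_id must be the resource UUID, got: " + e.resourceId);
    }
    const item = { resource_id: e.resourceId };
    if (e.scopes && e.scopes.length) item.resource_scopes = [...e.scopes];
    return item;
  });
}

function protectionUrl(baseUrl, realm, path) {
  return baseUrl.replace(/\/$/, "") + "/auth/realms/" + encodeURIComponent(realm)
    + "/authz/protection/" + path;
}

// POST /authz/protection/permission with the resource server's PAT; the reply
// carries the permission ticket that is later sent to the token endpoint
// (grant_type urn:ietf:params:oauth:grant-type:uma-ticket) by the requesting party.
async function requestPermissionTicket(cfg, entries, fetchImpl) {
  const res = await fetchImpl(protectionUrl(cfg.baseUrl, cfg.realm, "permission"), {
    method: "POST",
    headers: { Authorization: "Bearer " + cfg.pat, "Content-Type": "application/json" },
    body: JSON.stringify(buildPermissionRequest(entries)),
  });
  if (res.status !== 201 && res.status !== 200) {
    throw new Error("permission endpoint returned HTTP " + res.status);
  }
  const body = await res.json();
  if (typeof body.ticket !== "string") throw new Error("no ticket in response");
  return body.ticket;
}

// GET /authz/protection/uma-policy with a token that represents the resource
// owner (ROPC or token exchange, per the docs quoted in the thread). In the
// thread a client-credentials token produced an empty array.
async function listUmaPolicies(cfg, ownerToken, fetchImpl) {
  const res = await fetchImpl(protectionUrl(cfg.baseUrl, cfg.realm, "uma-policy"), {
    headers: { Authorization: "Bearer " + ownerToken },
  });
  if (res.status !== 200) throw new Error("uma-policy returned HTTP " + res.status);
  const policies = await res.json();
  if (!Array.isArray(policies)) throw new Error("expected a JSON array of policies");
  return policies;
}

// Constructed fake of the two endpoints, used only to exercise the exchange offline.
function fakeKeycloakFetch(url, init = {}) {
  const respond = (status, body) => Promise.resolve({ status, json: () => Promise.resolve(body) });
  const auth = (init.headers || {}).Authorization || "";
  if (url.endsWith("/authz/protection/permission")) {
    if (auth !== "Bearer pat-123") return respond(401, {});
    let parsed;
    try { parsed = JSON.parse(init.body); } catch (e) { return respond(500, {}); }
    if (!Array.isArray(parsed)) return respond(500, {}); // what the thread ran into
    return respond(201, { ticket: "ticket-for-" + parsed.map((p) => p.resource_id).join(",") });
  }
  if (url.endsWith("/authz/protection/uma-policy")) {
    if (auth === "Bearer pat-123") return respond(200, []);
    if (auth === "Bearer owner-token") {
      return respond(200, [{ id: "p1", type: "uma", scopes: ["campaign:view"] }]);
    }
    return respond(401, {});
  }
  return respond(404, {});
}

// Stand-alone run against the fake server (constructed ids, not real ones).
async function demo() {
  const cfg = { baseUrl: "https://kc.example.com", realm: "demo", pat: "pat-123" };
  const resourceId = "11111111-2222-4333-8444-555555555555";
  const ticket = await requestPermissionTicket(
    cfg, [{ resourceId, scopes: ["campaign:view"] }], fakeKeycloakFetch);
  const policies = await listUmaPolicies(cfg, "owner-token", fakeKeycloakFetch);
  return { ticket, policyCount: policies.length };
}
```

Against a real server, pass the global fetch as fetchImpl; the PAT is the token the resource server obtains with the client credentials grant, and the owner token is what Geoffrey obtained via Resource Owner Password Credentials.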
From psilva at redhat.com Mon Nov 19 07:54:45 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 19 Nov 2018 10:54:45 -0200
Subject: [keycloak-user] Policy API endpoint lacks crucial information (in my opinion ; )
In-Reply-To:
References:
Message-ID:

We should return the resource too, not only the scopes. Created https://issues.jboss.org/browse/KEYCLOAK-8867 to include the resource id in the responses.

Regards.
Pedro Igor

On Mon, Nov 19, 2018 at 10:03 AM Geoffrey Cleaves wrote:
> Hi. When querying the
> http://${host}:${port}/auth/realms/${realm}/authz/protection/uma-policy
> endpoint I get a response similar to this:
>
> [
>   {
>     "id": "6d5ffed7-5f1c-4b43-b2a8-986528aaee92",
>     "name": "b189864a-754e-4b5d-9c5b-f36fd9aad102",
>     "type": "uma",
>     "scopes": [
>       "campaign:view"
>     ],
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "owner": "45cb05ba-5485-459e-9cfc-25128adb1854",
>     "users": [
>       "user at domain.com"
>     ]
>   }
> ]
>
> The problem here is that we don't know what resource this policy applies
> to. As far as I know, there is no way to extract that information. Please
> let me know if I am missing something.
>
> I tried inspecting the network calls that the Admin Console does when
> listing a user's UMA policies, but unfortunately for me the information
> seems to be rendered server side instead of using the UMA REST API.
>
> The goal is to recreate and enhance the Keycloak supplied UMA My Resources
> functionality.
From msakho at redhat.com Mon Nov 19 08:27:10 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Mon, 19 Nov 2018 14:27:10 +0100
Subject: [keycloak-user] ldaps configuration --> Bug or regression with ldap connection ulr
In-Reply-To: <1542586670.2445.11.camel@acutus.pro>
References: <1542586670.2445.11.camel@acutus.pro>
Message-ID:

Dmitry,
I'm using the standalone-ha.xml.
I've checked the truststore configuration. Everything is ok.
Changing the ldap protocol from LDAPS to ldaps makes it work.
So it could not be a truststore configuration issue.
Meissa

On Mon, 19 Nov 2018 at 01:18, Dmitry Telegin wrote:
> Meissa,
>
> This looks like an unconfigured SSL truststore. Could it be that you have
> configured it in standalone.xml instead of standalone-ha.xml (which is used
> by default in Docker image for Keycloak 4.5.0+)?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-11-15 at 10:12 +0100, Meissa M'baye Sakho wrote:
> > Hello everyone,
> > I'm facing a very strange behaviour using keycloak 4.5 Final while
> > configuring my realm user federation with ldaps.
> > When I set the ldap connection URL to ldaps://myldaphost. It works fine.
> > When I change it to LDAPS://myldaphost, the test connection fails with the
> > exception below (extract):
> >
> > KC-SERVICES0055: Error when connecting to LDAP:
> > intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException:
> > intra-dev01.bdf-dev01.local:636 [Root exception is
> > javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target]
> >         at com.sun.jndi.ldap.Connection.(Connection.java:238)
> >         at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)
> >         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
> >         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
> >         at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
> >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
> >         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
> >
> > Caused by: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target
> >         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> >
> > With Keycloak 3.4.3Final, I used LDAPS without any problem.
> > Any advice?
> > Meissa

From lists at merit.unu.edu Mon Nov 19 09:44:07 2018
From: lists at merit.unu.edu (mj)
Date: Mon, 19 Nov 2018 15:44:07 +0100
Subject: [keycloak-user] SaaS idp brokering
In-Reply-To: <1542219315.2133.5.camel@acutus.pro>
References: <1542165306.10365.8.camel@acutus.pro> <7e9acb90-50cb-262d-73c3-421214dc88ac@merit.unu.edu> <1542219315.2133.5.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Just to say thank you for your comments.

MJ

On 11/14/18 7:15 PM, Dmitry Telegin wrote:
>
> I used to work with PingIdentity (or rather on-premise PingFederate)
> and Okta, using SAML in both cases, and the results were perfect. For
> Okta, I'd recommend an excellent article by Michael Furman [1].
> Michael uses SAML too; don't know if you're going to use SAML or
> OpenID Connect, but in the latter case the process should be similar.
> Please read this [2] on the protocol choice.
>
> NB you can use whatever combination of protocols you like (OIDC at
> Keycloak + SAML at Saas IdP or vice versa), but probably unless
> you're seriously considering IdP-initiated login. In that case,
> things work more smoothly with pure SAML.
>

From rsbaibi at hotmail.com Mon Nov 19 09:57:25 2018
From: rsbaibi at hotmail.com (rachid sbaibi)
Date: Mon, 19 Nov 2018 14:57:25 +0000
Subject: [keycloak-user] Restrict user's access to a client on keycloak-3.4.3.Final
Message-ID:

Hi all,

I'm using keycloak-3.4.3.Final. For our UXP applications we delegate the authentication to Keycloak but we need to do some additional checks before granting access to the user.
Our use case is quite simple: not all registered users in Keycloak have access to our applications. So we need to ensure that the user has permission to access our applications before granting him access to UXP. This is done in the backend.

I tried to map roles to user and client but this does not work.

Is there a way to achieve that?

Thanks in advance.
Rachid.

From dt at acutus.pro Mon Nov 19 10:21:37 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 18:21:37 +0300
Subject: [keycloak-user] Re :Keycloak Idp SLO response location
In-Reply-To: <586659305.4611156.1542622793046@mail.yahoo.com>
References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> <873954453.3176887.1542406785280@mail.yahoo.com> <1542413701.2114.1.camel@acutus.pro> <848358272.3247455.1542440617860@mail.yahoo.com> <586659305.4611156.1542622793046@mail.yahoo.com>
Message-ID: <1542640897.2122.1.camel@acutus.pro>

Hello Sylvain,

Seems like this feature is not supported in Keycloak yet: https://issues.jboss.org/browse/KEYCLOAK-6822

Dmitry

On Mon, 2018-11-19 at 10:19 +0000, ge sly wrote:
> "They are optional attributes in the SAML spec"
> I mean the ResponseLocation attribute. Where can I configure it?
>
> On Sat, Nov 17, 2018 at 8:43, ge sly wrote:
> Hi Dmitry
>
> Yes I saw it but here are only 2 urls:
>
> Logout Service POST Binding URL
> POST Binding URL for the Logout Service.
>
> Logout Service Redirect Binding URL
> Redirect Binding URL for the Logout Service
>
> Where can I set the
>
> Logout Service POST Binding Response URL
>
> and
>
> Logout Service Redirect Response Binding URL
>
> They are optional attributes in the SAML spec
>
> Thanks
> Regards
> Sylvain
>
> On Sat, Nov 17, 2018 at 1:15, Dmitry Telegin wrote:
> Hello Sylvain,
>
> These settings are under the "Fine Grain SAML Endpoint Configuration" section in the client settings.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
>
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-16 at 22:19 +0000, ge sly wrote:
> >
> > Hi
> > I am trying to configure Keycloak as an Idp with OIOSAML as a SP.
> > OIOSAML has 2 urls for the single logout:
> >
> > I dont see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.
> > Thanks
> > Regards
> > Sylvain
> > Sent from Yahoo Mail on Android
> >

From geoff at opticks.io Mon Nov 19 10:57:22 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 19 Nov 2018 16:57:22 +0100
Subject: [keycloak-user] Permission tab missing, token exchange impossible
In-Reply-To:
References:
Message-ID:

Thanks, I've got the Permissions tab working but am now having trouble exchanging a token. Perhaps my thought process is incorrect.

My idea was for the resource server to take the end user's auth token sent by the Javascript front end public client and exchange it for a token which would allow the resource server to list UMA permissions of that user. In other words, the end user logs into the SPA front end (via Keycloak of course) and then sees the UMA resources he is sharing.

I set permissions for the public client to exchange token for resource server client as described in the docs. The starting client is the public client and the target client is the resource server.
The problem is that when I try to exchange the token Keycloak gives me different errors depending on how I send the token exchange request:

grant_type: urn:ietf:params:oauth:grant-type:token-exchange
audience: opticks-rs (resource server)
requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
subject_token: End user's Bearer token received from SPA public client

If I don't send client_id and client_secret I get a 400 Bad Request and "INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could skip these fields as the subject_token would serve as authentication.

If I send client_id=opticks-rs and the client_secret, I get a 501 Not Implemented error:

15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: javax.ws.rs.WebApplicationException: Feature not enabled
        at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
        [rest of the RESTEasy/Undertow stack trace omitted]

If I set the client_id to the public-client-id and remove client_secret, since it is public and has none, I again get the 501 Not Implemented.

Any help clearing this up is appreciated.

On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva wrote:
> Hi,
>
> It is not a bug. We no longer enable tech preview features by default. You
> need to enable the feature you want, such as admin fine grained
> permissions, by passing a specific environment variable. Try to boot your
> server using this system property:
>
> -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>
> Docs are not reflecting these changes, created
> https://issues.jboss.org/browse/KEYCLOAK-8865.
>
> Regards.
> Pedro Igor
>
> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves wrote:
>
>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for
>> allowing token exchange depends on the Permissions tab, is this a bug?
>>
>> Somebody else is asking the same question:
>>
>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>
>> Geoff
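The exchange Geoffrey describes, as an added example that is not code from the thread or from Keycloak: the resource server authenticates with its own client credentials (the subject_token is the user's token, not client authentication), exchanges the SPA user's token for one with the resource server as audience, and uses that token against the uma-policy endpoint; the three failure modes from the thread are mapped to their cause. The client id opticks-rs comes from the page; the base URL, realm, secret, token values and the stub server's responses are constructed, and the token-exchange feature flag named in the comment follows the same pattern as the admin_fine_grained_authz flag in Pedro's reply (check it against the docs for your version).

```python
"""Token exchange, then uma-policy listing. Added example; see the lead-in."""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


class TokenExchangeError(Exception):
    def __init__(self, status, body, hint):
        super().__init__(f"HTTP {status}: {hint}")
        self.status, self.body, self.hint = status, body, hint


def urllib_transport(method, url, headers, body=None):
    """Real transport. Returns (status, parsed JSON or raw text)."""
    req = Request(url, data=body, headers=headers, method=method)
    try:
        with urlopen(req) as resp:
            status, raw = resp.status, resp.read().decode()
    except HTTPError as err:
        status, raw = err.code, err.read().decode()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw


def classify_failure(status, body):
    """Map the failures reported in the thread to their cause."""
    error = body.get("error", "") if isinstance(body, dict) else ""
    if status == 501:
        # "Feature not enabled": token exchange is a preview feature and must
        # be switched on explicitly, like admin_fine_grained_authz in Pedro's
        # reply (assumed flag: -Dkeycloak.profile.feature.token_exchange=enabled).
        return "token exchange feature is disabled on the server"
    if status == 400 and "client" in error:
        # subject_token is the user's token, not client authentication: the
        # requesting (resource server) client must still send its own credentials.
        return "requesting client did not authenticate (client_id/client_secret)"
    if status == 403:
        return "starting client lacks the token-exchange permission on the target client"
    return f"unexpected response: {error or body!r}"


def exchange_token(base_url, realm, client_id, client_secret, subject_token,
                   audience, transport=urllib_transport):
    """Exchange the SPA user's token for one whose audience is `audience`."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,          # the confidential resource server...
        "client_secret": client_secret,  # ...authenticates as itself
        "subject_token": subject_token,  # the end user's token from the SPA
        "audience": audience,
        "requested_token_type": REFRESH_TOKEN_TYPE,
    }
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport("POST", url, headers, urlencode(form).encode())
    if status != 200:
        raise TokenExchangeError(status, body, classify_failure(status, body))
    return body  # access_token, refresh_token, expires_in, ...


def list_uma_policies(base_url, realm, bearer, transport=urllib_transport):
    """List the UMA policies the bearer token may manage ([] is a valid answer)."""
    url = f"{base_url}/auth/realms/{realm}/authz/protection/uma-policy"
    status, body = transport("GET", url, {"Authorization": f"Bearer {bearer}"})
    if status != 200:
        raise RuntimeError(f"uma-policy returned HTTP {status}: {body!r}")
    return body


def shared_resources_for_user(base_url, realm, rs_client_id, rs_secret,
                              spa_token, transport=urllib_transport):
    """Whole flow: exchange the SPA token, then list that user's UMA policies."""
    exchanged = exchange_token(base_url, realm, rs_client_id, rs_secret,
                               spa_token, rs_client_id, transport)
    return list_uma_policies(base_url, realm, exchanged["access_token"], transport)


def make_keycloak_stub(token_exchange_enabled=True):
    """Constructed stand-in for Keycloak (not the real server) that answers
    the way the thread reports, so the functions above can run offline."""
    def stub(method, url, headers, body=None):
        if url.endswith("/protocol/openid-connect/token"):
            form = parse_qs(body.decode())  # blank values are dropped
            if not form.get("client_secret"):
                return 400, {"error": "unauthorized_client",
                             "error_description": "Invalid client credentials"}
            if form.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
                return 400, {"error": "unsupported_grant_type"}
            if not token_exchange_enabled:
                return 501, "Feature not enabled"
            return 200, {"access_token": "rs-access", "refresh_token": "rs-refresh"}
        if url.endswith("/authz/protection/uma-policy"):
            if headers.get("Authorization") != "Bearer rs-access":
                return 401, {"error": "invalid_token"}
            return 200, [{"id": "p1", "scopes": ["campaign:view"],
                          "users": ["user at domain.com"]}]
        return 404, "not found"
    return stub
```

Against a real server, drop the `transport=` argument so `urllib_transport` is used.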
From slyge2001 at yahoo.fr Mon Nov 19 11:49:00 2018
From: slyge2001 at yahoo.fr (ge sly)
Date: Mon, 19 Nov 2018 16:49:00 +0000 (UTC)
Subject: [keycloak-user] Re :Re: Re: Re :Keycloak Idp SLO response location
In-Reply-To: <1542640897.2122.1.camel@acutus.pro>
References: <1665888810.3194155.1542406492861.ref@mail.yahoo.com> <1665888810.3194155.1542406492861@mail.yahoo.com> <873954453.3176887.1542406785280@mail.yahoo.com> <1542413701.2114.1.camel@acutus.pro> <848358272.3247455.1542440617860@mail.yahoo.com> <586659305.4611156.1542622793046@mail.yahoo.com> <1542640897.2122.1.camel@acutus.pro>
Message-ID: <1186662752.5110928.1542646140991@mail.yahoo.com>

Hi Dmitry
Ok that is what I suspected. If it is in the roadmap then it is great.
Many thanks for your answers
Regards
Sylvain

Sent from Yahoo Mail on Android

On Mon, Nov 19, 2018 at 16:21, Dmitry Telegin wrote:
Hello Sylvain,

Seems like this feature is not supported in Keycloak yet: https://issues.jboss.org/browse/KEYCLOAK-6822

Dmitry

On Mon, 2018-11-19 at 10:19 +0000, ge sly wrote:
> "They are optional attributes in the SAML spec"
> I mean the ResponseLocation attribute. Where can I configure it?
>
> On Sat, Nov 17, 2018 at 8:43, ge sly wrote:
> Hi Dmitry
>
> Yes I saw it but here are only 2 urls:
>
> Logout Service POST Binding URL
> POST Binding URL for the Logout Service.
>
> Logout Service Redirect Binding URL
> Redirect Binding URL for the Logout Service
>
> Where can I set the
>
> Logout Service POST Binding Response URL
>
> and
>
> Logout Service Redirect Response Binding URL
>
> They are optional attributes in the SAML spec
>
> Thanks
> Regards
> Sylvain
>
> On Sat, Nov 17, 2018 at 1:15, Dmitry Telegin wrote:
> Hello Sylvain,
>
> These settings are under the "Fine Grain SAML Endpoint Configuration" section in the client settings.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
>
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-16 at 22:19 +0000, ge sly wrote:
> >
> > Hi
> > I am trying to configure Keycloak as an Idp with OIOSAML as a SP.
> > OIOSAML has 2 urls for the single logout:
> >
> > I dont see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used.
> > Thanks
> > Regards
> > Sylvain
> > Sent from Yahoo Mail on Android
> >

From dt at acutus.pro Mon Nov 19 14:11:26 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 22:11:26 +0300
Subject: [keycloak-user] Deploy keycloak to Kubernetes Cluster on GCP
In-Reply-To:
References:
Message-ID: <1542654686.15835.1.camel@acutus.pro>

Hello William, answers inline,

On Sun, 2018-11-18 at 02:11 +0100, William Nankap wrote:
> Hi every one,
>
> when I deploy docker keycloak4.5.0.Final to kubernetes cluster on GCP I can
> normally access to keycloak interface via the external ip address on port
> 8080. But I can't access to the WILDFLY Management Interface on port 9990.

This is because by default Keycloak/Wildfly opens management ports (9990 and 9993) on the local IP only (127.0.0.1). To override this, you can append the following to the command line of your image:

-bmanagement=0.0.0.0

This will bind the management interface to all the IPs on the host. However, you shouldn't access your plain HTTP management interface (9990) from the external IP, but rather use HTTPS on port 9993. Google "Wildfly management https" for how to configure it.

Alternatively, you can use a reverse proxy / load balancer to terminate SSL.

> My questions:
>
> 1/ What are the recommendations to use keycloak in production?
>      a/ Install keycloak server side and wildfly server to use it correctly?
>      b/ Install only the keycloak server. How can I manage deployment for
> an app if I can't access to the wildfly management interface? Is it
> imperative to access it?

You mean: should you install separate Keycloak and application server instances, or is it possible to deploy WARs right into Keycloak? The answer to the second question is yes in theory, but in practice this is not recommended for many reasons.

Your typical setup would include Keycloak as an identity and authentication server, and another app server (Wildfly, Tomcat, Jetty etc.) to host your actual applications that you want secured by Keycloak.

>
> 2/ Need you more details on my deployment to help me? If yes, which?
>
> 3/ How can I get the wildfly management interface on my GCP deployment to
> deploy my app?

Please see above. Alternatively, you can use the jboss-cli tool in the container, which operates locally and doesn't require an external IP.

Finally, you can deploy applications by simply dropping them into the standalone/deployments directory.

> 4/ Have you suggestions for me, the best way to use keycloak in production?
> Some support?

Everything depends on your particular problem. The bare minimum is that you should have a "real" DBMS (PostgreSQL, MySQL etc.) and not an embedded one.

>
> I will be very thankful for your answer.
>
> Kindest regards...
From dt at acutus.pro Mon Nov 19 14:14:17 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 22:14:17 +0300
Subject: [keycloak-user] Adding attributes during login
In-Reply-To: <669483c6-f462-4c7d-67a5-9d40284ae2a2@gmx-topmail.de>
References: <1541914268.3830.1.camel@acutus.pro> <7d9b9737-12f5-a48a-7ead-3355f55c257b@gmx-topmail.de> <1542148837.10365.2.camel@acutus.pro> <669483c6-f462-4c7d-67a5-9d40284ae2a2@gmx-topmail.de>
Message-ID: <1542654857.15835.3.camel@acutus.pro>

Hi, glad to hear it worked!

Another idea might be to install a servlet filter into Keycloak that would parse the URL param and (re)attach it to HttpSession. This would in theory eliminate the need for such heuristics, but this needs to be investigated further.

Dmitry

On Sat, 2018-11-17 at 12:08 +0100, zitrone at gmx-topmail.de wrote:
> Thank you very much.
>
> For anyone interested, here is my full script. I check for the Referer header first, if it is empty I go for the direct parameters. Also restricted it to a certain role.
>
> // import enum for error lookup
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
>
> function authenticate(context) {
>     if (user.hasRole(realm.getRole("AllowedRole"))) {
>         var username = user ? user.username : "anonymous";
>         var referer = httpRequest.httpHeaders.getHeaderString("Referer");
>         var _foo;
>         if (referer !== null) {
>             // first request: the auth endpoint was reached via a redirect, so the
>             // original query parameters are only visible in the Referer header
>             var uri = new java.net.URI(referer);
>             var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
>             _foo = uriInfo.queryParameters.coBrowsingSSOId;
>         } else {
>             // cookie-based re-authentication: no redirect, so the parameters
>             // are in the request URI itself
>             _foo = httpRequest.uri.queryParameters.coBrowsingSSOId;
>         }
>         if (_foo !== null) {
>             var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
>             LOG.error(script.name + ": " + username + " foo =" + foo);
>             authenticationSession.setUserSessionNote("foo", foo);
>             context.success();
>         } else {
>             LOG.error("Missing query parameter 'foo'");
>             context.failure(AuthenticationFlowError.INVALID_USER);
>         }
>     } else {
>         context.success();
>     }
> }
>
> Regards
>
> On 13.11.2018 at 23:40, Dmitry Telegin wrote:
> > Hi, you're welcome,
> >
> > In the second scenario (cookie-based auth), there is no HTTP redirect, hence your query params are in the actual URL, not in the referer header. You can extract them as follows:
> >
> > var _foo = httpRequest.uri.queryParameters['foo'];
> > if (_foo !== null)
> >     var foo = _foo[0];
> >
> > Good luck!
> > Dmitry
> >
> >
> > On Tue, 2018-11-13 at 20:11 +0100, zitrone at gmx-topmail.de wrote:
> > > Hi,
> > >
> > > I'm working on a similar problem. I managed to set up a script
> > > authenticator and a User Session Note Mapper. Works fine on first
> > > request (like, on the first try. Thanks for the code!). I send the query
> > > parameter to the auth endpoint, enter the credentials and get a code.
> > > The token I get for the code contains the query parameter as a field.
> > >
> > > But when I query the auth endpoint a second time, it authenticates via
> > > cookie. Then it starts the script and the script throws a null pointer
> > > exception. The problem is, that the "Referer" header is null.
> > >
> > > The idea behind the second call is to "update" the session note. Any
> > > ideas how to get the query parameter in this case? Or why it vanishes in
> > > the first place?
> > >
> > > Regards
> > >

From dt at acutus.pro Mon Nov 19 14:29:24 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 22:29:24 +0300
Subject: [keycloak-user] Deploy keycloak to Kubernetes Cluster on GCP
In-Reply-To: <1542654686.15835.1.camel@acutus.pro>
References: <1542654686.15835.1.camel@acutus.pro>
Message-ID: <1542655764.15835.6.camel@acutus.pro>

P.S. Probably THE article on how to enable HTTPS on the management interface: http://www.mastertheboss.com/jboss-server/jboss-security/securing-access-to-jboss-wildfly-management-console

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-11-19 at 22:11 +0300, Dmitry Telegin wrote:
> Hello William, answers inline,
>
> On Sun, 2018-11-18 at 02:11 +0100, William Nankap wrote:
> > Hi every one,
> >
> > when I deploy docker keycloak4.5.0.Final to kubernetes cluster on GCP I can
> > normally access to keycloak interface via the external ip address on port
> > 8080. But I can't access to the WILDFLY Management Interface on port 9990.
>
> This is because by default Keycloak/Wildfly opens management ports (9990 and 9993) on the local IP only (127.0.0.1). To override this, you can append the following to the command line of your image:
>
> -bmanagement=0.0.0.0
>
> This will bind the management interface to all the IPs on the host. However, you shouldn't access your plain HTTP management interface (9990) from the external IP, but rather use HTTPS on port 9993. Google "Wildfly management https" for how to configure it.
>
> Alternatively, you can use a reverse proxy / load balancer to terminate SSL.
>
> > My questions:
> >
> > 1/ What are the recommendations to use keycloak in production?
> >      a/ Install keycloak server side and wildfly server to use it correctly?
> >      b/ Install only the keycloak server. How can I manage deployment for
> > an app if I can't access to the wildfly management interface? Is it
> > imperative to access it?
>
> You mean: should you install separate Keycloak and application server instances, or is it possible to deploy WARs right into Keycloak? The answer to the second question is yes in theory, but in practice this is not recommended for many reasons.
>
> Your typical setup would include Keycloak as an identity and authentication server, and another app server (Wildfly, Tomcat, Jetty etc.) to host your actual applications that you want secured by Keycloak.
>
> >
> > 2/ Need you more details on my deployment to help me? If yes, which?
> >
> > 3/ How can I get the wildfly management interface on my GCP deployment to
> > deploy my app?
>
> Please see above. Alternatively, you can use the jboss-cli tool in the container, which operates locally and doesn't require an external IP.
>
> Finally, you can deploy applications by simply dropping them into the standalone/deployments directory.
>
> > 4/ Have you suggestions for me, the best way to use keycloak in production?
> > Some support?
>
> Everything depends on your particular problem. The bare minimum is that you should have a "real" DBMS (PostgreSQL, MySQL etc.) and not an embedded one.
>
> >
> > I will be very thankful for your answer.
> >
> > Kindest regards...
From dt at acutus.pro  Mon Nov 19 14:30:49 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 22:30:49 +0300
Subject: [keycloak-user] krbLastPwdChange - can we use this attribute
In-Reply-To: <21B3C608-679D-4F3F-8587-769C3BFDC4B2@well.ox.ac.uk>
References: <76219A0B-5737-47FC-9B90-8D805B4BA0F8@well.ox.ac.uk> <21B3C608-679D-4F3F-8587-769C3BFDC4B2@well.ox.ac.uk>
Message-ID: <1542655849.15835.7.camel@acutus.pro>

Hello Callum,

If you want a 100% pure Keycloak solution, you can implement your own mapper by extending this one:
https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main/java/org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.java
and modifying it so that it uses krbLastPwdChange instead of pwdLastSet (LDAPConstants.PWD_LAST_SET). Then deploy it as a provider and use it on your LDAP definition instead of the built-in "msad-user-account-control-mapper".

Feel free to ask questions on provider development.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-16 at 16:27 +0000, Callum Smith wrote:
> Dear All,
>
> I've implemented this as a python script for now, hopefully this is useful to some, and hopefully something similar could be implemented for LDAP (although I imagine politically since SSSD cannot provide this data, and that's the preferred connection route for FreeIPA, it's not going to happen soon).
>
> requirements: ldap3, python-keycloak
>
> import os
> import ldap3
> from keycloak import KeycloakAdmin
> from datetime import datetime
>
> # Connection settings; the domain-specific values were removed before posting
> options = {}
> options['ipa_host']            = ''
> options['ipa_admin_user']      = ''
> options['ipa_base_dn']         = ''
> options['ipa_admin_dn']        = ',' + options['ipa_base_dn']   # admin RDN stripped, fill in your own
> options['keycloak_host']       = ''
> options['keycloak_admin_user'] = ''
> options['keycloak_storage_id'] = ''
>
> # Secrets are read from the environment instead of being hardcoded in the script
> keycloakAdminPassword = os.environ['KEYCLOAK_ADMIN_PASSWORD']
> ipaAdminPassword = os.environ['IPA_ADMIN_PASSWORD']
>
> # Begin Keycloak client (admin REST API, authenticated against the master realm)
> # verify=False disables TLS certificate checking; only acceptable for testing
> keycloakClient = KeycloakAdmin(server_url='https://' + options['keycloak_host'] + '/auth/',
>                                username=options['keycloak_admin_user'],
>                                password=keycloakAdminPassword,
>                                realm_name='master', verify=False)
>
> # Begin LDAP client (simple bind as the IPA admin)
> ldapServer = ldap3.Server(options['ipa_host'])
> ldapClient = ldap3.Connection(ldapServer, user=options['ipa_admin_dn'],
>                               password=ipaAdminPassword, auto_bind=True)
>
> # Generate datestamp in LDAP generalized time (UTC), e.g. 20181116162700Z
> date = datetime.utcnow().strftime('%Y%m%d%H%M%S') + 'Z'
>
> # Perform an LDAP sync for Keycloak so every IPA user exists in Keycloak first
> keycloakClient.sync_users(storage_id=options['keycloak_storage_id'], action="triggerFullSync")
>
> userBase = 'cn=users,cn=accounts,' + options['ipa_base_dn']
> attrs = ['uid', 'cn', 'krbLastPwdChange', 'krbPasswordExpiration', 'dn']
>
> # Search LDAP for expired passwords (expiration in the past, or no expiration set at all)
> ldapClient.search(userBase, '(|(krbPasswordExpiration<=' + date + ')(!(krbPasswordExpiration=*)))', attributes=attrs)
> resetPasswordUsers = ldapClient.entries
>
> for user in resetPasswordUsers:
>     user_id = keycloakClient.get_user_id(user.uid.value)
>     keycloakClient.update_user(user_id=user_id, payload={"requiredActions": ['UPDATE_PASSWORD']})
>
> # Search LDAP for valid passwords and clear the required action again
> ldapClient.search(userBase, '(krbPasswordExpiration>=' + date + ')', attributes=attrs)
> validPasswordUsers = ldapClient.entries
>
> for user in validPasswordUsers:
>     user_id = keycloakClient.get_user_id(user.uid.value)
>     keycloakClient.update_user(user_id=user_id, payload={"requiredActions": []})
>
> I've chopped some domain specific stuff from this so it might not be flawless, but hopefully a start for someone. Also no error checking involved here.
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
>
> e. callum at well.ox.ac.uk
>
> On 16 Nov 2018, at 09:16, Callum Smith wrote:
>
> Dear Keycloakers,
>
> I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
>
> e. callum at well.ox.ac.uk

From dt at acutus.pro  Mon Nov 19 14:52:00 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 22:52:00 +0300
Subject: [keycloak-user] Keycloak SAML IdP and URL parameter
Message-ID: <1542657120.15835.9.camel@acutus.pro>

Hello Sud,

Please check out this thread:
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016228.html

The problem under discussion is almost identical to yours, with the only exception being OIDC instead of SAML. But I believe the general principle (fishing request parameters out of the Referer header) remains the same.

Another question: is it possible to use SAML RelayState to pass the same parameter? Custom authenticators have direct access to that field via a client session note with the same name ("RelayState"), which could let you avoid hacks like the above.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-16 at 09:47 -0500, Sud Ramasamy wrote:
> Hi,
>
> We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak.
>
> We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request for a code and redirects the browser to itself, at which point control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there any way to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator?
>
> Thanks in advance for your help.
>
> Regards
> -sud

From dt at acutus.pro  Mon Nov 19 15:08:40 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 23:08:40 +0300
Subject: [keycloak-user] How to package a provider as EAR
In-Reply-To: <8C6AB5C1-40DA-4AC2-8A9C-A25337D9709B@daimler.com>
References: <1C82FBF5-3E14-4E86-B0F1-5D6FECB2229C@daimler.com> <8C6AB5C1-40DA-4AC2-8A9C-A25337D9709B@daimler.com>
Message-ID: <1542658120.15835.11.camel@acutus.pro>

Marco, Mike,

Please take a look at the BeerCloak example:
https://github.com/dteleguin/beercloak

It fully implements EAR packaging for Keycloak providers.
In your case there probably won't be a similar "beercloak-core" module, but rather a bunch of external dependencies. The rest remains roughly the same.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-11-16 at 08:12 +0000, marco.scheuermann at daimler.com wrote:
> Hi together,
>
> do you have any example of how to package a provider implementation as an EAR file?
> I packaged it as a JAR and it works, but then I added some external libs (JARs) so I have the requirement to package it as an EAR.
>
> Thank you,
> Marco
>
> Marco Scheuermann
> Dipl.-Informatiker
> Software Engineer
> RD/UIA - Team Rising Stars
> Tel.: +49 151 5860 5255
> E-Mail: marco.scheuermann at daimler.com
>
> Daimler AG
> Sitz und Registergericht/Domicile and Court of Registry: Stuttgart
> HRB-Nr./Commercial Register No. 19360
> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Manfred Bischoff
> Vorstand/Board of Management: Dieter Zetsche (Vorsitzender/Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Hubertus Troska, Bodo Uebber, Thomas Weber

From geoff at opticks.io  Mon Nov 19 15:22:28 2018
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Mon, 19 Nov 2018 21:22:28 +0100
Subject: [keycloak-user] Permission tab missing, token exchange impossible

I guess you're putting me to the test, huh, Pedro? ;)

So I figured it out. Token exchange is also a preview feature, so I had to start the server with:

-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled

Then to get the token exchange right I had to use the resource server client_id and secret.

Regards,
Geoffrey Cleaves

On Mon, 19 Nov 2018 at 16:57, Geoffrey Cleaves wrote:
> Thanks, I've got the Permissions tab working but am now having trouble exchanging a token. Perhaps my thought process is incorrect.
>
> My idea was for the resource server to take the end user's auth token sent by the Javascript front end public client and exchange it for a token which would allow the resource server to list UMA permissions of that user. In other words, the end user logs into the SPA front end (via Keycloak of course) and then sees the UMA resources he is sharing.
>
> I set permissions for the public client to exchange a token for the resource server client as described in the docs. The starting client is the public client and the target client is the resource server.
> [image: Screen Shot 2018-11-19 at 16.45.51.png]
>
> The problem is that when I try to exchange the token Keycloak gives me different errors depending on how I send the token exchange request:
>
> grant_type: urn:ietf:params:oauth:grant-type:token-exchange
> audience: opticks-rs (resource server)
> requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
> subject_token: End user's Bearer token received from SPA public client
>
> If I don't send client_id and client_secret I get a 400 Bad Request and "INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could skip these fields as the subject_token would serve as authentication.
> If I send client_id=opticks-rs and the client_secret, I get a 501 Not Implemented error:
>
> 15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: javax.ws.rs.WebApplicationException: Feature not enabled
> at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
> [...]
>
> If I set the client_id to the public-client-id and remove client_secret, since it is public and has none, I again get the 501 Not Implemented.
>
> Any help clearing this up is appreciated.
>
> On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva wrote:
>
>> Hi,
>>
>> It is not a bug. We no longer enable tech preview features by default. You need to enable the feature you want, such as admin fine grained permissions, by passing a specific environment variable. Try to boot your server using this system property:
>>
>> -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>>
>> Docs are not reflecting these changes, created https://issues.jboss.org/browse/KEYCLOAK-8865.
>>
>> Regards.
>> Pedro Igor
>>
>> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves wrote:
>>
>>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for allowing token exchange depends on the Permissions tab, is this a bug?
>>>
>>> [image: Screen Shot 2018-11-19 at 11.53.56.png]
>>>
>>> Somebody else is asking the same question:
>>>
>>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>>
>>> Geoff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-11-19 at 16.45.51.png
Type: image/png
Size: 62094 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20181119/ce8b7f8b/attachment-0001.png

From dt at acutus.pro  Mon Nov 19 15:24:45 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 23:24:45 +0300
Subject: [keycloak-user] Welcome Email after Verification Success
References: <1542005910.7421.11.camel@acutus.pro>
Message-ID: <1542659085.15835.14.camel@acutus.pro>

Hello Rajib, glad it worked,

On Mon, 2018-11-12 at 08:38 +0000, Mitra Rajib, Bedag wrote:
> Hi Dmitry,
>
> Thanks for your reply! I ended up implementing my own EventListenerProvider / Theme-Extension, like you mentioned.
>
> Unfortunately a few things with this solution are not ideal:
>
> 1) The EventListenerProviderFactory-Interface resides in a "private" module, which I assume means the SPI could change at any time (see https://issues.jboss.org/browse/KEYCLOAK-6071).

Well, I've been using private SPIs in my projects for years, luckily nothing terrible has happened yet :)

> 2) The event-type that is sent in my case after a user verified his email is a CUSTOM_REQUIRED_ACTION (see http://lists.jboss.org/pipermail/keycloak-user/2018-May/013935.html), so I have to provide this .ftl accordingly. The event contains a detail so I can differentiate it from other custom required actions. But unfortunately since the template is shared between all the custom required actions, I can only have one email for all events of the same type. Or I could introduce FreeMarker if-else statements to differentiate what should be displayed according to the event-detail.

Sounds like a definite bug to me. I'd suggest that you file a JIRA issue, but not before you test it with the recent Keycloak. I'm suggesting this because the code from the master branch seemingly handles everything correctly (though I didn't test it):
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java#L71

> 3) Since I use the sendEvent-Method, I can't introduce my own attributes for the email-template (e.g. realmName, Custom-Link, etc.).
>
> 2) and 3) could be mitigated by providing a new method in FreeMarkerEmailTemplateProvider that could be named for example sendWelcomeEmail, accepting additional attributes as a parameter for the email-template.
> Do you think this is worth contacting the dev-mailing list for? I would be happy to provide a PR for this change with the new EventListener, since I am sure this is a common requirement.

Yep absolutely. Please also check out this: https://issues.jboss.org/browse/KEYCLOAK-1835 (that's why I'd suggest also putting Thomas in CC).

Good luck!
Dmitry

>
> Best,
> Rajib
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Monday, 12 November 2018 07:59
> To: Mitra Rajib, Bedag; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Welcome Email after Verification Success
>
> Hello Rajib,
>
> The phrase in the doc "The Email Event Listener only supports the following events at the moment" and those 4 types boil down to the following 4 template files:
>
> event-login_error.ftl
> event-remove_totp.ftl
> event-update_password.ftl
> event-update_totp.ftl
>
> They can be found under "html" and "text" subdirs under this subtree:
> https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/base/email
>
> Other than that, there are no restrictions on email event types. See this:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailTemplateProvider.java#L109
>
> Basically, you need to define your own email theme and include event-verify_email.ftl in it.
> See this on creating and deploying custom themes:
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-11-06 at 16:26 +0000, Mitra Rajib, Bedag wrote:
> > Hi!
> >
> > I use Keycloak for User-Registration and would like to send a realm-customized "Welcome"-Email after the user verified his email-account.
> >
> > The doc at https://www.keycloak.org/docs/3.2/server_admin/topics/events/login.html mentions 4 different types of email events, but none of these events fit my use-case.
> > Is there any other way I can (easily) implement such a functionality?
> >
> > Thanks,
> > Rajib

From dt at acutus.pro  Mon Nov 19 15:41:37 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 19 Nov 2018 23:41:37 +0300
Subject: [keycloak-user] Configure EMail failed
Message-ID: <1542660097.15835.16.camel@acutus.pro>

Hello Sofiane,

There is no built-in functionality for this, but there are at least two ways to solve it:

1. Extend EmailEventListenerProvider [1] and make it route messages to the admin instead of the user. The solution should be quite concise but will still require coding;
2. Use the standard jboss-logging event listener and feed your logs to Logstash [2]. With it, not only will you have instant email notifications (Logstash has them OOTB), but also registration statistics with ElasticSearch [3] and visualization with Kibana [4].

The second solution is obviously more heavyweight, but also much more powerful. I suggest that you give it a shot, especially if you're interested in statistics and analysis.

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java
[2] https://www.elastic.co/products/logstash
[3] https://www.elastic.co/products/elasticsearch
[4] https://www.elastic.co/products/kibana

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-10-19 at 15:14 +0200, So Be wrote:
> Hi,
>
> as an administrator, I'd like to receive notifications when users log into Keycloak.
> I tried to configure the EMail for the realm but I got
>
> Logged in user does not have an e-mail.
>
> Any idea about what is causing this?
>
> Thank you.

From to_sud at yahoo.com  Mon Nov 19 15:55:46 2018
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Mon, 19 Nov 2018 15:55:46 -0500
Subject: [keycloak-user] Keycloak SAML IdP and URL parameter
In-Reply-To: <1542657120.15835.9.camel@acutus.pro>
References: <1542657120.15835.9.camel@acutus.pro>

Thanks. This is a handy little tip to use the JS Authenticators. We found another way to accomplish this using a JAX-RS feature to parse the custom URL parameter out in the first request and stuff it into the context, where we could retrieve it from in the second request processing flow. Please let me know if for any reason this approach is discouraged.

Regards
-sud

From dt at acutus.pro  Mon Nov 19 16:13:22 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 20 Nov 2018 00:13:22 +0300
Subject: [keycloak-user] Users/Groups access restrictions
Message-ID: <1542662002.15835.22.camel@acutus.pro>

Hello Lyderic, sorry for the late reply,

A similar problem has surfaced on the ML several times recently. There are different ways to solve it; let's start by finding out whether your apps A, B and C are Java EE apps using the Keycloak adapter. In this case, you should be able to use Keycloak authorization services. Otherwise, the problem could be solved with the help of a script authenticator.

Let me know if this is still topical for you,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-06 at 10:54 +0100, Lyderic Dubut wrote:
> Hi Keycloak people!
>
> I'm slowly introducing keycloak in a production environment, but I still do not know how to restrict permissions to users or groups.
>
> To picture my words,
> I have 3 Applications A,B and C > > All company people can access to the application A > > For the application B I want prohibit access to non-admin group member. > So when a non-admin clic on OIDC button to login in app an redirect to > keycloak, I wan't a message like "you don't have permissions". > > > And for the application C all people can access except Bob because he > have broken twice this application :-) > > > It's posisble to do it?? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Gregor.Tudan at cofinpro.de Mon Nov 19 20:15:26 2018 From: Gregor.Tudan at cofinpro.de (Gregor Tudan) Date: Tue, 20 Nov 2018 01:15:26 +0000 Subject: [keycloak-user] Persistent Redirect Params in Registration Message-ID: <22421F9C-BF93-4833-92A0-F37CEB6E00DC@cofinpro.de> Hi, I?m trying to find a solution for passing redirect parameters reliably through the registration page. Our users will go through some steps prior to the registration. We generate an anonymous profile for saving the user input of this step. Then we trigger a registration in Keycloak and pass the id of the profile as parameter in the redirect url. This works fine in happy path, but breaks on some occasions: - we use email-verification. If registration works, but the user fails to confirm the mail-address before the link expires, he will be promted to complete the confirmation the next time he logs in. But the mail in the Confirmation-link will now no longer contain the redirect params of the original mail - if an error occurs during the registration (the user fails multiple times to fill out the form) an error message will be shown prompting the user to restart the registration. The original params will be lost. Is there a way to pass the query params in a more reliable manner through Keycloak? Or is it better to implement this kind of logic in the application code? 
If so, are there any recommendations? Email verification makes this quite hard to do, as the registration can be completed on a completely different device.

Thanks,
Gregor

From David.Leonard at flexential.com Tue Nov 20 00:50:29 2018
From: David.Leonard at flexential.com (David Leonard)
Date: Tue, 20 Nov 2018 05:50:29 +0000
Subject: [keycloak-user] Using Gatekeeper with ingress-nginx

Hello everyone,

We're attempting to use Gatekeeper to integrate into a workflow with auth_request to provide authorization from Keycloak. We're wanting to use this in our Kubernetes stack to sidecar Gatekeeper to our nginx-ingress controller. We're attempting to follow a setup similar to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth but replacing oauth2_proxy with Gatekeeper.

We are able to complete a full authorization cycle using /oauth/expired to test if we have a current token. This doesn't seem to work though, because the X-Auth-* headers get passed only into the "proxied" application. Specifically, oauth2_proxy provides the following config item:

    -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)

We're wanting to sidecar Gatekeeper because we get the infinite flexibility of nginx-ingress. Is it possible to set a flag similar to -set-xauthrequest? Looking at the code itself it seems this is not possible, as the headers are only ever set in the middleware.

Thanks!

--
David Leonard
Director of Professional Services, South Region
303.245.4509
3010 Waterview Parkway, Richardson, TX, 75080

From kkcmadhu at yahoo.com Tue Nov 20 04:27:21 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Tue, 20 Nov 2018 09:27:21 +0000 (UTC)
Subject: [keycloak-user] null pointer in org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598) while starting keycloak
References: <150793993.3088662.1542706041246.ref@mail.yahoo.com>
Message-ID: <150793993.3088662.1542706041246@mail.yahoo.com>

Hi,

I am starting keycloak where I have about 400 realms and the startup was timing out. After I tweaked the wildfly server setting, I get the following error and the application fails to start. Help will be appreciated. Why is getUsersCount throwing a null pointer?

Caused by: java.lang.NullPointerException
        at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598)
        at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451)
        at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460)
        at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55)

:07:24,279 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 62) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
09:07:24,323 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 62) Envers integration enabled : true
09:07:24,893 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 62) HV000001: Hibernate Validator 5.3.6.Final
09:07:25,718 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 62) HHH000397: Using ASTQueryTranslatorFactory
09:13:12,576 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
        at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
        at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
        at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
        at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
        at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
        at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
        at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
        at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
        ... 8 more
Caused by: java.lang.NullPointerException
        at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598)
        at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451)
        at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460)
        at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55)
        at org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:163)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
        at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:159)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
        ... 31 more

09:13:12,581 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
09:13:12,654 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000080: Disconnecting JGroups channel ee
09:13:12,662 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel ee
09:13:12,663 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thre

From nocquidant at gmail.com Tue Nov 20 05:04:09 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Tue, 20 Nov 2018 11:04:09 +0100
Subject: [keycloak-user] OOM at startup with 1 million sessions

Hi

My UC is to keep one year of sessions; this is what I have done to simulate it:

1. I use JDBC to store 1 million session objects, 2.8KB (in memory) each
2. I start one Infinispan node with passivation=false and shared=true, and Xmx=8G
3. I start one Keycloak node configured with a remote-cache and Xmx=4G

Note that I use a remote-store in KC as it is the only way to set passivation=false and shared=true (see http://lists.jboss.org/pipermail/keycloak-user/2018-November/016180.html).

No problem in step 2, the ISPN process is less than 300MB in memory. But after step 3, the ISPN process goes up to around 6GB. See below for the traces, but basically I get OOM.

Using the debugger, I can see that getting the size of the cache is a really slow operation, and bumps memory to 3GB in the ISPN process. From org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer:

    RemoteCacheSessionsLoader.computeLoaderContext(KeycloakSession session) {
        // ...
        int sessionsTotal = remoteCache.size();   <--- HERE
        // ...
    }

And then (OOM here):

    InfinispanCacheInitializer.startLoadingImpl(InitializerState state, SessionLoader.LoaderContext ctx) {
        // ...
        for (Future future : futures) {
            // Called 4X (ie the number of segments), but 1st one does not terminate: OOM
            // -> org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart
            WorkerResult result = future.get();   <--- Very slow and bumps mem to 8GB
            // ...
        }

So, with 1M sessions in the store, I cannot get KC/ISPN to start. And I am far from my goal, which is to keep one year of sessions (which has been estimated at ~52M sessions)...

Is it something I can't achieve with KC/ISPN? Any help appreciated.

Thanks
nick

Note, the versions I used are:
* ISPN 9.4.1 Wildfly
* KC 4.6.0 Wildfly

-- ISPN process

10:42:22,969 ERROR [stderr] (Periodic Recovery) Exception in thread "Periodic Recovery" java.lang.OutOfMemoryError: Java heap space
10:42:22,977 ERROR [stderr] (Periodic Recovery)         at sun.text.resources.fr.FormatData_fr.getContents(FormatData_fr.java:86)
10:42:22,975 ERROR [org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory] (pool-9-thread-1) ISPN008018: Sql failure retrieving connection from datasource: java.sql.SQLException: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
        at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
        at org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory.getConnection(ManagedConnectionFactory.java:83)
        at org.infinispan.persistence.jdbc.stringbased.JdbcStringBasedStore.purge(JdbcStringBasedStore.java:461)
        at org.infinispan.persistence.manager.PersistenceManagerImpl.lambda$purgeExpired$6(PersistenceManagerImpl.java:459)
        at java.util.ArrayList.forEach(ArrayList.java:1257)
        at org.infinispan.persistence.manager.PersistenceManagerImpl.purgeExpired(PersistenceManagerImpl.java:462)
        at org.infinispan.expiration.impl.ClusterExpirationManager.processExpiration(ClusterExpirationManager.java:119)
        at org.infinispan.expiration.impl.ExpirationManagerImpl$ScheduledTask.run(ExpirationManagerImpl.java:245)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:811)
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
        ... 15 more
Caused by: java.lang.OutOfMemoryError: Java heap space

-- KC process

10:42:23,216 WARN  [org.infinispan.client.hotrod.impl.protocol.Codec21] (Thread-0) ISPN004005: Error received from the server: java.lang.RuntimeException: java.sql.SQLException: Error java.sql.SQLException: Error java.lang.OutOfMemoryError: Java heap space
10:42:23,359 WARN  [org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader] (pool-16-thread-4) Error loading sessions from remote cache 'sessions' for segment '3': org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=55 returned server error (status=0x85): java.lang.RuntimeException: java.sql.SQLException: Error java.sql.SQLException: Error java.lang.OutOfMemoryError: Java heap space
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:333)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:179)
        at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:138)
        at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

From nocquidant at gmail.com Tue Nov 20 05:25:02 2018
From: nocquidant at gmail.com (Nicolas Ocquidant)
Date: Tue, 20 Nov 2018 11:25:02 +0100
Subject: [keycloak-user] Unable to unmarshall bytes for CLIENT_CACHE_ENTRY_CREATED

Hi

This is my very simple UC to reproduce:

1.
Start one Infinispan node with passivation=false and shared=true (I don't think the parameters are important here)
2. Start one Keycloak node configured with a remote-cache
3. Populate Keycloak using the admin console (one realm, one client, one role and one user)
4. Ask for an access token with curl (no client_secret)

Then, in Codec21.readCacheEvent():

    case CLIENT_CACHE_ENTRY_CREATED:
        Object createdKey = dataFormat.keyToObj(ByteBufUtil.readArray(buf), status, whitelist);   <-- BOOM

My config is:

    <property name="rawValues">true</property>
    <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>

The stack trace is below. Is it a config issue?

Thanks for your help
--nick

11:09:13,373 WARN  [org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder] (Thread-0) ISPN004039: Unable to complete reading event from server /127.0.0.1:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:: ISPN004034: Unable to unmarshall bytes 01012926033E2439633136373130642D653432332D343134342D396163652D393461356564353639313462
        at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:48)
        at org.infinispan.client.hotrod.DataFormat.keyToObj(DataFormat.java:93)
        at org.infinispan.client.hotrod.impl.protocol.Codec21.readCacheEvent(Codec21.java:75)
        at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:153)
        at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Unsupported protocol version 1
        at org.jboss.marshalling.river.RiverUnmarshaller.start(RiverUnmarshaller.java:1349)
        at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.startObjectInput(AbstractJBossMarshaller.java:129)
        at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:110)
        at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82)
        at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:32)
        ... 25 more

From psilva at redhat.com Tue Nov 20 05:49:40 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 20 Nov 2018 08:49:40 -0200
Subject: [keycloak-user] Permission tab missing, token exchange impossible

Yeah, and you are passing the test :)

I've submitted a PR with changes to documentation.

Thanks.
Pedro Igor

On Mon, Nov 19, 2018 at 6:22 PM Geoffrey Cleaves wrote:
> I guess you're putting me to the test, huh, Pedro? ;) So I figured it out. Token exchange is also a preview feature, so I had to start the server with:
> -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
> -Dkeycloak.profile.feature.token_exchange=enabled
>
> Then to get the token exchange right I had to use the resource server client_id and secret.
>
> Regards,
> Geoffrey Cleaves
>
> On Mon, 19 Nov 2018 at 16:57, Geoffrey Cleaves wrote:
>
>> Thanks, I've got the Permissions tab working but am now having trouble exchanging a token. Perhaps my thought process is incorrect.
>>
>> My idea was for the resource server to take the end user's auth token sent by the Javascript front end public client and exchange it for a token which would allow the resource server to list UMA permissions of that user. In other words, the end user logs into the SPA front end (via Keycloak of course) and then sees the UMA resources he is sharing.
>>
>> I set permissions for the public client to exchange token for resource server client as described in the docs. The starting client is the public client and the target client is the resource server.
>> [image: Screen Shot 2018-11-19 at 16.45.51.png] >> >> The problem is that when I try to exchange the token Keycloak gives me >> different errors depending on how I send the token exchange request: >> >> grant_type: urn:ietf:params:oauth:grant-type:token-exchange >> audience: opticks-rs (resource server) >> requested_token_type: urn:ietf:params:oauth:token-type:refresh_token >> subject_token: End user's Bearer token received from SPA public client >> >> If I don't send client_id and client_secret I get a 400 Bad Request and >> "INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could >> skip these fields as the subject_token would server as authentication. >> If I send cliend_id=opticks-rs and the client_secret, I get a 501 Not >> Implemented error: >> >> 15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] >> (default task-10) Uncaught server error: >> javax.ws.rs.WebApplicationException: Feature not enabled >> >> at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32) >> >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658) >> >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190) >> >> at sun.reflect.GeneratedMethodAccessor770.invoke(Unknown Source) >> >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> >> at java.lang.reflect.Method.invoke(Method.java:498) >> >> at >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >> >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >> >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >> >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >> >> at >> 
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >> >> at >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >> >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >> >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) >> >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) >> >> at >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >> >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >> >> at >> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >> >> at >> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >> >> at >> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> >> at >> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >> >> at >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >> >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >> >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >> >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >> >> at >> 
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>> at java.lang.Thread.run(Thread.java:748)
>>
>> If I set the client_id to the public-client-id and remove client_secret,
>> since it is public and has none, I again get the 501 Not Implemented.
>>
>> Any help clearing this up is appreciated.
>>
>> On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> It is not a bug. We no longer enable tech preview features by default.
>>> You need to enable the feature you want, such as admin fine grained
>>> permissions, by passing a specific environment variable. Try to boot your
>>> server using this system property:
>>>
>>> -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>>>
>>> Docs are not reflecting these changes, created
>>> https://issues.jboss.org/browse/KEYCLOAK-8865.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves wrote:
>>>
>>>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation
>>>> for allowing token exchange depends on the Permissions tab, is this a bug?
>>>>
>>>> [image: Screen Shot 2018-11-19 at 11.53.56.png]
>>>>
>>>> Somebody else is asking the same question:
>>>>
>>>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>>>
>>>> Geoff
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Nov 20 07:00:51 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 20 Nov 2018 15:00:51 +0300
Subject: [keycloak-user] Persistent Redirect Params in Registration
In-Reply-To: <22421F9C-BF93-4833-92A0-F37CEB6E00DC@cofinpro.de>
References: <22421F9C-BF93-4833-92A0-F37CEB6E00DC@cofinpro.de>
Message-ID: <1542715251.2146.1.camel@acutus.pro>

Hi Gregor,

Is the overall idea the following: upon successful registration, the user should be redirected back to the application for which the anonymous profile has been created, and the app should know the profile ID to link the user to?

I think passing back the ID in the redirect URI is unreliable. I'd rather suggest that upon registration you persist the profile ID as a user attribute in Keycloak, and propagate it back to the application as a token claim. The application, obviously, will need to be modified to be able to handle that custom claim.
To extract the ID from the request URI and to persist it as an attribute in Keycloak, you can use custom execution within the Registration flow (I'd suggest script-based). To push the attribute to the token claims, use custom protocol mapper.

To overcome the issue with parameter loss due to restarted registration, I'd suggest that you use browser local storage to hold your profile ID. This will however require modifications to the Keycloak registration screens (via login theme) so that the ID could be retrieved from the local storage and sent to Keycloak. Most likely your pre-Keycloak profile wizard will reside on a separate (sub)domain, so you should use some tricks to share your local storage between the domains (Google for "local storage shared"). This scheme will obviously rely on working JavaScript and local storage support in the browser.

As for email verification, this should be also mitigated by the attribute/claim approach described above. If your user has reached this step, this means that technically the registration has been successful, and the profile ID attribute should have been created already. Upon completing email verification, the user will be taken to the application with the claim already in the token.

Feel free to ask any questions,

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-11-20 at 01:15 +0000, Gregor Tudan wrote:
> Hi,
>
> I'm trying to find a solution for passing redirect parameters reliably through the registration page.
>
> Our users will go through some steps prior to the registration. We generate an anonymous profile for saving the user input of this step. Then we trigger a registration in Keycloak and pass the id of the profile as parameter in the redirect url.
>
> This works fine in the happy path, but breaks on some occasions:
> - we use email-verification.
> If registration works, but the user fails to confirm the mail-address before the link expires, he will be prompted to complete the confirmation the next time he logs in. But the mail in the Confirmation-link will now no longer contain the redirect params of the original mail
> - if an error occurs during the registration (the user fails multiple times to fill out the form) an error message will be shown prompting the user to restart the registration. The original params will be lost.
>
> Is there a way to pass the query params in a more reliable manner through Keycloak?
> Or is it better to implement this kind of logic in the application code? If so, are there any recommendations? Email-Verification makes this quite hard to do, as the registration can be completed on a completely different device.
>
> Thanks,
> Gregor
>

From dt at acutus.pro Tue Nov 20 07:04:43 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 20 Nov 2018 15:04:43 +0300
Subject: [keycloak-user] Keycloak SAML IdP and URL parameter
In-Reply-To:
References: <1542657120.15835.9.camel@acutus.pro>
Message-ID: <1542715483.2146.3.camel@acutus.pro>

Hello Sud,

On Mon, 2018-11-19 at 15:55 -0500, Sud Ramasamy wrote:
> Thanks. This is a handy little tip to use the JS Authenticators.
>
> We found another way to accomplish this using a JAX-RS feature to parse the custom URL parameter out in the first request and stuff it into the context where we could retrieve it from in the second request processing flow. Please let me know if for any reason this approach is discouraged.

In fact I was thinking about something similar, but with servlet filter rather than JAX-RS feature. Your solution seems even better. Do you register a JAX-RS interceptor on SamlService endpoint and push the extracted parameter into a session context?
Dmitry

>
> Regards
> -sud
>
>
>
> On November 19, 2018 at 2:52:05 PM, Dmitry Telegin (dt at acutus.pro) wrote:
>
> Hello Sud,
>
> Please check out this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2018-November/016228.html
>
> The problem under discussion is almost identical to yours, with the only exception being OIDC instead of SAML. But I believe the general principle (fishing request parameters out of the Referer header) remains the same.
>
> Another question: is it possible to use SAML RelayState to pass the same parameter? Custom authenticators have direct access to that field via client session note with the same name ("RelayState"), which could let you avoid the hacks like above.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
>
> E-mail: info at acutus.pro
>
> On Fri, 2018-11-16 at 09:47 -0500, Sud Ramasamy wrote:
> > Hi,
> >
> > We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak.
> >
> > We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request with a code and redirects the browser to itself at which point the control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there any way to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator?
> >
> > Thanks in advance for your help.
> >
> > Regards
> > -sud
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From slaskawi at redhat.com Tue Nov 20 07:42:10 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 20 Nov 2018 13:42:10 +0100
Subject: [keycloak-user] OOM at startup with 1 million sessions
In-Reply-To:
References:
Message-ID:

If I'm not mistaken (+William Burns is an expert here), invoking RemoteCache#size() method requires pulling all entries from the store into the memory. If so, that's why it blows up.

The only way that comes into my mind is to get rid of RemoteCache#size() calls from Keycloak (+Marek Posolda WDYT, is it doable?).

I'm just wondering if adding more memory to the ISPN process is an option in your case?

On Tue, Nov 20, 2018 at 11:12 AM Nicolas Ocquidant wrote:
> Hi
>
> My UC is to keep one year of sessions, this is what I have done to simulate it:
>
> 1. I use JDBC to store 1 million session objects, 2.8KB (in memory) each
> 2. I start one Infinispan node with passivation=false and shared=true, and Xmx=8G
> 3. I start one Keycloak node configured with a remote-cache and Xmx=4G
>
> Note that I use a remote-store in KC as it is the only way to set passivation=false and shared=true (see http://lists.jboss.org/pipermail/keycloak-user/2018-November/016180.html).
>
> No problem in step 2, ISPN process is less than 300MB large in memory. But after 3, ISPN process goes up to around 6GB.
>
> See below for the traces, but basically I get OOM.
>
> Using the debugger, I can see that getting the size of the cache is a really slow operation, and bumps memory to 3GB in the ISPN process.
>
> From org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer:
>
> RemoteCacheSessionsLoader.computeLoaderContext(KeycloakSession session)
>     // ...
>     int sessionsTotal = remoteCache.size(); <--- HERE
>     //...
> }
>
> And then (OOM here):
>
> InfinispanCacheInitializer.startLoadingImpl(InitializerState state, SessionLoader.LoaderContext ctx) {
>     // ...
>     for (Future future : futures) {
>         // Called 4X (ie the number of segments), but 1st one does not terminate: OOM
>         // -> org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart
>         WorkerResult result = future.get(); <--- Very slow and bumps mem to 8GB
>         // ...
> }
>
> So, with 1M of sessions in store, I cannot get KC/ISPN to start. And I am far from my goal which is to keep one year of sessions (which has been estimated to ~52M of sessions)...
>
> Is it something I can't achieve with KC/ISPN?
> Any help appreciated.
>
> Thanks
> nick
>
> Note, versions I used are:
>
> * ISPN 9.4.1 Wildfly
> * KC 4.6.0 Wildfly
>
> -- ISPN process
>
> 10:42:22,969 ERROR [stderr] (Periodic Recovery) Exception in thread "Periodic Recovery" java.lang.OutOfMemoryError: Java heap space
> 10:42:22,977 ERROR [stderr] (Periodic Recovery)         at sun.text.resources.fr.FormatData_fr.getContents(FormatData_fr.java:86)
> 10:42:22,975 ERROR [org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory] (pool-9-thread-1) ISPN008018: Sql failure retrieving connection from datasource: java.sql.SQLException: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
>         at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
>         at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
>         at org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory.getConnection(ManagedConnectionFactory.java:83)
>         at org.infinispan.persistence.jdbc.stringbased.JdbcStringBasedStore.purge(JdbcStringBasedStore.java:461)
>         at org.infinispan.persistence.manager.PersistenceManagerImpl.lambda$purgeExpired$6(PersistenceManagerImpl.java:459)
>         at java.util.ArrayList.forEach(ArrayList.java:1257)
>         at org.infinispan.persistence.manager.PersistenceManagerImpl.purgeExpired(PersistenceManagerImpl.java:462)
>         at org.infinispan.expiration.impl.ClusterExpirationManager.processExpiration(ClusterExpirationManager.java:119)
>         at org.infinispan.expiration.impl.ExpirationManagerImpl$ScheduledTask.run(ExpirationManagerImpl.java:245)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
>         at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:811)
>         at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
>         ... 15 more
> Caused by: java.lang.OutOfMemoryError: Java heap space
>
>
> -- KC process
>
> 10:42:23,216 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (Thread-0) ISPN004005: Error received from the server: java.lang.RuntimeException: java.sql.SQLException: Error
>
> java.sql.SQLException: Error
> java.lang.OutOfMemoryError: Java heap space
> 10:42:23,359 WARN [org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader] (pool-16-thread-4) Error loading sessions from remote cache 'sessions' for segment '3': org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=55 returned server error (status=0x85): java.lang.RuntimeException: java.sql.SQLException: Error
> java.sql.SQLException: Error
> java.lang.OutOfMemoryError: Java heap space
>         at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:333)
>         at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:179)
>         at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:138)
>         at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98)
>         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
>         at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
>         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
>         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
>         at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
>         at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
>         at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647)
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582)
>         at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
>         at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461)
>         at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
>

From mposolda at redhat.com Tue Nov 20 08:11:55 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Nov 2018 14:11:55 +0100
Subject: [keycloak-user] OOM at startup with 1 million sessions
In-Reply-To:
References:
Message-ID:

On 20/11/2018 13:42, Sebastian Laskawiec wrote:
> If I'm not mistaken (+William Burns is an expert here), invoking RemoteCache#size() method requires pulling all entries from the store into the memory. If so, that's why it blows up.
>
> The only way that comes into my mind is to get rid of RemoteCache#size() calls from Keycloak (+Marek Posolda WDYT, is it doable?).

Hmm... I think that remoteCache#size doesn't need to load the entries to the memory? I see that the HotRod protocol has a "size" operation and that one seems to be called under the covers when you call RemoteCache#size (on the client side, the Java class is org.infinispan.client.hotrod.impl.operations.SizeOperation).

I am not sure how much memory is needed to have 1 million user sessions. We plan to have some tests for this, but didn't test this yet with cross-dc enabled.

Do you have both JDG and Keycloak on the same machine? Maybe it will help to increase or decrease the value of "Xmx" for both JDG and Keycloak. AFAIK if it's too big, it means that garbage collectors are not called very often and new records are added to the memory and the JDK process doesn't have enough space to handle it. But not 100% sure if that can help.

Marek

>
> I'm just wondering if adding more memory to the ISPN process is an option in your case?
From chapani at protonmail.com Tue Nov 20 08:27:58 2018
From: chapani at protonmail.com (chapani)
Date: Tue, 20 Nov 2018 13:27:58 +0000
Subject: [keycloak-user] how to get a token in js webapp for bearer-only backend api client
Message-ID: <95vk969vP7l6RZk3M-aDsc-GFmOTK15dymTcMmoR2zk7q9wWDoGIAgu8BOTKL7K33IsWCIATlFZ7YQe7MHkl3miLbTGhKqKKNK_GWSI5xVg=@protonmail.com>

Hi,

I got this setup for my app:

1. Keycloak server
2. Keycloak-protected nodejs backend (bearer-only)
3. PHP/Reactjs frontend

The frontend is optionally login-protected. For some users it will be required to login which will redirect the user to Keycloak server. After a user is logged in, the frontend will have a bearer token to make api calls to the keycloak-protected backend.

My problem is how to get a bearer token for users that don't need to be logged in (anonymous users).

I tried this approach:

1. Created "confidential" client to be used by PHP.
2. Frontend PHP gets a bearer token using client_id and client_secret and passes them to javascript (by that I mean, printing out token values inside