From r.goyard at groupeonepoint.com Sat Sep 1 01:52:30 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Sat, 1 Sep 2018 05:52:30 +0000
Subject: [keycloak-user] Keycloak & SAML Invalid Response
In-Reply-To:
References:
Message-ID:

Hi All,

Thanks all, I finally got Workplace and Keycloak working together, and I wrote this article:
https://www.mimiz.fr/keycloak-workplace-sso-saml.html

Feel free to give feedback or leave any comments.

Regards
Remi

On 28 August 2018 at 09:17:46, r.goyard at groupeonepoint.com (r.goyard at groupeonepoint.com) wrote:

Hi All,

I just tried to use the Auth0 service and it worked with Workplace by Facebook (following this documentation: https://scontent-cdt1-1.xx.fbcdn.net/v/t39.2365-6/33246377_951880651638808_7491240743177027584_n.pdf?_nc_cat=0&oh=266ec47aacfd6aad53e67d33b4b5a502&oe=5C2DC62A)

It seems that Keycloak does not produce a valid response for the email mapping. The above documentation specifies the following configuration steps, but I really don't know how to map it in Keycloak:

{
  "audience": "https://www.facebook.com/company/ID",
  "recipient": "https://workplace.facebook.com/work/saml.php",
  "mappings": {
    "email": "Email"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

I think that I need to specify this information:

"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
"nameIdentifierProbes": [
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]

Does anyone have ideas?
Regards
Rémi

From esteiner at inventage.com Sun Sep 2 08:45:28 2018
From: esteiner at inventage.com (Edwin Steiner)
Date: Sun, 2 Sep 2018 14:45:28 +0200
Subject: [keycloak-user] Access to EntityManager/KeycloakSession from a MessageDrivenBean inside Keycloak
In-Reply-To: <1535412039.4014.5.camel@acutus.pro>
References: <1535412039.4014.5.camel@acutus.pro>
Message-ID: <0F8AEC27-361A-4BF1-9EA0-D717BFE69989@inventage.com>

Hello Dmitry

Thank you very much for your reply. Unfortunately it didn't solve my problem. I think it is because I want to access the EntityManager of the Keycloak persistence unit itself. This persistence unit is defined in the keycloak-model-jpa JAR referenced by the module "org.keycloak.keycloak-model-jpa" and it is named "keycloak-default". I cannot access it, because it is not exposed via JNDI (e.g. with ).

We use the Keycloak SPI org.keycloak.connections.jpa.entityprovider.JpaEntityProviderFactory to persist our own JPA entities.

More precisely my question is the following: is there a way to get access to the Keycloak EntityManager in an MDB or EJB within a custom deployment?

Best regards,
Edwin

--
Edwin Steiner
phone +41 43 343 20 22 | mobile +41 79 441 57 56
Inventage AG | CH-8005 Zürich | www.inventage.com

> On 28 Aug 2018, at 01:20, Dmitry Telegin
wrote:
>
> Hello Edwin,
>
> Keycloak does support stateful EJBs as extensions: https://www.keycloak.org/docs/latest/server_development/index.html#leveraging-java-ee
>
> These EJBs are able to obtain an EntityManager as follows, without specifying unitName:
>
> @PersistenceContext
> protected EntityManager em;
>
> Could you try the same in your MDB? If that doesn't work, I think you could create a dummy stateful EJB whose sole purpose would be to propagate EntityManager, KeycloakSession etc. to your MDB (via e.g. JNDI).
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Sun, 2018-08-26 at 16:19 +0200, Edwin Steiner wrote:
>> Hello All
>>
>> We would like to extend our Keycloak instance with a MessageDrivenBean for user synchronization. Inside the MessageDrivenBean we need access to the EntityManager for storing the imported users in the database.
>>
>> @MessageDriven(name = "ImportUserMessageHandler", activationConfig = {
>>     @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
>>     @ActivationConfigProperty(propertyName = "destination", propertyValue = "ImportQueue"),
>>     @ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
>> @ApplicationScoped
>> public class ImportUserMessageHandler extends AbstractMessageDrivenBean {
>>
>>     @PersistenceContext(unitName="keycloak-default")
>>     private EntityManager entityManager;
>>
>> }
>>
>> But the above code results in the following error message:
>>
>> --------
>> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYEE0041: Component class com.inventage.iam.import.ImportUserMessageHandler for component ImportUserMessageHandler has errors:
>> WFLYJPA0033: Can't find a persistence unit named keycloak-default in deployment "keycloak-spi.jar"
>>     at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor$1.handle(ModuleJndiBindingProcessor.java:157)
>>     at org.jboss.as.ee.component.ClassDescriptionTraversal.run(ClassDescriptionTraversal.java:54)
>>     at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.processClassConfigurations(ModuleJndiBindingProcessor.java:186)
>>     at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.deploy(ModuleJndiBindingProcessor.java:143)
>>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:165)
>>     ... 5 more
>> --------
>>
>> Normally the EntityManager is obtained via keycloakSession.getProvider(JpaConnectionProvider.class).getEntityManager(), but in the MessageDrivenBean we have no access to a KeycloakSession instance.
>>
>> Is there another way to get the EntityManager? Or can we somehow get a KeycloakSession instance inside the MessageDrivenBean?
>>
>> Thanks
>> Edwin
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ian at ianduffy.ie Sun Sep 2 08:59:37 2018
From: ian at ianduffy.ie (Ian Duffy)
Date: Sun, 2 Sep 2018 13:59:37 +0100
Subject: [keycloak-user] Realm resolution by username
Message-ID:

Hi all,

I'm using Keycloak in a multi-tenant scenario where each tenant is a realm and the clients are duplicated across them. The username for each user is an email address of username at tenant.tld

Is there any way to use the @tenant.tld part of the email address as a realm resolver and have all users access the system via the same login page?

Thanks,
Ian.
From amavisto at gmail.com Sun Sep 2 17:04:44 2018
From: amavisto at gmail.com (Milan Simonovic)
Date: Sun, 2 Sep 2018 23:04:44 +0200
Subject: [keycloak-user] group membership policy was: How to implement this using Keycloak
Message-ID: <0EC58C89-710D-4ED2-903B-8E5906BEAD71@gmail.com>

Hi all,

there was a post in 2016 that kind of describes my problem: http://lists.jboss.org/pipermail/keycloak-user/2016-July/007069.html unfortunately without any concrete pointers or examples.

To paraphrase: there's a protected resource called Project, and an owner, a Project Manager. Each project manager has access to only their own projects (owner-only policy). Project Managers in turn report to one or more Portfolio Managers. A Portfolio Manager should be able to access all his/her project managers' projects (portfolio-manager policy).

Let's assume the system design is flexible and that the fact of who the Portfolio Managers are for a particular Project Manager can be kept either inside Keycloak or in the client app itself.

How can this be implemented as a JavaScript authorization policy in Keycloak? I guess the request can be injected with this info somehow but I can't figure it out from the docs.

regards,
Milan
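An added example (not from this thread or from the Keycloak project) of how the two policies in Milan's question can be expressed as a single Keycloak JavaScript policy. It assumes that the Portfolio Manager to Project Manager relationship is kept in Keycloak and exposed on the caller's identity as a multi-valued claim named `manages` (an assumed name, e.g. populated from a user attribute by a protocol mapper) listing the user ids of the Project Managers who report to them, and that each Project resource's owner is the owning Project Manager's user id. Inside Keycloak only the body of `evaluate` goes into the policy's code field, with `$evaluation` supplied by the server; `makeEvaluation` is a local stand-in for just the parts of that API the policy touches, so the decision logic can be exercised offline.

```javascript
// Added example: Keycloak JavaScript policy granting a Project to its owning
// Project Manager and to any Portfolio Manager who manages that owner.
// Assumptions (not from the thread): the caller's identity carries a multi-valued
// claim "manages" with the user ids of the Project Managers reporting to them, and
// a Project resource's owner is the Project Manager's user id.

// Policy body. In Keycloak, $evaluation is a global provided by the server; here it
// is passed in so the identical code also runs against the local shim below.
function evaluate($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var owner = String($evaluation.getPermission().getResource().getOwner());
  var me = String(identity.getId());

  // Owner-only policy: a Project Manager reaches only their own projects.
  if (owner === me) {
    $evaluation.grant();
    return;
  }

  // Portfolio-manager policy: grant when the resource owner is one of the
  // Project Managers listed in the caller's "manages" claim (assumed claim name).
  var attrs = identity.getAttributes();
  if (attrs.exists('manages')) {
    var managed = attrs.getValue('manages');
    for (var i = 0; i < managed.size(); i++) {
      if (String(managed.asString(i)) === owner) {
        $evaluation.grant();
        return;
      }
    }
  }

  // Default deny: anyone else, including a Project Manager looking at a peer's project.
  $evaluation.deny();
}

// Minimal local stand-in for the parts of $evaluation used above
// (Identity.getId/getAttributes, Attributes.exists/getValue, Entry.size/asString,
// Resource.getOwner, grant/deny). Constructed for offline testing only.
function makeEvaluation(userId, claims, resourceOwner) {
  var decision = 'DENY'; // a policy that never calls grant() denies
  function entry(values) {
    return {
      size: function () { return values.length; },
      asString: function (i) { return values[i]; }
    };
  }
  var attributes = {
    exists: function (name) { return Object.prototype.hasOwnProperty.call(claims, name); },
    getValue: function (name) { return entry(claims[name] || []); }
  };
  var identity = {
    getId: function () { return userId; },
    getAttributes: function () { return attributes; }
  };
  var resource = { getOwner: function () { return resourceOwner; } };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    decision: function () { return decision; }
  };
}

// Run the policy for one (caller, resource owner) pair and return 'GRANT' or 'DENY'.
function decide(userId, claims, resourceOwner) {
  var ev = makeEvaluation(userId, claims, resourceOwner);
  evaluate(ev);
  return ev.decision();
}

// Constructed scenario: pm-1 and pm-2 report to pfm-1; pm-3 reports to nobody here.
var portfolio = { manages: ['pm-1', 'pm-2'] };
console.log('owner          ', decide('pm-1', {}, 'pm-1'));         // GRANT
console.log('portfolio mgr  ', decide('pfm-1', portfolio, 'pm-2')); // GRANT
console.log('peer PM        ', decide('pm-3', {}, 'pm-1'));         // DENY
console.log('unmanaged PM   ', decide('pfm-1', portfolio, 'pm-3')); // DENY
```

If the relationship lives in the client application instead of in Keycloak (the question's other option), the same loop applies to whatever claim the client supplies with the authorization request; only the claim name changes, and the resource owner check stays server-side so the client cannot grant itself access by omitting a claim.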
From dt at acutus.pro Mon Sep 3 00:26:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 03 Sep 2018 07:26:33 +0300
Subject: [keycloak-user] org.keycloak.keycloak-services
In-Reply-To: <001201d44100$590d3430$0b279c90$@netsetglobal.rs>
References: <001201d44100$590d3430$0b279c90$@netsetglobal.rs>
Message-ID: <1535948793.17806.1.camel@acutus.pro>

Hello Nikola,

Declaring dependencies in pom.xml alone is not sufficient for them to be resolved at runtime. Seems that you're deploying your authenticator via the standalone/deployments directory. In this case, you should include a META-INF/jboss-deployment-structure.xml in your JAR. Example: https://github.com/dteleguin/beercloak/blob/14da8578310f2d257bdc1b059a8d355343174180/src/main/resources/META-INF/jboss-deployment-structure.xml

You should change the module name to "deployment.aas" and leave only the dependencies you need.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-08-31 at 09:58 +0200, Nikola Malenic wrote:
> I developed an authentication provider and am trying to deploy it on the KC
> server. My project depends on keycloak-services:
>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-services</artifactId>
>         <scope>provided</scope>
>         <version>${keycloak.version}</version>
>     </dependency>
>
> My version is the same as the running Keycloak server.
>
> I'm getting this error:
>
> java.lang.NoClassDefFoundError: Failed to link
> rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm (Module
> \"deployment.aas-1.0.DEBUG.jar\" from Service Module Loader):
> org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator"}}
>
>
> And WildFly succeeds in finding other dependencies, like keycloak-server-spi
> etc.
>
> Any clue why this is happening?
>
> Many thanks,
>
> Nikola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From keycloak-list at vergien.net Mon Sep 3 03:23:17 2018
From: keycloak-list at vergien.net (keycloak-list at vergien.net)
Date: Mon, 3 Sep 2018 09:23:17 +0200
Subject: [keycloak-user] Handling long time running non interactive "sessions" (offline-tokens ?)
Message-ID: <412ece19-9f01-f6ca-19f1-19b3f47739f0@vergien.net>

Hi list,

I wonder how to implement long running non-interactive sessions.

This is what works for me (both UI and data-service use the Spring stack):
- in the UI the user gets redirected to Keycloak on login
- we pass the access token from the KeycloakSecurityContext as an "Authorization" header on calls to the data-service
- the data-service validates that token and returns data

What I need in addition is:
- the authorized user starts an action in the UI which accesses our "im-export-service"
- the "im-export-service" starts a long running action using the data-service
- this long running action must still run even if the user has logged off

I wonder if offline tokens are the right thing to use here? As far as I understand the docs, the offline token must be requested on login; it cannot be created later by the "im-export-service" if it's needed?

I hope my problem is clear...

Best wishes
Daniel
From nikola.malenic at netsetglobal.rs Mon Sep 3 03:44:06 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Mon, 3 Sep 2018 09:44:06 +0200
Subject: [keycloak-user] org.keycloak.keycloak-services
In-Reply-To: <1535948793.17806.1.camel@acutus.pro>
References: <001201d44100$590d3430$0b279c90$@netsetglobal.rs> <1535948793.17806.1.camel@acutus.pro>
Message-ID: <002901d44359$e442cb40$acc861c0$@netsetglobal.rs>

Thank you very much. That's how I already did it after some research and it's working like a charm.

Thanks again,
Nikola

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Monday, September 3, 2018 6:27 AM
To: Nikola Malenic ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] org.keycloak.keycloak-services

Hello Nikola,

Declaring dependencies in pom.xml alone is not sufficient for them to be resolved at runtime. Seems that you're deploying your authenticator via the standalone/deployments directory. In this case, you should include a META-INF/jboss-deployment-structure.xml in your JAR. Example: https://github.com/dteleguin/beercloak/blob/14da8578310f2d257bdc1b059a8d355343174180/src/main/resources/META-INF/jboss-deployment-structure.xml

You should change the module name to "deployment.aas" and leave only the dependencies you need.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-08-31 at 09:58 +0200, Nikola Malenic wrote:
> I developed an authentication provider and am trying to deploy it on
> the KC server.
> My project depends on keycloak-services:
>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-services</artifactId>
>         <scope>provided</scope>
>         <version>${keycloak.version}</version>
>     </dependency>
>
> My version is the same as the running Keycloak server.
>
> I'm getting this error:
>
> java.lang.NoClassDefFoundError: Failed to link
> rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm
> (Module \"deployment.aas-1.0.DEBUG.jar\" from Service Module Loader):
> org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator"}}
>
> And WildFly succeeds in finding other dependencies, like
> keycloak-server-spi etc.
>
> Any clue why this is happening?
>
> Many thanks,
>
> Nikola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Sep 3 04:26:00 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 3 Sep 2018 10:26:00 +0200
Subject: [keycloak-user] How to delete a federated identity?
In-Reply-To:
References:
Message-ID:

On Wed, 29 Aug 2018 at 20:13, Eric Wittmann wrote:

> Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
> Bitbucket. Creating a link works well, but deleting the link does not.
> It's been a while since I've checked for this functionality - but is there
> an API call in KC 4.x that Apicurio can use to delete the linked account
> for an authenticated user?
>
> Previously I was trying to use this:
>
> /auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
>
> But I don't think this ever worked, and it's definitely returning a 404
> now.
>

We don't currently have a REST API to remove the link; this will come as part of the work we are doing around a REST API for account management.

>
> In a related follow-up question - in Keycloak 4.3.0 (most recent testing) if
> I delete the linked account record in Apicurio, I cannot re-create it.
> When I try, the result is a PK violation in the Keycloak database. I can
> work around this problem only by logging into Keycloak and deleting the
> "Identity Provider Link" in Manage->Users. The URL Apicurio uses when
> initiating an account link is:
>
> /auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
>
> If the user already has an identity provider link for "gitlab" then the
> result is:
>
> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key
> violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER,
> USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL
> statement:
> insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID,
> FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?)
> [23505-193]
>     at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
>     at org.h2.message.DbException.get(DbException.java:179)
>     at org.h2.message.DbException.get(DbException.java:155)
>     at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
>     at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
>     at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
>     at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
>     at org.h2.command.dml.Insert.insertRows(Insert.java:156)
>     at org.h2.command.dml.Insert.update(Insert.java:114)
>     at org.h2.command.CommandContainer.update(CommandContainer.java:98)
>     at org.h2.command.Command.executeUpdate(Command.java:258)
>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
>     at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
>     at
> org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
>     ... 82 more
>
> Seeking help on both issues. I'm likely just doing the wrong thing. :)
>

Not sure what would be the expected behaviour when you are trying to add a link to a provider that already exists. As the app can't always detect if there is a link, I guess it should really redirect to the app with a message stating "already added" or something. It shouldn't throw an error like that though. Can you open a bug for this one please?

> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From clehingue at gmail.com Mon Sep 3 09:39:08 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Mon, 3 Sep 2018 15:39:08 +0200
Subject: [keycloak-user] How to configure Keycloak with Let's Encrypt
Message-ID:

Hello,

how to configure Keycloak with Let's Encrypt?

Regards,

Christophe

From janci.babel at gmail.com Mon Sep 3 10:39:28 2018
From: janci.babel at gmail.com (troger19)
Date: Mon, 3 Sep 2018 07:39:28 -0700 (MST)
Subject: [keycloak-user] How to specify redirect URL when resetting user password
Message-ID: <1535985568308-0.post@n6.nabble.com>

Hi guys

When resetting the password of a logged-in user, after specifying the user's email address and clicking the submit button, the user is redirected to the Account application. I would like to specify the redirection URL, so that the user is redirected to the Login page (or to some other static page with the message "Password was reset, check your email"). I am speculating about session.invalidate, but maybe there is a more elegant solution. I have found the URL in login-reset-password.ftl: action="${url.loginAction}".

*The user must be logged in when resetting the password!!!
If the user is logged out, after specifying the email address he is redirected to Login, which is OK.*

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From matthias.kesternich at moneymeets.com Mon Sep 3 11:15:35 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Mon, 3 Sep 2018 15:15:35 +0000
Subject: [keycloak-user] Internal server error with event logging
In-Reply-To:
References: <1C08CC91-C06C-410C-B937-DE95ED19161E@moneymeets.com>
Message-ID:

Hello Stian,

thanks for your help. I temporarily increased the size of the database column for the event details. When looking in there I found a few redirect URIs that were too long. The whole event details field was consuming ~3800 bytes. I convinced the application developers to use shorter redirect URIs to fix the issue. This works for now. If somebody exceeds the limit I will get a 500 again, of course.

Best,
-Matthias

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Thursday, 16 August 2018 at 17:20
To: Matthias Kesternich
Cc: keycloak-user
Subject: Re: [keycloak-user] Internal server error with event logging

Seems like something is putting too much information in the details of the events. It should be short and concise to prevent filling up the database. Do you know what event it is and how to reproduce?

On Thu, 16 Aug 2018 at 14:30, Matthias Kesternich wrote:

Hello,

with event detail logging enabled I keep getting 500 Internal Server Error. There was also a post on this list in May detailing the same problem (see http://lists.jboss.org/pipermail/keycloak-dev/2018-May/010807.html). As outlined in the post, the problematic piece of code is

@Column(name="DETAILS_JSON", length = 2550)
private String detailsJson;

This hardcodes the length to 2550 and apparently some of my event details get bigger than that. Any idea what I can do about this? Manually changing the database column could work, but I'm afraid a future Keycloak DB migration will badly interfere with this.
Is there any "official" way to override values like this? E.g. some configuration setting or JPA way to overwrite this?

Thanks,
-Matthias

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From matthias.kesternich at moneymeets.com Mon Sep 3 11:22:12 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Mon, 3 Sep 2018 15:22:12 +0000
Subject: [keycloak-user] redirect_uris in registration broken
Message-ID: <37DC9A68-8B31-4B70-943A-79D27B9D9197@moneymeets.com>

Hello,

if I perform the following steps, then the redirect_uris that are sent upon registration are just ignored:

1. Register user with redirect_uri=myapp
2. Receive the verification mail
3. Clear your browser cache or switch to another browser. This step is very important!
4. Open the link from the verification mail, see a tab open with the right redirect_uri in the URL bar
5. Click the button.
6. Another registration verification tab opens which features redirect_uri=account
7. Click the button
8. Get redirected to the login form with redirect_uri = account
9. Login
10. Get redirected to the account page instead of myapp.

Is this expected behavior? I also noticed that if you clear your browser cache then Keycloak will show an additional screen for verification of the e-mail address plus the login screen. If I don't clear the browser cache I only get one verification screen and I am then redirected to my application. Should I file a bug report?
Best,
-Matthias

From uo67113 at gmail.com Mon Sep 3 12:38:56 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 3 Sep 2018 18:38:56 +0200
Subject: [keycloak-user] SAML Logout fails with: "Invalid query param signature"
Message-ID:

Hello there,

Using keycloak-saml-tomcat8-adapter-dist-4.2.1.Final, I always get "org.keycloak.common.VerificationException: Invalid query param signature" when the IdP sends the LogoutResponse.

I've compared the implementation of AbstractSamlAuthenticationHandler.verifyRedirectBindingSignature [1] with a custom one that I developed myself and the only difference is:
- the way the parameters are decoded. I use java.util.Base64 while Keycloak uses its own (org.keycloak.saml.common.util.Base64)

I am using REDIRECT for the SingleLogoutService.responseBinding

Any thoughts on this?

Thanks in advance,

Luis

[1] https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87d77e3968c/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java#L602

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From russell at zeroflux.net Mon Sep 3 12:50:48 2018
From: russell at zeroflux.net (Russell Davies)
Date: Mon, 3 Sep 2018 18:50:48 +0200
Subject: [keycloak-user] Cross Realm Administration
Message-ID:

I've found a few list posts musing about cross realm administration but nothing concrete to say whether or not it's possible. So what's the status of it?

To give some background on my use case, I have three kinds of users: staff, contract staff, and customers. It seems to me that a realm for each kind of user is the best way to model this, so that groups, roles, and login screens are specific to them. Certain staff users (admins or managers) need to be able to manage the contract and customer users, like master realm admins can manage users in other realms. So how is this done?
Or if it's not possible, then should I use the master realm as the staff realm, or should I just have one realm and model it by way of roles and groups (still the issue of different login screens then)?

From eric.wittmann at redhat.com Mon Sep 3 15:37:41 2018
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Mon, 3 Sep 2018 15:37:41 -0400
Subject: [keycloak-user] How to delete a federated identity?
In-Reply-To:
References:
Message-ID:

Ok, thanks. Will do.

On Mon, Sep 3, 2018 at 4:26 AM Stian Thorgersen wrote:

>
>
> On Wed, 29 Aug 2018 at 20:13, Eric Wittmann
> wrote:
>
>> Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and
>> Bitbucket. Creating a link works well, but deleting the link does not.
>> It's been a while since I've checked for this functionality - but is there
>> an API call in KC 4.x that Apicurio can use to delete the linked account
>> for an authenticated user?
>>
>> Previously I was trying to use this:
>>
>> /auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab
>>
>> But I don't think this ever worked, and it's definitely returning a 404
>> now.
>>
>
> We don't currently have a REST API to remove the link; this will come as
> part of the work we are doing around a REST API for account management.
>
>
>>
>> In a related follow-up question - in Keycloak 4.3.0 (most recent testing)
>> if
>> I delete the linked account record in Apicurio, I cannot re-create it.
>> When I try, the result is a PK violation in the Keycloak database. I can
>> work around this problem only by logging into Keycloak and deleting the
>> "Identity Provider Link" in Manage->Users.
>> The URL Apicurio uses when
>> initiating an account link is:
>>
>> /auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated
>>
>> If the user already has an identity provider link for "gitlab" then the
>> result is:
>>
>> Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key
>> violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER,
>> USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL
>> statement:
>> insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID,
>> FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?)
>> [23505-193]
>>     at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
>>     at org.h2.message.DbException.get(DbException.java:179)
>>     at org.h2.message.DbException.get(DbException.java:155)
>>     at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
>>     at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
>>     at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
>>     at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
>>     at org.h2.command.dml.Insert.insertRows(Insert.java:156)
>>     at org.h2.command.dml.Insert.update(Insert.java:114)
>>     at org.h2.command.CommandContainer.update(CommandContainer.java:98)
>>     at org.h2.command.Command.executeUpdate(Command.java:258)
>>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
>>     at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
>>     at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
>>     at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
>>     ... 82 more
>>
>> Seeking help on both issues. I'm likely just doing the wrong thing.
:)
>>
>
> Not sure what would be the expected behaviour when you are trying to add a
> link to a provider that already exists. As the app can't always detect if
> there is a link, I guess it should really redirect to the app with a message
> stating "already added" or something. It shouldn't throw an error like that
> though. Can you open a bug for this one please?
>
>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From zitrone at gmx-topmail.de Mon Sep 3 16:51:37 2018
From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de)
Date: Mon, 3 Sep 2018 22:51:37 +0200
Subject: [keycloak-user] Passwords with umlauts
In-Reply-To:
References:
Message-ID: <6983ecaa-7436-dd2b-1625-34b5e20ef315@gmx-topmail.de>

Hi,

I have a problem with user passwords which contain umlauts (like ä ö ü, common ones in Germany). They will be stored, but when I try to get a token, it always fails with "Invalid user credentials".

I read https://www.keycloak.org/docs/3.4/server_installation/index.html#unicode-considerations-for-databases on how to enable Unicode in the DB, but I don't get which columns to alter. Since the password will be stored hashed and salted, will altering the DB have any effect at all?

Technical setup: Keycloak 3.4.3.Final with an Oracle DB

Regards
zitrone

From slaskawi at redhat.com Tue Sep 4 04:07:50 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 4 Sep 2018 10:07:50 +0200
Subject: [keycloak-user] How to configure Keycloak with Let's Encrypt
In-Reply-To:
References:
Message-ID:

This is a two-step procedure. At first, you need to create a JKS file from the Let's Encrypt certificates. You may find a nice article on this here [1]. Once this is done, just use the JKS file for HTTPS in Undertow. You may find how to do it in the WildFly manual [2].
[1] https://community.letsencrypt.org/t/tutorial-java-keystores-jks-with-lets-encrypt/34754/5
[2] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureSSL%2FTLS

On Mon, Sep 3, 2018 at 4:12 PM Christophe Lehingue wrote:

> Hello,
>
> how to configure Keycloak with Let's Encrypt?
>
> Regards,
>
> Christophe
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From stuarta at squashedfrog.net Tue Sep 4 07:22:49 2018
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Tue, 4 Sep 2018 12:22:49 +0100
Subject: [keycloak-user] How to configure Keycloak with Let's Encrypt
In-Reply-To:
References:
Message-ID: <811c6ebb-d0a7-37bd-cca7-37bd8cc2dc87@squashedfrog.net>

On 03/09/18 14:39, Christophe Lehingue wrote:
> Hello,
>
> how to configure Keycloak with Let's Encrypt?
>

The alternative is SSL termination on your webserver and proxying through to Keycloak.

Regards
Stuart

From matthias.kesternich at moneymeets.com Tue Sep 4 08:31:57 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Tue, 4 Sep 2018 12:31:57 +0000
Subject: [keycloak-user] redirect_uris in registration broken
Message-ID:

Hello again,

I think I might have found the bug by looking at the source code and my tokens. I'm looking at this file: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java, especially lines 102 and 107.

The token from the verification mail contains this:

"asid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee"

This contains the right client id 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient). When I open that link, the code in lines 78-93 is triggered, creating yet another token with a compound session id.
That token looks like this:

    "oasid": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
    "asid": "9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85",
    "compoundOriginalAuthenticationSessionId": "f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",

You can see the client id in 'oasid' is 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient) while in 'asid' the client id '453f147b-011f-4b40-a8c4-6bdac6eabc85' points to the "account" client!

Now when I click the link with this token, lines 102-110 are triggered. There it checks whether the original authentication session id is present (it is) and then proceeds to the form with the *current* authSession. The current auth session will be taken from "asid", which features the wrong client "account"!

A potential fix might be to use the original authentication session in line 107 instead of the current one.

Is there anything I can do about this bug? Right now this means all users opening the mail in a new browser window/on a different device will be stuck on their accounts page and don't get back to the client they registered from.

Best,
-Matthias

On 03.09.18, 18:30, "keycloak-user-bounces at lists.jboss.org on behalf of Matthias Kesternich" wrote:

> Hello,
>
> if I perform the following steps, then the redirect_uris that are sent upon registration are just ignored:
>
> 1. Register user with redirect_uri=myapp
> 2. Receive the verification mail
> 3. Clear your browser cache or switch to another browser. This step is very important!
> 4. Open the link from the verification mail, see a tab open with the right redirect_uri in the url bar
> 5. Click the button.
> 6. Another registration verification tab opens which features redirect_uri=account
> 7. Click the button
> 8. Get redirected to the login form with redirect_uri = account
> 9. Login
> 10. Get redirected to the account page instead of myapp.
>
> Is this expected behavior?
> I also noticed that if you clear your browser cache then keycloak will show an additional screen for verification of the e-mail address plus the login screen. If I don't clear the browser cache I only get one verification screen and I am then redirected to my application.
>
> Should I file a bug report?
>
> Best,
> -Matthias

From java at neposoft.com Tue Sep 4 11:17:25 2018
From: java at neposoft.com (java_os)
Date: Tue, 4 Sep 2018 11:17:25 -0400
Subject: [keycloak-user] KC4.3.0.Final- mariadb db errors on fresh install

Struggled with this fresh install.
You get this error on startup:

    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL' at line 1 [Failed SQL: ALTER TABLE keycloak.CREDENTIAL ADD COUNTER INT DEFAULT 0 NULL, ADD DIGITS INT DEFAULT 6 NULL, ADD PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL]

======

I ran it in manual mode db upgrade to get the generated .sql, changed the alter on credentials as follows (injecting COLUMN into the sql - weird?):

    ALTER TABLE keycloak.CREDENTIAL ADD COLUMN COUNTER INT DEFAULT 0 NULL, ADD COLUMN DIGITS INT DEFAULT 6 NULL, ADD COLUMN PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL;

Especially before PERIOD, where it bailed out.

Re-run the sql update - works, able to bring kc up.

Really? Why? Anyone gone through this?

From ryprice at redhat.com Tue Sep 4 11:38:01 2018
From: ryprice at redhat.com (Ryan Price)
Date: Tue, 4 Sep 2018 08:38:01 -0700
Subject: [keycloak-user] keycloak-js on Edge causes CORS issues

I am getting ready to roll out a new client app that uses keycloak-js, and we're testing with BrowserStack on MS Edge.
Edge does not pick up the user's authentication on an init('check-sso') and in the error console we see:

    SEC7120: [CORS] the origin 'http://HOST.com' failed to allow a cross-origin document resource at 'ms-appx-web://assets/errorpages/sslnavcancel.html# https://KEYCLOAK-SERVER/auth/realms/REALM/protocol/openid-connect/login-status-iframe.html ".

Since I am testing on development servers over browserstack there are lots of self-signed SSL certificates and things that would not exist in production; not sure if that's the case here or some policy that only exists in Edge. We can get this to work in other major browsers and platforms.

--
Ryan Price
Senior Web Application Developer
Red Hat
ryprice at redhat.com
IM: @liberatr

From balaji_bl at yahoo.com Tue Sep 4 12:58:06 2018
From: balaji_bl at yahoo.com (Balaji Balakrishnan)
Date: Tue, 4 Sep 2018 16:58:06 +0000 (UTC)
Subject: [keycloak-user] "id_token_hint" support
References: <505949002.1109372.1536080286454.ref@mail.yahoo.com>
Message-ID: <505949002.1109372.1536080286454@mail.yahoo.com>

Hi,

Is id_token_hint supported for OIDC login? I am trying to emulate the auto login for a user interaction. This goes something like this. A user signs up for a "thing". The "thing" is provisioned and a userid/pwd is auto generated and mailed to the user. At the same time a user (userid/pwd) is created in keycloak as well. As soon as the "thing" is provisioned, the user will be taken to the home page without asking for credentials.

We enabled "Direct Access Grants Enabled" at the client level. We get an ID token using the auto generated userid/pwd using the "password" grant. Then we use the generated Id Token as id_token_hint and initiate the "code" grant login. I could see a session was created when the Id token was obtained but keycloak still shows me the Login screen.
Thanks
Balaji

From hcsgzh at gmail.com Tue Sep 4 16:32:21 2018
From: hcsgzh at gmail.com (hugh shangguan)
Date: Wed, 5 Sep 2018 08:32:21 +1200
Subject: [keycloak-user] How to configure Mutual SSL between Keycloak and Postgresql

Hi there,

I was interested in Keycloak work on SSL client certs for JDBC to connect PostgreSQL. I hope someone can give me some help.

First of all, I should mention that my client cert authentication is working fine with psql in both 1-way and 2-way (mutual ssl) ssl authentication. So I am satisfied with the certs and keys because I can use psql to connect keycloak server and postgresql server via mutual SSL. There are two servers, one is the keycloak server, the other is the postgresql server.

    postgresql.crt
    postgresql.key / postgresql.pk8
    root.crt

Those files are located in ${user.home}/.postgresql/ in my postgresql server.

In my PostgreSQL server, if I configure like this (one-way SSL):

    hostssl all all 0.0.0.0/0 md5

It is fine. My keycloak server will connect with my postgresql server very well.

However, when I configure like this (Mutual SSL):

    hostssl all all 0.0.0.0/0 md5 clientcert=1

The connection will fail. The log is below.

    Caused by: java.lang.RuntimeException: Failed to connect to database
    Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
    Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
    Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate"}}

*"connection requires a valid client certificate".*

I don't know how to config the client certificate in keycloak (standalone.xml). In the meantime, I still can use 'psql' to connect via mutual SSL to my postgresql server from my keycloak server.

Questions:

1.
Does keycloak support mutual authentication ssl, when I try to connect keycloak to postgresql in 2-way authentication? (I guess so because this is about security. This should be JDBC's problem. But I am not sure. And I tried the instructions from the Postgresql JDBC Driver Doc, https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still doesn't work.)

2. How to configure Keycloak to connect via mutual ssl between keycloak and postgresql?

Thank you for your time!

Cheers!
--
Hugh Zhaohui Shangguan

From ruslan.rusu at clearme.com Tue Sep 4 18:25:57 2018
From: ruslan.rusu at clearme.com (Ruslan Rusu)
Date: Tue, 4 Sep 2018 18:25:57 -0400
Subject: [keycloak-user] OIDC biometrics authentication

Hi here!

I'm new in this space, my sincere apologies if my language is ambiguous or not precise.

What I'm trying to achieve: identify users with biometrics. Specifically, the identification part from png image => userId will be done by an internal system. keycloak here will use the back channel (rest call) to communicate with the internal identification system. The happy path will produce a token and 401 otherwise.

Here is how I anticipate keycloak to be called:

    require 'httparty'
    require 'json'
    require 'jwt'
    require 'securerandom'
    require 'base64'

    result = HTTParty.post(
      "http://......../auth/realms/face-idf/protocol/openid-connect/token",
      :body => {
        :grant_type => :password,
        :client_id => "56a4acc2",
        :client_secret => "ea539549",
        # the biometric sample travels as a JSON string inside the form body
        :request => {
          "imageFormat" => "png",
          "base64image" => "R0lGODlbEh.....more...here...AAOw=="
        }.to_json.to_s
      },
      :headers => { 'Accept' => "application/json" }
    )
    pp JSON.parse(result.body)

I tried 2 options and one succeeded so far.

option 1: extend Authenticator, call inside authenticate()

This option implies that users are available in keycloak. In my case keycloak is just fronting my real identity management system.
I've tried to return InMemoryUserAdapter but there is code downstream which goes to cache and persistence, and if it cannot be found then it blows with an unexpected AuthenticationException.

Workaround:

    UserModel userModel = KeycloakModelUtils
        .findUserByNameOrEmail(context.getSession(), context.getRealm(), memberId);
    if (userModel == null) {
        // create a local shadow user so the downstream cache/persistence lookup succeeds
        userModel = context.getSession()
            .userStorageManager().addUser(context.getRealm(), memberId);
        userModel.setUsername(memberId);
        userModel.setEnabled(true);
    }

Status: Seems unnecessary but it works end to end.

option 2: extend PropertyFileUserStorageProvider, call inside isValid()

This seems a better fit for external identities, though I could not figure out from the docs how I get a custom UserCredentialModel for biometrics. If I try to hijack grant_type=password and username/password is missing then it fails before my isValid() gets called.

Status: Could not get this to work

The documentation and code were very helpful to hit the ground running. I understand my use case is not what keycloak does by default, but man, I'm impressed what it can do. I would not be surprised if I'm over thinking this :)

Have a couple questions:

0) is the ruby above oauth/oidc compliant? could not find anything on oauth/oidc rfc or google
1) is grant_type => :password appropriate for an external biometrics identification context?
2) if I try federation how do I get access to biometrics from the request?

Any suggestion, hint, advice of how to enable keycloak to accept biometric identification requests is highly appreciated!

Thank you,
Ruslan

From timmy.ccl at gmail.com Tue Sep 4 22:32:13 2018
From: timmy.ccl at gmail.com (Chih-Chun Lee 李志純)
Date: Wed, 5 Sep 2018 10:32:13 +0800
Subject: [keycloak-user] How to update defaultGroups via kcadm

Hello,

I tried to update defaultGroups via the kcadm command line, but it didn't work. I want to add an existing group to defaultGroups.
The following is what I've tried:

    $ bin/kcadm.sh update realms/demo -b '{"defaultGroups":["/demogroup"]}'
    $ bin/kcadm.sh update realms/demo -s 'defaultGroups=["/demogroup"]'

Didn't work, even when configuring defaultGroups while creating the realm:

    $ bin/kcadm.sh create realms -b '{"realm":"demo", "enabled":true, "defaultGroups":["/demogroup"]}'

It's weird because the defaultRoles property seems to work fine:

    $ bin/kcadm.sh update realms/demo -b '{"defaultRoles":["test", "demo"]}'

To verify the changes, run the following:

    $ bin/kcadm.sh get realms/demo | grep default

The result shows:

    "defaultRoles" : [ "test", "demo" ],

defaultGroups never shows. Am I doing something wrong? Please help me, thanks.

Best regards,
Timothy

From patrick.bucher at peax.ch Wed Sep 5 02:36:17 2018
From: patrick.bucher at peax.ch (Patrick Bucher)
Date: Wed, 5 Sep 2018 06:36:17 +0000
Subject: [keycloak-user] unsubscribe
Message-ID: <1173326C-EFD3-499C-920D-7F364F9B5A70@contoso.com>

From hmlnarik at redhat.com Wed Sep 5 02:50:07 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 5 Sep 2018 08:50:07 +0200
Subject: [keycloak-user] KC4.3.0.Final- mariadb db errors on fresh install

This will be fixed in 4.4.0. See https://issues.jboss.org/browse/KEYCLOAK-6411 for details

On Tue, Sep 4, 2018 at 6:26 PM java_os wrote:
> Struggled with this fresh install.
> You get this error on startup:
> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL' at line 1 [Failed SQL: ALTER TABLE keycloak.CREDENTIAL ADD COUNTER INT DEFAULT 0 NULL, ADD DIGITS INT DEFAULT 6 NULL, ADD PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL]
>
> ======
>
> I ran it in manual mode db upgrade to get the generated .sql, changed the alter on credentials as follows (injecting COLUMN into the sql - weird?)
> ALTER TABLE keycloak.CREDENTIAL ADD COLUMN COUNTER INT DEFAULT 0 NULL, ADD COLUMN DIGITS INT DEFAULT 6 NULL, ADD COLUMN PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL;
>
> Especially before PERIOD, where it bailed out.
>
> Re-run the sql update - works, able to bring kc up.
>
> Really? Why? Anyone gone through this?

From erik.g.haugen at gmail.com Wed Sep 5 04:05:32 2018
From: erik.g.haugen at gmail.com (Erik G. Haugen)
Date: Wed, 5 Sep 2018 10:05:32 +0200
Subject: [keycloak-user] Can't access REST service with valid keycloak token after secure with keycloak

I used the keycloak Java API to get a valid token, then used this token to try to access a REST service that has been secured with keycloak, but I get a 404 error, Not Found.

Here is my java code to get the token from keycloak. This appears to work:

    AuthzClient authzClient = AuthzClient.create();
    AccessTokenResponse response = authzClient.obtainAccessToken(user, password);

I get a valid token in the response. I then try to use this token to access the REST service secured with keycloak:

    String tokenStr = response.getToken();   // the bearer access token from the response above
    String urlString = "http://localhost:3333/appname-1.0.0-SNAPSHOT/project/0.1/device/return/all";
    URL url = new URL(urlString);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("GET");
    String authString = "Bearer " + tokenStr;
    con.setRequestProperty("Authorization", authString);
    basicStatus = con.getResponseCode();

The basicStatus returns 404.

I secured the war file with the REST service by adding a web.xml file and a keycloak.json file. If I remove the web.xml and keycloak.json file from the war, then the above code returns 200. But then the service is not secure.

web.xml:

    Device /device/* device KEYCLOAK this is ignored currently device

user has role of device in keycloak.
Any idea what might be wrong?

From K.Buler at adbglobal.com Wed Sep 5 05:45:04 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Wed, 5 Sep 2018 11:45:04 +0200
Subject: [keycloak-user] Delete session strange behaviour

Hi Keycloaks,

I'm using my custom User's Provider and when I'm trying to delete a session by "sessionId" there is something strange, because my provider is asking for the User. In my opinion when you are trying to delete a session, it should be done as is. The problem is that in my CRM I'm deleting the user, so after trying to delete the session an error occurs, because there is no user in the CRM, but the Provider is expecting it. Is there any "flag" or something to disable this, let's say, "checking"? Or can I distinguish asking for the user during the login and deleting the session?

Karol

adbglobal.com

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.
From princeanand.anandaraj at object-frontier.com Wed Sep 5 07:17:00 2018
From: princeanand.anandaraj at object-frontier.com (Prince Anand Anandaraj)
Date: Wed, 05 Sep 2018 16:47:00 +0530
Subject: [keycloak-user] Queries regarding keycloak api usage

Hi,

I am currently working on securing an application using keycloak. Currently, I am using keycloak version 3.4.3. I have some questions.

I face some problems using authz-client. I do not find any provision (methods) to log out a user who has been authenticated using the authz-client api. Is there a way to log out a user authenticated using authz-client?

Is there a way to change the user password by consuming the keycloak api other than the keycloak admin api?

I am trying to get userModel, userSessionModel and realmModel using an api call to get some information of the current logged-in user. Most of the api in keycloak expects an instance of "KeycloakSession", including some classes and methods that are used to change user credentials. How do I get this keycloakSession?

Thanks in advance.

Thanks and regards,
Prince Anand

Disclaimer : http://www.objectfrontier.com/maildisclaimer.html

From lilian.benoit at lbenoit.fr Wed Sep 5 11:57:44 2018
From: lilian.benoit at lbenoit.fr (Lilian BENOIT)
Date: Wed, 05 Sep 2018 17:57:44 +0200
Subject: [keycloak-user] Direct link to register page
Message-ID: <74f392e08f17a763ca5788bd0196335d@lbenoit.fr>

Hi,

I would like to access the registration page directly, without the login page.

I have found one response on this mailing-list: http://keycloak-user.88327.x6.nabble.com/keycloak-user-Direct-link-to-register-page-td629.html

I have tried to use the URL link: http://localhost:8081/auth/realms/master/protocol/openid-connect/registrations

I obtained an error message: Missing parameters: client_id

I added this parameter and obtained another error message: Page Not Found.
But I have seen in the URL: https://.../account?error=invalid_request&error_description=Missing+parameter%3A+response_type

What parameter should I add to the URL?

I use Keycloak 4.1.0.Final

Regards,
Lilian.

From Kevin.Fox at pnnl.gov Wed Sep 5 12:17:16 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Wed, 5 Sep 2018 16:17:16 +0000
Subject: [keycloak-user] authentication / authorization / 3rd party web services
Message-ID: <1A3C52DFCD06494D8528644858247BF01C189C40@EX10MBOX03.pnnl.gov>

Hi All,

I'm trying to get a handle on Keycloak and have a use case it may be good for, but it is unclear how I proceed.

I would like to use Keycloak to provide unified authentication and provide some additional info useful for authorization. So this is OpenID Connect type things. Allow a user to login with Kerberos or some social provider such as Google/Github. And then tack on some groups/roles/whatever to allow authorization downstream. Keycloak seems to support this piece very well.

I'd like to be able to do something similar to google or github, where you have a self service website a user can go to, to get client credentials to allow external web services to auth to the web services on the user's behalf. As things like Kubernetes become more widely deployed, I see users needing to launch their own web services and hook them into the auth system easily. I see pieces of this in keycloak but not sure how this should work.

I can see the organization providing some services, and other users providing services. How would you arrange it so that one tenant's services could be authorized by a user to be used by another tenant's services? Like, in the attached diagram, I could see a user logging in, then going to the Processing web service, then being asked to give access permissions to the Storage web service so that it can retrieve data.
To do something like this, would you have one master Domain users login through, and then have per tenant domains which are an openidc client of the master domain and give each tenant their own admin access to their own tenant? Is there a totally different way to do this? Is this something that is out of scope for Keycloak?

Thanks,
Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak.png
Type: image/png
Size: 63146 bytes
Desc: keycloak.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180905/4f34a608/attachment-0001.png

From lilian.benoit at lbenoit.fr Wed Sep 5 15:56:59 2018
From: lilian.benoit at lbenoit.fr (Lilian BENOIT)
Date: Wed, 05 Sep 2018 21:56:59 +0200
Subject: [keycloak-user] Direct link to register page
In-Reply-To: <74f392e08f17a763ca5788bd0196335d@lbenoit.fr>
References: <74f392e08f17a763ca5788bd0196335d@lbenoit.fr>
Message-ID: <26cedc194693bbe5906035dc1b42f127@lbenoit.fr>

Hi,

I have succeeded in accessing the registration page directly. I must add the parameter response_type with the value "code". Why? What is the reason?

http://localhost:8081/auth/realms/master/protocol/openid-connect/registrations?client_id=account&response_type=code

Regards,
Lilian.

On 2018-09-05 17:57, Lilian BENOIT wrote:
> Hi,
>
> I would like to access the registration page directly, without the login page.
>
> I have found one response on this mailing-list:
> http://keycloak-user.88327.x6.nabble.com/keycloak-user-Direct-link-to-register-page-td629.html
>
> I have tried to use the URL link:
> http://localhost:8081/auth/realms/master/protocol/openid-connect/registrations
>
> I obtained an error message: Missing parameters: client_id
>
> I added this parameter and obtained another error message: Page Not Found.
> But I have seen in the URL:
> https://.../account?error=invalid_request&error_description=Missing+parameter%3A+response_type
>
> What parameter should I add to the URL?
>
> I use Keycloak 4.1.0.Final
>
> Regards,
> Lilian.

From gfoster at loyalsource.com Wed Sep 5 16:19:00 2018
From: gfoster at loyalsource.com (Grant Foster)
Date: Wed, 5 Sep 2018 20:19:00 +0000
Subject: [keycloak-user] Realm Admin Console x509 Certificate Login

Hi all,

Is there a way to configure Keycloak to use a user's certificate for logging in to a realm's admin console?

Here's the documentation I read for client x509 authentication: https://www.keycloak.org/docs/3.4/server_admin/index.html#_x509

I don't see anything in regard to authenticating a realm admin into the admin console using x509 authentication - just for authenticating with a client.

I've googled but haven't found anyone asking the same question, so I figured I'd ask here.

Just to be clear, I want to be able to go to localhost:8180/auth/admin/{realm-name}/console and be asked to authenticate using my user certificate instead of username/password. Can this be done? Thanks.

From serialoverflow at gmail.com Thu Sep 6 06:34:47 2018
From: serialoverflow at gmail.com (Max Demian)
Date: Thu, 6 Sep 2018 12:34:47 +0200
Subject: [keycloak-user] Getting current users access token inside User Storage Federation Provider?
In-Reply-To: <002901d44359$e442cb40$acc861c0$@netsetglobal.rs>
References: <001201d44100$590d3430$0b279c90$@netsetglobal.rs> <1535948793.17806.1.camel@acutus.pro> <002901d44359$e442cb40$acc861c0$@netsetglobal.rs>

Hi,

is it possible to obtain the user's oauth2/oidc authentication context inside a User Storage Federation Provider? Once the user has successfully authenticated, we would like to internally perform an action using his access token. I assume Keycloak only creates the oidc token once the user storage federation provider has successfully finished and the user is authenticated.
In that case, what is the next best place to hook into to perform an action with the user's oidc tokens, at least the access token?

Thanks!

From ulrik.lejon at mollyware.se Thu Sep 6 09:24:48 2018
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Thu, 6 Sep 2018 15:24:48 +0200
Subject: [keycloak-user] Client role scope param

Hi,

I'm having some issues understanding how to use the "Scope Param Required" switch when creating a role on my client. I have created a new client in the master realm, let's call it "master-client". Next I went to Clients > Master-client -> Roles and added a role named "role-one". In the wizard where I created the role I selected true on the switch "Scope Param Required". After that I created a new user and added the role "role-one" to that user.

When I look at the access token the user receives when logging in using the javascript adapter I cannot see "role-one" in the roles array in the resource_access object. I get this: "resource_access": {}.

However, if I edit the role and select false on the switch "Scope Param Required" I can see "role-one" in the JWT:

    "resource_access": { "master-client": { "roles": [ "role-one" ] } }

What am I missing? I'm using Keycloak 3.1.0.FINAL and keycloak-js 3.4.3.

Cheers,
Ulrik

From ulrik.lejon at mollyware.se Thu Sep 6 09:36:40 2018
From: ulrik.lejon at mollyware.se (Ulrik Lejon)
Date: Thu, 6 Sep 2018 15:36:40 +0200
Subject: [keycloak-user] Client role scope param

Hi,

I'm having some issues understanding how to use the "Scope Param Required" switch when creating a role on my client. I have created a new client in the master realm, let's call it "master-client". Next I went to Clients > Master-client -> Roles and added a role named "role-one". In the wizard where I created the role I selected true on the switch "Scope Param Required". After that I created a new user and added the role "role-one" to that user.
When I look at the access token the user receives when logging in using the javascript adapter I cannot see "role-one" in the roles array in the resource_access object. I get this: "resource_access": {}.

However, if I edit the role and select false on the switch "Scope Param Required" I can see "role-one" in the JWT:

    "resource_access": { "master-client": { "roles": [ "role-one" ] } }

What am I missing? I'm using Keycloak 3.1.0.FINAL and keycloak-js 3.4.3.

Cheers,
Ulrik

From chris.nguyen at intradiem.com Thu Sep 6 11:34:43 2018
From: chris.nguyen at intradiem.com (Chris Nguyen)
Date: Thu, 6 Sep 2018 15:34:43 +0000
Subject: [keycloak-user] Client Authentication on Android with Signed JWT
Message-ID: <529B968F-04E2-4FD5-8BCE-3507206EA26F@intradiem.com>

All,

I am trying to implement client authentication with a signed JWT. The example in the documentation shows how it works for a web adapter. How would one perform this on Android, for example with AppAuth-Android or AeroGear for Android?

Client Authentication: https://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/java/client-authentication.html

Thanks,
Chris Nguyen

From java at neposoft.com Thu Sep 6 11:46:10 2018
From: java at neposoft.com (java_os)
Date: Thu, 6 Sep 2018 11:46:10 -0400
Subject: [keycloak-user] KC4.3.0.Final- mariadb db errors on fresh install

Thanks

> This will be fixed in 4.4.0. See
> https://issues.jboss.org/browse/KEYCLOAK-6411 for details
>
> On Tue, Sep 4, 2018 at 6:26 PM java_os wrote:
>
>> Struggled with this fresh install.
>> You get this error on startup:
>> You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL' at line 1 [Failed SQL: ALTER TABLE keycloak.CREDENTIAL ADD COUNTER INT DEFAULT 0 NULL, ADD DIGITS INT DEFAULT 6 NULL, ADD PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL]
>>
>> ======
>>
>> I ran it in manual mode db upgrade to get the generated .sql, changed the alter on credentials as follows (injecting COLUMN into the sql - weird?)
>> ALTER TABLE keycloak.CREDENTIAL ADD COLUMN COUNTER INT DEFAULT 0 NULL, ADD COLUMN DIGITS INT DEFAULT 6 NULL, ADD COLUMN PERIOD INT DEFAULT 30 NULL, ADD ALGORITHM VARCHAR(36) DEFAULT 'HmacSHA1' NULL;
>>
>> Especially before PERIOD, where it bailed out.
>>
>> Re-run the sql update - works, able to bring kc up.
>>
>> Really? Why? Anyone gone through this?

From jkenefick at eircom.net Thu Sep 6 13:42:26 2018
From: jkenefick at eircom.net (Jack Kenefick)
Date: Thu, 6 Sep 2018 18:42:26 +0100 (IST)
Subject: [keycloak-user] Retrieve terms and conditions text through Rest/Java API?
Message-ID: <743484450.853126.1536255746259.JavaMail.zimbra@eircom.net>

Hi,

Is there any way to retrieve the terms and conditions text through the API? Users logging in need to accept terms and conditions, no problem there. But after they log in, there is an option on the UI to show the T&Cs again (read-only) that were agreed to. I've been looking for a way to retrieve this text through APIs but I cannot see any way to accomplish this.

More generally, is there a way to retrieve files from the themes folders through the REST or Java APIs? E.g.
the message properties file, so that we could retrieve key/values of licence text rather than the formatted html.

If anyone knows of a way to do any of this I would be grateful.

Best regards,
Jack.

From riz_sbia at yahoo.com Thu Sep 6 14:50:26 2018
From: riz_sbia at yahoo.com (Rizwan Ashraf)
Date: Thu, 6 Sep 2018 18:50:26 +0000 (UTC)
Subject: [keycloak-user] Guidance for Joomla CMS user authentication using KeyCloak
References: <1268567938.661377.1536259826273.ref@mail.yahoo.com>
Message-ID: <1268567938.661377.1536259826273@mail.yahoo.com>

Greetings friends,

I am new to Keycloak so please forgive me if I am not clear about the guidance question. I am setting up Joomla CMS 3.8.x and would like users provisioned and authenticated using KeyCloak. Has anyone set up a POC or working configuration of how to set up Joomla CMS authentication using Keycloak please? I would need detailed working guidance.

Thank you very much for your guidance and help!

Sincerely,
Riz

From mposolda at redhat.com Thu Sep 6 15:29:29 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Sep 2018 21:29:29 +0200
Subject: [keycloak-user] Client role scope param
Message-ID: <8e1075ea-6ddc-3bca-cd44-42bfd418c8f8@redhat.com>

I suggest migrating to the latest 4.4.0. The "Scope Param Required" switch is not here anymore and there is much better support for the "scope" parameter.

Marek

On 06/09/18 15:36, Ulrik Lejon wrote:
> Hi,
>
> I'm having some issues understanding how to use the "Scope Param Required" switch when creating a role on my client. I have created a new client in the master realm, let's call it "master-client". Next I went to Clients > Master-client -> Roles and added a role named "role-one". In the wizard where I created the role I selected true on the switch "Scope Param Required". After that I created a new user and added the role "role-one" to that user.
>
> When I look at the access token the user receives when logging in using the javascript adapter I can not see "role-one" in the roles array in the resource_access object. I get this: "resource_access": {}.
> However, if I edit the role and select false on the switch "Scope Param Required" I can see "role-one" in the JWT: "resource_access": { "master-client": { "roles": [ "role-one" ] } }
>
> What am I missing? I'm using Keycloak 3.1.0.FINAL and keycloak-js 3.4.3.
> Cheers,
> Ulrik

From mposolda at redhat.com Thu Sep 6 15:34:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Sep 2018 21:34:37 +0200
Subject: [keycloak-user] Client Authentication on Android with Signed JWT
In-Reply-To: <529B968F-04E2-4FD5-8BCE-3507206EA26F@intradiem.com>
References: <529B968F-04E2-4FD5-8BCE-3507206EA26F@intradiem.com>
Message-ID:

I am not sure, but maybe you will need to implement the adapter side for this platform. In short, what needs to be done is to generate a JWT, sign it with a client private key (the corresponding public key must be available on the Keycloak server side, so Keycloak can later verify the signature; see the docs for more details), encode it into the appropriate parameters (client_assertion, client_assertion_type) and send it to the server. See the class JWTClientCredentialsProvider as an example adapter implementation for the Java adapter.

Marek

On 06/09/18 17:34, Chris Nguyen wrote:
> All,
>
> I am trying to implement client authentication with a signed JWT. The example in the documentation shows how it works for a web adapter. How would one perform this on Android, for example with AppAuth-Android or AeroGear for Android?
>
> Client Authentication: https://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/java/client-authentication.html
>
> Thanks,
> Chris Nguyen

From mposolda at redhat.com Thu Sep 6 15:37:16 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Sep 2018 21:37:16 +0200
Subject: [keycloak-user] Realm Admin Console x509 Certificate Login
In-Reply-To:
References:
Message-ID: <354cf47b-9645-0482-5ff6-8b332541c517@redhat.com>

If you want it just for this client, you may need to add an "Authentication flow override" for the "security-admin-console" client, configure the authentication flow with the x509 certificate, and use just that one for login to this security-admin-console client.

Marek

On 05/09/18 22:19, Grant Foster wrote:
> Hi all,
>
> Is there a way to configure Keycloak to use a user's certificate for logging in to a realm's admin console?
>
> Here's the documentation I read for client x509 authentication: https://www.keycloak.org/docs/3.4/server_admin/index.html#_x509
>
> I don't see anything in regard to authenticating a realm admin into the admin console using x509 authentication - just for authenticating with a client.
>
> I've googled but haven't found anyone asking the same question, so I figured I'd ask here.
>
> Just to be clear, I want to be able to go to localhost:8180/auth/admin/{realm-name}/console and be asked to authenticate using my user certificate instead of username/password. Can this be done? Thanks.
>

From jonathan.j.carrasco at jpl.nasa.gov Thu Sep 6 19:47:59 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Thu, 6 Sep 2018 23:47:59 +0000
Subject: [keycloak-user] RSA SecureID Support
Message-ID: <3AEE5B0D-A716-4C7F-AE93-907E590A63FD@jpl.nasa.gov>

Hello,

Can anyone point me in the direction for integrating RSA Auth for Keycloak? This is a hard requirement for the project. Thanks.

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory

From jonathan.j.carrasco at jpl.nasa.gov Thu Sep 6 19:58:01 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Thu, 6 Sep 2018 23:58:01 +0000
Subject: [keycloak-user] Best Practice AWS+ECS implementation
Message-ID:

Hello.

I'm working on implementing Keycloak on ECS. The proposed architecture is:
  2x - Keycloak Docker images (customized for Domain Mode)
  RDS Postgres Instance

My question - and I'm open to comments - is what is best practice for Load Balancing and what is the community using? I was thinking of spinning up another docker instance with Nginx for load balancing instead of Amazon's ALB. Is that something that makes sense or better to just use ALB?

The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory

From dt at acutus.pro Thu Sep 6 22:55:17 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 07 Sep 2018 05:55:17 +0300
Subject: [keycloak-user] Best Practice AWS+ECS implementation
In-Reply-To:
References:
Message-ID: <1536288917.14278.3.camel@acutus.pro>

Hello Jonathan,

On Thu, 2018-09-06 at 23:58 +0000, Carrasco, Jonathan J (173F) wrote:
> Hello.
>
> I'm working on implementing Keycloak on ECS.
> The proposed architecture is:
> 2x - Keycloak Docker images (customized for Domain Mode)
> RDS Postgres Instance

Before we move on to the LB topic: please remember that AWS (incl. ECS) doesn't allow for IP multicast between the nodes/containers, and IP multicast is what Keycloak clustering relies upon (at least in the default configuration). In more detail, you'll have to configure an alternate node discovery mechanism for JGroups, like JDBC_PING or S3_PING. See the doc for more details, especially the "Troubleshooting AWS specifics" section at the end: https://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html

Or google for "Keycloak AWS", there have been a lot of postings on this ML on that topic.

> My question - and I'm open to comments - is what is best practice for Load Balancing and what is the community using? I was thinking of spinning up another docker instance with Nginx for load balancing instead of Amazon's ALB.

In addition to nginx, I'd also recommend that you take a look at HAProxy: http://www.haproxy.org/

Nginx is a web server first and foremost, and reverse proxying / load balancing are kinda secondary functions for Nginx. On the other hand, haproxy implements a lot of LB-specific stuff, like e.g. throttling based on HTTP headers, which might be topical (depends on your architecture of course).

> Is that something that makes sense or better to just use ALB?

This is pretty reasonable. The main points here are:
- you can have something more powerful and feature-rich than ALB;
- you can take full control of it.

For example, Keycloak recommends using sticky sessions for performance purposes: https://www.keycloak.org/docs/4.4/server_installation/#sticky-sessions
This is absolutely doable with nginx/HAproxy, but I'm not sure if it is possible with ALB.

> The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector.
> Is there some docs on best way to execute separating the credential collector?

Could you please elaborate on what you mean by "credential collector"?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> --
> Jonathan Carrasco (173F)
> Jet Propulsion Laboratory

From sthorger at redhat.com Fri Sep 7 02:20:45 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 7 Sep 2018 08:20:45 +0200
Subject: [keycloak-user] Keycloak 4.4.0.Final is out
Message-ID:

https://www.keycloak.org/docs/latest/release_notes/index.html

From tony.vu at industrie.co Fri Sep 7 02:50:47 2018
From: tony.vu at industrie.co (Tony Vu)
Date: Fri, 7 Sep 2018 16:50:47 +1000
Subject: [keycloak-user] Different subjects for verification and password reset emails
Message-ID:

Hi

We are using Keycloak in one of our products and we want to customise the verification and password reset email content and subjects. But we recognise that both of the emails use the same template executeActions.ftl and there is only 1 field for the subject line of that email: executeActionsSubject. I saw emailVerificationSubject and passwordResetSubject but these were not used. What can I do to use different subject lines for the keycloak verification email and password reset email?

Thanks
Tony Vu

From triveni.chegireddy at tcs.com Fri Sep 7 03:12:20 2018
From: triveni.chegireddy at tcs.com (Triveni Chegireddy)
Date: Fri, 7 Sep 2018 12:42:20 +0530
Subject: [keycloak-user] Keycloak single Log Out not working
Message-ID:

Hi Team,

I am securing many tools using Keycloak for Single sign on and Single Logout.
We are securing tools like Jira, Confluence using the Miniorange plugin. We have a few Spring Boot applications which are to be secured. They are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter.

Single Sign on is working fine. The landing application is a Spring Boot web application, which is accessed by giving LDAP credentials. From that application, we will be accessing Jira, Confluence. They are opened without asking me for credentials.

But Single Logout is not working. In the Spring Boot application, on click of Logout, I am calling HttpServletRequest.logout(), which is logging me out of the Spring Boot application successfully. But the sessions in Jira and Confluence are not killed. Similarly, once I open the tools from the Spring Boot application, on logout of any tool both Jira and Confluence are logging out using Single Logout but the session in the Spring Boot application is not killed.

Could you please help us resolve this issue.

Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy at tcs.com
Website: http://www.tcs.com

From Sebastian.Schuster at bosch-si.com Fri Sep 7 03:20:54 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS))
Date: Fri, 7 Sep 2018 07:20:54 +0000
Subject: [keycloak-user] Best Practice AWS+ECS implementation
In-Reply-To: <1536288917.14278.3.camel@acutus.pro>
References: <1536288917.14278.3.camel@acutus.pro>
Message-ID: <2206d5d98b204a789d55c072a067166b@bosch-si.com>

Hi Jonathan,

Sticky sessions are also possible with AWS ALB. I have an ECS/ALB setup running as a sandbox system for nearly a year without any problems. Setting this up was quite straightforward. In the long run, I am not sure ECS is the way to go since Amazon is offering EKS now. We also switched to Kubernetes for production. Whether you want to roll your own really depends on your requirements. For example we have to go for TLS from LB to Keycloak in production as well, that's not supported by ALB AFAIK.

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn

From rob.noble at origamienergy.com Fri Sep 7 06:09:18 2018
From: rob.noble at origamienergy.com (Rob Noble)
Date: Fri, 7 Sep 2018 10:09:18 +0000
Subject: [keycloak-user] 4.4.0.Final tag on Docker Hub?
Message-ID:

Hello,

The 4.4.0.Final tag hasn't appeared on https://hub.docker.com/r/jboss/keycloak/tags/ yet? Did something fail, or am I just being too impatient?

Thanks,
Rob.
From Marcel.Nemet at gmail.com Fri Sep 7 09:11:08 2018
From: Marcel.Nemet at gmail.com (Marcel Német)
Date: Fri, 7 Sep 2018 15:11:08 +0200
Subject: [keycloak-user] Deploying Claim Information Point SPI
Message-ID:

Hi,

I have a wildfly server with the keycloak adapter and a simple Java EE application which uses keycloak-policy-enforcer configured using keycloak.json. The documentation mentions how to develop a custom Claim Information Provider SPI but I do not know how to deploy it. I assume I should deploy it in the wildfly server where the keycloak policy enforcer runs and not in the Keycloak server itself.

After copying the jar with the claims provider to the standalone/deployments folder of the wildfly server with my app protected by the policy enforcer, the jar is deployed successfully but my claims provider is never called.

In keycloak.json of the policy enforcer I have added
"claim-information-point": {
  "claims": {.......},
  "my-claims": {.......}
}
"claims" works and adds the claims to the RPT, but "my-claims", which should call my custom claims provider, does not do anything.

Kind regards
Marcel

From jonathan.j.carrasco at jpl.nasa.gov Fri Sep 7 10:31:01 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Fri, 7 Sep 2018 14:31:01 +0000
Subject: [keycloak-user] Best Practice AWS+ECS implementation
In-Reply-To: <2206d5d98b204a789d55c072a067166b@bosch-si.com>
References: <1536288917.14278.3.camel@acutus.pro> <2206d5d98b204a789d55c072a067166b@bosch-si.com>
Message-ID: <2D173B19-7D24-4314-B48C-EBBDB1DCA941@jpl.nasa.gov>

@Sebastian Thanks for your comments. Is migrating from ECS to EKS beneficial? Or is it a preference seeing that both are managed services.

@Dmitry Thanks for your comments.

> The reasoning that I want to have another instance for load balancing is because I want to separate the credential collector. Is there some docs on best way to execute separating the credential collector?
Could you please elaborate on what do you mean by "credential collector"?

I want to spin up a web tier for load balancing and running a "small" web application to receive the username and password credentials, and this web tier will direct credentials to the keycloak server for authentication. Currently, a user is directed to the keycloak server for authentication. I want to break into two pieces the collection of the username and password and the authentication. Has anyone executed this architecture?

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory

From gfoster at loyalsource.com Fri Sep 7 10:40:17 2018
From: gfoster at loyalsource.com (Grant Foster)
Date: Fri, 7 Sep 2018 14:40:17 +0000
Subject: [keycloak-user] Realm Admin Console x509 Certificate Login
In-Reply-To: <354cf47b-9645-0482-5ff6-8b332541c517@redhat.com>
References: , <354cf47b-9645-0482-5ff6-8b332541c517@redhat.com>
Message-ID:

I deployed a simple web app in WildFly whose standalone.xml points to the security-admin-console client, but when it tries to authenticate with keycloak, it keeps trying to redirect back to localhost even though the Valid Redirect URI points to /auth/admin/my-realm/console/*. It's only happy when the Valid Redirect URI points back to the app. Am I missing something? I'm guessing the security-admin-console client has /auth/admin/my-realm/console/* for a reason, so it should work. Do you know why this isn't working as expected? Thanks.
From Sebastian.Schuster at bosch-si.com Fri Sep 7 11:10:06 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS))
Date: Fri, 7 Sep 2018 15:10:06 +0000
Subject: [keycloak-user] Best Practice AWS+ECS implementation
In-Reply-To: <2D173B19-7D24-4314-B48C-EBBDB1DCA941@jpl.nasa.gov>
References: <1536288917.14278.3.camel@acutus.pro> <2206d5d98b204a789d55c072a067166b@bosch-si.com> <2D173B19-7D24-4314-B48C-EBBDB1DCA941@jpl.nasa.gov>
Message-ID: <093380b70fc54a17a3dccb110ee959bf@bosch-si.com>

It's mostly just preference. To me, it looks like Kubernetes (or something based on it) has won when it comes to orchestrating containers. I wouldn't go for something proprietary like ECS right now. Also makes it a bit easier to go to other clouds as all major players are offering managed Kubernetes now...

Best regards,
Sebastian

From riz_sbia at yahoo.com Fri Sep 7 11:35:14 2018
From: riz_sbia at yahoo.com (Rizwan Ashraf)
Date: Fri, 7 Sep 2018 15:35:14 +0000 (UTC)
Subject: [keycloak-user] Request to help install KeyCloak
References: <1179251576.1133766.1536334514348.ref@mail.yahoo.com>
Message-ID: <1179251576.1133766.1536334514348@mail.yahoo.com>

Greetings,

I am working for a non-profit and need help to install KeyCloak. I do not have the expertise to set up Keycloak, hence asking if anyone can help set up KeyCloak.
Thank you sincerely, Riz From Alexander.Bloor at kandy.io Fri Sep 7 16:06:37 2018 From: Alexander.Bloor at kandy.io (Bloor, Alexander) Date: Fri, 7 Sep 2018 20:06:37 +0000 Subject: [keycloak-user] Is it possible to direct a query to one active directory by user? Message-ID: Hello, I am planning a realm structure that may result in a large number of LDAP components (10+) in a single realm. When a user wants to authenticate, I would like Keycloak to query the AD where it lives without querying any others (except the first time the user authenticates). Is there a way to do this? Alex From David.Erie at datapath.com Fri Sep 7 17:44:40 2018 From: David.Erie at datapath.com (David Erie (US)) Date: Fri, 7 Sep 2018 21:44:40 +0000 Subject: [keycloak-user] Need help getting authorization code flow working Message-ID: Hi, I am having trouble exchanging an OIDC auth code for an access token after logging in with Keycloak. I am getting this error back in the response: {error: "invalid_grant", error_description: "Code not valid"} The Keycloak log has these entries: WARN [org.keycloak.services.managers.CodeGenerateUtil] (default task-51) Code '6023c45e-c4de-4094-a29e-f8ef36b5a937' already used for userSession 'e8eb1e32-dbed-42d9-97f3-fc8e5be6e6ae' and client 'cb65bac8-abdb-4e55-b098-efa686127460'. 
WARN [org.keycloak.events] (default task-51) type=CODE_TO_TOKEN_ERROR, realmId=, clientId=, userId=null, ipAddress=, error=invalid_code, grant_type=authorization_code, code_id=e8eb1e32-dbed-42d9-97f3-fc8e5be6e6ae, client_auth_method=client-secret

My request looks like this:

http:///auth/realms//protocol/openid-connect/token
Headers:
Authorization: Basic
Content-Type: application/x-www-form-urlencoded
Form data:
grant_type=authorization_code&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..Z5T9_-SBkuEy25gr8rUyrQ.L4_ZTTybr9vWOli6Yb42Qk1vfGGmCIk3hdNHF9-y7khYqoDG_MH8f9_qQqF83v9kjLOUT8vDNpH9Eu7QFB8hnWnVXbAuwJbJNz5b8ui_7fvZsxcr3PPzpaLEXLW16unghsLtToqXy8sWcFq-ceSJ8ebmyoFNkEUG_1sy0-02iK7s2TConuXTkhVeSvDj4sPz3TsllIP0ZxxfX3TSgrmgd7TfZnw4-JZy1M3blqC6i8Ba9F3t_XrER-HeaxHgpj6K.asPxD74Yr-k2wDeAsTRlZw&redirect_uri=

I am not using the Keycloak JS adapter (it's a long story), but I'm using it as a guide for what to do after getting the code back in order to get the tokens.

Any help would be appreciated.

Thank you,
Dave

From Yann.Jouanin at witbe.net Sat Sep 8 06:51:07 2018
From: Yann.Jouanin at witbe.net (Yann Jouanin)
Date: Sat, 8 Sep 2018 10:51:07 +0000
Subject: [keycloak-user] IdP selection based on email address
In-Reply-To: 
References: <1532562567.2078.7.camel@acutus.pro>
Message-ID: <486804b848ef4e488dde416be853208e@witbe.net>

Following my previous messages, I managed to redirect to the right IdP based on the email address.
Does anyone have an idea of how I can force the redirector to pass a login_hint (assuming it is already configured in the idp configuration)?

Best,
Yann

> Hello,
>
> Thanks for your reply.
> Indeed I managed to write the function attached in javascript and I was able to redirect to an IdP for specific domains.
>
> I have an additional question, is there a way to continue the flow (in my case I would like to optionally prompt for OTP).
> My current flow is:
>
> "cookies" (alternative)
> "Choose User" (required)
> Script (select idp) (required) (the script redirects to an idp for some domains, otherwise triggers context.success)
> Subflow forms (optional):
>   - Username Password Form (required)
>   - OTP Form (optional)
>
> Did I misunderstand the flow usage? Now when a user is authenticated using my idp but has an OTP, the OTP is not prompted.
>
> Best regards,
>
> Yann
>
> -------- FUNCTIONS ---------
>
> Authenticate function:
>
> function authenticate(context) {
>     // `user` is one of the bindings Keycloak exposes to script authenticators;
>     // it can be null this early in the flow, hence the fallback
>     var username = user ? user.username : "anonymous";
>     if (username.endsWith("mydomain.com")) {
>         redirect_to_idp(context, "idpformydomain");
>         return;
>     }
>     context.success();
>     return;
> }
>
> Function:
>
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
> Urls = Java.type("org.keycloak.services.Urls");
> OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
> Response = Java.type("javax.ws.rs.core.Response");
> UriBuilder = Java.type("javax.ws.rs.core.UriBuilder"); // used below, was missing from the type imports
>
> /**
>  * Redirect to Identification provider
>  *
>  * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
>  * @param providerId : the alias of the provider to use
>  */
> function redirect_to_idp(context, providerId) {
>     var identityProviders = context.getRealm().getIdentityProviders();
>     var identityProvidersLen = identityProviders.length;
>     for (var i = 0; i < identityProvidersLen; i++) {
>         var identityProvider = identityProviders[i];
>         if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
>             // the code ties the IdP round trip back to this authentication session
>             var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
>             var clientId = context.getAuthenticationSession().getClient().getClientId();
>             var tabId = context.getAuthenticationSession().getTabId();
>             var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
>             if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
>                 // forward the client's display hint to the IdP
>                 location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
>             }
>             var response = Response.seeOther(location).build();
>             LOG.info("Redirecting to " + providerId); // LOG is a script binding; plain concatenation instead of an unused %s placeholder
>             context.forceChallenge(response);
>             return;
>         }
>     }
> }
>

From wasedaxiao at gmail.com Sat Sep 8 21:31:50 2018
From: wasedaxiao at gmail.com (x)
Date: Sun, 9 Sep 2018 10:31:50 +0900
Subject: [keycloak-user] Keycloak SAML response redirection stuck in loop after logging in
Message-ID: 

Hello

I am using Keycloak as IdP integrated with my application (SP) by using SAMLFilter adapter. After authentication is successful by checking the SAML assertion response from Keycloak containing the expected username, the redirect visited Keycloak again which resulted in "You are already logged in" on my Chrome screen.

The same question was asked on stackoverflow and we have the same phenomenon.
https://stackoverflow.com/questions/50681822/keycloak-saml-redirection-stuck-in-loop-after-logging-in

I see there is a Javascript code below with a response form together on my Chrome dev tool which likely redirects to Keycloak again instead of SP.

Could someone please help how to fix the problem? Where do I need to configure to work around this?
Best Regards,
Xj

From slaskawi at redhat.com Mon Sep 10 03:14:59 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 10 Sep 2018 09:14:59 +0200
Subject: [keycloak-user] Request to help install KeyCloak
In-Reply-To: <1179251576.1133766.1536334514348@mail.yahoo.com>
References: <1179251576.1133766.1536334514348.ref@mail.yahoo.com> <1179251576.1133766.1536334514348@mail.yahoo.com>
Message-ID: 

Hey Riz,

Yes, this is the right place to ask questions about installation. What is the exact problem you're facing?

Thanks,
Sebastian

On Fri, Sep 7, 2018 at 6:46 PM Rizwan Ashraf wrote:
> Greetings,
> I am working for a non profit and need help to install KeyCloak. I do not have the expertise to set up Keycloak, hence asking if anyone can help set up KeyCloak.
> Thank you sincerely,
> Riz
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From uo67113 at gmail.com Mon Sep 10 03:21:33 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 10 Sep 2018 09:21:33 +0200
Subject: [keycloak-user] Keycloak SAML response redirection stuck in loop after logging in
In-Reply-To: 
References: 
Message-ID: 

Hello Xj,

May I suggest you to add org.keycloak.level = ALL in ${CATALINA_BASE}/logging.properties in order to get some debug info in the tomcat output?

You mention SAMLFilter adapter, but in the SO question you mention the tomcat valve adapter. May I ask you to clarify this? There are a couple of differences regarding the configuration [1]

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter

On Sun, 9 Sep 2018 at 7:44, x () wrote:
> Hello
>
> I am using Keycloak as IdP integrated with my application (SP) by using SAMLFilter adapter.
> After authentication is successful by checking the SAML assertion response from Keycloak containing the expected username, the redirect visited Keycloak again which resulted in "You are already logged in" on my Chrome screen.
>
> The same question was asked on stackoverflow and we have the same phenomenon.
>
> https://stackoverflow.com/questions/50681822/keycloak-saml-redirection-stuck-in-loop-after-logging-in
>
> I see there is a Javascript code below with a response form together on my Chrome dev tool which likely redirects to Keycloak again instead of SP.
>
> Could someone please help how to fix the problem? Where do I need to configure to work around this?
>
> Best Regards,
> Xj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From Marcel.Nemet at gmail.com Mon Sep 10 10:13:24 2018
From: Marcel.Nemet at gmail.com (Marcel Német)
Date: Mon, 10 Sep 2018 16:13:24 +0200
Subject: [keycloak-user] Support authorization for dynamic resources not saved in Keycloak resources DB, and querying for additional information from "PIP" service inside of policy
Message-ID: 

It would be great to support dynamic resources using a more complex wildcards mechanism. It would be very useful for our company. But I will rather explain the use case on a better-known use-case: Groups and Events on Facebook.

Groups on Facebook have members and admins. Groups are created and deleted often, and one user can be member and admin of multiple groups.

Example:

Group for hikers
  Admins: Alice, Adam
  Members: Mark, Michelle

Group for dancers:
  Admins: Antoni
  Members: Martin

Admins can create and delete events, e.g. Hiking in Himalayas event
Members can subscribe and unsubscribe from events

The REST API might look like:

GET api/groups/{groupID}/events/
  - Can be done by members or admins

DELETE api/groups/{groupID}/events/{eventID}
  - Only by admins

POST api/groups/{groupID}/events/{eventID}/subscribe
  - Here the danger is that Martin who is not a member of Group for hikers could manipulate the request and do:
    - POST api/groups/Group-for-dancers/events/Hiking-in-Himalayas/subscribe
    - So, it is not enough to check whether Martin is a member of the group in the request. It must also be checked that the Event belongs to that group.

Or directly, without referencing the group
POST api/events/{eventID}/subscribe
In the second case, the system would have to check whether the user is a member of the group. This has to be queried from the facebook DB.

POST api/groups/{groupID}/events/{eventID}/unsubscribe

When the user subscribes to an event he can see it under
GET api/user/{userID}/subscribedEvents/{eventID}

And he can unsubscribe under
POST api/events/{eventID}/unsubscribe

==============================

Challenges in Keycloak:

Currently, all the resources would have to be created in the Keycloak server one by one
E.g.
/groups/Group for hikers/events/Hiking in Himalayas
  - With scopes GET and DELETE
/groups/Group for hikers/events/Hiking in Himalayas/subscribe
/groups/Group for hikers/events/Hiking in Himalayas/unsubscribe

And when the user subscribes to the event, another resource would need to be added
/user/Mark/subscribedEvents/Hiking in Himalayas
  - With scopes GET
/user/Mark/subscribedEvents/Hiking in Himalayas/unsubscribe
/user/Michelle/subscribedEvents/Hiking in Himalayas
  - With scopes GET
/user/Michelle/subscribedEvents/Hiking in Himalayas/unsubscribe

And when Mark and Michelle unsubscribe, the last resources should be removed. This adds additional overhead.

The permissions can then be applied to the resource type if the resources are properly typed; this works well.
If Keycloak supported dynamic URLs and multiple wildcards or parameters inside the URI, it would be possible to simply define general permissions for the API routes.
For example, it would be great to be able to define a resource with a wildcard parameter such as
api/groups/{groupID}/events/{eventID}
  - With scope DELETE
Then the permission could be added simply with a policy that permits the action if the user is admin of the group with ID {groupID}.

Having to create resources in the Keycloak resources DB is a drawback because it creates another single point of failure - we have a complicated system that is quite critical. Constantly creating and deleting resources is complicated. If at any time the synchronization between the resource DB in Keycloak and our system fails, it would be very hard to recover.

======================================

At the moment I see a workaround of using different REST API routes such as
DELETE api/groups/events?groupID={groupID}&eventID={eventID}
But this forces us to use sub-optimal paths which do not conform to the usually recommended syntax of REST APIs.

Then I can define a resource in keycloak as
api/groups/events/*
With scope DELETE

And inside the policy enforcer I can push a claim such as
"event-delete-claim"="eventID : {request.parameter['eventID']}"
Or even use the whole relative URI as a claim - adding a unique claim to the RPT makes sure that the user gains access only to single resources or a group of resources and not to all resources that match api/groups/events/*.

Then in a permission for the resource "api/groups/events/*" with scope "DELETE" I must check somehow whether the user who is trying to call this API is admin of the group where the event is hosted. It is hard to know whether the event belongs to a group from such a request since we cannot trust the information in the HTTP request even if the group ID was part of the request.
Here I would need to query the system DB with the eventID and get the groupID or even better directly the list of the admins of the group to which the event belongs.

=========================================

Summary
  - It would be great to support dynamic resources with multiple wildcards/parameters so we do not need to sync all existing and newly created resources with the Keycloak DB
  - It would be great to be able to query an external service from inside of a policy (e.g. something like a Java Policy Provider (SPI?) with an ability to call a trusted Policy Information Point ("PIP") to get additional information necessary to make a decision)
    - For example, the Policy "Allow if the user is an administrator of the group of the event" would be applied to the resource "DELETE api/groups/*/events/*". The policy code would be able to query some backend service and check that the event really belongs to the group and that the user is admin of that group.

I would love to hear your thoughts on this, or whether any of the two propositions could be added or whether another strategy to achieve this exists.

-- 
Marcel Német
marcel.nemet at gmail.com

From psilva at redhat.com Mon Sep 10 12:06:49 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 10 Sep 2018 13:06:49 -0300
Subject: [keycloak-user] Support authorization for dynamic resources not saved in Keycloak resources DB, and querying for additional information from "PIP" service inside of policy
In-Reply-To: 
References: 
Message-ID: 

Hi,

AFAIK, you should be able to define URIs for resources like that:

"/api/groups/{groupID}/events",
"/api/groups/{groupID}/events/{eventID}",
"/api/groups/{groupID}/events/{eventID}/subscribe",
"/api/groups/{groupID}/events/{eventID}/unsubscribe"

And have specific permissions for each path/resource above.

Regarding the issue around making sure the user is indeed admin of a group, you could probably push a claim obtained from an external service [1].
Another option could be implementing a custom CIP provider [2] as an alternative to the http one in order to query your database.

What version of Keycloak are you using, btw?

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-information-from-an-external-http-service
[2] https://github.com/keycloak/keycloak/blob/035ebc881abfe78544861f394c30b1dd9623f879/adapters/oidc/adapter-core/src/main/resources/META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory

Regards.
Pedro Igor

On Mon, Sep 10, 2018 at 11:13 AM, Marcel Német wrote:
> It would be great to support dynamic resources using a more complex wildcards mechanism. It would be very useful for our company. But I will rather explain the use case on a better-known use-case: Groups and Events on Facebook.
>
> Groups on Facebook have members and admins. Groups are created and deleted often, and one user can be member and admin of multiple groups.
>
> Example:
>
> Group for hikers
> Admins: Alice, Adam
> Members: Mark, Michelle
>
> Group for dancers:
> Admins: Antoni
> Members: Martin
>
> Admins can create and delete events
> e.g. Hiking in Himalayas event
> Members can subscribe and unsubscribe from events
>
> The REST API might look like:
>
> GET api/groups/{groupID}/events/
> - Can be done by members or admins
>
> DELETE api/groups/{groupID}/events/{eventID}
> - Only by admins
>
> POST api/groups/{groupID}/events/{eventID}/subscribe
> - Here the danger is that Martin who is not a member of Group for hikers could manipulate the request and do:
>   - POST api/groups/Group-for-dancers/events/Hiking-in-Himalayas/subscribe
>   - So, it is not enough to check whether Martin is a member of the group in the request. It must also be checked that the Event belongs to that group.
>
> Or directly, without referencing the group
> POST api/events/{eventID}/subscribe
> In the second case, the system would have to check whether the user is a member of the group. This has to be queried from the facebook DB.
> POST api/groups/{groupID}/events/{eventID}/unsubscribe
>
> When the user subscribes to an event he can see it under
> GET api/user/{userID}/subscribedEvents/{eventID}
>
> And he can unsubscribe under
> POST api/events/{eventID}/unsubscribe
>
> ==============================
>
> Challenges in Keycloak:
> Currently, all the resources would have to be created in the Keycloak server one by one
> E.g.
> /groups/Group for hikers/events/Hiking in Himalayas
> - With scopes GET and DELETE
> /groups/Group for hikers/events/Hiking in Himalayas/subscribe
> /groups/Group for hikers/events/Hiking in Himalayas/unsubscribe
>
> And when the user subscribes to the event, another resource would need to be added
> /user/Mark/subscribedEvents/Hiking in Himalayas
> - With scopes GET
> /user/Mark/subscribedEvents/Hiking in Himalayas/unsubscribe
> /user/Michelle/subscribedEvents/Hiking in Himalayas
> - With scopes GET
> /user/Michelle/subscribedEvents/Hiking in Himalayas/unsubscribe
>
> And when Mark and Michelle unsubscribe, the last resources should be removed. This adds additional overhead.
>
> The permissions can then be applied to the resource type if the resources are properly typed; this works well.
>
> If Keycloak supported dynamic URLs and multiple wildcards or parameters inside the URI, it would be possible to simply define general permissions for the API routes.
> For example, it would be great to be able to define a resource with a wildcard parameter such as
> api/groups/{groupID}/events/{eventID}
> - With scope DELETE
> Then the permission could be added simply with a policy that permits the action if the user is admin of the group with ID {groupID}.
>
> Having to create resources in the Keycloak resources DB is a drawback because it creates another single point of failure - we have a complicated system that is quite critical. Constantly creating and deleting resources is complicated. If at any time the synchronization between the resource DB in Keycloak and our system fails, it would be very hard to recover.
>
> ======================================
> At the moment I see a workaround of using different REST API routes such as
> DELETE api/groups/events?groupID={groupID}&eventID={eventID}
>
> But this forces us to use sub-optimal paths which do not conform to the usually recommended syntax of REST APIs.
>
> Then I can define a resource in keycloak as
> api/groups/events/*
> With scope DELETE
>
> And inside the policy enforcer I can push a claim such as
> "event-delete-claim"="eventID : {request.parameter['eventID']}"
> Or even use the whole relative URI as a claim - adding a unique claim to the RPT makes sure that the user gains access only to single resources or a group of resources and not to all resources that match api/groups/events/*.
>
> Then in a permission for the resource "api/groups/events/*" with scope "DELETE" I must check somehow whether the user who is trying to call this API is admin of the group where the event is hosted. It is hard to know whether the event belongs to a group from such a request since we cannot trust the information in the HTTP request even if the group ID was part of the request. Here I would need to query the system DB with the eventID and get the groupID or even better directly the list of the admins of the group to which the event belongs.
>
> =========================================
> Summary
> - It would be great to support dynamic resources with multiple wildcards/parameters so we do not need to sync all existing and newly created resources with the Keycloak DB
> - It would be great to be able to query an external service from inside of a policy (e.g. something like a Java Policy Provider (SPI?) with an ability to call a trusted Policy Information Point ("PIP") to get additional information necessary to make a decision)
>   - For example, the Policy "Allow if the user is an administrator of the group of the event" would be applied to the resource "DELETE api/groups/*/events/*". The policy code would be able to query some backend service and check that the event really belongs to the group and that the user is admin of that group.
>
> I would love to hear your thoughts on this, or whether any of the two propositions could be added or whether another strategy to achieve this exists.
>
> --
> Marcel Német
> marcel.nemet at gmail.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Mon Sep 10 12:08:29 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 10 Sep 2018 18:08:29 +0200
Subject: [keycloak-user] standalone.xml + docker
Message-ID: 

Hello,
I have a configuration working with docker, and I wonder how to change some parameter in standalone.xml (specifically for HTTPS).
Where should I get the standalone.xml file with the correct version? From Github?
How should I insert it in the docker image?
I figured out:

FROM jboss/keycloak:3.4.3.Final
COPY standalone.xml /opt/jboss/keycloak/standalone/configuration/

Is that correct?

Thanks a lot!
Corentin

From paul at templeman.co Tue Sep 11 00:25:49 2018
From: paul at templeman.co (Paul Templeman)
Date: Tue, 11 Sep 2018 04:25:49 +0000
Subject: [keycloak-user] UMA 2.0 Implementations
Message-ID: 

Hi

Just wanting to connect with anyone using KeyCloak for a use case that requires User Managed Access (UMA) 2.0 support.
Particularly interested in use cases that involve an ecosystem of platforms/applications and multiple organisations - not just a single organisation context.

Particularly keen to hear from any Australian use cases.

Thanks
Paul...

From lahari.guntha at tcs.com Tue Sep 11 01:32:51 2018
From: lahari.guntha at tcs.com (Lahari Guntha)
Date: Tue, 11 Sep 2018 05:32:51 +0000
Subject: [keycloak-user] Group-Mapping
In-Reply-To: <1525956497800.9251@tcs.com>
References: <1521200921834.37549@tcs.com> <1521812778054.55506@tcs.com> <1522128470918.36450@tcs.com> <1522213483195.38672@tcs.com> <1522732009031.20269@tcs.com> <1523338962307.3970@tcs.com> <1525688494185.73604@tcs.com>, , <1525956497800.9251@tcs.com>
Message-ID: <1536643970535.3413@tcs.com>

Hi All,

Did anyone face the same issue of group syncing from LDAP to Keycloak?

Thanks and Regards,
Lahari Guntha

________________________________
From: Lahari Guntha
Sent: 10 May 2018 18:18
To: keycloak-user at lists.jboss.org
Cc: keycloak-user at lists.jboss.org; Aishwarya Bositty; Praveen Dhandu
Subject: Re: [keycloak-user] Group-Mapping

Hi Simon,

We have tried that. We updated the configuration of the group DN in keycloak as ou=groups,dc=example,dc=com. But still the groups are not getting synced properly. May I know whether I am missing any configuration anywhere else?

Thanks and Regards,
Lahari G

________________________________
From: Simon Payne
Sent: 10 May 2018 14:44
To: Lahari Guntha
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Group-Mapping

Hi Lahari,

i would suggest to try the LDAP group DN as ou=groups,dc=example,dc=com rather than cn=testgroup,ou=groups,dc=example,dc=com
here you need to specify the group tree.

regards,
Simon.
On Mon, May 7, 2018 at 11:21 AM, Lahari Guntha > wrote:
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From Sebastian.Schuster at bosch-si.com Tue Sep 11 03:03:15 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS))
Date: Tue, 11 Sep 2018 07:03:15 +0000
Subject: [keycloak-user] standalone.xml + docker
In-Reply-To: 
References: 
Message-ID: 

If you take the current 4.4.0.Final docker image, TLS support is available OOTB, you just have to add certificate files to a specific directory. Otherwise just have a look at the official image https://github.com/jboss-dockerfiles/keycloak/tree/master/server. They use jboss-cli to change the default standalone.xml according to provided parameters instead of providing a custom standalone.xml.

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Corentin Dupont
Sent: Monday, 10 September 2018 18:08
To: keycloak-user
Subject: [keycloak-user] standalone.xml + docker

Hello,
I have a configuration working with docker, and I wonder how to change some parameter in standalone.xml (specifically for HTTPS).
Where should I get the standalone.xml file with the correct version? From Github?
How should I insert it in the docker image?
I figured out:

FROM jboss/keycloak:3.4.3.Final
COPY standalone.xml /opt/jboss/keycloak/standalone/configuration/

Is that correct?

Thanks a lot!
Corentin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Tue Sep 11 05:58:07 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Tue, 11 Sep 2018 15:28:07 +0530
Subject: [keycloak-user] Obtaining RPT with Keycloak installed
Message-ID: 

I am using keycloak installed, through which I can obtain an access token, like this:

keycloakinstalled.loginDesktop();
AccessToken token = keycloak.getToken();

But how can I obtain an RPT (Requesting Party Token) in case of keycloakinstalled?
I have followed the doc: https://www.keycloak.org/docs/4.3/authorization_services/#obtaining-user-entitlements which gives a way to request an RPT by using AuthzClient. But how can it be done if I am using keycloakinstalled?

Also by decoding the RPT and accessToken I can see that the RPT has authorization & permissions info which the Access Token does not have:

"authorization": {
  "permissions": [.....

In summary, I have 2 questions:
1. Which one (Access token or RPT) should be used if I want to use authorization in my client application? What is the exact difference in terms of usage between the two?
2. How can the RPT be obtained in case of Keycloak installed?
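Two threads above come down to the same thing a resource server does with the `authorization.permissions` claim: Marcel's question about `{param}` URI templates and a PIP lookup for facts the path cannot be trusted to carry, and the RPT-versus-access-token question in the last message. The following is an added example, not Keycloak's own code and not code from any poster. It assumes the resource names, scopes, PIP tables and token payloads shown (all constructed here), and that the claims dict was already taken from a signature-verified JWT, which it does not do. Keycloak's policy enforcer does its own route matching; this stands in for it to show the three steps in one place: template match, permission check on the RPT, then the PIP-backed policy that rejects Martin's subscribe on an event that belongs to a different group.

```python
"""Resource-server side check: URI-template resources, the RPT's
authorization.permissions claim, and a PIP lookup for facts the path
cannot be trusted to carry. Added example; not Keycloak's own code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Resources with {param} URI templates; names and scopes are assumptions.
RESOURCES = {
    "Group Events": {
        "uri": "/api/groups/{groupID}/events/{eventID}",
        "scopes": {"GET", "DELETE"},
    },
    "Event Subscription": {
        "uri": "/api/groups/{groupID}/events/{eventID}/subscribe",
        "scopes": {"POST"},
    },
}

# Constructed PIP data standing in for the application's own database.
PIP_EVENTS = {"himalayas": {"group": "hikers"}, "salsa-night": {"group": "dancers"}}
PIP_GROUPS = {
    "hikers": {"admins": {"alice", "adam"}, "members": {"mark", "michelle"}},
    "dancers": {"admins": {"antoni"}, "members": {"martin"}},
}


def compile_template(uri: str):
    """'/api/groups/{groupID}/events/{eventID}' -> anchored regex with one
    named group per placeholder; a placeholder matches exactly one segment."""
    parts = re.split(r"\{(\w+)\}", uri)  # literals at even, names at odd indexes
    regex = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
                    for i, p in enumerate(parts))
    return re.compile(f"^{regex}$")


TEMPLATES = {name: compile_template(r["uri"]) for name, r in RESOURCES.items()}


def match_resource(path: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (resource name, path parameters) for the first matching template."""
    for name, pattern in TEMPLATES.items():
        m = pattern.match(path)
        if m:
            return name, m.groupdict()
    return None


def rpt_grants(claims: dict, rsname: str, scope: str) -> bool:
    """True if authorization.permissions (present in an RPT, absent from a
    plain access token) grants `scope` on resource `rsname`."""
    for perm in claims.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == rsname and scope in perm.get("scopes", []):
            return True
    return False


@dataclass
class Decision:
    allowed: bool
    reason: str


def pip_check(user: str, rsname: str, scope: str, params: Dict[str, str]) -> Decision:
    """Policy that needs PIP facts: the event in the path must really belong
    to the group in the path (both are attacker-controlled), and the caller's
    role in the owning group must fit the scope."""
    event = PIP_EVENTS.get(params["eventID"])
    if event is None or event["group"] != params["groupID"]:
        return Decision(False, "event does not belong to the group in the path")
    group = PIP_GROUPS[event["group"]]
    if rsname == "Group Events" and scope == "DELETE":
        ok = user in group["admins"]
    else:  # GET on events and POST subscribe: admins and members
        ok = user in group["admins"] or user in group["members"]
    return Decision(ok, "ok" if ok else f"{user} may not {scope} in {event['group']}")


def authorize(method: str, path: str, claims: dict) -> Decision:
    """One request end to end: route -> token permission -> PIP-backed policy.
    `claims` must come from a signature-verified JWT; that step is not shown."""
    matched = match_resource(path)
    if matched is None:
        return Decision(False, "no resource matches the path")
    rsname, params = matched
    if method not in RESOURCES[rsname]["scopes"]:
        return Decision(False, f"scope {method} is not defined on {rsname}")
    if not rpt_grants(claims, rsname, method):
        return Decision(False, "token grants no permission for this resource/scope")
    return pip_check(claims["sub"], rsname, method, params)


# Constructed token payloads (what an RPT / access token decode to).
ALICE_RPT = {"sub": "alice", "authorization": {"permissions": [
    {"rsname": "Group Events", "scopes": ["GET", "DELETE"]}]}}
MARK_RPT = {"sub": "mark", "authorization": {"permissions": [
    {"rsname": "Event Subscription", "scopes": ["POST"]}]}}
MARTIN_RPT = {"sub": "martin", "authorization": {"permissions": [
    {"rsname": "Event Subscription", "scopes": ["POST"]}]}}
MARK_ACCESS_TOKEN = {"sub": "mark"}  # plain access token: no authorization claim
```

The order matters: a grant in the RPT only says the user may call this route class at all; whether this particular `eventID` sits under this particular `groupID`, and who administers it, comes from the PIP, never from the request. Martin's RPT legitimately carries `POST` on "Event Subscription", and his request is still refused because the PIP says "himalayas" belongs to "hikers", not "dancers". The plain access token is refused one step earlier, which is the practical answer to "which token do I use for authorization": the one carrying `authorization.permissions`.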
From corentin.dupont at gmail.com Tue Sep 11 06:24:55 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 11 Sep 2018 12:24:55 +0200
Subject: [keycloak-user] standalone.xml + docker
In-Reply-To: 
References: 
Message-ID: 

Thanks Sebastian.

On Tue, Sep 11, 2018 at 9:03 AM, Schuster Sebastian (INST-CSS/BSV-OS) <Sebastian.Schuster at bosch-si.com> wrote:
> If you take the current 4.4.0.Final docker image, TLS support is available OOTB, you just have to add certificate files to a specific directory. Otherwise just have a look at the official image https://github.com/jboss-dockerfiles/keycloak/tree/master/server. They use jboss-cli to change the default standalone.xml according to provided parameters instead of providing a custom standalone.xml.
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Corentin Dupont
> Sent: Monday, 10 September 2018 18:08
> To: keycloak-user
> Subject: [keycloak-user] standalone.xml + docker
>
> Hello,
> I have a configuration working with docker, and I wonder how to change some parameter in standalone.xml (specifically for HTTPS).
> Where should I get the standalone.xml file with the correct version? From Github?
> How should I insert it in the docker image?
> I figured out:
>
> FROM jboss/keycloak:3.4.3.Final
> COPY standalone.xml /opt/jboss/keycloak/standalone/configuration/
>
> Is that correct?
>
> Thanks a lot!
> Corentin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Tue Sep 11 06:25:57 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 11 Sep 2018 12:25:57 +0200 Subject: [keycloak-user] DB error Message-ID: Hi, I currently have this problem when starting keycloak: Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry 'master-role_list' for key 'UK_CLI_SCOPE' Any idea? Thanks From vramik at redhat.com Tue Sep 11 06:36:52 2018 From: vramik at redhat.com (Vlasta Ramik) Date: Tue, 11 Sep 2018 12:36:52 +0200 Subject: [keycloak-user] DB error In-Reply-To: References: Message-ID: Hello, I'd need additional information. What keycloak version are you using? Do you start keycloak with empty database? Are you migrating from one version to another? And also full stacktrace would be helpful. Thank you. Vlasta On 09/11/2018 12:25 PM, Corentin Dupont wrote: > Hi, > I currently have this problem when starting keycloak: > > Caused by: > com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: > Duplicate entry 'master-role_list' for key 'UK_CLI_SCOPE' > > Any idea? > Thanks > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From corentin.dupont at gmail.com Tue Sep 11 06:54:45 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 11 Sep 2018 12:54:45 +0200 Subject: [keycloak-user] DB error In-Reply-To: <344a-5b979b80-1-7e62ee80@57640469> References: <344a-5b979b80-1-7e62ee80@57640469> Message-ID: Hi Cedric, On Tue, Sep 11, 2018 at 12:39 PM, cedric at couralet.eu wrote: > Hi, > > I just had the same problem. 
> Mine was from the fact the database was already in version 4.x (table CLIENT_SCOPE created), but the value in table MIGRATION_MODEL was 3.4.3 so Keycloak was trying to execute the migration steps here:
> https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo4_0_0.java#L77
>
> and failed due to the constraint.
> My solution (surely not the best) was to update the value in MIGRATION_MODEL to 4.0.0 and restart the service.
>
> I think I was in that situation because I started an old instance (in 3.4.3) after the database was migrated, but I'm not really sure how it is possible.

Exactly, I started keycloak version 3.4.3, while the DB was already migrated to 4.3.0. It usually goes pretty badly.

Is there anything we can do to prevent crashes when starting (by mistake) a previous version of Keycloak?

> Cédric Couralet
>
> On Tuesday, September 11, 2018 12:25 CEST, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi,
>> I currently have this problem when starting keycloak:
>>
>> Caused by:
>> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
>> Duplicate entry 'master-role_list' for key 'UK_CLI_SCOPE'
>>
>> Any idea?
>> Thanks

From triveni.chegireddy at tcs.com Tue Sep 11 07:00:15 2018
From: triveni.chegireddy at tcs.com (Triveni Chegireddy)
Date: Tue, 11 Sep 2018 16:30:15 +0530
Subject: [keycloak-user] Keycloak single Log Out not working

Hi All,

The below issue is blocking in our application. Could anyone help us in resolving the Single Logout issue.

Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________

From: Triveni Chegireddy/LATAM/TCS
To: keycloak-user at lists.jboss.org
Date: 09/07/2018 12:42 PM
Subject: Keycloak single Log Out not working

Hi Team,

I am securing many tools using Keycloak for Single sign on and Single Logout. We are securing tools like Jira, Confluence using Miniorange plugin. We have few Spring boot applications which are to be secured. They are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter.

Single Sign on is working fine. The landing application is spring boot web application, which is accessed by giving LDAP credentials. From that application, we will be accessing the Jira, Confluence. They are opened without asking me for credentials.

But Single Logout is not working. In Spring boot application, on click of Logout, I am calling HttpServletRequest.logout(), which is logging me out of Spring boot application successfully. But the sessions in Jira and Confluence are not killed. Similarly once I open the tools from Spring boot application, on logout of any tools both Jira and confluence are logging out using Single Logout but session in Spring boot application is not killed.

Could you please help us resolving this issue.

Regards
Triveni Chegireddy

From psilva at redhat.com Tue Sep 11 07:30:30 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 11 Sep 2018 08:30:30 -0300
Subject: [keycloak-user] Obtaining RPT with Keycloak installed

On Tue, Sep 11, 2018 at 6:58 AM, keycloak demo wrote:

> I am using keycloak installed through which I can obtain access token. like this:
>
> keycloakinstalled.loginDesktop();
> AccessToken token = keycloak.getToken();
>
> But how can I obtain RPT (Requesting Party Token) in case of keycloakinstalled?
>
> I have followed the doc:
> https://www.keycloak.org/docs/4.3/authorization_services/#obtaining-user-entitlements
> which gives a way to request RPT by using AuthzClient. But how can it be done if I am using keycloakinstalled?
>
> Also by decoding the RPT and accessToken I can see that RPT has authorization & permissions info which Access Token does not have:
>
> "authorization": { "permissions": [.....
>
> In summary, I have 2 questions:
>
> 1. Which one (Access token or RPT) should be used if I want to use authorization in my client application? What is the exact difference in terms of usage between the two?

The main difference between the two is that RPT gives you additional claims representing permissions with a specific audience set to the target resource server. RPTs are also obtained using a different grant type.

> 2. How can the RPT be obtained in case of Keycloak installed?

I have never tested this before, could you please fill a JIRA with more details about what you are trying to achieve with keycloak installed. Need to check if we could implement something for better support of RPTs.

From remy at grunblatt.org Tue Sep 11 07:39:26 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Tue, 11 Sep 2018 13:39:26 +0200
Subject: [keycloak-user] Only accept some email address, for registration?
Message-ID: <63af7b55-4c8e-f2e0-7525-a89aca928331@grunblatt.org>

Hello,

I'm searching for a way to allow registration via the web interface from keycloak (the default one, if possible, not something I'd code myself) to be limited to certain email domains. Is it possible? If no: how do you do it in practice?

Thanks,

ps: still searching for a way to automatically set up profile attribute at user registration, such as a unique numeric attribute (1, 2, 3, ...) for each user

From corentin.dupont at gmail.com Tue Sep 11 12:19:37 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 11 Sep 2018 18:19:37 +0200
Subject: [keycloak-user] Requires uma_protection scope

Hi,
I updated my keycloak to 4.4.0.
When I get my resources:
GET on: http://localhost:8080/auth/realms/waziup/authz/protection/resource_set

I now get error 403: invalid_scope, Requires uma_protection scope

What did I miss?
I activated User-Managed Access at realm level.
Thanks
Corentin

From vandana0242 at gmail.com Tue Sep 11 14:17:01 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Tue, 11 Sep 2018 13:17:01 -0500
Subject: [keycloak-user] keycloak & tomcat

Hello

Can we do SAML authentication by having keycloak and tomcat ?

IT's single sign on configuration .
Thanks,
Vandana

From vandana0242 at gmail.com Tue Sep 11 14:30:46 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Tue, 11 Sep 2018 13:30:46 -0500
Subject: [keycloak-user] where can we see the username & password

Hello

After setting up username/password by running the below command for Master and Demo realm

./add-user-keycloak.sh -r Master -u xxxxx -p xyxyxy
./add-user-keycloak.sh -r Demo Realm -u xxxxx -p xyxyxy.

Where can we see that user names /passwords on keycloak servers in which file and exactly under which directory structure ?

Thanks,
Vandana

From psilva at redhat.com Tue Sep 11 17:28:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 11 Sep 2018 18:28:11 -0300
Subject: [keycloak-user] Requires uma_protection scope

Hi,

Your users must be granted with this client role in order to access the protection api. This allows user to consent whether or not access should be granted to resource servers to act on his behalf when managing user resources.

On Tue, Sep 11, 2018 at 1:19 PM, Corentin Dupont wrote:

> Hi,
> I updated my keycloak to 4.4.0.
> When I get my resources:
> GET on: http://localhost:8080/auth/realms/waziup/authz/protection/resource_set
>
> I now get error 403: invalid_scope, Requires uma_protection scope
>
> What did I miss?
> I activated User-Managed Access at realm level.
> Thanks
> Corentin

From dv at glyphy.com Tue Sep 11 18:25:32 2018
From: dv at glyphy.com (D V)
Date: Tue, 11 Sep 2018 18:25:32 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

Hi list,

I'm trying to cluster several Keycloak 4.0.0 nodes running in docker containers. I'm seeing "interesting" (unexpected) behaviour when requesting new OIDC tokens with "grant_type=password" (Direct Grant/ROPC) and then attempting to get a new set with "grant_type=refresh_token".

After I start two nodes (containers), if I issue a "grant_type=password" request to the node that started first, requests for "grant_type=refresh_token" on the newer node fail. If I issue the "grant_type=password" request to the node that started last, requests for "grant_type=refresh_token" succeed on any node AND all future password/refresh_token requests work correctly no matter which node handles the request.

So, let's say node1 starts first and node2 starts second:
1. Password auth on node1: OK
2. Refresh token auth on node2 with token from previous step: Error: invalid_grant (Invalid refresh token)
3. Refresh token auth on node1 with token from step 1: OK (new set of refresh+access tokens)
BUT!
4. Password auth on node2: OK
5. Refresh token auth on node1 with token from previous step: OK! (new set of refresh+access tokens)
6. Refresh token auth on node2 with token from step 4: OK
7. Password auth sequence from steps 1-3: also OK!

It's as though the node that starts most recently needs a password auth request to "wake up" and start communicating with the rest of the cluster. Once it does, everything's in sync.

Some facts that are hopefully relevant:
* Keycloak 4.0.0 docker image base
* standalone-ha.xml from distribution with changes in JGroups subsystem. I'm using JDBC PING configured for the same DB as Keycloak itself, which is MySQL 5.7. See the subsystem config below.
* Custom org.keycloak.storage.UserStorageProviderFactory SPI, which creates a provider that makes an HTTP call to an external authentication service to validate username/password credentials.
* A couple of custom themes.
* One realm with a handful of clients provisioned via a shell script that just calls kcadm.sh and jboss-cli.sh
* There's a simple LB in front of both instances

JGroups subsystem config:
[XML not preserved in the archive; the values that survive are ${env.HOST}, ${env.PORT_7600} and java:jboss/datasources/KeycloakDS]

$HOST and $PORT_7600 are set to external host:port combination that allows the two instances to communicate.

There's also a socket-binding to a public interface:
[element not preserved in the archive]

In the JGroups and Infinispan log entries I can see the two nodes do find each other and are able to communicate. I haven't been able to get ispn-cli.sh to connect to the internal Infinispan instances running in containers, so I can't confirm that they have the same entries, but as described in flows above they do eventually work together.

Is there a configuration change I'm missing somewhere to make the new node joining the cluster become aware of the other one?

Thanks for any help,
DV

From kclark at mbopartners.com Wed Sep 12 00:18:06 2018
From: kclark at mbopartners.com (Kenyatta Clark)
Date: Wed, 12 Sep 2018 04:18:06 +0000
Subject: [keycloak-user] Forgot Password Flow And Cookies
Message-ID: <9F3428C1-5381-41CE-B52B-DA4711D4BA80@mbopartners.com>

When a user uses the forgot password and resets their password and there is a clientId then they are redirected to the appropriate client only when they initiate the forgot password and complete the reset password in the same browser. We have noticed that Keycloak does not honor the clientId request parameter when the KC_RESTART token is not present (for example the user initiated the forgot password in one browser and completes the reset in another). Is there a work around to allow Keycloak to honor the clientId passed in even when the cookie is not present?
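An added example, not Keycloak's code and not a workaround the thread confirms, of the check that any answer to the question above would need. When no KC_RESTART-backed authentication session exists, the client id and the redirect target arrive only as URL parameters that anyone can craft, so before they are honoured they are validated against the client registration, which is what Keycloak's "Valid Redirect URIs" list exists for; an unregistered target falls back to the realm's account console instead of being followed. The RegisteredClient type, the client entries and the account-console URL are constructed for the example, and the wildcard matching is a simplified re-implementation of Keycloak's trailing-"*" rule, not its actual implementation.

```python
"""Post-reset redirect validation (added example; constructed data, not Keycloak code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class RegisteredClient:
    # Constructed stand-in for a Keycloak client registration (hypothetical type,
    # not Keycloak's model). valid_redirect_uris mirrors the "Valid Redirect URIs"
    # list in the admin console: exact URIs, or a prefix ending in '*'.
    client_id: str
    valid_redirect_uris: List[str] = field(default_factory=list)


# Constructed realm data for the example.
ACCOUNT_CONSOLE = "https://sso.example/auth/realms/demo/account"
CLIENTS: Dict[str, RegisteredClient] = {
    "billing-portal": RegisteredClient(
        "billing-portal",
        ["https://billing.example/callback", "https://billing.example/app/*"],
    ),
}


def matches_redirect_pattern(uri: str, pattern: str) -> bool:
    """Simplified re-implementation (assumption, not Keycloak's code) of the
    redirect matching rule: exact match, or prefix match when the pattern
    ends in '*'. A '*' anywhere else is treated as a literal character."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def is_acceptable_redirect(uri: str, client: RegisteredClient) -> bool:
    """A redirect target is honoured only if it is an absolute URI without a
    fragment (RFC 6749 section 3.1.2) and matches one registered pattern."""
    if "#" in uri or not urlsplit(uri).scheme:
        return False
    return any(matches_redirect_pattern(uri, p) for p in client.valid_redirect_uris)


def resolve_post_reset_redirect(
    client_id_param: Optional[str],
    redirect_uri_param: Optional[str],
    restart_cookie_client: Optional[str],
    clients: Dict[str, RegisteredClient] = CLIENTS,
    fallback: str = ACCOUNT_CONSOLE,
) -> str:
    """Decide where to send the user once a password reset completes.

    restart_cookie_client models the client recorded in the authentication
    session that KC_RESTART points to; when present it outranks the URL
    parameter. When the cookie is absent (reset completed in another browser)
    the URL parameters are the only input, so they are checked against the
    registration and the realm account console is used if they do not pass.
    """
    client_id = restart_cookie_client or client_id_param
    client = clients.get(client_id) if client_id else None
    if client is None:
        return fallback
    if redirect_uri_param is None:
        # No explicit target: fall back to the client's first exact registered URI.
        exact = [p for p in client.valid_redirect_uris if not p.endswith("*")]
        return exact[0] if exact else fallback
    if is_acceptable_redirect(redirect_uri_param, client):
        return redirect_uri_param
    return fallback


if __name__ == "__main__":
    print(resolve_post_reset_redirect("billing-portal", "https://billing.example/app/home", None))
    print(resolve_post_reset_redirect("billing-portal", "https://other.example/callback", None))
```

The point of the fallback is that a failed check never becomes an error page with the attacker-supplied target in it and never follows that target; it simply lands the user somewhere the realm already trusts.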
From slaskawi at redhat.com Wed Sep 12 03:22:16 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 12 Sep 2018 09:22:16 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

Hmmm this sounds a bit weird... like there was some delay in the communication path.

Could you please look through your logs and look for lines including "view" keyword? Are there two nodes, as expected? How the timestamps relate to your experiment?

On Wed, Sep 12, 2018 at 1:01 AM D V wrote:

> Hi list,
>
> I'm trying to cluster several Keycloak 4.0.0 nodes running in docker containers. I'm seeing "interesting" (unexpected) behaviour when requesting new OIDC tokens with "grant_type=password" (Direct Grant/ROPC) and then attempting to get a new set with "grant_type=refresh_token".
>
> After I start two nodes (containers), if I issue a "grant_type=password" request to the node that started first, requests for "grant_type=refresh_token" on the newer node fail. If I issue the "grant_type=password" request to the node that started last, requests for "grant_type=refresh_token" succeed on any node AND all future password/refresh_token requests work correctly no matter which node handles the request.
>
> So, let's say node1 starts first and node2 starts second:
> 1. Password auth on node1: OK
> 2. Refresh token auth on node2 with token from previous step: Error: invalid_grant (Invalid refresh token)
> 3. Refresh token auth on node1 with token from step 1: OK (new set of refresh+access tokens)
> BUT!
> 4. Password auth on node2: OK
> 5. Refresh token auth on node1 with token from previous step: OK! (new set of refresh+access tokens)
> 6. Refresh token auth on node2 with token from step 4: OK
> 7. Password auth sequence from steps 1-3: also OK!
>
> It's as though the node that starts most recently needs a password auth request to "wake up" and start communicating with the rest of the cluster. Once it does, everything's in sync.
>
> Some facts that are hopefully relevant:
> * Keycloak 4.0.0 docker image base
> * standalone-ha.xml from distribution with changes in JGroups subsystem. I'm using JDBC PING configured for the same DB as Keycloak itself, which is MySQL 5.7. See the subsystem config below.
> * Custom org.keycloak.storage.UserStorageProviderFactory SPI, which creates a provider that makes an HTTP call to an external authentication service to validate username/password credentials.
> * A couple of custom themes.
> * One realm with a handful of clients provisioned via a shell script that just calls kcadm.sh and jboss-cli.sh
> * There's a simple LB in front of both instances
>
> JGroups subsystem config:
> [XML not preserved in the archive; the fragments that survive are name="external_addr">${env.HOST}, name="external_port">${env.PORT_7600} and java:jboss/datasources/KeycloakDS]
>
> $HOST and $PORT_7600 are set to external host:port combination that allows the two instances to communicate.
>
> There's also a socket-binding to a public interface:
> [element not preserved in the archive]
>
> In the JGroups and Infinispan log entries I can see the two nodes do find each other and are able to communicate. I haven't been able to get ispn-cli.sh to connect to the internal Infinispan instances running in containers, so I can't confirm that they have the same entries, but as described in flows above they do eventually work together.
>
> Is there a configuration change I'm missing somewhere to make the new node joining the cluster become aware of the other one?
>
> Thanks for any help,
> DV

From slaskawi at redhat.com Wed Sep 12 03:25:39 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 12 Sep 2018 09:25:39 +0200
Subject: [keycloak-user] keycloak & tomcat

Yes you can. See our SAML adapters at the download page [1] as well as in the docs [2].

[1] https://www.keycloak.org/downloads.html
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter

On Tue, Sep 11, 2018 at 8:55 PM vandana thota wrote:

> Hello
>
> Can we do SAML authentication by having keycloak and tomcat ?
>
> IT's single sign on configuration .
>
> Thanks,
> Vandana

From uo67113 at gmail.com Wed Sep 12 03:43:57 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 12 Sep 2018 09:43:57 +0200
Subject: [keycloak-user] keycloak & tomcat

Hello Vandana,

Yes you can. Please, have a look at the documentation [1]. I do think that also this link can help [2]

Cheers,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter
[2] http://www.catb.org/~esr/faqs/smart-questions.html

On Wed, 12 Sep 2018 at 2:09, vandana thota () wrote:

> Hello
>
> Can we do SAML authentication by having keycloak and tomcat ?
>
> IT's single sign on configuration .
>
> Thanks,
> Vandana

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From sblanc at redhat.com Wed Sep 12 03:48:30 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 12 Sep 2018 09:48:30 +0200
Subject: [keycloak-user] keycloak & tomcat

For the docs this is the correct link : https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-tomcat-adapter

On Wed, Sep 12, 2018 at 9:25 AM, Sebastian Laskawiec wrote:

> Yes you can. See our SAML adapters at the download page [1] as well as in the docs [2].
>
> [1] https://www.keycloak.org/downloads.html
> [2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_adapter
>
> On Tue, Sep 11, 2018 at 8:55 PM vandana thota wrote:
>
> > Hello
> >
> > Can we do SAML authentication by having keycloak and tomcat ?
> >
> > IT's single sign on configuration .
> >
> > Thanks,
> > Vandana

From corentin.dupont at gmail.com Wed Sep 12 04:02:44 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 12 Sep 2018 10:02:44 +0200
Subject: [keycloak-user] Requires uma_protection scope

At the moment I try to create the resource with a client token (not a user token):

CLIENTTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`

curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{"name":"Sensortest3", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}'

Is this correct?
Thanks

On Tue, Sep 11, 2018 at 11:28 PM, Pedro Igor Silva wrote:

> Hi,
>
> Your users must be granted with this client role in order to access the protection api. This allows user to consent whether or not access should be granted to resource servers to act on his behalf when managing user resources.
>
> On Tue, Sep 11, 2018 at 1:19 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi,
>> I updated my keycloak to 4.4.0.
>> When I get my resources:
>> GET on: http://localhost:8080/auth/realms/waziup/authz/protection/resource_set
>>
>> I now get error 403: invalid_scope, Requires uma_protection scope
>>
>> What did I miss?
>> I activated User-Managed Access at realm level.
>> Thanks
>> Corentin

From corentin.dupont at gmail.com Wed Sep 12 04:40:18 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 12 Sep 2018 10:40:18 +0200
Subject: [keycloak-user] Requires uma_protection scope

Ho, I think I understood. Even when the resource is created by the client on behalf of a user, that user must have uma_protection client role. I.e. in my example above, cdupont must have it. I think I'll create a group so that every new user have it.

On Wed, Sep 12, 2018 at 10:02 AM, Corentin Dupont wrote:

> At the moment I try to create the resource with a client token (not a user token):
>
> CLIENTTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>
> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{"name":"Sensortest3", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}'
>
> Is this correct?
> Thanks
>
> On Tue, Sep 11, 2018 at 11:28 PM, Pedro Igor Silva wrote:
>
>> Hi,
>>
>> Your users must be granted with this client role in order to access the protection api. This allows user to consent whether or not access should be granted to resource servers to act on his behalf when managing user resources.
>>
>> On Tue, Sep 11, 2018 at 1:19 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi,
>>> I updated my keycloak to 4.4.0.
>>> When I get my resources:
>>> GET on: http://localhost:8080/auth/realms/waziup/authz/protection/resource_set
>>>
>>> I now get error 403: invalid_scope, Requires uma_protection scope
>>>
>>> What did I miss?
>>> I activated User-Managed Access at realm level.
>>> Thanks
>>> Corentin

From testoauth55 at gmail.com Wed Sep 12 05:19:38 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Wed, 12 Sep 2018 14:49:38 +0530
Subject: [keycloak-user] Has the EntitlementResponse renamed / deprecated in keycloak 4.x?
Till keycloak 3.4.3, the keycloak-services artifact used to have org.keycloak.authorization.entitlement package, which contained EntitlementResponse class, but keycloak 4.x onwards, this package is no longer present, has this package & class renamed / deprecated?

Reference for jars/artifacts, maven repo: https://maven-repository.com/artifact/org.keycloak/keycloak-services

From mposolda at redhat.com Wed Sep 12 05:30:26 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Sep 2018 11:30:26 +0200
Subject: [keycloak-user] DB error
References: <344a-5b979b80-1-7e62ee80@57640469>

On 11/09/18 12:54, Corentin Dupont wrote:
> Hi Cedric,
>
> On Tue, Sep 11, 2018 at 12:39 PM, cedric at couralet.eu wrote:
>
>> Hi,
>>
>> I just had the same problem. Mine was from the fact the database was already in version 4.x (table CLIENT_SCOPE created), but the value in table MIGRATION_MODEL was 3.4.3 so Keycloak was trying to execute the migration steps here:
>> https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo4_0_0.java#L77
>>
>> and failed due to the constraint.
>> My solution (surely not the best) was to update the value in MIGRATION_MODEL to 4.0.0 and restart the service.
>>
>> I think I was in that situation because I started an old instance (in 3.4.3) after the database was migrated, but I'm not really sure how it is possible.
>
> Exactly, I started keycloak version 3.4.3, while the DB was already migrated to 4.3.0. It usually goes pretty badly.
>
> Is there anything we can do to prevent crashes when starting (by mistake) a previous version of Keycloak?

You can create JIRA for support this. Not sure when we fix it. Hopefully there is something easy, which can be done to achieve "fail fast" and kill server quickly if it detects that Keycloak server version is lower than the DB version.

Marek

>> Cédric Couralet
>>
>> On Tuesday, September 11, 2018 12:25 CEST, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi,
>>> I currently have this problem when starting keycloak:
>>>
>>> Caused by:
>>> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
>>> Duplicate entry 'master-role_list' for key 'UK_CLI_SCOPE'
>>>
>>> Any idea?
>>> Thanks

From studtry at gmail.com Wed Sep 12 07:03:50 2018
From: studtry at gmail.com (Fedor Chernogorskiy)
Date: Wed, 12 Sep 2018 14:03:50 +0300
Subject: [keycloak-user] Embedded login form

Hello,

I wonder if the keycloak supports embedding the login form into my app instead of redirecting the user to it? I didn't see it in the admin console. I'm interested in an out-of-the-box feature or minimal development/configuration

Best regards

From sthorger at redhat.com Wed Sep 12 09:42:54 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 12 Sep 2018 13:42:54 +0000
Subject: [keycloak-user] Embedded login form

We don't recommend embedding the login form for security reasons and as such don't provide any documentation or help setting it up. That being said you can do it, but you need to tune the security headers primarily.

On Wed, 12 Sep 2018 at 11:09, Fedor Chernogorskiy wrote:

> Hello,
>
> I wonder if the keycloak supports embedding the login form into my app instead of redirecting the user to it? I didn't see it in the admin console. I'm interested in an out-of-the-box feature or minimal development/configuration
>
> Best regards

From clehingue at gmail.com Wed Sep 12 14:44:55 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Wed, 12 Sep 2018 20:44:55 +0200
Subject: [keycloak-user] Keycloak with react-native application

Hello,
what should you put as an address in the "redirect url" section of the keycloak configuration panel for a native application made with react-native (or native-view)?

Thank you.

Regards,
Christophe

From ssilvert at redhat.com Wed Sep 12 19:34:07 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 12 Sep 2018 19:34:07 -0400
Subject: [keycloak-user] Keycloak with react-native application
Message-ID: <59ccc7c9-d9cd-16fb-7fc3-d0f4f22e49b5@redhat.com>

I don't know of anyone who has tried Keycloak with react-native yet, but I suspect there is someone out there who has. And, btw, I'd love to hear about it.

I assume you are talking about the "Valid Redirect URIs" in the client section of the admin console? I don't see why setting this up for react-native would be any different from any other native client?

On 9/12/2018 2:44 PM, Christophe Lehingue wrote:
> Hello,
> what should you put as an address in the "redirect url" section of the keycloak configuration panel for a native application made with react-native (or native-view)?
>
> Thank you.
> > Regards, > Christophe > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From craig at baseventure.com Wed Sep 12 22:25:35 2018 From: craig at baseventure.com (Craig Setera) Date: Thu, 13 Sep 2018 02:25:35 +0000 Subject: [keycloak-user] OAuth and SAML autnentication Message-ID: Reading the documentation, there is a statement that makes it appear that you can't support *both* OAuth and SAML authentication to the same resources? Is that really the case? We would like to allow both OAuth and SAML authentication to access our API (along with appropriate differences in functionality). Is that possible? Thanks, Craig From vidhya.kannan at hpe.com Thu Sep 13 04:25:44 2018 From: vidhya.kannan at hpe.com (Kannan, Vidhya (CMS)) Date: Thu, 13 Sep 2018 08:25:44 +0000 Subject: [keycloak-user] keycloak and AD Message-ID: Hello Keycloak users: I need to integrate Keycloak with AD auth. I see from the doc, Kerberos is proposed https://www.keycloak.org/docs/3.2/server_admin/topics/authentication/kerberos.html >From Tomcat site, there are other options like https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Reverse_proxies Would this work? Any experience shared will help. Thanks, Vidhya From amjad.qau at gmail.com Thu Sep 13 11:30:21 2018 From: amjad.qau at gmail.com (Amjad Ullah) Date: Thu, 13 Sep 2018 16:30:21 +0100 Subject: [keycloak-user] Keycloak single logout Message-ID: Hi, I have two applications, i.e. one django based protected using mod_auth_openidc and another java based hosted on wildfly and protected using keycloak specific java adapter. The SSO works fine on both applications. However, the problem occurs in case of Logout. When I perform logout from django application, then both applications are redirected to login on next request (as expected). 
However, when I perform logout on java application, then django application still works as normal rather than asking for login again on next request. As per the keycloak documentation, Admin URL shall be set for a particular client that can be used by Keycloak server to send backend requests to the application for various tasks, like logout users or push revocation policies. From the apache logs, I can see that no back-end request generated by keycloak against the logout perform from java based application. If I generate the logout from keycloak admin utility then apache logs shows a post action for k_logout. Any idea/help in this regard will be much appreciated. Many thanks. -- *Regards,* *Amjad Ullah* From amjad.qau at gmail.com Thu Sep 13 11:45:25 2018 From: amjad.qau at gmail.com (Amjad) Date: Thu, 13 Sep 2018 08:45:25 -0700 (MST) Subject: [keycloak-user] Unable to perform Keycloak single logout Message-ID: <1536853525912-0.post@n6.nabble.com> Hi, I have two applications, i.e. one django based protected using mod_auth_openidc and another java based hosted on wildfly and protected using keycloak specific java adapter. The SSO works fine on both applications. However, the problem occurs in case of Logout. When I perform logout from django application, then both applications are redirected to login on next request (as expected). However, when I perform logout on java application, then django application still works as normal rather than asking for login again on next request. As per the keycloak documentation, Admin URL shall be set for a particular client that can be used by Keycloak server to send backend requests to the application for various tasks, like logout users or push revocation policies. From the apache logs, I can see that no back-end request generated by keycloak against the logout perform from java based application. If I generate the logout from keycloak admin utility then apache logs shows a post action for k_logout. 
Any idea/help in this regard will be much appreciated. Many thanks.

I used:
mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From dv at glyphy.com Thu Sep 13 12:53:05 2018
From: dv at glyphy.com (D V)
Date: Thu, 13 Sep 2018 12:53:05 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

Weird indeed. Yes, the logs indicate two nodes. I've uploaded the full start-up logs here: https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing . I started node 1, let it settle, then started node 2. You can see that node1 starts with just itself, but later node2 joins the cluster and caches are rebalanced.

As for the experiment, I tried waiting for a few minutes after both nodes started in case there's some synchronization delay somewhere, but it didn't change the outcome.

Thanks,
DV

On Wed, Sep 12, 2018 at 3:22 AM Sebastian Laskawiec wrote:
> Hmmm this sounds a bit weird... like there was some delay in the communication path.
>
> Could you please look through your logs and look for lines including the "view" keyword? Are there two nodes, as expected? How do the timestamps relate to your experiment?

From andy at decent.com Thu Sep 13 14:26:33 2018
From: andy at decent.com (Andy Skiba)
Date: Thu, 13 Sep 2018 20:26:33 +0200
Subject: [keycloak-user] User registration outside of Keycloak and automatic authentication

Hi All,

I'm trying to integrate Keycloak into our project and I'm running into the following problem. We have a pretty involved registration flow, so my idea was to go through that flow and create users in Keycloak via the admin REST API. That works fine, but I end up with a user that is not authenticated after registration. Is there a way to register users outside of Keycloak and then end up with an authenticated SSO session?
I've seen this thread http://lists.jboss.org/pipermail/keycloak-user/2016-October/008018.html from two years ago, and it proposes writing a custom Authenticator. Is that still the easiest/only option?

Thanks for any pointers,
Andy

From roland.tepp at indoor.ninja Thu Sep 13 14:32:12 2018
From: roland.tepp at indoor.ninja (Roland Tepp)
Date: Thu, 13 Sep 2018 21:32:12 +0300
Subject: [keycloak-user] Fetch user groups from Google IAM account

Hey,

Please bear with me as I am quite new at this stuff and I am still struggling with getting to grips with all the terms and relationships in Keycloak.

I am trying to set up a Keycloak realm to use the Google OIDC IDP, and while setting up the OIDC login flow was rather straightforward, there are still a few things I can not figure out.

First - I want to limit the set of users who can gain access to a single Google hosted domain. The Google identity token contains a claim called "hd", but I can't figure out how I can use it to limit/restrict logins from other Google hosted domains. I suppose it should be part of the initial login flow, but I can't really see how or where I should configure this. (The Google OIDC endpoint also supports a proprietary argument with the same name that should be used to restrict the Google account selection dialogue to only the specified hosted domain, but again, I do not see where I can hard-code its value for an IDP authentication request.)

Second. How do I get Google domain groups for the authenticated users? They are not returned as user claims in a token. Google's documentation suggests I need to ask Google directory services for that information.

Has anyone managed to integrate Google hosted domains with Keycloak, and do you have a recipe for how one can fetch Google group memberships for logged-in users into Keycloak?
Roland

From vandana0242 at gmail.com Thu Sep 13 15:00:17 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 13 Sep 2018 14:00:17 -0500
Subject: [keycloak-user] GATEWAY_TIMEOUT

Hello

After I have installed Keycloak 4.2.1 and brought up the server, I checked the logs and no errors showed up, but when I hit the URL it shows the below error.

Date: Thu, 13 Sep 2018 13:57:46 CDT
Username:
Source IP: 10.101.69.143
URL: GET http://nl005382:/auth/
Category: Global NoAuth
Reason: UNKNOWN
Notification: GATEWAY_TIMEOUT

The server is up and running and pinging. Installed Keycloak on a separate VM, not on the WildFly server. All ports in standalone.xml are configured well, and all ports were listening though.

From vandana0242 at gmail.com Thu Sep 13 15:02:35 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 13 Sep 2018 14:02:35 -0500
Subject: [keycloak-user] GATEWAY_TIMEOUT

Hello

After I have installed Keycloak 4.2.1 and brought up the server, I checked the logs and no errors showed up, but when I hit the URL it shows the below error.

Date: Thu, 13 Sep 2018 13:57:46 CDT
Username:
Source IP: 10.101.69.143
URL: GET http://nl005382:/auth/
Category: Global NoAuth
Reason: UNKNOWN
Notification: GATEWAY_TIMEOUT

The server is up and running and pinging. Installed Keycloak on a separate VM, not on the WildFly server. All ports in standalone.xml are configured well, and all ports were listening though.

How to resolve this error?

Thanks,

From vandana0242 at gmail.com Thu Sep 13 16:06:28 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 13 Sep 2018 15:06:28 -0500
Subject: [keycloak-user] keycloak installation doubts

Hello

Is it a must to install the Keycloak server on top of the WildFly server? Or can we have a separate Keycloak server without putting it on top of WildFly?
Which is best practice?

From pkboucher801 at gmail.com Thu Sep 13 17:22:00 2018
From: pkboucher801 at gmail.com (pkboucher801 at gmail.com)
Date: Thu, 13 Sep 2018 17:22:00 -0400
Subject: [keycloak-user] connection URL to your LDAP store should be single host?
Message-ID: <001d01d44ba7$cf168c10$6d43a430$@gmail.com>

Hi,

Using the LDAP/AD provider, if we set our connection URL to our LDAP store like this "ldaps://mydomain.local:636" and we have 3 domain controllers, then we get whichever one DNS says to use when we look up mydomain.local.

Is there any way to get it to fail over to another one if the first one fails to respond?

Is it best practice to use the domain name, or should we specify one domain controller, by IP address, and stick to it (e.g., "ldaps://10.1.2.3:636")?

Thanks!

Regards,
Peter Boucher

From Doyle.Collings at zionsbancorp.com Fri Sep 14 01:06:05 2018
From: Doyle.Collings at zionsbancorp.com (Doyle Collings)
Date: Fri, 14 Sep 2018 05:06:05 +0000
Subject: [keycloak-user] Using the Keycloak Client Adapter for JBOSS as a Relying Party (RP) to a non-keycloak OpenID Provider (OP)

Is it possible to use the Keycloak Client Adapter for JBOSS as a Relying Party to a non-Keycloak OpenID Provider?

My CA Single Sign-On (SiteMinder) OP uses the following endpoints:

    "authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize",
    "token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token",
    "userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo",
    "validate_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/introspect",
    "revoke_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/revoke",
    "jwks_uri": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev"

The Keycloak Client Adapter does not allow me to use those exact URLs. It builds the URLs, based on the auth-server-url and the realm specified within the element in my standalone.xml, using the following code in the package org.keycloak.constants:

    public interface ServiceUrlConstants {
        public static final String AUTH_PATH = "/realms/{realm-name}/protocol/openid-connect/auth";
        public static final String TOKEN_PATH = "/realms/{realm-name}/protocol/openid-connect/token";
        public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
        public static final String ACCOUNT_SERVICE_PATH = "/realms/{realm-name}/account";
        public static final String REALM_INFO_PATH = "/realms/{realm-name}";
        public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
        public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
        public static final String JWKS_URL = "/realms/{realm-name}/protocol/openid-connect/certs";
    }

I am thinking that I can edit the source code so that if https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc is entered as my auth-server-url in the standalone.xml, I could achieve the following needed endpoint URLs:

    "authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize"
    "token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token"
    "userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo"
    "jwks_uri": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev"

using the following altered source code:

    public static final String AUTH_PATH = "/authorize";
    public static final String TOKEN_PATH = "/token";
    public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
    public static final String ACCOUNT_SERVICE_PATH = "/userinfo";
    public static final String REALM_INFO_PATH = "/realms/{realm-name}";
    public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
    public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
    public static final String JWKS_URL = "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev";

Is my logic flawed? Or does anybody know of another OIDC Client Adapter for JBOSS that can be used as a Relying Party for a non-Keycloak OpenID Provider?

Thank you for your help.

Doyle Collings
Distributed Services Application Engineer and Single Sign-On Implementer/Administrator
Zions Bancorporation

From mposolda at redhat.com Fri Sep 14 02:10:04 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 14 Sep 2018 08:10:04 +0200
Subject: [keycloak-user] keycloak and AD
Message-ID: <02e5e97b-3a55-b3ad-7bf1-b5e694c80828@redhat.com>

We did not test anything like this. If you use a reverse proxy in front of Keycloak and this reverse proxy is doing the SPNEGO handshake, you will probably need to change some code on the Keycloak side as well and rewrite SpnegoAuthenticator a bit. Maybe it is possible if you create your own authenticator and replace the builtin SpnegoAuthenticator in the authentication flow with yours. No guarantees...

Another question is why/if the proxy is needed?

Marek

On 13/09/18 10:25, Kannan, Vidhya (CMS) wrote:
> Hello Keycloak users:
>
> I need to integrate Keycloak with AD auth. I see from the doc, Kerberos is proposed https://www.keycloak.org/docs/3.2/server_admin/topics/authentication/kerberos.html
>
> From the Tomcat site, there are other options like https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Reverse_proxies
>
> Would this work?
>
> Any experience shared will help.
>
> Thanks,
> Vidhya

From testoauth55 at gmail.com Fri Sep 14 03:42:08 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Fri, 14 Sep 2018 13:12:08 +0530
Subject: [keycloak-user] Obtaining RPT with Keycloak installed

Thanks Pedro,

Is it okay to use the *Access Token* generated through *KeycloakInstalled* for the purpose of performing authorization through the policy enforcer on my client app?

On Tue, Sep 11, 2018 at 5:00 PM Pedro Igor Silva wrote:
> On Tue, Sep 11, 2018 at 6:58 AM, keycloak demo wrote:
>> I am using keycloak installed, through which I can obtain an access token, like this:
>>
>>     keycloakInstalled.loginDesktop();
>>     AccessToken token = keycloakInstalled.getToken();
>>
>> But how can I obtain an RPT (Requesting Party Token) in case of keycloakinstalled?
>>
>> I have followed the doc: https://www.keycloak.org/docs/4.3/authorization_services/#obtaining-user-entitlements which gives a way to request an RPT by using AuthzClient. But how can it be done if I am using keycloakinstalled?
>>
>> Also, by decoding the RPT and accessToken I can see that the RPT has authorization & permissions info which the Access Token does not have:
>>
>>     "authorization": { "permissions": [.....
>>
>> In summary, I have 2 questions:
>>
>> 1. Which one (Access token or RPT) should be used if I want to use authorization in my client application? What is the exact difference in terms of usage between the two?
>
> The main difference between the two is that the RPT gives you additional claims representing permissions with a specific audience set to the target resource server. RPTs are also obtained using a different grant type.
>
>> 2. How can the RPT be obtained in case of Keycloak installed?
>
> I have never tested this before, could you please file a JIRA with more details about what you are trying to achieve with keycloak installed. Need to check if we could implement something for better support of RPTs.

From remigio.dimuzio at gmail.com Fri Sep 14 06:13:35 2018
From: remigio.dimuzio at gmail.com (Remigio Di Muzio)
Date: Fri, 14 Sep 2018 12:13:35 +0200
Subject: [keycloak-user] Issue with reset password mail link

Hi to everyone,

I'm getting an issue with Keycloak 3.4.3. When clicking the reset password link, which I've been sent upon clicking on the "Forgot password" link in the login page, instead of being redirected to the change password page I'm always redirected to my application, skipping the change password screen and even the login screen, despite being logged out.

Did anyone experience the same issue?

From imperimus_2k at hotmail.com Fri Sep 14 06:18:53 2018
From: imperimus_2k at hotmail.com (Mark Hunt)
Date: Fri, 14 Sep 2018 10:18:53 +0000
Subject: [keycloak-user] Script Mapper

Hi,

I am looking to filter groups into a claim but I am a little stuck as to how to use the script mapper. I have got the script below and I am happy with writing the mechanism to filter the groups by names. The bit I can't seem to find any information on is how I return the data for the claim, either as an array or a string.

    var groups = user.getGroups();
    groups.forEach(function(entry) {
        var gName = entry.getName();
        print(entry);
        print(gName);
    });
    print(groups);

Regards
Mark

From erik.g.haugen at gmail.com Fri Sep 14 08:49:20 2018
From: erik.g.haugen at gmail.com (Erik G. Haugen)
Date: Fri, 14 Sep 2018 14:49:20 +0200
Subject: [keycloak-user] Do I need anything else besides a keycloak token to access a service secured with keycloak?
hello all,

I can get a valid token from Keycloak, but I still get a 404 Not Found response from a service secured with Keycloak when I try to access it with the token. What else do I have to do? What else is needed to access a service secured with Keycloak? I am getting a bearer token back.

Kind regards,
Erik

From jpperata at gmail.com Fri Sep 14 08:52:55 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Fri, 14 Sep 2018 09:52:55 -0300
Subject: [keycloak-user] keycloak installation doubts

Hi,

It is recommended to install the Keycloak server as a separate server in production environments. It allows you to concentrate all authentication (and authorization) in the Keycloak server, separated from your secured applications. It allows you to upgrade Keycloak without affecting (or affecting as little as possible) your secured applications (hosted in another application server). Also, in the same way, if there are known security holes, it helps you manage that situation better in order to apply updates and security fixes independently.

Kind regards,
Juan

On Thu, Sep 13, 2018 at 6:53 PM vandana thota wrote:
> Hello
>
> Is it a must to install the keycloak server on top of the wildfly server?
>
> or can we have a separate keycloak server without putting it on top of wildfly?
>
> which is best practice

From triton.oidc at gmail.com Fri Sep 14 11:18:13 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Fri, 14 Sep 2018 15:18:13 +0000
Subject: [keycloak-user] add self signed certificate for external IDP without root access

Hi,

It may be a WildFly issue but I'm not sure.
I'm not root on the server (I can't do an update-ca-trust). I configured an external IDP; when Keycloak wants to exchange the code for the ID token at the external IDP, I get a certificate exception.

I tried adding the certificate in the keystore. There is no truststore.jks in the standalone.xml, I guess it's using the system truststore. Should I create an empty truststore.jks and try to put it in the standalone.xml? But I might lose other external IDPs with real public certificates.

I'm sure it's very simple, but I can't get it to work. I'll take any hints. I'll update if I find the solution.

Thanks
Amaury

From hossein.doutaghy at gmail.com Fri Sep 14 19:00:37 2018
From: hossein.doutaghy at gmail.com (Hossein Doutaghy)
Date: Fri, 14 Sep 2018 19:00:37 -0400
Subject: [keycloak-user] Keycloak OAuth_Token_Request_State Cookie is not secure

Hi,

I have observed that all the Keycloak cookies are secured except the OAuth_Token_Request_State cookie.

1) Does this cookie need to be flagged as secure?
2) What kind of data is stored in this cookie? And what is it used for?

This Keycloak commit shows the work was done to set the secure flag on the OAuth_Token_Request_State cookie back in 2016, but I am not seeing this cookie to be secure in my Keycloak server: https://github.com/keycloak/keycloak/commit/57b6ddbace135e4701f3d3e309282ed8459d58ff

Thanks,
Moe

From lists at merit.unu.edu Sat Sep 15 04:21:48 2018
From: lists at merit.unu.edu (mj)
Date: Sat, 15 Sep 2018 10:21:48 +0200
Subject: [keycloak-user] connection URL to your LDAP store should be single host?
In-Reply-To: <001d01d44ba7$cf168c10$6d43a430$@gmail.com>
References: <001d01d44ba7$cf168c10$6d43a430$@gmail.com>
Message-ID: <42b63a8a-491c-a4f7-2e8f-c8e6644aab86@merit.unu.edu>

We are doing this via a haproxy listener on the localhost, which points to our three DCs.
MJ

On 09/13/2018 11:22 PM, pkboucher801 at gmail.com wrote:
> Hi,
>
> Using the LDAP/AD provider, if we set our connection URL to our LDAP store like this "ldaps://mydomain.local:636" and we have 3 domain controllers, then we get whichever one DNS says to use when we look up mydomain.local.
>
> Is there any way to get it to fail over to another one if the first one fails to respond?
>
> Is it best practice to use the domain name, or should we specify one domain controller, by IP address, and stick to it (e.g., "ldaps://10.1.2.3:636")?
>
> Thanks!
>
> Regards,
> Peter Boucher

From ionel.gardais at tech-advantage.com Sun Sep 16 04:23:18 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Sun, 16 Sep 2018 10:23:18 +0200 (CEST)
Subject: [keycloak-user] Securing keycloak
Message-ID: <1446556795.533894.1537086198213.JavaMail.zimbra@tech-advantage.com>

Hi list,

Besides /auth/admin, are there any other URIs that should be secured/restricted to limit the attack surface for a public-facing Keycloak?

By the way, could it be useful to add a dedicated configuration entry directly inside Keycloak to restrict the IPs allowed to make low-level actions?

Thanks,
Ionel

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From cedric at couralet.eu Mon Sep 17 02:38:47 2018
From: cedric at couralet.eu (Cédric Couralet)
Date: Mon, 17 Sep 2018 08:38:47 +0200
Subject: [keycloak-user] Changing welcomeTheme with packaged theme
Message-ID: <9820632c1aa2dbc16c19b151ed3f31c6@couralet.eu>

Hello,

I am trying to define a welcomeTheme for the Keycloak server with a theme packaged and deployed in "/standalone/deployments". When trying the welcome page http://localhost:8080/auth/, I get an error page and the stack trace:

    08:24:48,001 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: javax.ws.rs.WebApplicationException: HTTP 500 Internal Server Error
        at org.keycloak.services.resources.WelcomeResource.createWelcomePage(WelcomeResource.java:213)
        at org.keycloak.services.resources.WelcomeResource.getWelcomePage(WelcomeResource.java:98)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [...]

I am guessing it (something) doesn't find the theme. Is it supposed to be working?

I am testing on Keycloak 4.4.0.Final with the standalone conf as:

    <theme>
        <staticMaxAge>2592000</staticMaxAge>
        <cacheThemes>true</cacheThemes>
        <cacheTemplates>true</cacheTemplates>
        <welcomeTheme>myTheme</welcomeTheme>
        <dir>${jboss.home.dir}/themes</dir>
    </theme>

I see my theme jar is deploying in the configuration, and it works when I take the welcome folder from the jar and put it in the "themes" directory.
Best regards,
Cédric Couralet

From slaskawi at redhat.com Mon Sep 17 03:15:31 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 17 Sep 2018 09:15:31 +0200
Subject: [keycloak-user] Securing keycloak
In-Reply-To: <1446556795.533894.1537086198213.JavaMail.zimbra@tech-advantage.com>
References: <1446556795.533894.1537086198213.JavaMail.zimbra@tech-advantage.com>

This documentation piece should do exactly what you want: https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction

On Sun, Sep 16, 2018 at 10:25 AM GARDAIS Ionel <ionel.gardais at tech-advantage.com> wrote:
> Hi list,
>
> Besides /auth/admin, are there any other URIs that should be secured/restricted to limit the attack surface for a public-facing Keycloak?
>
> By the way, could it be useful to add a dedicated configuration entry directly inside Keycloak to restrict the IPs allowed to make low-level actions?
>
> Thanks,
> Ionel

From slaskawi at redhat.com Mon Sep 17 04:27:08 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 17 Sep 2018 10:27:08 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

So the only thing that looks suspicious is this:

    JGRP000006: failed accepting connection from peer: java.net.SocketTimeoutException: Read timed out

It might indicate that some other application tried to connect to Keycloak on port 7600 and immediately disconnected. That leads to a question on your environment: are you sure you are looking into the proper application servers?
Perhaps some other applications (WildFly for example, since Keycloak is built on WildFly) are trying to join the cluster. However, if the answer is yes, the next thing to check is the Infinispan statistics over JMX or the JBoss CLI. Here's a sample query you may use:

    /subsystem=infinispan/cache-container=keycloak/replicated-cache=*:query

And then have a look at the number of entries and the number of entries in the cluster.

@Marek Posolda, perhaps this rings any bell? ISPN seems fine here (at least from the logs and symptoms DV's describing).

On Thu, Sep 13, 2018 at 6:53 PM D V wrote:
> Weird indeed. Yes, the logs indicate two nodes. I've uploaded the full start-up logs here: https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing . I started node 1, let it settle, then started node 2. You can see that node1 starts with just itself, but later node2 joins the cluster and caches are rebalanced.
>
> As for the experiment, I tried waiting for a few minutes after both nodes started in case there's some synchronization delay somewhere, but it didn't change the outcome.
>
> Thanks,
> DV
>
> On Wed, Sep 12, 2018 at 3:22 AM Sebastian Laskawiec wrote:
>> Hmmm this sounds a bit weird... like there was some delay in the communication path.
>>
>> Could you please look through your logs and look for lines including the "view" keyword? Are there two nodes, as expected? How do the timestamps relate to your experiment?

From Linda.Sauder at amdocs.com Mon Sep 17 05:49:21 2018
From: Linda.Sauder at amdocs.com (Linda Sauder)
Date: Mon, 17 Sep 2018 09:49:21 +0000
Subject: [keycloak-user] Why doesn't the login module get called on Wildfly with Keycloak?

We have a Wildfly 10 AS, and we have the Keycloak 4.1 SAML Adapter installed according to the description in §3.1.2 of the Keycloak documentation. That means, our standalone.xml has
- loaded the org.keycloak.keycloak-saml-adapter-subsystem extension
- added the urn:jboss:domain:keycloak-saml:1.1 subsystem to our server's profile
- defined a security domain (although in our case it's not called keycloak)
- defined org.keycloak.adapters.jboss.KeycloakLoginModule as a login module on that domain

Furthermore, we have an Application.war, which
- contains some HTML to deliver
- has a keycloak-saml.xml
- has a jboss-web.xml, configuring the deployment's security-domain to the one defined in standalone.xml
- has a web.xml which sets the auth-method configured to KEYCLOAK-SAML

And yet, the login module never gets called. Why? Is there any logging we can enable to shed more light? Any places in undertow, picketlink, or picketbox to set breakpoints?
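As an added example, not from Linda's deployment and not the Keycloak project's own files: a minimal WEB-INF/web.xml and WEB-INF/jboss-web.xml pair for the Keycloak SAML adapter on WildFly, showing the part that actually causes Undertow to invoke the configured auth-method and, through it, KeycloakLoginModule: a security-constraint with an auth-constraint. The security domain name "keycloak", the URL pattern and the role name are assumptions.

```xml
<!-- WEB-INF/web.xml (added example; the url-pattern and role name are assumptions) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Undertow only runs the auth-method (and so the login module) for requests that
         match a security-constraint carrying an auth-constraint. A web.xml that has only
         the login-config element below protects nothing: the HTML is served to everyone
         and no SAML authentication request is ever built. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected pages</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Must match a role the SAML assertion maps to (see the RoleIdentifiers /
                 role attribute mapping in keycloak-saml.xml). -->
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Forces HTTPS for the protected pages; requires an https listener. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: must name the same security domain that declares
     org.keycloak.adapters.jboss.KeycloakLoginModule in standalone.xml. -->
<jboss-web>
    <security-domain>keycloak</security-domain>
</jboss-web>
```

To see whether the adapter handles a request at all, raising the org.keycloak logger category to DEBUG in the logging subsystem of standalone.xml makes the SAML adapter log its processing of each constrained request.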
From muhammad.hamza75 at gmail.com Mon Sep 17 07:23:31 2018
From: muhammad.hamza75 at gmail.com (Muhammad Hamza Shahid)
Date: Mon, 17 Sep 2018 16:23:31 +0500
Subject: [keycloak-user] Keycloak extension using Admin Client

Hi,

I am trying to extend Keycloak using the Admin Client. My pom is as follows:

    keycloak-examples-providers-parent org.keycloak 3.4.3.Final Authenticator Example 4.0.0 authenticator-required-action-example jar org.keycloak keycloak-core provided org.keycloak keycloak-server-spi provided org.keycloak keycloak-server-spi-private provided org.jboss.logging jboss-logging provided org.keycloak keycloak-services provided org.keycloak keycloak-admin-client 4.0.0.Final authenticator-required-action-example org.apache.maven.plugins maven-compiler-plugin 1.8 1.8 org.wildfly.plugins wildfly-maven-plugin false org.apache.maven.plugins maven-shade-plugin 3.2.0 package shade true org.keycloak:keycloak-admin-client org/keycloak/admin/client/** org/keycloak/admin/client/token/TokenManager.java org/keycloak/admin/client/token/TokenService.java org/keycloak/admin/client/resource/** org/keycloak/admin/client/Keycloak$1.java

But while initiating the admin client as follows:

    Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8080/auth")
            .realm("master")
            .username("admin")
            .password("admin")
            .clientId("admin-cli")
            .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
            .build();

I am getting the following exception:

    16:07:04,642 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-42) Uncaught server error: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
        at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581)
        at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557)
        at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230)
        at java.lang.reflect.WeakCache.get(WeakCache.java:127)
        at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419)
        at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719)
        at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:79)
        at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:131)
        at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:93)
        at org.keycloak.admin.client.token.TokenManager.<init>(TokenManager.java:55)
        at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:60)
        at org.keycloak.admin.client.KeycloakBuilder.build(KeycloakBuilder.java:147)
        at org.keycloak.examples.authenticator.SecretQuestionRequiredAction.processAction(SecretQuestionRequiredAction.java:68)
        at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:927)
        at org.keycloak.services.resources.LoginActionsService.requiredActionPOST(LoginActionsService.java:880)
    [...]
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) From callum at well.ox.ac.uk Mon Sep 17 09:06:09 2018 From: callum at well.ox.ac.uk (Callum Smith) Date: Mon, 17 Sep 2018 13:06:09 +0000 Subject: [keycloak-user] Keycloak > FreeIPA 2FA integration Message-ID: <8D465691-CC9B-4845-A8F4-4ADFD85067B3@well.ox.ac.uk> Dear All, Keycloak and FreeIPA have separate integrations of 2FA, though very different obviously store keys in a different database. I was wondering whether you can configure Keycloak to authenticate against FreeIPA using the recommended SSSD method and also use the OTP/2FA as configured in FreeIPA on the backend? https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sssd.html Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. 
callum at well.ox.ac.uk From katariakhyati11 at gmail.com Mon Sep 17 09:19:26 2018 From: katariakhyati11 at gmail.com (Khyati Kataria) Date: Mon, 17 Sep 2018 09:19:26 -0400 Subject: [keycloak-user] Set custom theme by default during deployment Message-ID: Hello, I am new to keycloak. As per one request we need to set our custom theme by default for all realms. Could you please explain or provide a procedure on how to enable our custom theme by default, or set it up during the deployment procedure? Thank you khyati From andreas.lau at outlook.com Mon Sep 17 09:31:05 2018 From: andreas.lau at outlook.com (Andreas Lau) Date: Mon, 17 Sep 2018 13:31:05 +0000 Subject: [keycloak-user] Passwords with umlauts In-Reply-To: <6983ecaa-7436-dd2b-1625-34b5e20ef315@gmx-topmail.de> References: <6983ecaa-7436-dd2b-1625-34b5e20ef315@gmx-topmail.de> Message-ID: Hi, Not quite sure how to solve this in the first place. But as long as nobody has a real answer to this: have you considered disallowing umlauts for passwords via the password policy? You could possibly define a regexp using the password policy type "Regular Expression" that disallows such umlauts. I know it's not the answer to your question, but it may be a workaround until someone can give you a more sophisticated answer. https://www.keycloak.org/docs/3.2/server_admin/topics/authentication/password-policies.html Regards Am 3. September 2018 22:51:37 MESZ schrieb zitrone at gmx-topmail.de: Hi, I have a problem with user passwords which contain umlauts (like ä ö ü, common ones in Germany). They will be stored, but when I try to get a token, it always fails with "Invalid user credentials". I read https://www.keycloak.org/docs/3.4/server_installation/index.html#unicode-considerations-for-databases on how to enable Unicode in the DB, but I don't get which columns to alter. Since the password will be stored hashed and salted, will altering the DB have any effect at all? 
Technical setup: Keycloak 3.4.3.Final with an Oracle DB Regards zitrone ________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From jochen at jochen.org Mon Sep 17 11:52:24 2018 From: jochen at jochen.org (Jochen Hein) Date: Mon, 17 Sep 2018 17:52:24 +0200 Subject: [keycloak-user] Keycloak > FreeIPA 2FA integration In-Reply-To: <8D465691-CC9B-4845-A8F4-4ADFD85067B3@well.ox.ac.uk> (Callum Smith's message of "Mon, 17 Sep 2018 13:06:09 +0000") References: <8D465691-CC9B-4845-A8F4-4ADFD85067B3@well.ox.ac.uk> Message-ID: <83o9cw15qf.fsf@jochen.org> Callum Smith writes: > Keycloak and FreeIPA have separate integrations of 2FA, though very > different obviously store keys in a different database. I was > wondering whether you can configure Keycloak to authenticate against > FreeIPA using the recommended SSSD method and also use the OTP/2FA as > configured in FreeIPA on the backend? > > https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sssd.html Yes, that works fine for password+OTP authentication. I couldn't get Kerberos authentication with password+OTP going in keycloak, but logging in with a kerberos ticket works fine. Jochen -- This space is intentionally left blank. From peterson.dean at gmail.com Mon Sep 17 11:56:16 2018 From: peterson.dean at gmail.com (Dean Peterson) Date: Mon, 17 Sep 2018 10:56:16 -0500 Subject: [keycloak-user] SAML Token contains carriage returns ( ) Message-ID: Is there a way to remove the carriage returns keycloak uses in the saml assertion token? This is incompatible with Websphere idAssertion using keycloak as the Identity provider. 
Ex, notice the carriage-return characters in the content: http://localhost:8080/auth/realms/unemployment-insurance8aoA9CDfFV8PXBnuafSS3JU/MXuGX3to93E+go9DJrk=UpQPIpNTXMuds8BP5a/N08sXeVMV9Bo6/gxb+rZo38tJwu9GGdrX2SeUlQUWVKRcH0qQRlWzVLfO nvb9gbIs/qGrIRQf2nvb40ywN0V8QqCaQr8VU++2rOJGSUfByGjazopvp2WrOM0JdlD6WjeqCs27 L+fpbVKC8GGZQB+KblqQ08xJ17yN0VDxwDAk+QDwkGpioe9p6/nSZZYCIimPF8BR0TxgwCm9KZl7 ASNv+d7m6Zaarj/CnqjLG0zDWPfAdW6R5sWuRmUzHiDG3AwpOaxxLP2d5HGPCRCfmiCHMVN3EVx4 FoQg/ej8QQ1Z0fCOg/N9qRJnFxYbnjMdc1w4rw==Ayvm2xqFD1Xb_CeLG0LbFdh2PuBAflqKnI7kCiTwqjwMIICuzCCAaMCBgFlsHW+ezANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZVbmVtcGxveW1lbnQg SW5zdXJhbmNlMB4XDTE4MDkwNjE5NTUzMVoXDTI4MDkwNjE5NTcxMVowITEfMB0GA1UEAwwWVW5l ..... From princeanand.anandaraj at object-frontier.com Mon Sep 17 12:07:27 2018 From: princeanand.anandaraj at object-frontier.com (Prince Anand Anandaraj) Date: Mon, 17 Sep 2018 21:37:27 +0530 Subject: [keycloak-user] Not able to retrieve password from using keycloak admin api Message-ID: Hi, I am pretty new to keycloak and currently working on securing an application using keycloak. Currently, I am using keycloak version 3.4.3. I am trying to retrieve the password of a user using the keycloak admin api in java.

keycloak = Keycloak.getInstance(
        keyCloakProperties.getProperty("keycloak.baseURL"),
        keyCloakProperties.getProperty("keycloak.loginRealm"),
        keyCloakProperties.getProperty("keycloak.loginId"),
        keyCloakProperties.getProperty("keycloak.loginPwd"),
        keyCloakProperties.getProperty("keycloak.clientId"),
        keyCloakProperties.getProperty("keycloak.secretKey"));
realmResource = keycloak.realm(keyCloakProperties.getProperty("keycloak.userRealm"));
realmResource.users().get(userId).toRepresentation().getCredentials();

The last line of code is supposed to return a list with type but I get only null. Am I missing something? Did anyone else face this issue? If yes, please help!! Thanks in advance.. 
Thanks and regards, Prince Anand Disclaimer : http://www.objectfrontier.com/maildisclaimer.html From triton.oidc at gmail.com Mon Sep 17 12:17:47 2018 From: triton.oidc at gmail.com (triton oidc) Date: Mon, 17 Sep 2018 16:17:47 +0000 Subject: [keycloak-user] add self signed certificate for external IDP without root acces In-Reply-To: References: Message-ID: Hi, I found a solution.

# I copy the system truststore
cp /etc/pki/java/cacerts $keycloak_cert_path/

# Then I import the new CA into the truststore copy
keytool -importcert -file $path_to_cert -keystore $keycloak_cert_path/cacerts -alias "manual-self-signed" -noprompt -storepass $mypassword

# Then I add the options for starting the JVM
./standalone.sh -b $listening_address -Djavax.net.ssl.trustStore=$keycloak_cert_path/cacerts -Djavax.net.ssl.trustStorePassword=$mypassword

Issue: if the system truststore is updated, this trick won't work. Where should I put this trick so nobody with Google has to lose 2 days on this?

On Fri, Sep 14, 2018 at 3:18 PM triton oidc wrote:
> Hi,
>
> It may be a wildfly issue but I'm not sure.
> I'm not root on the server (I can't do an update-ca-trust).
> I configured an external IDP; when keycloak wants to exchange the code for
> the ID token with the external IDP, I get a certificate exception.
>
> I tried adding the certificate to the keystore.
>
> There is no truststore.jks in the standalone.xml, I guess it's using the
> system truststore.
>
> Should I create an empty truststore.jks and try to put it in the
> standalone.xml?
> But I might lose other external IDPs with real public certificates.
>
> I'm sure it's very simple, but I can't get it to work.
>
> I'll take any hints.
> I'll update if I find the solution. 
> > Thanks > > Amaury > From dv at glyphy.com Mon Sep 17 12:28:26 2018 From: dv at glyphy.com (D V) Date: Mon, 17 Sep 2018 12:28:26 -0400 Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes In-Reply-To: References: Message-ID: Hmm ... maybe the lb is pinging the port? I'm running dockercloud/haproxy, which autodetects open ports. However, I'm excluding port 7600 so that it doesn't try to route application requests to JGroups ports. The SocketTimeoutException only happens once at startup, though. I don't see it later when I start running auth tests. Thanks for the pointer to Infinispan statistics query. I ran it for both nodes and saved the results in the "ispn-cluster-query" subdirectory in (previous shared) https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing : - "start" prefix is for the output of the query right after starting the nodes. Node1 starts first, then node2. - "first-auth" is the initial grant_type=password auth. In this set of tests it was done on node1. - "refresh-auth" is the subsequent failing grant_type=refresh_token . It's successful on node1 and failing on node2. - "post-node2-auth" is after grant_type=password auth is executed on node2 (which brings the cluster in-sync). I couldn't spot any issues in the output with my untrained eyes. I wonder, should the statistics be pulled from the sessions distributed cache as well? Is that the one that would be consulted during grant_type=refresh_token auth? Thanks, DV On Mon, Sep 17, 2018 at 4:27 AM Sebastian Laskawiec wrote: > So the only thing that look suspicious is this: > JGRP000006: failed accepting connection from peer: > java.net.SocketTimeoutException: Read timed out > > It might indicate that some other application tried to connect to Keycloak > on port 7600 and immediately disconnected. That leads to a question on your > environment, are you sure you are looking into proper applications servers? 
> Perhaps some other applications (Wildfly for example, since Keycloak is > built on Wildfly) are trying to join the cluster. > > However, if the answer is yes, the next thing to check are Infinispan > statistics over JMX or JBoss CLI. Here's a sample query you may use: > /subsystem=infinispan/cache-container=keycloak/replicated-cache=*:query > And then have a look at number of entries and number of entries in the > cluster. > > @Marek Posolda . perhaps this ring you any bell? > ISPN seems fine here (at least from the logs and symptoms DV's describing. > > On Thu, Sep 13, 2018 at 6:53 PM D V wrote: > >> Weird indeed. Yes, the logs indicate two nodes. I've uploaded the full >> start-up logs here: >> https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing >> . I started node 1, let it settle, then started node 2. You can see that >> node1 starts with just itself, but later node2 joins the cluster and caches >> are rebalanced. >> >> As for the experiment, I tried waiting for a few minutes after both nodes >> started in case there's some synchronization delay somewhere, but it didn't >> change the outcome. >> >> Thanks, >> DV >> >> On Wed, Sep 12, 2018 at 3:22 AM Sebastian Laskawiec >> wrote: >> >>> Hmmm this sounds a bit weird... like there was some delay in the >>> communication path. >>> >>> Could you please look through your logs and look for lines including >>> "view" keyword? Are there two nodes, as expected? How the timestamps relate >>> to your experiment? >>> >> From dv at glyphy.com Mon Sep 17 14:25:21 2018 From: dv at glyphy.com (D V) Date: Mon, 17 Sep 2018 14:25:21 -0400 Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes In-Reply-To: References: Message-ID: I should also follow-up and say that I've got the same setup running in a remote Mesos+Marathon cluster. It's got a different lb setup, but is exhibiting the same behaviour. 
One other note: I've uploaded the load balancer logs in the same directory. Not sure if they're of any use. Cheers, DV On Mon, Sep 17, 2018 at 12:28 PM D V wrote: > Hmm ... maybe the lb is pinging the port? I'm running dockercloud/haproxy, > which autodetects open ports. However, I'm excluding port 7600 so that it > doesn't try to route application requests to JGroups ports. The > SocketTimeoutException only happens once at startup, though. I don't see it > later when I start running auth tests. > > Thanks for the pointer to Infinispan statistics query. I ran it for both > nodes and saved the results in the "ispn-cluster-query" subdirectory in > (previous shared) > https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing > : > - "start" prefix is for the output of the query right after starting the > nodes. Node1 starts first, then node2. > - "first-auth" is the initial grant_type=password auth. In this set of > tests it was done on node1. > - "refresh-auth" is the subsequent failing grant_type=refresh_token . It's > successful on node1 and failing on node2. > - "post-node2-auth" is after grant_type=password auth is executed on node2 > (which brings the cluster in-sync). > > I couldn't spot any issues in the output with my untrained eyes. I wonder, > should the statistics be pulled from the sessions distributed cache as > well? Is that the one that would be consulted during > grant_type=refresh_token auth? > > Thanks, > DV > > On Mon, Sep 17, 2018 at 4:27 AM Sebastian Laskawiec > wrote: > >> So the only thing that look suspicious is this: >> JGRP000006: failed accepting connection from peer: >> java.net.SocketTimeoutException: Read timed out >> >> It might indicate that some other application tried to connect to >> Keycloak on port 7600 and immediately disconnected. That leads to a >> question on your environment, are you sure you are looking into proper >> applications servers? 
Perhaps some other applications (Wildfly for example, >> since Keycloak is built on Wildfly) are trying to join the cluster. >> >> However, if the answer is yes, the next thing to check are Infinispan >> statistics over JMX or JBoss CLI. Here's a sample query you may use: >> /subsystem=infinispan/cache-container=keycloak/replicated-cache=*:query >> And then have a look at number of entries and number of entries in the >> cluster. >> >> @Marek Posolda . perhaps this ring you any bell? >> ISPN seems fine here (at least from the logs and symptoms DV's describing. >> >> On Thu, Sep 13, 2018 at 6:53 PM D V wrote: >> >>> Weird indeed. Yes, the logs indicate two nodes. I've uploaded the full >>> start-up logs here: >>> https://drive.google.com/drive/folders/1AiyLtTXu2AxEbVBdR-5kfJLxqoYladBn?usp=sharing >>> . I started node 1, let it settle, then started node 2. You can see that >>> node1 starts with just itself, but later node2 joins the cluster and caches >>> are rebalanced. >>> >>> As for the experiment, I tried waiting for a few minutes after both >>> nodes started in case there's some synchronization delay somewhere, but it >>> didn't change the outcome. >>> >>> Thanks, >>> DV >>> >>> On Wed, Sep 12, 2018 at 3:22 AM Sebastian Laskawiec >>> wrote: >>> >>>> Hmmm this sounds a bit weird... like there was some delay in the >>>> communication path. >>>> >>>> Could you please look through your logs and look for lines including >>>> "view" keyword? Are there two nodes, as expected? How the timestamps relate >>>> to your experiment? >>>> >>> From triveni.chegireddy at tcs.com Tue Sep 18 01:27:17 2018 From: triveni.chegireddy at tcs.com (Triveni Chegireddy) Date: Tue, 18 Sep 2018 10:57:17 +0530 Subject: [keycloak-user] Keycloak single Log Out not working In-Reply-To: References: Message-ID: Hi, I have few applications, i.e. 
one Spring Boot application using the Keycloak-specific Java starter, Jira and Confluence applications protected using the Miniorange plugin from Atlassian, and a Jenkins application protected using the Keycloak-specific plugin from the Jenkins available plugins, for single sign-on and single logout. The SSO works fine on all applications. However, the problem occurs in case of logout. Below are my observations:
1. When I perform logout on the Java application, then the Jira, Confluence and Jenkins applications still work as normal rather than asking for login again on the next request.
2. And when I perform logout from Jira, then Confluence is redirected to the login page on the next request, but the Spring Boot application works as normal.
3. When I look at the Keycloak admin console, on logout of any application all the sessions of all opened clients in the realm are killed, but the applications keep working as normal instead of redirecting to the login page.
4. As per the Keycloak documentation, the Admin URL shall be set for a particular client, which can be used by the Keycloak server to send backend requests to the application to log out users.
Any idea/help in this regard will be much appreciated. Many thanks. Regards Triveni Chegireddy Tata Consultancy Services Limited Mailto: triveni.chegireddy at tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ From: Triveni Chegireddy/LATAM/TCS To: keycloak-user at lists.jboss.org Date: 09/11/2018 04:30 PM Subject: Re: Keycloak single Log Out not working Hi All, The below issue is blocking our application. Could anyone help us in resolving the Single Logout issue? Regards Triveni Chegireddy From: Triveni Chegireddy/LATAM/TCS To: keycloak-user at lists.jboss.org Date: 09/07/2018 12:42 PM Subject: Keycloak single Log Out not working Hi Team, I am securing many tools using Keycloak for single sign-on and single logout. We are securing tools like Jira and Confluence using the Miniorange plugin. We have a few Spring Boot applications which are to be secured. They are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter. Single sign-on is working fine. The landing application is a Spring Boot web application, which is accessed by giving LDAP credentials. From that application, we will be accessing Jira and Confluence. They are opened without asking me for credentials. But single logout is not working. In the Spring Boot application, on click of Logout, I am calling HttpServletRequest.logout(), which logs me out of the Spring Boot application successfully. But the sessions in Jira and Confluence are not killed. Similarly, once I open the tools from the Spring Boot application, on logout of any tool both Jira and Confluence log out using single logout, but the session in the Spring Boot application is not killed. Could you please help us resolve this issue? Regards Triveni Chegireddy =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you From kkcmadhu at yahoo.com Tue Sep 18 01:57:18 2018 From: kkcmadhu at yahoo.com (Madhu) Date: Tue, 18 Sep 2018 05:57:18 +0000 (UTC) Subject: [keycloak-user] how to create a user with restricted manager-user rights/role for a group References: <1286130129.5758978.1537250238051.ref@mail.yahoo.com> Message-ID: <1286130129.5758978.1537250238051@mail.yahoo.com> Hi, I need to create a group in the master realm, where any user in this group can do manage-users for any other user belonging to the group. Users in this group will not be able to manage any other user (for example the master realm's admin user). I need this kind of facility to work around the issue of the ever-growing access token mentioned in https://issues.jboss.org/browse/KEYCLOAK-1268. My idea is to have a separate group in the master realm which will have view-users, create-realm and manage-users permissions (but they should be able to manage other co-users in this group alone). Once a new realm is created, the user who created it becomes the default admin in the newly provisioned realm; after creating the realm, the logged-in user will appoint a new user (belonging to the new realm) as the admin and relinquish his own rights to be the admin of the new realm (thus keeping his own auth token size at bay). But since the user who created the realm belongs to the master realm and has manage-users access, I would like to ensure that this user does not inadvertently or intentionally mess up the master realm's admin users' access. Can someone guide me on how to set up a group which has restricted manage-users access (i.e. perform manage-users for group members alone)? 
Regards, Madhu From callum at well.ox.ac.uk Tue Sep 18 03:30:40 2018 From: callum at well.ox.ac.uk (Callum Smith) Date: Tue, 18 Sep 2018 07:30:40 +0000 Subject: [keycloak-user] Keycloak > FreeIPA 2FA integration In-Reply-To: <83o9cw15qf.fsf@jochen.org> References: <8D465691-CC9B-4845-A8F4-4ADFD85067B3@well.ox.ac.uk> <83o9cw15qf.fsf@jochen.org> Message-ID: <05C91856-0830-4522-95F2-E92080522699@well.ox.ac.uk> I'm confused by your response: does it work fine with the OTP as defined in FreeIPA? I'm not expecting users to re-configure their OTP codes for Keycloak once they've already configured them in FreeIPA. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum at well.ox.ac.uk On 17 Sep 2018, at 16:52, Jochen Hein wrote: Callum Smith writes: Keycloak and FreeIPA have separate integrations of 2FA, though, being very different, they obviously store keys in different databases. I was wondering whether you can configure Keycloak to authenticate against FreeIPA using the recommended SSSD method and also use the OTP/2FA as configured in FreeIPA on the backend? https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sssd.html Yes, that works fine for password+OTP authentication. I couldn't get Kerberos authentication with password+OTP going in keycloak, but logging in with a kerberos ticket works fine. Jochen -- This space is intentionally left blank. From killman123 at gmail.com Tue Sep 18 04:32:12 2018 From: killman123 at gmail.com (Spur von Haselnüssen) Date: Tue, 18 Sep 2018 10:32:12 +0200 Subject: [keycloak-user] Roles in Keycloak not updated from external identityprovider after first login Message-ID: Hello, I'm using Keycloak 4.4.0.Final in combination with an external identityprovider to authenticate users. 
The eIdP is using the OpenID Connect protocol and has mappers defined in KC to map from a claim in the ID token received from the eIdP's token endpoint to roles defined in my Keycloak server. This works as expected for the first login (when the user was previously unknown to Keycloak), and the user is assigned all roles it has with the external identityprovider. Unfortunately the roles for the user aren't updated when the user logs in any time after that and the ID token contains more or fewer roles. (Mappers are defined and work on the first login.) The user info endpoint is currently unused and disabled. "First broker login" is used as the first login flow. Nothing for the post login flow yet (experimented with that but didn't find anything useful so far, but I guess I need to define something here, but what exactly?). How would I go about updating the roles of a user from the claims in an ID token from an external identityprovider at their second login, like at their first login? Greetings, Stephan From stuarta at squashedfrog.net Tue Sep 18 05:33:52 2018 From: stuarta at squashedfrog.net (Stuart Auchterlonie) Date: Tue, 18 Sep 2018 10:33:52 +0100 Subject: [keycloak-user] 4.4.0.Final tag on Docker Hub? In-Reply-To: References: Message-ID: On 07/09/2018 11:09, Rob Noble wrote: > Hello, > > The 4.4.0.Final tag hasn't appeared on https://hub.docker.com/r/jboss/keycloak/tags/ yet? Did something fail, or am I just being too impatient? > > Thanks, > Rob. > The tag appears to be there now, but when I pull the image I still get 4.3.0.Final # docker inspect jboss/keycloak | grep KEYCLOAK_VERSION "KEYCLOAK_VERSION=4.3.0.Final", Regards Stuart From Brian.Brooks at datapath.com Tue Sep 18 10:26:14 2018 From: Brian.Brooks at datapath.com (Brian Brooks (US)) Date: Tue, 18 Sep 2018 14:26:14 +0000 Subject: [keycloak-user] Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant? 
Message-ID: Thanks for providing keycloak as a free open source security solution. It's awesome! **QUESTIONS** 1. Is there any way to design a keycloak policy for an oauth/uma/bearer token authorization client/resource owner that efficiently expresses the idea that a user is granted access to most items but denied access to a few? Our system manages devices and for some customer systems we have as many as 0.1 million devices. We'd like the app's keycloak policy to default to granting a user write access to all devices but deny access to maybe a few dozen. Ideally, the Requesting Party Token (RPT) response would contain a list of permissions like
Permission {id=3e633107-2291-4694-9f07-728ea6fa7744, name=All Devices Resource, scopes=[device:grant:write]}
Permission {id=86d95056-7e24-4888-93ed-2afe33199212, name=Device 123 Resource, scopes=[device:deny]}
Permission {id=33333333-3333-3333-3333-333333333333, name=Device 456 Resource, scopes=[device:deny]}
2. Does this make sense; is there a better way to implement this idea? 3. Is this possible with keycloak? 4. Are there any quickstart examples that demonstrate use of denials? I've been working with the keycloak quickstarts app-authz-uma-photoz and app-authz-jee-servlet for a while but I don't see them using any "denial" permissions. All the permissions seem to be "grants". I've also been searching the keycloak mailing list for similar questions. I have not seen an answer to this question in these policy related threads: 1. [keycloak-user] Additional attributes for an authorization request http://lists.jboss.org/pipermail/keycloak-user/2017-February/009451.html 2. [keycloak-user] How to implement this using Keycloak http://lists.jboss.org/pipermail/keycloak-user/2016-July/007069.html 3. [keycloak-user] Keycloak authorization protected resource with user attributes http://lists.jboss.org/pipermail/keycloak-user/2016-December/008821.html 4. 
[keycloak-user] understanding the photoz example http://lists.jboss.org/pipermail/keycloak-user/2016-December/008917.html **DETAILS ABOUT APPLICATION** We're upgrading our device management application with keycloak authentication and authorization. We sell our device management application to customers that install and operate the device management application to run the customer's systems. Our device management application consists of: 1. Single Page Application that runs in a web browser. 2. Google Dart-based server-side application from which the SPA gets its data (we wish it was Tomcat-based but don't own the source code). 3. OSGi container running many bundles from which the Dart application gets its data. 4. Several other parts e.g. Reporting, Device Data Collectors, database. For this generation of the application and due to our atypical architecture, we'll probably be manually walking the claims in the RPT in JavaScript to govern our SPA's user interface authorization. The most important data in our system are devices. Devices consist of commands, alarms, values, grids. Devices are typed similar to the relation between Java objects (device) and Java classes (device_type). Devices and parts of devices can be logically grouped into one or more "circuits". A device is attached to a computer (Device Data Collector). A typical system has: 1,000 devices; a very large system may have 0.1 million devices. 100 circuits. Each device has <100 commands, <300 fields, <50 grids, <100 values. Each circuit has 5-20 devices. <15 computers. <100 users; a very large system may have 500 users. Here are some of our application's use cases. Write for our use cases means send commands, change values, etc. Administrators can write to all devices and circuits. Operator A can only read all devices. Operator B can write to all devices except device123, device456, and device678. Operator C can only write circuit1. Operator D can only write computer1. Thanks for reading this far! 5. 
Any advice on how to implement these use cases with a keycloak policy? Is it too ambitious to model this hiearchical permission scheme? What do you recommend? We're a very small development team trying to implement finish this in 2018. Brian From Mattia.Bello at horsa.it Tue Sep 18 10:34:38 2018 From: Mattia.Bello at horsa.it (Mattia Bello) Date: Tue, 18 Sep 2018 14:34:38 +0000 Subject: [keycloak-user] Configure spring application with Spring Security Adapter and Multi Tenancy Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F12EC5@barcellona.horsa.local> Hello, i tried to integrate keycloak Spring Security Adapter and Multi Tenancy but i encountered some problems. I followed the guide step by step: 1. I installed keycloak on server and runned it in standalone mode on port 8180. 2. I added the dependency in pom file: org.keycloak keycloak-spring-security-adapter 4.4.0.Final Because my spring app is a old spring app, i prefer use the xml configure to manage the security. I created keycloakApplicationContext.xml with the configuration describe in the guide (attached keycloakApplicationContext.xml file). The guide continue introduce the Multi tenancy: The Keycloak Spring Security adapter also supports multi tenancy. Instead of injecting AdapterDeploymentContextFactoryBean with the path to keycloak.json you can inject an implementation of the KeycloakConfigResolver interface. More details on how to implement the KeycloakConfigResolver can be found in Multi Tenancy. 3. Then, to implement the Multi tenancy i followed the section: I created the PathBasedKeycloakConfigResolver java class (attached PathBasedKeycloakConfigResolver.java file) and added rows in web.xml file (attached web.xml file). In the previous point, the guide describe that: Instead of injecting AdapterDeploymentContextFactoryBean with the path to keycloak.json you can inject an implementation of the KeycloakConfigResolver interface. 
More details on how to implement the KeycloakConfigResolver can be found in Multi Tenancy."

But in the Multi Tenancy section I didn't find the instructions to do that. In the web.xml I specify the path to keycloak.json and it is required to create the bean. If I delete it, the app fails with an error on startup. What do I do to use Multi Tenancy?

Thanks to all

Mattia Bello
Developer
Horsa S.p.A. Via Cadorna, 67 Vimodrone (MI) Mobile (+39) 347 37 64 875 www.horsa.it

-------------- next part --------------
A non-text attachment was scrubbed... Name: PathBasedKeycloakConfigResolver.java Type: application/octet-stream Size: 1824 bytes Desc: PathBasedKeycloakConfigResolver.java Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180918/f94b0639/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed... Name: web.xml Type: text/xml Size: 11027 bytes Desc: web.xml Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180918/f94b0639/attachment-0002.xml
-------------- next part --------------
A non-text attachment was scrubbed... Name: keycloakApplicationContext.xml Type: text/xml Size: 14101 bytes Desc: keycloakApplicationContext.xml Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180918/f94b0639/attachment-0003.xml

From ebenzacar at gmail.com Tue Sep 18 11:17:53 2018 From: ebenzacar at gmail.com (Eric B) Date: Tue, 18 Sep 2018 11:17:53 -0400 Subject: [keycloak-user] Implicit or Auth code flow for Angular/SPA apps Message-ID:

We are deploying a new Angular SPA which leverages Keycloak for its SSO abilities using OIDC. The app is currently designed using Implicit flow to retrieve short-lived access tokens via the keycloak JS adapter.
However, recently, I've been seeing some emails in the ietf mailing list ( https://www.ietf.org/mail-archive/web/oauth/current/msg16969.html) indicating that Auth code should be preferred over implicit flow due to security issues of having access tokens show up in browser history and/or log files (if any SSL termination/inspection is in place/etc).

I understand the security concerns with having an AT show up anywhere in a log file. I do not, however, understand how the Auth Code flow can be considered as more secure, or why it should be preferred over Implicit flow. Isn't having the Refresh Token in the browser/SPA a higher security risk than having a short-lived AT in a log file?

What is the preferred mechanism to use today? Is there a recommended approach?

Thanks,
Eric

From jochen at jochen.org Tue Sep 18 11:35:53 2018 From: jochen at jochen.org (Jochen Hein) Date: Tue, 18 Sep 2018 17:35:53 +0200 Subject: [keycloak-user] Keycloak > FreeIPA 2FA integration In-Reply-To: <05C91856-0830-4522-95F2-E92080522699@well.ox.ac.uk> (Callum Smith's message of "Tue, 18 Sep 2018 07:30:40 +0000") References: <8D465691-CC9B-4845-A8F4-4ADFD85067B3@well.ox.ac.uk> <83o9cw15qf.fsf@jochen.org> <05C91856-0830-4522-95F2-E92080522699@well.ox.ac.uk> Message-ID: <83d0ta24yu.fsf@jochen.org>

Callum Smith writes:
> I'm confused by your response, does it work fine with the OTP as
> defined in FreeIPA? I'm not expecting users to re-configure their OTP
> codes for Keycloak once they've already configured them in FreeIPA.

I used RADIUS authentication for FreeIPA, so it's somewhat different to your setup. But entering password+OTP at the password prompt worked fine for me.

Jochen
-- This space is intentionally left blank.
From hfuss at bandwidth.com Tue Sep 18 13:09:49 2018 From: hfuss at bandwidth.com (Hayden Fuss) Date: Tue, 18 Sep 2018 13:09:49 -0400 Subject: [keycloak-user] keycloak-openshift:4.4.0.Final Docker image Message-ID:

Hello,

I noticed the Keycloak 4.4.0.Final Docker image was released a week or two ago for jboss/keycloak but not for jboss/keycloak-openshift. Was this intentional? If not, could one please be made?

We've been using the master tag in the meantime, and it seems like something broke in it today when trying to apply the MariaDB CLI scripts and on startup due to it always using a period file handler that can't write to the disk in OpenShift. I've ensured that my standalone-ha.xml file does not have a handler called "FILE" in it... see the stack trace below. I can file a JIRA if need be.

Thanks!

Failed to read or configure the org.jboss.logmanager.LogManager
java.lang.IllegalArgumentException: Failed to instantiate class "org.jboss.logmanager.handlers.PeriodicRotatingFileHandler" for handler "FILE"
    at org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:117)
    at org.jboss.logmanager.config.LogContextConfigurationImpl.doPrepare(LogContextConfigurationImpl.java:335)
    at org.jboss.logmanager.config.LogContextConfigurationImpl.prepare(LogContextConfigurationImpl.java:288)
    at org.jboss.logmanager.config.LogContextConfigurationImpl.commit(LogContextConfigurationImpl.java:297)
    at org.jboss.logmanager.PropertyConfigurator.configure(PropertyConfigurator.java:546)
    at org.jboss.logmanager.PropertyConfigurator.configure(PropertyConfigurator.java:97)
    at org.jboss.logmanager.LogManager.readConfiguration(LogManager.java:170)
    at org.jboss.logmanager.LogManager.readConfiguration(LogManager.java:132)
    at java.util.logging.LogManager$3.run(LogManager.java:399)
    at java.util.logging.LogManager$3.run(LogManager.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.util.logging.LogManager.readPrimordialConfiguration(LogManager.java:396)
    at java.util.logging.LogManager.access$800(LogManager.java:145)
    at java.util.logging.LogManager$2.run(LogManager.java:345)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.util.logging.LogManager.ensureLogManagerInitialized(LogManager.java:338)
    at java.util.logging.LogManager.getLogManager(LogManager.java:378)
    at org.jboss.modules.Main.main(Main.java:523)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.logmanager.config.AbstractPropertyConfiguration$ConstructAction.validate(AbstractPropertyConfiguration.java:115)
    ... 17 more
Caused by: java.io.FileNotFoundException: /opt/jboss/keycloak/standalone/log/server.log (Permission denied)
    at java.io.FileOutputStream.open0(Native Method)
    at java.io.FileOutputStream.open(FileOutputStream.java:270)
    at java.io.FileOutputStream.(FileOutputStream.java:213)
    at org.jboss.logmanager.handlers.FileHandler.setFile(FileHandler.java:151)
    at org.jboss.logmanager.handlers.PeriodicRotatingFileHandler.setFile(PeriodicRotatingFileHandler.java:104)
    at org.jboss.logmanager.handlers.FileHandler.setFileName(FileHandler.java:189)
    at org.jboss.logmanager.handlers.FileHandler.(FileHandler.java:119)
    at org.jboss.logmanager.handlers.PeriodicRotatingFileHandler.(PeriodicRotatingFileHandler.java:72)
    ... 22 more

From dv at glyphy.com Tue Sep 18 17:01:41 2018 From: dv at glyphy.com (D V) Date: Tue, 18 Sep 2018 17:01:41 -0400 Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes In-Reply-To: References: Message-ID:

The issue was resolved in a somewhat unexpected way.
I had a custom org.keycloak.storage.UserStorageProviderFactory SPI registered that returned providers implementing org.keycloak.storage.user.UserLookupProvider, but org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't fully filled out. I just had it return null. It wasn't obvious to me that it was required (or under what circumstances). Once I implemented it, the experiments in my original message passed. I did have to set owners to 2 for the "sessions" and "clientSessions" distributed cache infinispan configs. One thing I noticed is that node2 (the one that doesn't get hit on the initial password auth) has to do a lookup via getUserById the first time it handles a grant_type=refresh_token auth. Is the data it needs not shared across the cluster? It seems to be cached only locally on the node. Just as a test I tried to set all configured non-local caches to be replicated and it didn't help. Any thoughts about this? Thanks, DV > From psilva at redhat.com Tue Sep 18 17:23:11 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 18 Sep 2018 18:23:11 -0300 Subject: [keycloak-user] Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant? In-Reply-To: References: Message-ID: On Tue, Sep 18, 2018 at 11:29 AM Brian Brooks (US) < Brian.Brooks at datapath.com> wrote: > Thanks for providing keycloak as an free open source security solution. > It's awesome! > > **QUESTIONS** > > 1. Is there any way to design a keycloak policy for a oauth/uma/bearer > token authorization client/resource owner that efficiently expresses the > idea that a user is granted access to most items but denied access to a few? > > Our system manages devices and for some customer systems we have as many > as 0.1 million devices. We'd like the app's keycloak policy to default to > granting a user write access to all devices but deny access to maybe a few > dozen. 
Ideally, the Requesting Party Token (RPT) response would contain a > list of permissions like > > Permission {id=3e633107-2291-4694-9f07-728ea6fa7744, name=All Devices > Resource, scopes=[device:grant:write]} > Permission {id=86d95056-7e24-4888-93ed-2afe33199212, name=Device 123 > Resource, scopes=[device:deny]} > Permission {id=33333333-3333-3333-3333-333333333333, name=Device 456 > Resource, scopes=[device:deny]} > > 2. Does this make sense; is there a better way to implement this idea? > 3. Is this possible with keycloak? > 4. Are there any quickstart examples that demonstrate use of denials? > Do you mean also returning the resources/scopes that were not granted by the server ? > > I've been working with the keycloak quickstarts app-authz-uma-photoz and > app-authz-jee-servlet for a while but I don't see them using any "denial" > permissions. All the permissions seem to be "grants". > > I've also have been searching the keycloak mailing list for similar > questions. I have not seen an answer to this question in these policy > related threads: > 1. [keycloak-user] Additional attributes for an authorization request > http://lists.jboss.org/pipermail/keycloak-user/2017-February/009451.html > 2. [keycloak-user] How to implement this using Keycloak > http://lists.jboss.org/pipermail/keycloak-user/2016-July/007069.html > 3. [keycloak-user] Keycloak authorization protected resource with user > attributes > http://lists.jboss.org/pipermail/keycloak-user/2016-December/008821.html > 4. [keycloak-user] understanding the photoz example > http://lists.jboss.org/pipermail/keycloak-user/2016-December/008917.html > > **DETAILS ABOUT APPLICATION** > We're upgrading our device management application with keycloak > authentication and authorization. We sell our device management > application to customers that install and operate the device management > application to run the customer's systems. Our device management > application consists of: > > 1. 
Single Page Application that runs in a web browser.
> 2. Google Dart-based server-side application from which the SPA gets its
> data (we wish it was Tomcat-based but don't own the source code).
> 3. OSGi container running many bundles from which the Dart application gets
> its data.
> 4. Several other parts e.g. Reporting, Device Data Collectors, database
>
> For this generation of the application and due to our atypical
> architecture, we'll probably be manually walking the claims in the RPT in
> JavaScript to govern our SPA's user interface authorization.
>
> The most important data in our system are devices. Devices consist of
> commands, alarms, values, grids. Devices are typed similar to the relation
> between Java objects (device) and Java classes (device_type). Devices and
> parts of devices can be logically grouped into one or more "circuits". A
> device is attached to a computer (Device Data Collector).
>
> A typical system has:
> 1,000 devices; a very large system may have 0.1 million devices.
> 100 circuits
> Each device has <100 commands, <300 fields, <50 grids, <100 values
> Each circuit has 5-20 devices
> <15 computers
> <100 users; a very large system may have 500 users
>
> Here are some of our application's use cases. Write for our use cases
> means send commands, change values, etc.
> Administrators can write to all devices and circuits.
> Operator A can only read all devices.
> Operator B can write to all devices except device123, device456, and
> device678.
> Operator C can only write circuit1.
> Operator D can only write computer1.

In general, you should try using scope-based permissions to govern access for each scope you want to protect. When creating scope-based permissions you can set one or more scopes so the permission will be evaluated for any resource associated with any of these scopes.
You can also write JS policies like that:

    var context = $evaluation.getContext();
    var identity = context.getIdentity();
    var permission = $evaluation.getPermission();
    var resource = permission.getResource();

    if (identity.hasRealmRole('operator_b')) {
        var resourceName = resource.getName();
        if (resourceName.equals('Device 123') || resourceName.equals('Device 456') || resourceName.equals('Device 678')) {
            $evaluation.deny();
        } else {
            // Grant explicitly so operator_b's access to every other device does not
            // depend on the policy's default outcome when neither grant() nor deny() is called.
            $evaluation.grant();
        }
    } else {
        $evaluation.grant();
    }

It's just a matter of making sure this policy is evaluated all the time for a set of one or more scopes (e.g.: using scope-based permissions for the scopes you want to protect) or resources with a specific type (e.g.: resource-based permissions with a type).

> Thanks for reading this far!
>
> 5. Any advice on how to implement these use cases with a keycloak policy?
> Is it too ambitious to model this hierarchical permission scheme? What do
> you recommend? We're a very small development team trying to implement and
> finish this in 2018.
>

We don't support hierarchies .... But you can define types for your resources and apply permissions for any resource with the same type without having to define a specific permission for each resource.

>
> Brian
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From fernando.mayoral at practiv.com Tue Sep 18 17:31:28 2018 From: fernando.mayoral at practiv.com (Fernando Mayoral) Date: Wed, 19 Sep 2018 09:31:28 +1200 Subject: [keycloak-user] Issuer mismatch when using fixed url provider and using different schema Message-ID:

Hello everyone!

I'm trying to develop a very simple filter for an application to exchange the user token with keycloak for another one with different scopes and I'm in trouble with the issuer not matching. Both the filter and keycloak are deployed in docker containers and connect directly to each other.
The user authenticating into this application does it through a public website, e.g. https://sample.com so the issuer in the token will look something like https://sample.com/auth/realm or similar given the current implementation. The filter exchanging the token connects to keycloak through http, e.g. http://my-keycloak the issuer would normally look like http://my-keycloak/auth/realm, but because we are configuring the fixed hostname provider to be sample.com it actually looks like http://sample.com/auth/realm , so it's pretty close but it's http instead of https because the hostname SPI introduced in KEYCLOAK-7967 doesn't support a fixed schema (as far as I could tell at least by looking at the PR and configs). And because that's being used to validate the token, and there's no way I'm aware of setting the schema I haven't been able to get it running properly. Is there any known solution to this limitation? My take is that schema should be supported by the fixed hostname provider, otherwise I think it misses the point of supporting a "backchannel URL back to the adapters to allow adapters to use internal IP address when communicating with Keycloak" On top of that, I believe there's a confusion on what the issuer is; As per RFC-7519:4.1.1 The "iss" (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The "iss" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL. i.e. not a URL and certainly not necessarily linked to the URL of the issuing system, it's just a URI value defined arbitrarily. I believe that this concept is more closely related to realm application clients rather than to the entire keycloak server; i.e. issuer/accepted issuers could be defined per client. Because of this I've taken the liberty to raise KEYCLOAK-8310 Still, is there any known/recommended way to workaround this issue? Thanks for your time, Fernando. 
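The mismatch Fernando describes, as an added example that is not part of his post nor Keycloak's or any adapter's code: a back-channel filter should compare `iss` against an explicitly configured public issuer that includes the scheme, instead of deriving the issuer from whatever URL it reaches Keycloak on. Keycloak issues tokens with `iss` of the form `<scheme>://<host>/auth/realms/<realm>`; the realm name `sample-realm`, the hostnames and the `alg=none` test token below are constructed for the example. Signature verification is deliberately left out so the issuer comparison stands on its own; a real filter must verify the signature before trusting any claim.

```python
import base64
import json

# Keycloak issues tokens with iss = <scheme>://<host>/auth/realms/<realm>.
# "sample-realm" and the hostnames below are placeholders, not values from the thread.
def expected_issuer(scheme, host, realm):
    return "{}://{}/auth/realms/{}".format(scheme, host, realm)

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def jwt_claims(token):
    """Payload claims of a compact JWT. Signature verification is omitted here so
    that the issuer check stands on its own; a real filter verifies the signature
    first and only then looks at claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def issuer_matches(token, accepted_issuers):
    """RFC 7519 4.1.1: iss is a case-sensitive StringOrURI. Compare it exactly
    against an explicit allow-list; never normalise scheme, host or case."""
    iss = jwt_claims(token).get("iss")
    return iss is not None and iss in set(accepted_issuers)

def make_unsigned_token(claims):
    """Constructed alg=none token used only to exercise the claim check."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return "{}.{}.".format(header, _b64url_encode(claims))

# Token as issued through the public site (constructed).
USER_TOKEN = make_unsigned_token({"iss": "https://sample.com/auth/realms/sample-realm",
                                  "sub": "user-1"})

# Issuer the filter would derive from its own back-channel URL: wrong host AND scheme.
BACKCHANNEL_ISSUER = expected_issuer("http", "my-keycloak", "sample-realm")
# Fixed hostname provider with no scheme setting: right host, wrong scheme.
FIXED_HOST_HTTP_ISSUER = expected_issuer("http", "sample.com", "sample-realm")
# Explicitly configured public issuer, scheme included: what the filter should be given.
PUBLIC_ISSUER = expected_issuer("https", "sample.com", "sample-realm")

def demo():
    """Outcome of the three candidate issuers against the same user token."""
    return {
        "backchannel": issuer_matches(USER_TOKEN, [BACKCHANNEL_ISSUER]),
        "fixed_host_http": issuer_matches(USER_TOKEN, [FIXED_HOST_HTTP_ISSUER]),
        "public": issuer_matches(USER_TOKEN, [PUBLIC_ISSUER]),
    }

if __name__ == "__main__":
    print(demo())
```

Only the third candidate matches: an issuer that is correct in host but not in scheme is still a different string, which is exactly the failure the fixed hostname provider produces when it cannot be told the scheme. Giving the filter the public issuer as configuration (and accepting a small allow-list if several front ends exist) avoids depending on the URL the filter itself uses to reach Keycloak.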
From arun.velayudhan at motorolasolutions.com Wed Sep 19 04:48:02 2018 From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan) Date: Wed, 19 Sep 2018 14:18:02 +0530 Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space In-Reply-To: References: Message-ID:

Thanks Sebastian and Peter.

After increasing the JVM memory and setting the cache limits the out-of-memory exception has been arrested. But I started observing a lot of get-token requests failing after some time, i.e. after 12hrs of run. On debugging, a lot of failures are observed once the full GC is executed. Has anyone observed this behavior, or any pointers?

Arun

On Wed, Aug 8, 2018 at 5:26 PM, Nalyvayko, Peter wrote:
> Hi Arun,
> Yes, we have seen this issue before. A temporary remedy has been to
> increase jVM's maximum heap size, among other things, like changing the
> eviction rate and infinispan cache sizes.
> --Peter
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Arun Velayudhan
> Sent: Wednesday, August 8, 2018 1:02 AM
> To: keycloak-user
> Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>
> Hello,
> We ran keycloak with some basic load (like auth, gettoken) for a few hours
> and after some time Keycloak threw an Out-of-memory error. Has anyone
> faced a similar kind of problem. Would be keen to know what was done to
> mitigate.
>
> Version of Keycloak -> 4.0.0.Final.
>
> =====
> 18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
>
> 18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>
> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>
> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
> ===============
>
> Pls find with the startup configuration
> ===
>
> 19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
>
> ==================
>
> Arun
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From arun.velayudhan at motorolasolutions.com Wed Sep 19 05:19:12 2018 From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan) Date: Wed, 19 Sep 2018 14:49:12 +0530 Subject: [keycloak-user] Get token returns new refresh token before expiry of refresh token Message-ID:

Hello All,

Whenever we renew an access token keycloak returns a new refresh token. Suppose the access token expiry is 30min and refresh token is 24hrs; for every new access token request (i.e. at intervals of 30min) a new refresh token (same expiry) gets created by keycloak. I suspect this might be a cause for memory growth in keycloak under traffic conditions. Is there any specific configuration that can be enabled in keycloak so that keycloak can reuse the same refresh token till it expires?

Arun

From federico.facca at martel-innovate.com Wed Sep 19 06:02:04 2018 From: federico.facca at martel-innovate.com (Federico Michele Facca) Date: Wed, 19 Sep 2018 12:02:04 +0200 Subject: [keycloak-user] OAuth Tokens and IoT Devices Message-ID:

Hi,

what is the current best solution in Keycloak to support a scenario where devices need to authenticate using OAuth against an API? At the moment, to simplify, we use offline refresh tokens and every time the token is expired we generate a new token out of that. In terms of performance the trick we use is to cache the access token and refresh it when needed with a background process. This process, unfortunately, for some tiny computational devices can be quite demanding and slow down the most important goal of sending data to the API at given intervals.
A better solution could be having a way to create never-expiring access tokens (or with a manually defined expiry date). We understand that may introduce security issues, but it would be only for specific scenarios (and I doubt it will introduce more issues than the offline token).

Feelings? Suggestions?

Cheers,
Federico

--
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* - Professional support for innovation projects

From derek.gibson at cimenviro.com Wed Sep 19 06:18:05 2018 From: derek.gibson at cimenviro.com (Derek Gibson) Date: Wed, 19 Sep 2018 12:18:05 +0200 Subject: [keycloak-user] problem with nginx reverse proxy and ip access control Message-ID:

Hi there,

I'm having a hard time trying to get ip restriction working behind an nginx reverse proxy on Keycloak 4.3

I have configured an ip filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction

and my nginx server block

    server {
        listen 443 ssl;
        server_name keycloak.example.com;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass https://keycloak-prx.example.com;
        }
    }

This works as intended when I request it directly, however when I try to access via nginx reverse proxy I get a 403 regardless of the ip I set in the ip-access-control filter, whether I have the host ip, or the proxy or gateway.
Undertow debug shows that the correct ip's (as far as I understand that it should be) are being passed by nginx

10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/
10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com]} response {}}

but I do not get any debug logs for matches for /auth/admin, I only get an entry

09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/

and no subsequent security logs for that request

Have I misconfigured something or could this be a bug? Are there any steps that I can take to debug this further?

my debug settings are ... ... all else is INFO

Would really appreciate any help at all on this

thanks
Derek

From amjad.qau at gmail.com Wed Sep 19 06:51:30 2018 From: amjad.qau at gmail.com (Amjad) Date: Wed, 19 Sep 2018 03:51:30 -0700 (MST) Subject: [keycloak-user] Unable to perform Keycloak single logout Message-ID: <1537354290563-0.post@n6.nabble.com>

I am using keycloak to authenticate users of two applications.
One application is Django based, protected using mod_auth_openidc over apache, whereas the 2nd application is Java based, hosted on wildfly and protected using the keycloak-specific java adapter. The SSO works fine on both applications. However, the problem occurs in case of Logout.

When I perform logout from the Django application, then both applications are redirected to login on the next request. However, when I perform logout on the java application, then the Django application still works as normal rather than asking for login again on the next request.

As per the keycloak documentation, the Admin URL shall be set for a particular client that can be used by the Keycloak server to send backend requests to the application for various tasks, like logging out users or pushing revocation policies. This doesn't seem to work, as I can not see any back-end request generated by keycloak against the logout performed by the Java-based application. If I generate the logout from the keycloak admin utility then the apache logs show a post action for k_logout.

I think I am missing some configuration, but don't know what? Any idea/help in this regard will be much appreciated. Many thanks.
I am using the following versions of different components:

mod_auth_openidc 2.3.7
apache 2.4.34
Ubuntu 16.4
Keycloak 4.2.1

and my mod_auth_openidc configurations are:

    WSGIDaemonProcess myproject python-home=path_to_v_env python-path=path_to_python
    WSGIProcessGroup myproject
    WSGIScriptAlias / path_to_wsgi.py
    OIDCProviderMetadataURL http://keycloak_domain/auth/realms/demo/.well-known/openid-configuration
    OIDCRedirectURI http://domain_name/testapp
    OIDCCryptoPassphrase random4321
    OIDCClientID testapp
    OIDCClientSecret client_secret
    OIDCDefaultLoggedOutURL http://domain_name/
    OIDCScope "openid email profile"
    AuthType openid-connect
    Require valid-user

-- Sent from: http://keycloak-user.88327.x6.nabble.com/

From slaskawi at redhat.com Wed Sep 19 06:51:49 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Wed, 19 Sep 2018 12:51:49 +0200 Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space In-Reply-To: References: Message-ID:

That's the line you're balancing on. If the cache is very big, you might get an OOM Error. If it's too small, you will observe plenty of queries to the database. You need to find what size works best for you.

On Wed, Sep 19, 2018 at 10:56 AM Arun Velayudhan < arun.velayudhan at motorolasolutions.com> wrote:
> Thanks Sebastian and Peter.
> After increasing the JVM memory and setting the cache limits the
> out-of-memory exception has been arrested. But I started observing lot of
> get-token requests failing after sometime i.e after 12hrs of run. On
> debugging, lot of failures are observed once the full GC is executed.
> Anyone has observed this behavior or any pointers?
>
>
> Arun
>
>
> On Wed, Aug 8, 2018 at 5:26 PM, Nalyvayko, Peter
> wrote:
>
> > Hi Arun,
> > Yes, we have seen this issue before. A temporary remedy has been to
> > increase jVM's maximum heap size, among other things, like changing the
> > eviction rate and infinispan cache sizes.
> > --Peter > > > > -----Original Message----- > > From: keycloak-user-bounces at lists.jboss.org > > jboss.org> On Behalf Of Arun Velayudhan > > Sent: Wednesday, August 8, 2018 1:02 AM > > To: keycloak-user > > Subject: [keycloak-user] Uncaught server error: > > java.lang.OutOfMemoryError: Java heap space > > > > Hello, > > We ran keycloak with some basic load (like auth, gettoken) for few hours > > at theand after sometime Keycloak threw an Out-of-memory error. Has > anyone > > faced similar kind of problem. Would be keen to know what was done to > > mitigate. > > > > Version of Keycloak -> 4.0.0.Final. > > > > > > > > ===== > > 18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) > > ARJUNA012117: TransactionReaper::check timeout for TX > > 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN > > > > 18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > > (default task-199) Uncaught server error: java.lang.OutOfMemoryError: > Java > > heap space > > > > 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > > (default task-219) Uncaught server error: java.lang.OutOfMemoryError: > Java > > heap space > > > > 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > > (default task-505) Uncaught server error: java.lang.OutOfMemoryError: > Java > > heap space =============== > > > > Pls find with the startup configuration > > === > > > > 19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM > > Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M > > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/ > > standalone/log/server.log > > -Dlogging.configuration=file:/DG/activeRelease/keycloak/ > > standalone/configuration/logging.properties > > > > ================== > > > > > > > > Arun > > _______________________________________________ > > 
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From slaskawi at redhat.com Wed Sep 19 06:55:34 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Wed, 19 Sep 2018 12:55:34 +0200 Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes In-Reply-To: References: Message-ID:

Thanks for letting us know DV!

Setting the number of owners equal to the cluster size doesn't make any sense. You might use a replicated cache in that scenario (which works the same way apart from some Infinispan internal behavior, which can be omitted in your case).

Could you please paste your Infinispan configuration? Maybe there's some hint there...

Thanks,
Seb

On Tue, Sep 18, 2018 at 11:02 PM D V wrote:
> The issue was resolved in a somewhat unexpected way. I had a custom
> org.keycloak.storage.UserStorageProviderFactory SPI registered that
> returned providers
> implementing org.keycloak.storage.user.UserLookupProvider,
> but org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't
> fully filled out. I just had it return null. It wasn't obvious to me that
> it was required (or under what circumstances). Once I implemented it, the
> experiments in my original message passed. I did have to set owners to 2
> for the "sessions" and "clientSessions" distributed cache infinispan
> configs.
>
> One thing I noticed is that node2 (the one that doesn't get hit on the initial password auth) has to do a lookup via getUserById the first time it handles a grant_type=refresh_token auth. Is the data it needs not shared across the cluster? It seems to be cached only locally on the node. Just as a test I tried to set all configured non-local caches to be replicated and it didn't help. Any thoughts about this?
>
> Thanks,
> DV
>

From jernej.porenta at 3fs.si Wed Sep 19 07:22:00 2018
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Wed, 19 Sep 2018 13:22:00 +0200
Subject: [keycloak-user] problem with nginx reverse proxy and ip access control
In-Reply-To:
References:
Message-ID: <8AA69DF9-CB9A-4806-95C5-926684B17953@3fs.si>

Hey Derek,

I had the exact same issue and tried multiple options:
- inverted undertow ip-access-control rule
- turning the knobs by proxy-address-forwarding mangling (changing headers etc.)
- checking the client IP by request logging (which was right in the keycloak logs)
- multiple ways of specifying the rules within undertow (based on RH documentation)

None of them worked. In the end, I implemented that at nginx level. It isn't the most beautiful solution (k8s nginx ingress), but it is working as expected.

The only one which I hadn't tried at that time is that maybe the X-Forwarded-For header included multiple IPs (X-Forwarded-For: 1.2.3.4 5.6.7.8). You can test that by stripping them and adding only the original one with nginx.

br, Jernej

> On 19 Sep 2018, at 12:18, Derek Gibson wrote:
>
> Hi there,
>
> I'm having a hard time trying to get ip restriction working behind an nginx reverse proxy on Keycloak 4.3
>
> I have configured an ip filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction
>
>
> and my nginx server block
>
> server {
>     listen 443 ssl;
>     server_name keycloak.example.com;
>     location / {
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_pass https://keycloak-prx.example.com;
>     }
> }
>
> This works as intended when I request it directly, however when I try to access via the nginx reverse proxy I get a 403 regardless of the ip I set in the ip-access-control filter, whether I have the host ip, or the proxy or gateway.
>
> Undertow debug shows that the correct ip's (as far as I understand that it should be) are being passed by nginx
>
> 10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/
> 10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com]} response {}}
>
> but I do not get any debug logs for matches for /auth/admin, I only get an entry
>
> 09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/
>
> and no subsequent security logs for that request
>
> Have I misconfigured something or could this be a bug?
> Are there any steps that I can take to debug this further?
>
> my debug settings are
>
> ...
>
> ...
>
> all else is INFO
>
> Would really appreciate any help at all on this
> thanks
> Derek

From psilva at redhat.com Wed Sep 19 08:12:35 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 19 Sep 2018 09:12:35 -0300
Subject: [keycloak-user] OAuth Tokens and IoT Devices
In-Reply-To:
References:
Message-ID:

Or you can use long-lived tokens (e.g. 1 week, 1 month) and reduce the frequency your devices refresh tokens ...

On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
> Hi,
> what is the current best solution in Keycloak to support a scenario where devices need to authenticate using OAuth against an API?
>
> At the time being, to simplify, we use offline refresh tokens and every time the token is expired we generate a new token out of that.
>
> In terms of performance the trick we use is to cache the access token and refresh it when needed with a background process. This process, unfortunately, for some tiny computational devices can be quite demanding and slow down the most important goal of sending data to the API at given intervals.
>
> A better solution could be having a way to create never-expiring access tokens (or with a manually defined expiry date); we understand that may introduce security issues, but it would be only for specific scenarios (and I doubt it will introduce more issues than the offline token).
>
> Feelings? Suggestions?
>
> Cheers,
> Federico
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* - Professional support for innovation projects
> Click to download our innovators' insights!
> Follow Us on Twitter

From federico.facca at martel-innovate.com Wed Sep 19 08:20:00 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Wed, 19 Sep 2018 14:20:00 +0200
Subject: [keycloak-user] OAuth Tokens and IoT Devices
In-Reply-To:
References:
Message-ID:

Hi Pedro :)
My understanding (but I may be wrong) is that in this way I will affect the whole realm, not just a client. Correct?

Cheers,
Federico

On 19 September 2018 at 14:12, Pedro Igor Silva wrote:
> Or you can use long-lived tokens (e.g. 1 week, 1 month) and reduce the frequency your devices refresh tokens ...
>
> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>

-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* - Professional support for innovation projects
Click to download our innovators' insights!
Follow Us on Twitter

From psilva at redhat.com Wed Sep 19 08:26:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 19 Sep 2018 09:26:11 -0300
Subject: [keycloak-user] OAuth Tokens and IoT Devices
In-Reply-To:
References:
Message-ID:

Hi,

Yeah, true. Although there are some discussions happening about overriding token lifetime in clients. But yeah, right now any change in this regard will affect all clients in your realm ...

On Wed, Sep 19, 2018 at 9:20 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
> Hi Pedro :)
> My understanding (but I may be wrong) is that in this way I will affect the whole realm, not just a client. Correct?
>
> Cheers,
> Federico
>
> On 19 September 2018 at 14:12, Pedro Igor Silva wrote:
>> Or you can use long-lived tokens (e.g. 1 week, 1 month) and reduce the frequency your devices refresh tokens ...
>>
>> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>
>
> --
> *Dr. FEDERICO MICHELE FACCA*
> *Head of Martel Lab*
> 0041 78 807 58 38
> *Martel Innovate* - Professional support for innovation projects
> Click to download our innovators' insights!
> Follow Us on Twitter

From arun.velayudhan at motorolasolutions.com Wed Sep 19 09:03:00 2018
From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan)
Date: Wed, 19 Sep 2018 18:33:00 +0530
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
In-Reply-To:
References:
Message-ID:

Thanks for the input.

I am ok if there are a few failures and a few successes and the system runs in this manner, so that we can tune the cache and make it better. But in our case, once the full GC is executed almost all the get-token requests are failing. Keycloak doesn't seem to be recovering from here.

Here are my startup JVM params
=================
JAVA_OPTS="-Xms2048m -Xmx4096m -XX:-PrintGC -XX:-PrintGCDetails -XX:-PrintGCTimeStamps -Xloggc:/DGlogs/gclogs.txt -XX:-UseGCLogFileRotation -XX:NumberOfGCLogFiles=20 -XX:GCLogFileSize=10M -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
===================

And below is the cache configuration ... If there is any better recommendation I would be glad to try that out....
===========================
==================

Thanks
Arun

On Wed, Sep 19, 2018 at 4:21 PM, Sebastian Laskawiec wrote:
> That's the line you're balancing on. If the cache is very big, you might get an OOM Error. If it's too small, you will observe plenty of queries to the database. You need to find what size works best for you.
>
> On Wed, Sep 19, 2018 at 10:56 AM Arun Velayudhan <arun.velayudhan at motorolasolutions.com> wrote:
>
>> Thanks Sebastian and Peter.
>> After increasing the JVM memory and setting the cache limits the out-of-memory exception has been arrested. But I started observing a lot of get-token requests failing after some time, i.e. after 12hrs of run. On debugging, a lot of failures are observed once the full GC is executed. Has anyone observed this behavior, or any pointers?
>>
>> Arun
>>
>> On Wed, Aug 8, 2018 at 5:26 PM, Nalyvayko, Peter wrote:
>>
>> > Hi Arun,
>> > Yes, we have seen this issue before. A temporary remedy has been to increase the JVM's maximum heap size, among other things, like changing the eviction rate and infinispan cache sizes.
>> > --Peter
>> >
>> > -----Original Message-----
>> > From: keycloak-user-bounces at lists.jboss.org On Behalf Of Arun Velayudhan
>> > Sent: Wednesday, August 8, 2018 1:02 AM
>> > To: keycloak-user
>> > Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>> >

From dv at glyphy.com Wed Sep 19 09:21:21 2018
From: dv at glyphy.com (D V)
Date: Wed, 19 Sep 2018 09:21:21 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To:
References:
Message-ID:

Makes sense re: replicated caches. Here's my infinispan subsystem config right now:

The scenario I'm testing:
1. Auth with grant_type=password on node1.
2. Shut down node1.
3. Auth with grant_type=refresh_token on node2.

When client_sessions is not replicated (distributed, with owners=1, as in the distribution's standalone-ha.xml), I get this on node2:

{ "error": "invalid_grant", "error_description": "Session doesn't have required client" }

When sessions is not replicated:

{ "error": "invalid_grant", "error_description": "Session not active" }

On Wed, Sep 19, 2018 at 6:56 AM Sebastian Laskawiec wrote:
> Thanks for letting us know DV!
>
> Setting the number of owners equal to the cluster size doesn't make any sense.
> You might use a replicated cache in that scenario (which works the same way apart from some Infinispan internal behavior, which can be omitted in your case). Could you please paste your Infinispan configuration? Maybe there's some hint there...
>
> Thanks,
> Seb
>
> On Tue, Sep 18, 2018 at 11:02 PM D V wrote:
>

From federico.facca at martel-innovate.com Wed Sep 19 10:14:06 2018
From: federico.facca at martel-innovate.com (Federico Michele Facca)
Date: Wed, 19 Sep 2018 16:14:06 +0200
Subject: [keycloak-user] OAuth Tokens and IoT Devices
In-Reply-To:
References:
Message-ID:

What about taking a similar approach to the "access_offline" role? Having a role which is "infinite_token" that, if granted and used as scope in a request, grants you a token that lasts until revoked?

federico

On 19 September 2018 at 14:26, Pedro Igor Silva wrote:
> Hi,
>
> Yeah, true. Although there are some discussions happening about overriding token lifetime in clients. But yeah, right now any change in this regard will affect all clients in your realm ...
>
> On Wed, Sep 19, 2018 at 9:20 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>> Hi Pedro :)
>> My understanding (but I may be wrong) is that in this way I will affect the whole realm, not just a client. Correct?
>>
>> Cheers,
>> Federico
>>
>> On 19 September 2018 at 14:12, Pedro Igor Silva wrote:
>>> Or you can use long-lived tokens (e.g. 1 week, 1 month) and reduce the frequency your devices refresh tokens ...
>>>
>>> On Wed, Sep 19, 2018 at 7:14 AM Federico Michele Facca <federico.facca at martel-innovate.com> wrote:
>>>

-- 
*Dr. FEDERICO MICHELE FACCA*
*Head of Martel Lab*
0041 78 807 58 38
*Martel Innovate* - Professional support for innovation projects
Click to download our innovators' insights!
Follow Us on Twitter

From Brian.Brooks at datapath.com Wed Sep 19 11:40:04 2018
From: Brian.Brooks at datapath.com (Brian Brooks (US))
Date: Wed, 19 Sep 2018 15:40:04 +0000
Subject: [keycloak-user] Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant?
In-Reply-To:
References:
Message-ID:

Hi Pedro,

Thanks for taking the time to respond.

I responded to your question inline below.

Brian

>> On Tue, Sep 18, 2018 at 11:29 AM Brian Brooks (US) wrote:
>>
>> 1. Is there any way to design a keycloak policy for an oauth/uma/bearer token authorization client/resource owner that efficiently expresses the idea that a user is granted access to most items but denied access to a few?
>>
>> Our system manages devices and for some customer systems we have as many as 0.1 million devices. We'd like the app's keycloak policy to default to granting a user write access to all devices but deny access to maybe a few dozen.
>> Ideally, the Requesting Party Token (RPT) response would contain a list of permissions like
>>
>> Permission {id=3e633107-2291-4694-9f07-728ea6fa7744, name=All Devices Resource, scopes=[device:grant:write]}
>> Permission {id=86d95056-7e24-4888-93ed-2afe33199212, name=Device 123 Resource, scopes=[device:deny]}
>> Permission {id=33333333-3333-3333-3333-333333333333, name=Device 456 Resource, scopes=[device:deny]}
>
> On Tuesday, September 18, 2018 5:23 PM Pedro Igor Silva wrote:
> Do you mean also returning the resources/scopes that were not granted by the server?

No, I was trying to minimize the number of permission entries in the RPT. If the set of devices a user can access is

  {All Devices} - {Device 123, Device 456}

then I was trying to model the permissions that way, i.e.

  grant(All) + deny({Device123, Device456})

rather than

  grant(Device0, Device1, Device2, ..., DeviceN-3), where N may be 0.1 million.

N-3 because Device123 and Device456 will not be included because this user isn't authorized.

Our concern is overloading keycloak with too many resources and the RPT with too many permission entries. Is there an upper limit on how many resources keycloak supports? Has any scalability testing been done on resource count? If so, what were the results?

By "resources", I mean the data shown in this part of the Keycloak Admin Console
http://localhost:8180/auth/admin/master/console/#/realms/photoz/clients//authz/resource-server/resource

If denials are not really supported in keycloak, are there any quickstart examples that demonstrate "paging" the RPT when resource counts/permissions exceed 10,000 (or whatever value would result in HTTP response problems)?

From psilva at redhat.com Wed Sep 19 12:35:31 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 19 Sep 2018 13:35:31 -0300
Subject: [keycloak-user] Keycloak 4.x Fine Grained Authorization - OAuth / UMA - Permissions That Deny Rather Than Grant?
In-Reply-To:
References:
Message-ID:

On Wed, Sep 19, 2018 at 12:40 PM Brian Brooks (US) <Brian.Brooks at datapath.com> wrote:
> Hi Pedro,
>
> Thanks for taking the time to respond.
>
> I responded to your question inline below.
>
> Brian
>
> Our concern is overloading keycloak with too many resources and the RPT with too many permission entries.
> Is there an upper limit on how many resources keycloak supports?

No limit.

> Has any scalability testing been done on resource count? If so, what were the results?

Nothing official, but we did a few performance improvements in the last releases and the number of resources should not impact performance. But how you obtain permissions from the server does. For instance, if you ask permissions for all resources you could get bad response times depending on how many resources you have. But requesting only a few, using limits to the number of permissions the server should evaluate and performing incremental authorization, you should get a good experience.

The number of resources you actually need also depends on how you design your resources and permissions. For instance, if all your resources share the same access constraints, you could have a "Device Resource" representing all of them, where permissions associated with this resource can be used to check whether or not a user has access to a set of devices. In a nutshell, you should consider a resource in keycloak not only as a 1:1 map to what you want to protect, as it can also represent a set of one or more resources in your application.

Considering your example, why can't the user access Device123 and Device456? Are you denying access to the resource or only to some scopes/actions users can perform on it?

> By "resources", I mean the data shown in this part of the Keycloak Admin Console
> http://localhost:8180/auth/admin/master/console/#/realms/photoz/clients//authz/resource-server/resource
>
> If denials are not really supported in keycloak, are there any quickstart examples that demonstrate "paging" the RPT when resource counts/permissions exceed 10,000 (or whatever value would result in HTTP response problems)?

https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

From peterson.dean at gmail.com Wed Sep 19 13:49:39 2018
From: peterson.dean at gmail.com (Dean Peterson)
Date: Wed, 19 Sep 2018 12:49:39 -0500
Subject: [keycloak-user] SAML RSAKeyValue causing error
Message-ID:

I am having trouble using Keycloak as the external provider to our Websphere application. I received the following response from IBM support:

  I discussed the issue with our SAML SSO SME. He found that the SAML token, besides X509Certificate, also contains RSAKeyValue. This document states: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/cwbs_limitationsofsaml.html

  RSAKeyValue is supported for the KeyInfo element in a Signature. However, the X.509 certificate is not available when using RSAKeyValue. When the X.509 certificate is not available to the runtime, the signer of the SAML Assertion cannot be checked against a truststore. If you want to receive SAML Assertions that use RSAKeyValue you cannot configure the runtime to use a truststore.

  Can you config the idP so that it only sends the X509 certificate, not RSAKey?

Is it possible to remove the RSAKeyValue from the SAML token and still send just the certificate?

From gintautas.sulskus at gmail.com Wed Sep 19 19:09:38 2018
From: gintautas.sulskus at gmail.com (Gintautas Sulskus)
Date: Thu, 20 Sep 2018 00:09:38 +0100
Subject: [keycloak-user] Forward Keycloak Events to Kafka
Message-ID:

Hi Thomas,

Have you come across such an extension in the end?

Best,
Gintas

> Hello,
> just wanted to know if someone on this mailing list has already built a keycloak extension that forwards Keycloak user / admin events to Kafka?
> Cheers,
> Thomas

From jpperata at gmail.com Wed Sep 19 22:01:19 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Wed, 19 Sep 2018 23:01:19 -0300
Subject: [keycloak-user] Keycloak single Log Out not working
In-Reply-To:
References:
Message-ID:

Hi Triveni,

I faced a similar problem with applications secured by keycloak. After a while testing the app behaviour and reviewing some github samples, I realized I had omitted the admin URL setting for each client (you pointed that out in your mail). That solved my single sign-out issue.

You can check the archived messages of this list; I mentioned my issue a few months ago. You can also review the keycloak samples on github.

Hope it helps.

KR,
Juan

On Tue, 18 Sep 2018 12:35, Triveni Chegireddy <triveni.chegireddy at tcs.com> wrote:
> Hi,
>
> I have a few applications, i.e. one Spring Boot application using the keycloak-specific java starter, another jira and confluence applications protected using the Miniorange plugin from Atlassian, and another jenkins application protected using the keycloak-specific plugin from the Jenkins available plugins, for single sign on and single logout. The SSO works fine on all applications. However, the problem occurs in case of Logout. Below are my observations:
>
> 1. When I perform logout on the java application, then the jira, confluence and jenkins applications still work as normal rather than asking for login again on the next request.
> 2. And when I perform logout from Jira, then Confluence is getting redirected to the Login page on the next request but the Spring boot application works as normal.
> 3. When I look at the keycloak admin console, on logout of any application all the sessions of all opened clients in the Realm are killed, but the applications are working normally instead of redirecting to the Login page.
> 4. As per the keycloak documentation, Admin URL shall be set for a particular client that can be used by the Keycloak server to send backend requests to the application for logout users.
>
> Any idea/help in this regard will be much appreciated. Many thanks.
>
> Regards
> Triveni Chegireddy
> Tata Consultancy Services Limited
> Mailto: triveni.chegireddy at tcs.com
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty. IT Services
> Business Solutions
> Consulting
> ____________________________________________
>
> From: Triveni Chegireddy/LATAM/TCS
> To: keycloak-user at lists.jboss.org
> Date: 09/11/2018 04:30 PM
> Subject: Re: Keycloak single Log Out not working
>
> Hi All,
>
> The below issue is blocking in our application. Could anyone help us in resolving the Single Logout issue.
>
> Regards
> Triveni Chegireddy
>
> From: Triveni Chegireddy/LATAM/TCS
> To: keycloak-user at lists.jboss.org
> Date: 09/07/2018 12:42 PM
> Subject: Keycloak single Log Out not working
>
> Hi Team,
>
> I am securing many tools using Keycloak for Single sign on and Single Logout. We are securing tools like Jira, Confluence using the Miniorange plugin. We have a few Spring boot applications which are to be secured. They are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter. Single Sign on is working fine. The landing application is a spring boot web application, which is accessed by giving LDAP credentials. From that application, we will be accessing Jira, Confluence. They are opened without asking me for credentials. But Single Logout is not working. In the Spring boot application, on click of Logout, I am calling HttpServletRequest.logout(), which is logging me out of the Spring boot application successfully. But the sessions in Jira and Confluence are not killed. Similarly, once I open the tools from the Spring boot application, on logout of any tool both Jira and confluence are logging out using Single Logout but the session in the Spring boot application is not killed.
>
> Could you please help us in resolving this issue.
>
> Regards
> Triveni Chegireddy
>
> =====-----=====-----=====
> Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
>

From fernando.mayoral at practiv.com Wed Sep 19 22:35:57 2018
From: fernando.mayoral at practiv.com (Fernando Mayoral)
Date: Thu, 20 Sep 2018 14:35:57 +1200
Subject: [keycloak-user] Client Service Account Roles are not exported
Message-ID:

While automating the deployment and testing of my solution I found out that the client service account roles are not being exported.

I've been struggling to find any documentation that allows the client service account roles to be configured using the CLI or any other automated way.

I came across this bug ticket KEYCLOAK-4923 but it's pretty quiet there. Which makes me wonder, is there any obvious workaround for this limitation?

Thanks,
Fernando.

From lokesh.ravichandru at grootan.com Thu Sep 20 02:53:14 2018
From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru)
Date: Thu, 20 Sep 2018 12:23:14 +0530
Subject: [keycloak-user] Forward scopes from Keycloak authorize url to IDP
Message-ID:

Hello,

Has anyone tried to solve forwarding of custom scopes to the IdentityProvider? As of now we are putting in default scopes, but they need to be dynamic.

Thanks,
Lokesh

From testoauth55 at gmail.com Thu Sep 20 03:30:13 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Thu, 20 Sep 2018 13:00:13 +0530
Subject: [keycloak-user] Server Administration: Is there a REST API to import realm.json
Message-ID:

The doc https://www.keycloak.org/docs/4.3/server_admin/index.html#_export_import mentions realm.json can be imported/exported through the admin console. Is there a REST API to import realm json?

From testoauth55 at gmail.com Thu Sep 20 03:34:40 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Thu, 20 Sep 2018 13:04:40 +0530
Subject: [keycloak-user] Server Initialization: Is there a REST API to create the first/initial admin user
Message-ID:

Can the first admin user be created through a REST API? The doc https://www.keycloak.org/docs/4.3/server_admin/index.html#server-initialization mentions that the first admin can be created either via the http://localhost:8080/auth URL or with the add-user-keycloak script. Is adding the first admin possible through a REST API?
From sblanc at redhat.com Thu Sep 20 03:43:49 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 20 Sep 2018 09:43:49 +0200
Subject: [keycloak-user] Server Administration : Is there Rest API to import realm.json

Yes, check https://www.keycloak.org/docs-api/4.4/rest-api/index.html#_realms_admin_resource

On Thu, Sep 20, 2018 at 9:30 AM, keycloak demo wrote:

> The doc: https://www.keycloak.org/docs/4.3/server_admin/index.html#_export_import mentions realm.json can be imported/exported through admin console. Is there a REST API to import realm json?

From slaskawi at redhat.com Thu Sep 20 07:21:45 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 20 Sep 2018 13:21:45 +0200
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space

Ok, so I think you might tune a couple of things there:
- Xms = Xmx, so probably don't need dynamic sizing.
- MetaspaceSize and MaxMetaspaceSize to be removed.
- Use either CMS or G1 (I think the latest JDK builds overrun CMS, which wasn't true a couple of months back).
- Replace distributed caches with number of owners = 2 with replicated ones.

I also highly advise reading these documents:
- Infinispan Performance Guide: http://infinispan.org/docs/dev/performance_guide/performance_guide.html
- My very old conference manual on tuning JGroups. However, you should probably look up better materials. Please treat it as a starting point: https://github.com/slaskawi/presentations/tree/master/2017_infinispan_rolling_upgrade#configuration-tuning-guide

On Wed, Sep 19, 2018 at 3:03 PM Arun Velayudhan <arun.velayudhan at motorolasolutions.com> wrote:

> Thanks for the input.
> I am ok if there are few failures and few successes and the system runs in this manner so that we can tune the cache and make it better. But in our case once the full GC is executed almost all the get-token requests are failing. Keycloak doesn't seem to be recovering from here.
>
> Here is my startup JVM params
>
> =================
> JAVA_OPTS="-Xms2048m -Xmx4096m -XX:-PrintGC -XX:-PrintGCDetails -XX:-PrintGCTimeStamps -Xloggc:/DGlogs/gclogs.txt -XX:-UseGCLogFileRotation -XX:NumberOfGCLogFiles=20 -XX:GCLogFileSize=10M -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
> JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
> ===================
>
> And below is the cache configuration ... If there is any better recommendation I would be glad to try that out....
>
> ===========================
> [cache element names were not preserved by the archive; surviving attributes:]
> jndi-name="infinispan/Keycloak"
> mode="SYNC" owners="2"
> owners="2"
> ==================
>
> Thanks
> Arun
>
> On Wed, Sep 19, 2018 at 4:21 PM, Sebastian Laskawiec wrote:
>
>> That's the line you're balancing on. If the cache is very big, you might get an OOM Error. If it's too small, you will observe plenty of queries to the database. You need to find what size works best for you.
>>
>> On Wed, Sep 19, 2018 at 10:56 AM Arun Velayudhan <arun.velayudhan at motorolasolutions.com> wrote:
>>
>>> Thanks Sebastian and Peter.
>>> After increasing the JVM memory and setting the cache limits the out-of-memory exception has been arrested. But I started observing lots of get-token requests failing after some time, i.e. after 12hrs of run. On debugging, lots of failures are observed once the full GC is executed. Has anyone observed this behavior, or any pointers?
>>>
>>> Arun
>>>
>>> On Wed, Aug 8, 2018 at 5:26 PM, Nalyvayko, Peter wrote:
>>>
>>>> Hi Arun,
>>>> Yes, we have seen this issue before. A temporary remedy has been to increase JVM's maximum heap size, among other things, like changing the eviction rate and infinispan cache sizes.
>>>> --Peter
>>>>
>>>> -----Original Message-----
>>>> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Arun Velayudhan
>>>> Sent: Wednesday, August 8, 2018 1:02 AM
>>>> To: keycloak-user
>>>> Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>>>>
>>>> Hello,
>>>> We ran keycloak with some basic load (like auth, gettoken) for a few hours at the and after some time Keycloak threw an Out-of-memory error. Has anyone faced a similar kind of problem? Would be keen to know what was done to mitigate.
>>>>
>>>> Version of Keycloak -> 4.0.0.Final.
>>>>
>>>> =====
>>>> 18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
>>>> 18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>>>> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>>>> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
>>>> ===============
>>>>
>>>> Pls find below the startup configuration
>>>> ===
>>>> 19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
>>>> ==================
>>>>
>>>> Arun

From slaskawi at redhat.com Thu Sep 20 07:35:47 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 20 Sep 2018 13:35:47 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

Could you please try to unify the caches? Please replace all local-cache and distributed-cache with replicated-cache.

Even though using distributed caches over replicated ones should be the cause, I think those local caches might cause the behavior you're describing.

On Wed, Sep 19, 2018 at 3:21 PM D V wrote:

> Makes sense re: replicated caches. Here's my infinispan subsystem config right now:
>
> [cache element names were not preserved by the archive; surviving attributes:]
> jndi-name="infinispan/Keycloak" statistics-enabled="true"
> statistics-enabled="true"
> mode="SYNC" owners="1" statistics-enabled="true"
> owners="1" statistics-enabled="true"
> owners="2" statistics-enabled="true"
> default-cache="default" module="org.wildfly.clustering.server"
> module="org.wildfly.clustering.web.infinispan"
> default-cache="dist" module="org.wildfly.clustering.ejb.infinispan"
> module="org.hibernate.infinispan"
>
> The scenario I'm testing:
> 1. Auth with grant_type=password on node1.
> 2. Shut down node1.
> 3. Auth with grant_type=refresh_token on node2.
>
> When client_sessions is not replicated (distributed, with owners=1, as in the distribution's standalone-ha.xml), I get this on node2:
> {
>   "error": "invalid_grant",
>   "error_description": "Session doesn't have required client"
> }
>
> When sessions is not replicated:
> {
>   "error": "invalid_grant",
>   "error_description": "Session not active"
> }
>
> On Wed, Sep 19, 2018 at 6:56 AM Sebastian Laskawiec wrote:
>
>> Thanks for letting us know DV!
>>
>> Setting the number of owners equal to the cluster size doesn't make any sense. You might use a replicated cache in that scenario (which works the same way apart from some Infinispan internal behavior, which can be omitted in your case). Could you please paste your Infinispan configuration? Maybe there's some hint there...
>>
>> Thanks,
>> Seb
>>
>> On Tue, Sep 18, 2018 at 11:02 PM D V wrote:
>>
>>> The issue was resolved in a somewhat unexpected way. I had a custom org.keycloak.storage.UserStorageProviderFactory SPI registered that returned providers implementing org.keycloak.storage.user.UserLookupProvider, but the org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't fully filled out. I just had it return null. It wasn't obvious to me that it was required (or under what circumstances). Once I implemented it, the experiments in my original message passed. I did have to set owners to 2 for the "sessions" and "clientSessions" distributed cache infinispan configs.
>>>
>>> One thing I noticed is that node2 (the one that doesn't get hit on the initial password auth) has to do a lookup via getUserById the first time it handles a grant_type=refresh_token auth. Is the data it needs not shared across the cluster? It seems to be cached only locally on the node. Just as a test I tried to set all configured non-local caches to be replicated and it didn't help. Any thoughts about this?
>>>
>>> Thanks,
>>> DV

From gondarlinux at gmail.com Thu Sep 20 09:24:07 2018
From: gondarlinux at gmail.com (Michael Griffin)
Date: Thu, 20 Sep 2018 09:24:07 -0400
Subject: [keycloak-user] Multi-site/multi-region cluster sync question

After reading the following:
https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode
and
https://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html

I am wondering how does it scale? I am trying to work a solution that would have synchronization across multiple data centers in a geographic region as well as with multiple regions. E.G.:

region A --> site 1, site 2
region B --> site 3, site 4
region C --> site 5, site 6

My understanding to this point is that region A, sites 1-2 can sync with each other, but can they sync with regions B/C?

Thanks.

By my hand, I am,
Michael G.
From Christoph.Leistert at bosch-si.com Thu Sep 20 09:54:01 2018
From: Christoph.Leistert at bosch-si.com (Leistert Christoph (INST/ECS2))
Date: Thu, 20 Sep 2018 13:54:01 +0000
Subject: [keycloak-user] Performance impact when fine-grained permissions are active

Hi,

We are using the fine-grained permissions for clients to control which group of users could query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group, which should manage the client.

This perfectly works if we only have few clients in our system. If we add some more (in our system after ~700 clients) we got huge performance problems. E.g., the list viewable clients operation (GET //clients?viewableOnly=true) in the context of a user, which is allowed to see two of the 700 clients, takes more than 10 seconds. We are also facing performance issues when deleting a single client by id (DELETE //clients/).

Unfortunately, I did not find any information about the limits or performance tuning possibilities, when using the fine-grained permissions at the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions

I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one to especially not forget the fine-grained permissions: https://issues.jboss.org/browse/KEYCLOAK-8307

So my additional questions are:
Did we use the fine-grained permissions in a way they are built for? If not, is there any hint, how to use the fine-grained permissions feature in a correct way?
Are these performance impacts already known? If yes, are there any plans to improve these issues?

Best regards

Christoph Leistert
(INST/ECS2)
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Christoph.Leistert at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn

From sthorger at redhat.com Thu Sep 20 10:01:02 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 20 Sep 2018 16:01:02 +0200
Subject: [keycloak-user] Danish translation review needed

Any Danish natives out there that could review https://github.com/keycloak/keycloak/pull/5567?

From byte.russian at gmail.com Thu Sep 20 10:03:03 2018
From: byte.russian at gmail.com (Rocco G.)
Date: Thu, 20 Sep 2018 16:03:03 +0200
Subject: [keycloak-user] Users and bearer tokens management

Hi,

I read all the doc but still can't understand how bearer tokens generation works. Every user should generate/manage personal bearer tokens, is this possible? Should I create a "client" for every user?

PS: If it is not clear: if user 1 generates the token "abcd" and makes a request to api.mysite.com, I should know that the token belongs to user 1.

Thanks,
Rocco

From dv at glyphy.com Thu Sep 20 10:26:57 2018
From: dv at glyphy.com (D V)
Date: Thu, 20 Sep 2018 10:26:57 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes

OK. So, with all caches being replicated, there's an error on startup:

2018-09-20 14:03:38,307 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (ServerService Thread Pool -- 62) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.models.PasswordPolicy$Builder
Caused by: an exception which occurred:
in field org.keycloak.models.PasswordPolicy.builder
in object org.keycloak.models.PasswordPolicy@6ab5350d
in field org.keycloak.models.cache.infinispan.entities.CachedRealm.passwordPolicy
in object org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21
in object org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21
in object org.infinispan.commands.write.PutKeyValueCommand@fec4dc5e
in object org.infinispan.commands.remote.SingleRpcCommand@3f2e5d1a

If I make the realms cache local but leave the rest replicated, I observe the same behaviour: the node that didn't issue the original set of refresh/access tokens does a getUserById lookup, which in my case results in a network call against a remote service.

I noticed there are caches running that aren't mentioned in the config, like userRevisions. These are local and adding them to the config as replicated doesn't actually make them as such.

On Thu, Sep 20, 2018 at 7:36 AM Sebastian Laskawiec wrote:

> Could you please try to unify the caches? Please replace all local-cache and distributed-cache with replicated-cache.
>
> Even though using distributed caches over replicated ones should be the cause, I think those local caches might cause the behavior you're describing.
>
> On Wed, Sep 19, 2018 at 3:21 PM D V wrote:
>
>> Makes sense re: replicated caches. Here's my infinispan subsystem config right now:
>> [...]

From psilva at redhat.com Thu Sep 20 10:35:27 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 20 Sep 2018 11:35:27 -0300
Subject: [keycloak-user] Performance impact when fine-grained permissions are active

On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com> wrote:

> Hi,
> We are using the fine-grained permissions for clients to control which group of users could query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group, which should manage the client.
> [...]
> Are these performance impacts already known? If yes, are there any plans to improve these issues?

We had recently improved performance on keycloak authorization services but not really the fine-grained permissions in admin console. What is the Keycloak version you are using?

From your description, it seems that to reproduce the problem we need to create clients, enable permission for each of them and define a policy for any of the scope permissions (view, manage, etc), is that right?

> Best regards
>
> Christoph Leistert
> (INST/ECS2)
> Bosch Software Innovations GmbH

From craig at baseventure.com Thu Sep 20 10:41:23 2018
From: craig at baseventure.com (Craig Setera)
Date: Thu, 20 Sep 2018 09:41:23 -0500
Subject: [keycloak-user] Simultaneous SAML and OAuth for same resources?

Reading the documentation, there is a statement that makes it appear that it is not possible to support *both* OAuth and SAML simultaneously to the same resources? Is that really the case? We would like to allow both OAuth and SAML authentication to access our API (along with appropriate differences in functionality). Is that possible?

Thanks,
Craig

=================================
Craig Setera
Chief Technology Officer
415-324-5861
craig at baseventure.com

From Christoph.Leistert at bosch-si.com Thu Sep 20 12:09:59 2018
From: Christoph.Leistert at bosch-si.com (Leistert Christoph (INST/ECS2))
Date: Thu, 20 Sep 2018 16:09:59 +0000
Subject: [keycloak-user] Performance impact when fine-grained permissions are active
Message-ID: <1c17c5727fbc42049e118cddf1f08684@bosch-si.com>

Currently we use Keycloak version 3.4.3, but we would like to change to the latest 4.x version as soon as possible. I did the same tests with Keycloak in version 4.4.0 and it is much faster, but the number of clients before the performance is getting slow is still not very high and we expect many more clients in our system.
Tested request: GET //clients?viewableOnly=true Measurement: average of 20 requests with different users after 2 warm up requests For 750 clients: Version 3.4.3: 14193.35 ms Version 4.4.0: 4078.1 ms For 1000 clients: Version 4.4.0: 9202.65 ms That?s right. Each client has permissions enabled and there is one role based policy per client (Has role ?manage? of client ?123?). This policy is used for the view and manage permission of the client. (Manage client ?123? is possible if the user has the role ?manage? of client ?123?) Mit freundlichen Gr??en / Best regards Christoph Leistert (INST/ECS2) Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com Christoph.Leistert at bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten L?cke; Gesch?ftsf?hrung: Dr. Stefan Ferber, Michael Hahn Von: Pedro Igor Silva Gesendet: Donnerstag, 20. September 2018 16:35 An: Leistert Christoph (INST/ECS2) Cc: keycloak-user Betreff: Re: [keycloak-user] Performance impact when fine-grained permissions are active On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) > wrote: Hi, We are using the fine-grained permissions for clients to control which group of users could query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group, which should manage the client. This perfectly works if we only have few clients in our system. If we add some more (in our system after ~700 clients) we got huge performance problems. E.g., the list viewable clients operation (GET //clients?viewableOnly=true ) in the context of a user, which is allowed to see two of the 700 clients, takes more than 10 seconds. 
We also facing performance issues when delete a single client by id (DELETE //clients/). Unfortunately, I did not find any information about the limits or performance tuning possibilities, when using the fine-grained permissions at the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one to especially not forget the fine-grained permissions: https://issues.jboss.org/browse/KEYCLOAK-8307 So my question additional questions are: Did we use the fine-grained permissions in a way there are built for? If not, is there any hint, how to use the fine-grained permissions feature in a correct way? Are these performance impacts already known? If yes, are there any plans to improve these issues? We had recently improved performance on keycloak authorization services but not really the fine-grained permissions in admin console. What is the Keycloak version you are using ? From your description, it seems that to reproduce the problem we need to create clients, enable permission for each of them and define a policy for any of the scope permissions (view, manage, etc), is that right ? Best regards Christoph Leistert (INST/ECS2) Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com Christoph.Leistert at bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten L?cke; Gesch?ftsf?hrung: Dr. 
Stefan Ferber, Michael Hahn _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From iameymahajan5 at gmail.com Thu Sep 20 12:22:05 2018 From: iameymahajan5 at gmail.com (Amey) Date: Thu, 20 Sep 2018 21:52:05 +0530 Subject: [keycloak-user] To post Message-ID: <5ba3c92c.1c69fb81.a9038.042d@mx.google.com> iameymahajan5 at gmail.com Sent from Mail for Windows 10 From ionel.gardais at tech-advantage.com Thu Sep 20 12:40:56 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Thu, 20 Sep 2018 18:40:56 +0200 (CEST) Subject: [keycloak-user] Is WebAuthn planned ? Message-ID: <1636519450.112536.1537461656819.JavaMail.zimbra@tech-advantage.com> Hi, Is WebAuthn integration is planned to be integrated in the browser workflow (like OTP) ? Ionel -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 -------------- next part -------------- A non-text attachment was scrubbed... Name: GARDAIS, Ionel.vcf Type: text/directory Size: 399 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180920/fa85f010/attachment.bin From jkenefick at eircom.net Thu Sep 20 12:46:37 2018 From: jkenefick at eircom.net (Jack Kenefick) Date: Thu, 20 Sep 2018 17:46:37 +0100 (IST) Subject: [keycloak-user] Retrieve name of login theme for a realm? Message-ID: <30974846.825645.1537461997302.JavaMail.zimbra@eircom.net> Hi, I need to retrieve the name of the login them for a particular realm. Is there anything in the REST/Java API that would let me do this? Best regards, Jack. From Brian.Brooks at datapath.com Thu Sep 20 12:48:15 2018 From: Brian.Brooks at datapath.com (Brian Brooks (US)) Date: Thu, 20 Sep 2018 16:48:15 +0000 Subject: [keycloak-user] Link for Token Decoder jwt Demo? 
- From DevNation DEEP DIVE INTO KEYCLOAK Message-ID: This question is for Stian Thorgersen... I enjoyed your DevNation DEEP DIVE INTO KEYCLOAK webinar today. Great job! During the webinar, you demonstrated a web app 'jwt' which supported decoding a token. The URL was https://localhost:8080/auth/realms/demo/jwt Is that jwt token decoder app available on GitHub? Brian

From henning.waack at codecentric.de Thu Sep 20 13:26:04 2018 From: henning.waack at codecentric.de (Henning Waack) Date: Thu, 20 Sep 2018 19:26:04 +0200 Subject: [keycloak-user] KC installation DB problems Message-ID: Dear all. I am trying to set up KC 4.2.1 (also tried with 4.0.0) on Ubuntu 18.04 with MySQL 5.7/MariaDB 10.x. It works totally fine on my Vagrant box (I use Ansible), but on the "real" server the Liquibase init scripts time out. Please note that the DB is installed physically on the same machine as Keycloak; the connection is made through localhost. The error is some kind of transaction timeout exception, please see the log below. It is interesting to note that a) the script runs for more than 5 minutes before it fails, and b) most tables have been created in the DB, but after this error the state is unrecoverable. Do you have any pointers/hints on why I run into these timeout issues? I am totally at a loss, having tried so many combinations (KC version x DB type x DB version), which all run fine on Vagrant but fail on the server. Thanks in advance & greetings Henning ------ 2018-09-20 19:00:53,220 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 49) Node name: sso, Site name: null 2018-09-20 19:00:55,982 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Initializing database schema.
Using changelog META-INF/jpa-changelog-master.xml 2018-09-20 19:05:53,240 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e in state RUN 2018-09-20 19:05:53,252 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:05:53,938 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 in state RUN 2018-09-20 19:05:53,940 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:13,864 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] 2018-09-20 19:06:13,913 INFO [org.hibernate.Version] (ServerService Thread Pool -- 49) HHH000412: Hibernate Core {5.1.10.Final} 2018-09-20 19:06:13,914 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000206: hibernate.properties not found 2018-09-20 19:06:13,916 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000021: Bytecode provider name : javassist 2018-09-20 19:06:13,943 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 49) HCANN000001: Hibernate Commons Annotations {5.0.1.Final} 2018-09-20 19:06:14,076 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 49) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect 2018-09-20 19:06:14,107 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 49) Envers integration enabled? 
: true 2018-09-20 19:06:14,534 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 49) HV000001: Hibernate Validator 5.3.5.Final 2018-09-20 19:06:15,154 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 49) HHH000397: Using ASTQueryTranslatorFactory 2018-09-20 19:06:15,842 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 0, SQLState: null 2018-09-20 19:06:15,842 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) javax.resource.ResourceException: IJ000460: Error checking for a transaction 2018-09-20 19:06:15,843 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (ServerService Thread Pool -- 49) HHH000327: Error performing load command : org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection 2018-09-20 19:06:15,844 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:15,850 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:06:15,853 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal 2018-09-20 19:06:15,857 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 49) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84) at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) ... 
6 more Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) at com.sun.proxy.$Proxy68.find(Unknown Source) at org.keycloak.models.jpa.MigrationModelAdapter.getStoredVersion(MigrationModelAdapter.java:38) at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:84) at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 
28 more Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1619) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1106) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1033) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) ... 41 more Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:87) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:109) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.connection(StatementPreparerImpl.java:47) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172) at 
org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86) at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:167) at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4069) at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:508) at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:478) at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:219) at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:278) at org.hibernate.event.internal.DefaultLoadEventListener.doOnLoad(DefaultLoadEventListener.java:121) at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:89) at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1142) at org.hibernate.internal.SessionImpl.access$2600(SessionImpl.java:167) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.doLoad(SessionImpl.java:2762) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2741) at org.hibernate.internal.SessionImpl.get(SessionImpl.java:978) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1075) ... 
47 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:386) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:84) ... 70 more Caused by: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:425) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 74 more Caused by: javax.resource.ResourceException: IJ000459: Transaction is not active: tx=Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 status: ActionStatus.ABORTED >, owner=Local transaction context for provider JBoss JTA transaction provider) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:409) ... 
76 more 2018-09-20 19:06:15,872 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTPS listener https suspending 2018-09-20 19:06:15,872 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS] 2018-09-20 19:06:15,877 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] 2018-09-20 19:06:15,878 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = h2 2018-09-20 19:06:15,881 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = mariadb 2018-09-20 19:06:15,881 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 2018-09-20 19:06:15,885 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspendi -- From jblashka at redhat.com Thu Sep 20 17:42:09 2018 From: jblashka at redhat.com (Jared Blashka) Date: Thu, 20 Sep 2018 17:42:09 -0400 Subject: [keycloak-user] Multi-site/multi-region cluster sync question In-Reply-To: References: Message-ID: At Red Hat Summit this year there was a Keynote demonstration[1] utilizing the Cross-Datacenter Replication Mode for Red Hat SSO deployed in three regions (a local private cloud, Microsoft Azure, and Amazon AWS). We've also recently completed work internally deploying a similar configuration in two regions with plans to expand this to additional regions in the future. So it is definitely capable of scaling to multi-region but the ultimate details of that configuration will be specific to your deployment (performance, sync vs. async replication, timeouts, active/active vs active/passive regions, etc.) 
Jared Blashka
Red Hat - Identity & Access Management
[1] http://blog.keycloak.org/2018/06/red-hat-single-sign-on-in-keynote-demo.html

On Thu, Sep 20, 2018 at 9:24 AM, Michael Griffin wrote:
> After reading the following:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode
>
> and
>
> https://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
>
> I am wondering how it scales. I am trying to work out a solution that would have synchronization across multiple data centers in a geographic region as well as with multiple regions. E.g.:
>
> region A --> site 1, site 2
> region B --> site 3, site 4
> region C --> site 5, site 6
>
> My understanding to this point is that region A, sites 1-2 can sync with each other, but can they sync with regions B/C?
>
> Thanks.
>
> By my hand, I am,
>
> Michael G.

From psilva at redhat.com Thu Sep 20 19:18:17 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 20 Sep 2018 20:18:17 -0300 Subject: [keycloak-user] Performance impact when fine-grained permissions are active In-Reply-To: <1c17c5727fbc42049e118cddf1f08684@bosch-si.com> References: <1c17c5727fbc42049e118cddf1f08684@bosch-si.com> Message-ID: Hi Leistert, One of the main issues with clients is that we don't paginate results there yet. Loading every single client from the database is scalable. Regarding fine-grained permissions in admin, I think I have something that might improve response time a bit. In a nutshell, currently we evaluate permission on a per-client basis (for every client returned from the database), whereas the authorization API supports using callbacks that are called during decisions. That means we can improve evaluation (even without pagination) by filtering the list of clients based on decisions from the policy evaluation engine.
Will update those JIRAs once I have something more concrete to share.

Regards.
Pedro Igor

On Thu, Sep 20, 2018 at 1:10 PM Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com> wrote:

> Currently we use Keycloak version 3.4.3, but we would like to change to the latest 4.x version as soon as possible.
>
> I did the same tests with Keycloak in version 4.4.0 and it is much faster, but the number of clients before the performance is getting slow is still not very high and we expect many more clients in our system.
>
> Tested request: GET //clients?viewableOnly=true
> Measurement: average of 20 requests with different users after 2 warm-up requests
>
> For 750 clients:
> Version 3.4.3: 14193.35 ms
> Version 4.4.0: 4078.1 ms
>
> For 1000 clients:
> Version 4.4.0: 9202.65 ms
>
> That's right.
> Each client has permissions enabled and there is one role-based policy per client (Has role "manage" of client "123").
> This policy is used for the view and manage permission of the client. (Managing client "123" is possible if the user has the role "manage" of client "123".)
>
> Best regards
>
> *Christoph Leistert *
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
> Christoph.Leistert at bosch-si.com
>
> Registered office: Berlin, register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn
>
> *From:* Pedro Igor Silva
> *Sent:* Thursday, 20 September 2018 16:35
> *To:* Leistert Christoph (INST/ECS2)
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Performance impact when fine-grained permissions are active
>
> On Thu, Sep 20, 2018 at 11:05 AM Leistert Christoph (INST/ECS2) <Christoph.Leistert at bosch-si.com> wrote:
>
> Hi,
> We are using the fine-grained permissions for clients to control which group of users could query and manage which clients. Therefore, we create a client role "manage" for each of our clients and define a role-based policy, which includes all users that have this "manage" role. This policy is then assigned to the view and manage permissions of the client. The client role "manage" is assigned to the group which should manage the client.
> This works perfectly if we only have a few clients in our system. If we add some more (in our system after ~700 clients) we get huge performance problems. E.g., the list viewable clients operation (GET //clients?viewableOnly=true) in the context of a user which is allowed to see two of the 700 clients takes more than 10 seconds. We are also facing performance issues when deleting a single client by id (DELETE //clients/).
> Unfortunately, I did not find any information about the limits or performance tuning possibilities when using the fine-grained permissions in the documentation: https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions
> I found some JIRA issues related to the performance tests (https://issues.jboss.org/browse/KEYCLOAK-6196) and the support for having a large number of clients (https://issues.jboss.org/browse/KEYCLOAK-8275). So I created a new one specifically so that the fine-grained permissions are not forgotten: https://issues.jboss.org/browse/KEYCLOAK-8307
> So my additional questions are:
> Did we use the fine-grained permissions in the way they are built for? If not, is there any hint on how to use the fine-grained permissions feature in a correct way?
> Are these performance impacts already known? If yes, are there any plans to improve these issues?
>
> We had recently improved performance on Keycloak authorization services but not really the fine-grained permissions in the admin console. What is the Keycloak version you are using?
>
> From your description, it seems that to reproduce the problem we need to create clients, enable permissions for each of them and define a policy for any of the scope permissions (view, manage, etc.), is that right?
>
> Best regards
> Christoph Leistert
> (INST/ECS2)
> Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
> Christoph.Leistert at bosch-si.com
>
> Registered office: Berlin, register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn

From Sebastian.Schuster at bosch-si.com Fri Sep 21 03:22:30 2018 From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS)) Date: Fri, 21 Sep 2018 07:22:30 +0000 Subject: [keycloak-user] Performance impact when fine-grained permissions are active In-Reply-To: References: <1c17c5727fbc42049e118cddf1f08684@bosch-si.com> Message-ID: Other options that I see include also changing to querying ids only for making policy decisions, similarly to what Pedro did in https://github.com/keycloak/keycloak/pull/5576 One could also think about introducing groups for clients as well, or maybe even for any Keycloak domain entity that potentially exists very often (users, clients, ...?). It could make management a little easier and especially make using permissions to control access to clients much more efficient...
Best regards,
Sebastian

Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Registered office: Berlin, register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr. Stefan Ferber, Michael Hahn

From derek.gibson at cimenviro.com Fri Sep 21 03:55:12 2018 From: derek.gibson at cimenviro.com (Derek Gibson) Date: Fri, 21 Sep 2018 09:55:12 +0200 Subject: [keycloak-user] problem with nginx reverse proxy and ip access control In-Reply-To: <8AA69DF9-CB9A-4806-95C5-926684B17953@3fs.si> References: <8AA69DF9-CB9A-4806-95C5-926684B17953@3fs.si> Message-ID: Hi Jernej,

Thanks for the reply. I've gone through pretty much the same iterations. I've also tried manipulating the X-Forwarded-For as you mentioned and it doesn't help either. In our case we are using Amazon ECS to host Keycloak behind an external-facing ALB. I want to be able to restrict the admin console to internal-only addresses, so I have an nginx container to reverse-proxy admin requests to Keycloak. No matter what configuration I try, I cannot get it to work. Would be open to any other suggestions.

Thanks
Derek

> On 19 Sep 2018, at 13:22, Jernej Porenta wrote:
>
> Hey Derek,
>
> I had the exact same issue and tried multiple options:
> - inverted undertow ip-access-control rule
> - turning the knobs by proxy-address-forwarding mangling (changing headers etc.)
> - checking out the client IP by request logging (which were right in the keycloak logs)
> - multiple ways of specifying the rules within undertow (based on RH documentation)
>
> None of them worked.
>
> In the end, I implemented that at nginx level. It isn't the most beautiful solution (k8s nginx ingress), but it is working as expected.
>
> The only one, which I hadn't tried at that time, is that maybe the X-Forwarded-For header included multiple IPs (X-Forwarded-For: 1.2.3.4 5.6.7.8).
> You can test that by stripping them and adding only the original one with nginx.
>
> br, Jernej
>
>> On 19 Sep 2018, at 12:18, Derek Gibson wrote:
>>
>> Hi there,
>>
>> I'm having a hard time trying to get ip restriction working behind an nginx reverse proxy on Keycloak 4.3
>>
>> I have configured an ip filter as per https://www.keycloak.org/docs/4.3/server_admin/#ip-restriction
>> [ip-access-control filter XML stripped by the list archive]
>>
>> and my nginx server block
>>
>> server {
>>     listen 443 ssl;
>>     server_name keycloak.example.com;
>>     location / {
>>         proxy_set_header Host $host;
>>         proxy_set_header X-Real-IP $remote_addr;
>>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>>         proxy_set_header X-Forwarded-Proto $scheme;
>>         proxy_pass https://keycloak-prx.example.com;
>>     }
>> }
>>
>> This works as intended when I request it directly, however when I try to access via nginx reverse proxy I get a 403 regardless of the ip I set in the ip-access-control filter, whether I have the host ip, or the proxy or gateway.
>>
>> Undertow debug shows that the correct IPs (as far as I understand that it should be) are being passed by nginx
>>
>> 10:03:29,564 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/
>> 10:03:29,565 DEBUG [io.undertow.request.security] (default task-3) Authentication result was ATTEMPTED for HttpServerExchange{ GET /auth/ request {X-Real-IP=[10.10.10.20], accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], X-Amzn-Trace-Id=[Root=1-5b9b8771-70fa72df4ef4bf816434fcc5], accept-language=[en-US,en;q=0.9], accept-encoding=[gzip, deflate, br], user-agent=[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36], Connection=[close], X-Forwarded-Proto=[https], X-Forwarded-Port=[443], X-Forwarded-For=[10.10.10.10, 10.10.10.20], cookie=[_ga=GA1.2.1510178336.1525250562; ajs_user_id=%22ca89cde3-6cac-4197-a5ad-aa966295c66d%22; ajs_anonymous_id=%2228cb540a-cb21-4200-a531-64b11ef909d8%22; ajs_group_id=%22customer%3A1%22], upgrade-insecure-requests=[1], Host=[keycloak.example.com]} response {}}
>>
>> but I do not get any debug logs for matches for /auth/admin, I only get an entry
>>
>> 09:42:47,387 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth/admin for path /auth/admin/
>>
>> and no subsequent security logs for that request
>>
>> Have I misconfigured something or could this be a bug?
>> Are there any steps that I can take to debug this further?
>>
>> my debug settings are
>> [logger configuration XML stripped by the list archive]
>>
>> all else is INFO
>>
>> Would really appreciate any help at all on this
>> thanks
>> Derek
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From narendra.pathai at sterlite.com Fri Sep 21 06:09:27 2018 From: narendra.pathai at sterlite.com (Narendra Pathai) Date: Fri, 21 Sep 2018 15:39:27 +0530 Subject: [keycloak-user] How to debug Tomcat 8 KeycloakAuthenticatorValve? Message-ID:

I am using Keycloak with Tomcat 8, and I am able to successfully achieve the OpenID Connect based Single Sign On flow. But I am facing an issue with back-channel logout: when I click on logout from the Sessions tab, it shows success, but the application session is not invalidated and the application session can still be used actively till the token expiry. So I wanted to debug the source and see if I could find the root cause and solve the issue if any. Please help me in guiding how to debug KeycloakAuthenticatorValve. I am using IntelliJ IDEA for development. Let me know if any further details are required.

Regards,
Narendra Pathai

-- Sterlite Tech Disclaimer: The content of this message may be legally privileged and confidential and are for the use of the intended recipient(s) only. It should not be read, copied and used by anyone other than the intended recipient(s). If you have received this message in error, please immediately notify the sender, preserve its confidentiality and delete it. Before opening any attachments please check them for viruses and defects.
No employee or agent is authorised to conclude any binding agreement on behalf of Sterlite Technologies Limited with another party by email without express written confirmation by an authorised person. Visit us at www.sterlitetech.com. Please consider the environment before printing this email! Registered office: E 1, MIDC Industrial Area, Waluj, Aurangabad, Maharashtra - 431 136 CIN - L31300MH2000PLC269261

From ionel.gardais at tech-advantage.com Fri Sep 21 08:14:34 2018 From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Fri, 21 Sep 2018 14:14:34 +0200 (CEST) Subject: [keycloak-user] Securing keycloak In-Reply-To: References: <1446556795.533894.1537086198213.JavaMail.zimbra@tech-advantage.com> Message-ID: <1972499297.138587.1537532074384.JavaMail.zimbra@tech-advantage.com>

Thanks. I had a hard time figuring out how IPv6 matching was done but it's OK now. (for the record, it looks like all fields of an IPv6 address must be listed: '2001:db8:0:0:0:0:0:0/32 allow' is OK but not '2001:db8::/32 allow')

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

From: "Sebastian Laskawiec"
To: "Ionel GARDAIS"
Cc: "keycloak-user"
Sent: Monday, 17 September 2018 09:15:31
Subject: Re: [keycloak-user] Securing keycloak

This documentation piece should do exactly what you want: https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction

On Sun, Sep 16, 2018 at 10:25 AM GARDAIS Ionel < ionel.gardais at tech-advantage.com > wrote:

Hi list,

Beside /auth/admin, are there any other URIs that should be secured/restricted to limit the attack surface for a public facing keycloak?

By the way, could it be useful to add a dedicated configuration entry directly inside keycloak to restrict the IPs allowed to make low-level actions?
Thanks, Ionel -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301_______________________________________________ keycloak-user mailing list [ mailto:keycloak-user at lists.jboss.org | keycloak-user at lists.jboss.org ] [ https://lists.jboss.org/mailman/listinfo/keycloak-user | https://lists.jboss.org/mailman/listinfo/keycloak-user ] -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 From gondarlinux at gmail.com Fri Sep 21 08:35:04 2018 From: gondarlinux at gmail.com (Michael Griffin) Date: Fri, 21 Sep 2018 08:35:04 -0400 Subject: [keycloak-user] Multi-site/multi-region cluster sync question In-Reply-To: References: Message-ID: This is exactly what I'm looking for. The details will be slightly different, but this answers the question. Thanks much! By my hand, I am, Michael G. On Thu, Sep 20, 2018 at 5:42 PM Jared Blashka wrote: > > At Red Hat Summit this year there was a Keynote demonstration[1] utilizing the Cross-Datacenter Replication Mode for Red Hat SSO deployed in three regions (a local private cloud, Microsoft Azure, and Amazon AWS). > We've also recently completed work internally deploying a similar configuration in two regions with plans to expand this to additional regions in the future. So it is definitely capable of scaling to multi-region but the ultimate details of that configuration will be specific to your deployment (performance, sync vs. async replication, timeouts, active/active vs active/passive regions, etc.) 
> > Jared Blashka > Red Hat - Identity & Access Management > > [1] http://blog.keycloak.org/2018/06/red-hat-single-sign-on-in-keynote-demo.html > > On Thu, Sep 20, 2018 at 9:24 AM, Michael Griffin wrote: >> >> After reading the following: >> >> https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode >> >> and >> >> https://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html >> >> I am wondering how does it scale? I am trying to work a solution that >> would have synchronization across multiple data centers in a >> geographic region as well as with multiple regions. E.G.: >> >> region A --> site 1, site 2 >> region B --> site 3, site 4 >> region C --> site 5, site 6 >> >> My understanding to this point is that region A, sites 1-2 can sync >> with each other, but can they sync with regions B/C? >> >> Thanks. >> >> By my hand, I am, >> >> Michael G. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From jernej.porenta at 3fs.si Fri Sep 21 08:37:15 2018 From: jernej.porenta at 3fs.si (Jernej Porenta) Date: Fri, 21 Sep 2018 14:37:15 +0200 Subject: [keycloak-user] problem with nginx reverse proxy and ip access control In-Reply-To: References: <8AA69DF9-CB9A-4806-95C5-926684B17953@3fs.si> Message-ID: <5251B845-B536-450F-817A-B58865352F0D@3fs.si> Hey, > > Thanks for the reply. I've gone through pretty much the same iterations. I've also tried manipulating the X-Forwarded-For as you mentioned and it doesnt help either. > > In our case we are using Amazon ECS to host Keycloak behind an external facing ALB. I want to be able to restrict the admin console to internal only addresses, so I have an nginx container to reverse-proxy admin requests to keycloak. No matter what configuration I try, I cannot get it to work. 
> > Would be open to any other suggestions
>

I've added a snippet into the http part of nginx (if using nginx ingress: config.http-snippet)

geo $admin_access {
    default deny;
    192.168.0.1/24 allow;
}

and into the server part of the nginx host (or server-snippet of your ingress service configuration)

set $check "";
if ($uri ~ '^/auth/admin') { set $check "${admin_access}-admin"; }
if ($check = "deny-admin") { return 403; }

br, Jernej

From jpperata at gmail.com Fri Sep 21 08:42:07 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Fri, 21 Sep 2018 09:42:07 -0300 Subject: [keycloak-user] Why doesn't the login module get called on Wildfly with Keycloak? In-Reply-To: References: Message-ID:

Hi Linda,

Is the client properly configured in the keycloak administration console? Is there an error or warning shown in the wildfly console? Perhaps you can share a sample with your configurations to be able to view the details.

Regards,
Juan

On Mon, Sep 17, 2018 at 6:51 AM Linda Sauder wrote:

> We have a Wildfly 10 AS, and we have the Keycloak 4.1 SAML Adapter installed according to the description in §3.1.2 of the Keycloak documentation <https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter-2>
>
> That means, our standalone.xml has
> - loaded the org.keycloak.keycloak-saml-adapter-subsystem extension
> - added the urn:jboss:domain:keycloak-saml:1.1 subsystem to our server's profile
> - defined a security domain (although in our case it's not called keycloak)
> - defined org.keycloak.adapters.jboss.KeycloakLoginModule as a on that domain
>
> Furthermore, we have an Application.war, which
> - contains some HTML to deliver
> - has a keycloak-saml.xml
> - has a jboss-web.xml, configuring the deployment's security-domain to the one defined in standalone.xml
> - has a web.xml which sets the auth-method configured to KEYCLOAK-SAML
>
> And yet, the login module never gets called. Why?
>
> Is there any logging we can enable to shed more light? Any places in undertow, picketlink, or picketbox to set breakpoints?
>
> 'Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access'.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jpperata at gmail.com Fri Sep 21 09:07:13 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Fri, 21 Sep 2018 10:07:13 -0300 Subject: [keycloak-user] Get federated roles in user federation provider or authenticator Message-ID:

Hi all,

I would like to ask if there is a way to get "federated roles" in a custom authenticator or custom user federation provider?

I found that, defining my own UserAdapter which extends AbstractUserAdapterFederatedStorage, there is a method which can be overridden named "Set getRoleMappingsInternal()". I tried to create a role mapping and populate that set with the roles the user has (in the external database). However, when I receive the security context in my client application, the roles are missing (I only see some realm default roles I created in the realm).

I took a step further and tried to debug the code and reached the point where the role assignment is done, and the roles I define are obtained from the user adapter, but then the roles which remain are only the ones which are defined in Keycloak.

Is my assumption right? Is there a way to get what I need? Or do I need to define each role in Keycloak as well? My user federation provider is a read only provider to the external database and the intention was to not maintain duplicated configuration.

Any help is appreciated.
Kind regards,
Juan

From jpperata at gmail.com Fri Sep 21 21:58:54 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Fri, 21 Sep 2018 22:58:54 -0300 Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names In-Reply-To: References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> Message-ID:

Hi,

Thank you for the code. I have the same requirement and am making some changes to adapt user federation to work with multiple realms and different datasources.

Is it possible for you to share the code for CustomUserStorageProvider? I suppose it is similar to the keycloak JPA provider sample but without injection of the Entity Manager; it is received from the create method in the factory. Perhaps something can be done with CDI or a Producer, I will give it a try.

Regards,
Juan

On Sat, 10 Feb 2018 at 09:41, Niels Bertram wrote:

> Hi Marek,
>
> using an application managed EntityManagerFactory appears to be working. I created a UserStorageProviderFactory that is managing an entity manager factory and when I use the entity manager in the UserStorageProvider the transaction is managed by the container transaction manager that also manages the Keycloak transactions. Why am I certain about that? Had a few errors in the beginning about 2 datasources trying to enroll as last resort.
>
> The main ingredients in this gist.
>
> https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29
>
> The trick is to tell hibernate <https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29#file-customuserstorageproviderfactory-java-L117> where to get the JTA platform transaction manager from.
>
> Does that look about right? I have a feeling it could be simplified with some CDI magic ...
>
> Cheers Niels
>
> On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram wrote:
>
> > Yes studied that one before asking the question, its close but not close enough.
> > I think I will get away with creating an application managed persistence context with a container managed transaction. Then in the provider factory I will read the DataSource name from config and create the entity transaction manager. Am just not too sure if it'll work with the things you do in Keycloak to access these provider EJBs. I kinda need 1 stateful session bean for each provider instance added to the realm and that needs its own EntityManagerFactory which enrolls the entity manager in the JTA from Keycloak. Will report back if I can get something working.
> > Thanks Niels
> >
> > On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda wrote:
> >
> >> I suggest to look at this example: https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
> >>
> >> AFAIK It's probably the closest thing to your usecase, which we have.
> >>
> >> Marek
> >>
> >> Dne 8.2.2018 v 17:49 Niels Bertram napsal(a):
> >>
> >>> Hi there,
> >>>
> >>> we have a requirement to set the jndi datasource name on a UserFederation provider when added to a realm to support connecting different realms in the same Keycloak server to different databases. Been through the examples and read a few emails from around 2016 in the developer list but do not find anyone who'd actually done this before. We could create a user managed EntityManagerFactory within the federation provider factory but the question is then how can we inject it into the container context and enlist our transactions in the JTA?
> >>>
> >>> Has anyone ever had to implement something like that?
> >>>
> >>> Cheers,
> >>> Niels
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vandana0242 at gmail.com Sat Sep 22 10:04:21 2018 From: vandana0242 at gmail.com (vandana thota) Date: Sat, 22 Sep 2018 09:04:21 -0500 Subject: [keycloak-user] Picktelink| Keycloak |Wildfly 11 |SSO Message-ID:

Hello

Is picketlink good to use for SSO on wildfly 11? What are the advantages and disadvantages of using the configuration in the link below for SSO on wildfly 11?

Below is the link for picketlink, wildfly and IDP

https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso

Thanks,
Vandana

From graham.burgess at razer.com Sat Sep 22 16:57:46 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Sat, 22 Sep 2018 20:57:46 +0000 Subject: [keycloak-user] Sync of OpenID Connect Profile Message-ID:

So I am attempting to use Keycloak to use an external IDP transparently. I have managed to get it to go through the first broker login flow but it has me wondering, does it keep the Keycloak profile in sync with the external? I suspect not, and if that is the case, I was wondering if any one had any suggestions on how to implement that sort of functionality?

Best regards,

Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
Razer Inc.
(San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300 Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.
From Daicy_Duarte00 at hotmail.com Sun Sep 23 09:17:22 2018 From: Daicy_Duarte00 at hotmail.com (Daicy Duarte) Date: Sun, 23 Sep 2018 13:17:22 +0000 Subject: [keycloak-user] Authenticator options on login page Message-ID:

Hi!

Is it possible to add authenticator options on the login page, so that the user can select which authenticator to log in with? For example having as options: passwords, secret question, etc.

Best regards,

From Daniel.Scheiner at mhp.com Sun Sep 23 12:46:39 2018 From: Daniel.Scheiner at mhp.com (Daniel Scheiner) Date: Sun, 23 Sep 2018 16:46:39 +0000 Subject: [keycloak-user] Authentication (Node.JS) Microservice to pass User x.509 certificate to Keycloak Message-ID:

Hi!

I am currently trying to have a Node.JS application between the User and Keycloak. Keycloak is running in a Docker container (with the option "-e PROXY_ADDRESS_FORWARDING=true"). The Node.JS microservice connects to Keycloak via HTTPS and wants to offer the User x.509 certificate.

How do I have to configure Keycloak (Docker image) to accept the user cert?
- certificate is PEM
- we have a CA set up and can provide the ca-chain
- Node.JS currently tries connecting via 'isomorphic-fetch' and passing the cert in headers...

All I get so far with headers:
- SSL_CLIENT_CERT
- X-Client-Certificate
- USER_CERT
- javax.servlet.request.X509Certificate
--> { error_description: 'X509 client certificate is missing.', error: 'invalid_request' }

Thank you sincerely!
Daniel

From raiden0610 at gmail.com Sun Sep 23 15:03:27 2018 From: raiden0610 at gmail.com (Cyril Casaucau) Date: Sun, 23 Sep 2018 21:03:27 +0200 Subject: [keycloak-user] SRP (Secure remote password) Message-ID:

Hi,

Do you know SRP (Secure remote password, https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol)?
It's RFC 2945 (https://tools.ietf.org/html/rfc2945) and 5054 (https://tools.ietf.org/html/rfc5054), and I think the idea of not transferring the password to the server is very interesting.

1Password and Protonmail are implementing it for their apps:
https://blog.agilebits.com/2018/02/14/how-we-use-srp-and-you-can-too/
https://protonmail.com/blog/encrypted_email_authentication/

So first, what do you guys think about SRP (Secure remote password)?
And second: have you thought of implementing it in Keycloak?

Thanks

From jpperata at gmail.com Sun Sep 23 18:14:50 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Sun, 23 Sep 2018 19:14:50 -0300 Subject: [keycloak-user] Picktelink| Keycloak |Wildfly 11 |SSO In-Reply-To: References: Message-ID:

Hi,

AFAIK PicketLink is merged into Keycloak and it is no longer maintained; all efforts, enhancements, etc. are part of Keycloak now.

Regards,
Juan

On Sat, Sep 22, 2018 at 2:24 PM vandana thota wrote:

> Hello
>
> Is picketlink good to use for SSO on wildfly 11? What are the advantages and disadvantages of using the configuration in the link below for SSO on wildfly 11?
>
> Below is the link for picketlink, wildfly and IDP
>
> https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Sebastian.Schuster at bosch-si.com Mon Sep 24 02:57:39 2018 From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS)) Date: Mon, 24 Sep 2018 06:57:39 +0000 Subject: [keycloak-user] Sync of OpenID Connect Profile In-Reply-To: References: Message-ID: <789695ec2bc241229ce051d1f8d070d2@bosch-si.com>

Hi Graham,

Have you checked using custom mappers (https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers)?
I am not 100% sure, but if I recall correctly, they retrieve and map the external information every time a user logs in...

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Graham Burgess
Sent: Samstag, 22. September 2018 22:58
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Sync of OpenID Connect Profile

So I am attempting to use Keycloak to use an external IDP transparently. I have managed to get it to go through the first broker login flow but it has me wondering, does it keep the Keycloak profile in sync with the external? I suspect not, and if that is the case, I was wondering if any one had any suggestions on how to implement that sort of functionality?

Best regards,

Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
Razer Inc. (San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300 Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents.
Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

From testoauth55 at gmail.com Mon Sep 24 05:52:11 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Mon, 24 Sep 2018 15:22:11 +0530 Subject: [keycloak-user] How to obtain identity information from KeycloakSecurityContext Message-ID:

I want to provide access to a resource if the current user is the creator of the resource. So I want to extract identity information. I have obtained KeycloakSecurityContext and AuthorizationContext from the request.

KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext();

How can I obtain identity information like mentioned in EvaluationContext (https://www.keycloak.org/docs/4.3/authorization_services/#using-the-authorizationcontext-to-obtain-an-authorization-client-instance)?

From mhopkins at ukcloud.com Mon Sep 24 05:53:56 2018 From: mhopkins at ukcloud.com (michaelkeycloakforums) Date: Mon, 24 Sep 2018 02:53:56 -0700 (MST) Subject: [keycloak-user] Adding a rules based authorization policy to keycloak - help? Message-ID: <1537782836855-0.post@n6.nabble.com>

Hi

I'm trying to add a rules based policy to my keycloak.

I'm using this example policy https://github.com/justindav1s/openshift-sso/tree/master/drools-policy

I understand I need to provide the maven GAV information and the kie-server will pull from nexus, but I don't know where/how to configure the correct nexus url and credentials.
Could anyone with experience of this area of keycloak point me in the right direction?

Many thanks, Michael

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From jonatan.erdal at capgemini.com Mon Sep 24 08:14:49 2018 From: jonatan.erdal at capgemini.com (Erdal, Jonatan) Date: Mon, 24 Sep 2018 12:14:49 +0000 Subject: [keycloak-user] Remove client roles containing slash using Admin Client/Admin REST API Message-ID:

Hi,

We are working on automatically removing client roles from one of our clients, but are struggling with roles containing a slash, /.

Currently we are using the Keycloak Admin Client library for Java, org.keycloak.admin.client. To be more precise, we use the ClientResource to fetch the RolesResource, and we then use the method deleteRole(String rolename):

* clientResource.roles().deleteRole(roleName)

We have tried both with and without URL Encoding (UTF-8). It works perfectly fine for roles not containing a slash.

Example of role not working:
* test/role

Example of role working:
* test_role

We have also tried using the Admin REST API to remove the roles, but with the same result.

DELETE /admin/realms/{realm}/clients/{id}/roles/{role-name}

Both methods (Admin client and Admin REST API) return status 404 for role test/test. Both methods work for other roles, such as test_test.

Does anyone know if it is possible to somehow remove roles containing a slash without having to go to the admin console?

Thanks in advance!
//Jonatan

________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 - S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed.
If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. From psilva at redhat.com Mon Sep 24 08:22:22 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 24 Sep 2018 09:22:22 -0300 Subject: [keycloak-user] Adding a rules based authorization policy to keycloak - help? In-Reply-To: <1537782836855-0.post@n6.nabble.com> References: <1537782836855-0.post@n6.nabble.com> Message-ID: Hi, Did you try configuring your settings.xml to set credentials on a per server basis ? Regards. Pedro Igor On Mon, Sep 24, 2018 at 6:55 AM michaelkeycloakforums wrote: > Hi > I'm trying to add a rules based policy to my keycloak. > > I'm using this example policy > https://github.com/justindav1s/openshift-sso/tree/master/drools-policy > > I understand I need to provide the maven GAV information and the kie-server > will pull from nexus, but I don't know where/ how to configure the correct > nexus url and credentials. > > Could anyone with experience of this area of keycloak point me in the right > direction? > > Many thanks, Michael > > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tim.hedlund at outlook.com Mon Sep 24 09:13:50 2018 From: tim.hedlund at outlook.com (Tim Hedlund) Date: Mon, 24 Sep 2018 13:13:50 +0000 Subject: [keycloak-user] Sync of OpenID Connect Profile In-Reply-To: References: Message-ID: Hi Graham, I think https://issues.jboss.org/browse/KEYCLOAK-3355 is what you are looking for. I don't know the status of this jira but as this is not a trivial fix I guess more people need to request it. 
I'm also interested in any other ways of achieving this sync, although I only need it one-way.

Regards
Tim

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Graham Burgess
Sent: 22 September 2018 22:58
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Sync of OpenID Connect Profile

So I am attempting to use Keycloak to use an external IDP transparently. I have managed to get it to go through the first broker login flow but it has me wondering, does it keep the Keycloak profile in sync with the external? I suspect not, and if that is the case, I was wondering if anyone had any suggestions on how to implement that sort of functionality?

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
Razer.com | Razer Game Store | Razer Insider | Razer zVault
Razer Inc. (San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300
Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.
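Returning to Jonatan's question earlier in this digest about client roles whose name contains a slash: a workaround that does not depend on how the server decodes a %2F in the request path is to resolve the role's id from the client's role listing and delete it through the Admin REST API's roles-by-id endpoint, matching the name exactly so that no other role is removed by mistake. The Python below is an added example, not code from the Keycloak project or from any poster on the thread. The base URL, realm name, client id, role data and the FakeKeycloak stand-in (which reproduces the 404 reported on the list for slashed names, encoded or not) are all constructed assumptions so that it runs offline; the caller's `request` function is assumed to attach the admin bearer token itself.

```python
"""Delete a Keycloak client role whose name contains a slash.

Added example, not Keycloak project code. Assumes the Admin REST API paths
below and an admin bearer token already carried by `request`. The base URL,
realm "demo", client id "abc" and the FakeKeycloak stand-in are constructed
here (hypothetical values) so the example runs offline.
"""
import json
from urllib.parse import quote, unquote

ROLES_PATH = "/admin/realms/{realm}/clients/{client_id}/roles"
ROLE_BY_NAME_PATH = ROLES_PATH + "/{role_name}"
ROLE_BY_ID_PATH = "/admin/realms/{realm}/roles-by-id/{role_id}"


def role_by_name_url(base, realm, client_id, role_name):
    """URL for the DELETE-by-name endpoint. safe="" makes quote() encode '/'
    as %2F instead of leaving it as a path separator."""
    return base + ROLE_BY_NAME_PATH.format(
        realm=realm, client_id=client_id, role_name=quote(role_name, safe=""))


def delete_client_role(request, base, realm, client_id, role_name):
    """Try the by-name endpoint first; on 404 resolve the role id from the
    listing and delete through roles-by-id. `request(method, url)` returns
    (status, body). Returns (endpoint_used, status)."""
    status, _ = request("DELETE", role_by_name_url(base, realm, client_id, role_name))
    if status != 404:
        return "by-name", status
    status, body = request("GET", base + ROLES_PATH.format(realm=realm, client_id=client_id))
    if status != 200:
        return "list", status
    # Exact-name match only: a prefix or substring match could delete the wrong role.
    matches = [r for r in json.loads(body) if r.get("name") == role_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one role named {role_name!r}, found {len(matches)}")
    status, _ = request("DELETE", base + ROLE_BY_ID_PATH.format(realm=realm, role_id=matches[0]["id"]))
    return "by-id", status


class FakeKeycloak:
    """Constructed in-memory stand-in for the server, mimicking the behaviour
    reported on the list: DELETE by name works unless the name contains a
    slash, in which case the answer is 404 whether or not it is %-encoded."""

    def __init__(self, realm, client_id, roles):
        self.realm, self.client_id = realm, client_id
        self.roles = {r["id"]: dict(r) for r in roles}   # id -> RoleRepresentation
        self.calls = []                                   # (method, url) log

    def __call__(self, method, url):
        self.calls.append((method, url))
        marker = f"/admin/realms/{self.realm}/"
        if marker not in url:
            return 404, ""
        path = url.split(marker, 1)[1]
        roles_prefix = f"clients/{self.client_id}/roles"
        if method == "GET" and path == roles_prefix:
            return 200, json.dumps(list(self.roles.values()))
        if method == "DELETE" and path.startswith(roles_prefix + "/"):
            raw = path[len(roles_prefix) + 1:]
            if "/" in raw or "%2F" in raw.upper():
                return 404, ""          # the reported failure for slashed names
            for role_id, role in list(self.roles.items()):
                if role["name"] == unquote(raw):
                    del self.roles[role_id]
                    return 204, ""
            return 404, ""
        if method == "DELETE" and path.startswith("roles-by-id/"):
            return (204, "") if self.roles.pop(path[len("roles-by-id/"):], None) else (404, "")
        return 404, ""


def demo():
    """Run both cases against the fake server; returns results for inspection."""
    kc = FakeKeycloak("demo", "abc", [{"id": "r1", "name": "test/role"},
                                      {"id": "r2", "name": "test_role"}])
    base = "https://sso.example.test"
    slashed = delete_client_role(kc, base, "demo", "abc", "test/role")
    plain = delete_client_role(kc, base, "demo", "abc", "test_role")
    return slashed, plain, sorted(kc.roles)


if __name__ == "__main__":
    print(demo())  # (('by-id', 204), ('by-name', 204), [])
```

Against a real server, `request` would be a thin wrapper over `urllib.request` or `requests` that adds the `Authorization: Bearer` header of a token with rights to manage that client's roles; the by-id fallback only fires after the by-name call has actually returned 404, so it does not change behaviour for names without a slash.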
From n.e921 at yahoo.com Mon Sep 24 09:22:15 2018
From: n.e921 at yahoo.com (waterlilly_lilly)
Date: Mon, 24 Sep 2018 06:22:15 -0700 (MST)
Subject: [keycloak-user] Assign permissions to client-level roles in KeyCloak
Message-ID: <1537795335331-0.post@n6.nabble.com>

I want to assign permissions to client-level roles. To do so, I create policies for the client-level roles which need to be assigned to permissions. I need to assign these policies for client-level roles to permissions via REST from my project, but I can't find the REST URI in the documentation and project.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From vandana0242 at gmail.com Mon Sep 24 10:01:53 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Mon, 24 Sep 2018 09:01:53 -0500
Subject: [keycloak-user] PicketLink | Keycloak | Wildfly 11 | SSO
In-Reply-To:
References:
Message-ID:

If we have to go with keycloak we have to stand up a separate server in the architecture. But if we use the configuration below there is no need to set up a separate keycloak server: https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso

What are the pros and cons of each set up (1. with keycloak server, 2. without keycloak server) for SSO configuration?

Thanks.

On Sun, Sep 23, 2018 at 5:15 PM Juan Pablo Perata wrote:
> Hi,
>
> AFAIK PicketLink is merged into Keycloak and it is no longer maintained,
> all efforts, enhancements, etc are part of Keycloak now.
>
> Regards,
> Juan
>
> On Sat, Sep 22, 2018 at 2:24 PM vandana thota
> wrote:
>
>> Hello
>>
>> Is PicketLink good to use for SSO on wildfly 11? What are the advantages
>> and disadvantages of using the configuration in the link below for SSO on
>> wildfly 11?
>>
>> Below is the link for picketlink, wildfly and IDP
>>
>>
>> https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
>> .
>>
>>
>> Thanks,
>> Vandana
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From yura.srohiy at uplab.io Mon Sep 24 11:23:14 2018
From: yura.srohiy at uplab.io (Yura Srohiy)
Date: Mon, 24 Sep 2018 18:23:14 +0300
Subject: [keycloak-user] Can't get specific role or users by specific role
Message-ID: <43be2d93-f658-437b-ad9a-5908df323179@Spark>

I have trouble fetching info from some endpoints.

When I'm trying to fetch roles from a client everything works:

Get all roles for the realm or client
GET /{realm}/clients/{id}/roles

But when I'm trying to reach a specific role or users with a specific role it returns a 403 Forbidden error:

Get a role by name
GET /{realm}/clients/{id}/roles/{role-name}

Is this an issue on the API side or am I forgetting something?

Hope you can help me! Thanks!

From leonore.desplas at soprasteria.com Mon Sep 24 12:06:17 2018
From: leonore.desplas at soprasteria.com (DES PLAS Leonore)
Date: Mon, 24 Sep 2018 16:06:17 +0000
Subject: [keycloak-user] Multi tenant on a given resource
Message-ID:

Hi there,

We are wondering how to achieve "multi tenant" on a resource. We have a spring boot backend with an angular front end, and are using Spring Security and keycloak-angular adapters. We have one keycloak used to authenticate and authorize users to the application; that configuration is ok.

But now, for a set of resources (angular paths and REST services), we need to authenticate to another Keycloak server, which we don't know much of because it is somebody else's.

How can we handle having 2 different Keycloak servers for a set of resources? How can we tell in Spring Boot and Angular which AccessToken is the right one? Is it possible to check if an AccessToken is valid on 2 different Keycloak servers and only for some paths?

At first, we thought about user federation...
but we don't want to be able to log in to the application just with the 2nd Keycloak. We have to be logged in with the first Keycloak on all paths, and for some paths we want to also be logged in to the 2nd Keycloak.

Thank you for your time,

Léonore DES PLAS MATTEI
Design and Development Engineer - Aix en Provence SIG

From graham.burgess at razer.com Mon Sep 24 12:11:46 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Mon, 24 Sep 2018 16:11:46 +0000
Subject: [keycloak-user] Sync of OpenID Connect Profile
In-Reply-To:
References:
Message-ID:

Thanks Tim,

That definitely looks like what I am looking for. I just want 1-way sync from the external IDP as I am trying to make Keycloak as invisible as possible.

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

-----Original Message-----
From: Tim Hedlund
Sent: Monday, September 24, 2018 6:14 AM
To: Graham Burgess ; keycloak-user at lists.jboss.org
Subject: RE: Sync of OpenID Connect Profile

Hi Graham,

I think https://issues.jboss.org/browse/KEYCLOAK-3355 is what you are looking for. I don't know the status of this jira but as this is not a trivial fix I guess more people need to request it.

I'm also interested in any other ways of achieving this sync, although I only need it one-way.
Regards
Tim

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Graham Burgess
Sent: 22 September 2018 22:58
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Sync of OpenID Connect Profile

So I am attempting to use Keycloak to use an external IDP transparently. I have managed to get it to go through the first broker login flow but it has me wondering, does it keep the Keycloak profile in sync with the external? I suspect not, and if that is the case, I was wondering if anyone had any suggestions on how to implement that sort of functionality?

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
Razer.com | Razer Game Store | Razer Insider | Razer zVault
Razer Inc. (San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300
Razer Inc. Stock Code: 1337.HK

From sthorger at redhat.com Mon Sep 24 14:23:44 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 24 Sep 2018 20:23:44 +0200
Subject: [keycloak-user] Keycloak Live Events?
Message-ID:

All,

I have been considering setting up a series of live events for Keycloak. The plan would be once a month to have a live event with presentations from the Keycloak team, and we would also be happy to invite others that want to talk about Keycloak. Topics would include presentations on new features, architecture/design of upcoming features and perhaps open Q&A sessions.

Now the question is how many would attend? Let me know on the mailing list or on Doodle (https://doodle.com/poll/qadckvmkgi6eyukd) if you are interested. I'm also interested in knowing if you are not interested. Suggestions for other topics are also welcome.

From ronyjoy at gmail.com Mon Sep 24 19:07:08 2018
From: ronyjoy at gmail.com (rony joy)
Date: Mon, 24 Sep 2018 18:07:08 -0500
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
Message-ID:

Dear All,

We are currently using keycloak version 3.4.3 and trying to migrate to 4.3.0, but the startup is failing due to a migration issue. We have around 400-500 realms in the database. Please find the exception below. From the log it is clear that "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" is the one causing the exception (see the code below; line 51 is in bold). Is this because of large realms? Any ideas?
@Override
public void migrate(KeycloakSession session) {
    *session.realms().getRealms().stream().forEach(*
        r -> {
            migrateRealm(session, r, false);
        }
    );
}

22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN
22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f
22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 invoked while multiple threads active within it.
22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with multiple threads - thread ServerService Thread Pool -- 53 was in progress with
org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163)
org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456)
org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388)
org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351)
org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136)
org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445)
org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172)
org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164)
org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456)
org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388)
org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351)
org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136)
org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150)
org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141)
org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74)
org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264)
org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332)
org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353)
org.keycloak.models.cache.infinispan.entities.CachedClient.<init>(CachedClient.java:119)
org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069)
org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029)
org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037)
org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:235)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
org.jboss.threads.JBossThread.run(JBossThread.java:320)
22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 threads active!
22:16:17,099 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12

--
Rony Joy

From n.e921 at yahoo.com Tue Sep 25 01:39:24 2018
From: n.e921 at yahoo.com (waterlilly_lilly)
Date: Mon, 24 Sep 2018 22:39:24 -0700 (MST)
Subject: [keycloak-user] Assign permissions to client-level roles in KeyCloak
Message-ID: <1537853964033-0.post@n6.nabble.com>

I want to assign permissions to client-level roles. To do so, I create policies for the client-level roles which need to be assigned to permissions. I need to assign these policies for client-level roles to permissions via REST from my project, but I can't find the REST URI in the documentation and project.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From vignesh at dataphilabs.com Tue Sep 25 02:07:52 2018
From: vignesh at dataphilabs.com (Vignesh S)
Date: Tue, 25 Sep 2018 11:37:52 +0530
Subject: [keycloak-user] Send additional parameter on keycloak login
Message-ID:

Hello All,

After having received so many good reviews about Keycloak, we are implementing Keycloak as the access management system for our client organization. Thanks to all the contributors.

I am stuck in getting the login complete with the User Federation SPI. I need to send an additional parameter from the client during login which I want to be available in the User Federation layer, so that based on that parameter I shall make an appropriate request to our legacy system for validating the password.
Currently, I do this:

curl -X POST \
  http://localhost:8080/auth/realms//protocol/openid-connect/token \
  -H 'Accept: application/json' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=&password=&grant_type=password&client_id='

How can I add another custom param to the body and make it available in the federation layer before making the login request to the legacy system?

Any help will be much appreciated.

Thanks,
Vignesh

From mposolda at redhat.com Tue Sep 25 03:16:11 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Sep 2018 09:16:11 +0200
Subject: [keycloak-user] Send additional parameter on keycloak login
In-Reply-To:
References:
Message-ID: <586170cc-0c43-1a71-41a8-2af0e1c03e31@redhat.com>

Hi,

I think that in the federation layer, you have access to the current KeycloakSession. So you can probably use something like:

// HttpRequest.getFormParameters() returns a MultivaluedMap, so getFirst() yields the String value
org.jboss.resteasy.spi.HttpRequest req = session.getContext().getContextObject(org.jboss.resteasy.spi.HttpRequest.class);
String myParam = req.getFormParameters().getFirst("my-param");

No guarantee that it works :)

Also the question is whether it's not a more proper way to handle this at the Authenticator level, which will delegate to the proper userStorage. UserStorage in theory shouldn't be interested in request params etc, but just make sure to CRUD user objects. But not sure about your use-case, and maybe handling it at the userStorage is the easiest option for you..

Marek

On 25/09/18 08:07, Vignesh S wrote:
> Hello All,
>
> After having received so many good reviews about Keycloak, We are
> implementing Keycloak as the access management system to our client
> organization. Thanks to all the contributors.
>
> I am stuck in getting the login complete with the User Federation SPI. I am
> in need of sending an additional parameter from the client during login
> which I wanted to be available in the User Federation layer.
So that based > on that parameter, I shall make an appropriate request to our legacy system > for validating the password. > > Currently, I do this, > > curl -X POST \ > http://localhost:8080/auth/realms//protocol/openid-connect/token > \ > -H 'Accept: application/json' \ > -H 'Cache-Control: no-cache' \ > -H 'Content-Type: application/x-www-form-urlencoded' \ > -d > 'username=&password=&grant_type=password&client_id=' > > How can I add one another custom param to the body and make it available in > the federation layer before making the login request to the legacy system? > > Any help will be much appreciated. > > Thanks, > Vignesh > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Sep 25 03:20:24 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 25 Sep 2018 09:20:24 +0200 Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms In-Reply-To: References: Message-ID: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com> We did not try to test with so many realms yet, so issues are expected unfortunately :( We plan to improve it, but not sure when... To workaround this one, you may need to increase the default JTA transaction timeout, which is doable by adding/changing some attributes in the Wildfly standalone.xml configuration file somewhere in the transaction subsystem. By default it is 10 minutes AFAIR. See Wildfly docs for more details. Marek On 25/09/18 01:07, rony joy wrote: > Dear All, > > We have currently using keycloak 3.4.3 version and trying to migrate to > 4.3.0 but the startup is failing due to the migration issue. We have around > 400-500 realms in the database. Please find below exception. From the log > it is clear that > "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" > is the one causing the exception (see the code below. 
Line 51 is in bold). > Is this because of large realms? any ideas? > @Override > public void migrate(KeycloakSession session) { > *session.realms().getRealms().stream().forEach(* > r -> { > migrateRealm(session, r, false); > } > ); > } > > > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) > ARJUNA012117: TransactionReaper::check timeout for TX > 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction > Reaper Worker 0,5,main] succ > essfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 > invoked while multiple threads ac > tive within it. > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with > multiple threads - thread S > erverService Thread Pool -- 53 was in progress with > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163) > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) > 
org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) > org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445) > org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172) > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164) > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) > org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150) > org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141) > org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74) > org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44) > 
org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264) > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332) > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) > org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353) > org.keycloak.models.cache.infinispan.entities.CachedClient.(CachedClient.java:119) > org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069) > org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029) > org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037) > org.keycloak.models.cache.infinispan.entities.CachedRealm.(CachedRealm.java:235) > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399) > org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102) > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459) > org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51) > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96) > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > java.lang.reflect.Constructor.newInstance(Constructor.java:423) > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown > Source) > 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > Source) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > Source) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > Source) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > Source) > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > java.util.concurrent.FutureTask.run(FutureTask.java:266) > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > java.lang.Thread.run(Thread.java:748) > org.jboss.threads.JBossThread.run(JBossThread.java:320) > > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 
0) > ARJUNA012108: CheckedAction::check - atomic action > 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 > threads active! > 22:16:17,099 WARN > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] > (Transaction Reaper Worker 0) HHH000 > 451: Transaction afterCompletion called by a background thread; delaying > afterCompletion processing until the original thread can handle it. > [status=4] > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction > Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12 > From mposolda at redhat.com Tue Sep 25 03:28:13 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 25 Sep 2018 09:28:13 +0200 Subject: [keycloak-user] Picktelink| Keycloak |Wildfly 11 |SSO In-Reply-To: References: Message-ID: <8fc22726-933f-328f-8450-68b021213ecc@redhat.com> As you pointed out, for Keycloak you need to have a separate server. But for bigger deployments, a separate server (or rather a separate cluster of servers) is recommended for identity management anyway. The biggest disadvantage of Picketlink is no more active development and limited support from the long term perspective. For more details see the FAQ page [1]. It is quite old and maybe some points are outdated, but most are probably still valid. [1] http://picketlink.org/keycloak-merge-faq/ Marek On 24/09/18 16:01, vandana thota wrote: > If we have to go with keycloak we have to stand up a separate server in > the architecture. > > But if we use this below configuration no need to set up the separate > keycloak server > > https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso > . > > What are the pros and cons of each set up ( 1 . With keycloak server 2 > . without keycloak server ) for SSO configuration . > > Thanks.
> > > On Sun, Sep 23, 2018 at 5:15 PM Juan Pablo Perata > wrote: > >> Hi, >> >> AFAIK PicketLink is merged into Keycloak and it is no longer maintained, >> all efforts, enhancements, etc are part of Keycloak now. >> >> Regards, >> Juan >> >> On Sat, Sep 22, 2018 at 2:24 PM vandana thota >> wrote: >> >>> Hello >>> >>> Is picketlink good to use for SSO on wildfly 11? What are the advantages >>> and disadvantages of using the below link configurations for SSO on >>> wildfly 11 >>> >>> Below is the link for picketlink, wildfly and IDP >>> >>> >>> https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso >>> . >>> >>> >>> Thanks, >>> Vandana >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Sep 25 03:32:38 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 25 Sep 2018 09:32:38 +0200 Subject: [keycloak-user] Multi tenant on a given resource In-Reply-To: References: Message-ID: For servlet adapters, there is this: https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy For javascript adapters, there is nothing out of the box. Based on your requirements, you can probably "listen" on the request and then, based on the fragment path, create an appropriate instance of the "Keycloak" object which will point either to the Keycloak1 or the Keycloak2 server. Marek On 24/09/18 18:06, DES PLAS Leonore wrote: > Hi there, > > We are wondering how to achieve "multi tenant" on a resource. > We have a spring boot backend with an angular front end, and are using Spring Security and keycloak-angular adapters.
> > We have one keycloak used to authenticate and authorize users to the application, that configuration is ok. > But now, for a set of resources (angular paths and REST services), we need to authenticate to another Keycloak server, which we don't know much of because it is somebody else's. > How can we handle having 2 different Keycloaks for a set of resources? > How can we tell in Spring Boot and Angular which AccessToken is the right one? > Is it possible to check if an AccessToken is valid on 2 different Keycloaks and only for some paths? > > At first, we thought about user federation... but we don't want to be able to log in to the application just with the 2nd Keycloak. We have to be logged in with the first Keycloak on all paths, and for some paths we want to also be logged in to the 2nd Keycloak. > > Thank you for your time, > > Léonore DES PLAS MATTEI > Ingénieure Etudes et Développement - Aix en Provence SIG > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Sep 25 03:35:07 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 25 Sep 2018 09:35:07 +0200 Subject: [keycloak-user] Authenticator options on login page In-Reply-To: References: Message-ID: I think you will need to customize authentication flows and create your own implementation of Authenticator to achieve this. See the documentation for the Authentication SPI in the Keycloak Server Development guide. Marek On 23/09/18 15:17, Daicy Duarte wrote: > Hi! > > Is it possible to add authenticator options on the login page, so that the user can select through which authenticator they want to log in? > > For example having as options: passwords, secret question, etc.
> > Best regards, > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vignesh at dataphilabs.com Tue Sep 25 05:01:37 2018 From: vignesh at dataphilabs.com (Vignesh S) Date: Tue, 25 Sep 2018 14:31:37 +0530 Subject: [keycloak-user] Send additional parameter on keycloak login In-Reply-To: <586170cc-0c43-1a71-41a8-2af0e1c03e31@redhat.com> References: <586170cc-0c43-1a71-41a8-2af0e1c03e31@redhat.com> Message-ID: On Tue, Sep 25, 2018 at 12:46 PM Marek Posolda wrote: > Hi, > > I think that in the federation layer, you have access to the current > KeycloakSession. So you can probably use something like: > > org.jboss.resteasy.spi.HttpRequest req = session.getContext().getContextObject(HttpRequest.class); > String myParam = req.getFormParameters().getFirst("my-param"); // getFormParameters() is a MultivaluedMap, so getFirst() returns the String value > > This worked! Thank you so much Marek. > No guarantee that it works :) Also the question is whether it's not a more proper way to handle this at the Authenticator level, which will delegate to the proper userStorage. UserStorage in theory shouldn't be > interested in request params etc, but just make sure to CRUD user objects. But not sure about your use-case, and maybe handling it at userStorage is the easiest option for you.. > > The legacy system has one login API that behaves differently based on the parameters passed. So I was in need of it in this layer to pass it on. > Marek > > > > On 25/09/18 08:07, Vignesh S wrote: > > Hello All, > > After having received so many good reviews about Keycloak, we are > implementing Keycloak as the access management system for our client > organization. Thanks to all the contributors. > > I am stuck in getting the login complete with the User Federation SPI. I am > in need of sending an additional parameter from the client during login > which I wanted to be available in the User Federation layer.
So that based > on that parameter, I shall make an appropriate request to our legacy system > for validating the password. > > Currently, I do this, > > curl -X POST \ > http://localhost:8080/auth/realms//protocol/openid-connect/token > \ > -H 'Accept: application/json' \ > -H 'Cache-Control: no-cache' \ > -H 'Content-Type: application/x-www-form-urlencoded' \ > -d > 'username=&password=&grant_type=password&client_id=' > > How can I add another custom param to the body and make it available in > the federation layer before making the login request to the legacy system? > > Any help will be much appreciated. > > Thanks, > Vignesh > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From henning.waack at codecentric.de Tue Sep 25 05:50:03 2018 From: henning.waack at codecentric.de (Henning Waack) Date: Tue, 25 Sep 2018 11:50:03 +0200 Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms In-Reply-To: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com> References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com> Message-ID: I'm having a similar problem with a fresh 4.4.0 KC installation using MySQL, i.e. I also get these transaction timeouts. Unfortunately I did not find a solution yet. Greetings Henning On Tue, 25 Sep 2018 at 09:21, Marek Posolda < mposolda at redhat.com> wrote: > We did not try to test with so many realms yet, so issues are expected > unfortunately :( We plan to improve it, but not sure when... > > To work around this one, you may need to increase the default JTA > transaction timeout, which is doable by adding/changing some attributes > in the Wildfly standalone.xml configuration file somewhere in the > transaction subsystem. By default it is 10 minutes AFAIR. See Wildfly > docs for more details.
> > Marek > > On 25/09/18 01:07, rony joy wrote: > > Dear All, > > > > We are currently using keycloak version 3.4.3 and trying to migrate to > > 4.3.0 but the startup is failing due to a migration issue. We have > around > > 400-500 realms in the database. Please find the exception below. From the > log > > it is clear that > > > "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" > > is the one causing the exception (see the code below. Line 51 is in > bold). > > Is this because of large realms? any ideas? > > @Override > > public void migrate(KeycloakSession session) { > > *session.realms().getRealms().stream().forEach(* > > r -> { > > migrateRealm(session, r, false); > > } > > ); > > } > > > > > > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) > > ARJUNA012117: TransactionReaper::check timeout for TX > > 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN > > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > > ARJUNA012121: TransactionReaper::doCancellations worker > Thread[Transaction > > Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f > > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > > ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 > > invoked while multiple threads active within it.
> > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > > ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed > with > > multiple threads - thread S > > erverService Thread Pool -- 53 was in progress with > > > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163) > > > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) > > > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) > > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) > > > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) > > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) > > > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) > > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > > > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) > > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) > > > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) > > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) > > > org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445) > > > org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172) > > > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164) > > > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) > > > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) > > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) > > > 
org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) > > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) > > > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) > > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > > > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) > > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) > > > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) > > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) > > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) > > > org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150) > > > org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141) > > > org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74) > > > org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44) > > > org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264) > > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332) > > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) > > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) > > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) > > > org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353) > > > org.keycloak.models.cache.infinispan.entities.CachedClient.(CachedClient.java:119) > > > org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069) > > > org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029) > > > 
org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037) > > > org.keycloak.models.cache.infinispan.entities.CachedRealm.(CachedRealm.java:235) > > > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399) > > > org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102) > > > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459) > > > org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51) > > > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96) > > > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) > > > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) > > > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) > > > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) > > > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) > > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > > > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > > > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > > java.lang.reflect.Constructor.newInstance(Constructor.java:423) > > > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > > > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) > > > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) > > > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) > > > 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > > > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > > > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) > > > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) > > > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) > > > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) > > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) > > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > java.util.concurrent.FutureTask.run(FutureTask.java:266) > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > java.lang.Thread.run(Thread.java:748) > > org.jboss.threads.JBossThread.run(JBossThread.java:320) > > > > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > > ARJUNA012108: CheckedAction::check - atomic action > > 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 > > threads active! > > 22:16:17,099 WARN > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] > > (Transaction Reaper Worker 0) HHH000 > > 451: Transaction afterCompletion called by a background thread; delaying > > afterCompletion processing until the original thread can handle it. 
> > [status=4] > > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) > > ARJUNA012121: TransactionReaper::doCancellations worker > Thread[Transaction > > Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12 > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- ----------- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 | 42697 Solingen | Germany tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal Management board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. The unauthorised copying, use or opening of any attached files and the unauthorised forwarding of this e-mail are not permitted. From tanja.schaefer.01 at gmail.com Tue Sep 25 05:56:05 2018 From: tanja.schaefer.01 at gmail.com (Tanja Schaefer) Date: Tue, 25 Sep 2018 11:56:05 +0200 Subject: [keycloak-user] Custom IdentityProvider lifecycle Message-ID: Hi, we implemented a custom Identity provider that extends AbstractOAuth2IdentityProvider and some Required Actions. It works pretty well, but we have one new requirement, which is to call an external endpoint ONCE after all Required Actions are done. My question: is there some method to override that is executed once after all Required Actions have been processed? Something like "@Override public void importNewUser()" but just after required actions are ready.
Best regards, Tanja From slaskawi at redhat.com Tue Sep 25 06:06:45 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Tue, 25 Sep 2018 12:06:45 +0200 Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes In-Reply-To: References: Message-ID: Thanks a lot for checking this. This seems like a bug to me, so I filed https://issues.jboss.org/browse/KEYCLOAK-8415. Unfortunately, we are preparing for some urgent work on the product side and I can't promise you when we will be able to look into this. I highly encourage you to contribute a fix if you are in a hurry, or just subscribe to the ticket and wait till we find a free slot to get it fixed. Thanks, Sebastian On Thu, Sep 20, 2018 at 4:27 PM D V wrote: > OK. So, with all caches being replicated, there's an error on startup: > > 2018-09-20 14:03:38,307 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] > (ServerService Thread Pool -- 62) ISPN000073: Unexpected error while > replicating: org.infinispan.commons.marshall.NotSerializableException: > org.keycloak.models.PasswordPolicy$Builder > Caused by: an exception which occurred: > in field org.keycloak.models.PasswordPolicy.builder > in object org.keycloak.models.PasswordPolicy@6ab5350d > in field > org.keycloak.models.cache.infinispan.entities.CachedRealm.passwordPolicy > in object > org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 > in object > org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 > in object org.infinispan.commands.write.PutKeyValueCommand@fec4dc5e > in object org.infinispan.commands.remote.SingleRpcCommand@3f2e5d1a > > If I make the realms cache local but leave the rest replicated, I observe > the same behaviour: the node that didn't issue the original set of > refresh/access tokens does a getUserById lookup, which in my case results > in a network call against a remote service.
> > I noticed there are caches running that aren't mentioned in the config, > like userRevisions. These are local and adding them to the config as > replicated doesn't actually make them as such. > > On Thu, Sep 20, 2018 at 7:36 AM Sebastian Laskawiec > wrote: > >> Could you please try to unify the caches? Please replace all local-cache >> and distributed-cache with replicated-cache. >> >> Even though using distributed caches over replicated ones should be the >> cause, I think those local caches might cause the behavior you're >> describing. >> >> On Wed, Sep 19, 2018 at 3:21 PM D V wrote: >> >>> Makes sense re: replicated caches. Here's my infinispan subsystem config >>> right now: >>> >>> >>> >> jndi-name="infinispan/Keycloak" statistics-enabled="true"> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >> statistics-enabled="true"/> >>> >> statistics-enabled="true"/> >>> >>> >> mode="SYNC" owners="1" statistics-enabled="true"/> >>> >> owners="1" statistics-enabled="true"/> >>> >> mode="SYNC" owners="1" statistics-enabled="true"/> >>> >> owners="1" statistics-enabled="true"/> >>> >> statistics-enabled="true"> >>> >>> >>> >> statistics-enabled="true"/> >>> >>> >>> >>> >>> >> owners="2" statistics-enabled="true"> >>> >>> >>> >>> >>> >> default-cache="default" module="org.wildfly.clustering.server"> >>> >>> >>> >>> >>> >>> >> module="org.wildfly.clustering.web.infinispan"> >>> >>> >>> >>> >>> >>> >>> >>> >> default-cache="dist" module="org.wildfly.clustering.ejb.infinispan"> >>> >>> >>> >>> >>> >>> >>> >>> >> default-cache="local-query" module="org.hibernate.infinispan"> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> The scenario I'm testing: >>> 1. Auth with grant_type=password on node1. >>> 2. Shut down node1. >>> 3. Auth with grant_type=refresh_token on node2. 
>>> >>> When client_sessions is not replicated (distributed, with owners=1, as >>> in the distribution's standalone-ha.xml), I get this on node2: >>> { >>> "error": "invalid_grant", >>> "error_description": "Session doesn't have required client" >>> } >>> >>> When sessions is not replicated: >>> { >>> "error": "invalid_grant", >>> "error_description": "Session not active" >>> } >>> >>> On Wed, Sep 19, 2018 at 6:56 AM Sebastian Laskawiec >>> wrote: >>> >>>> Thanks for letting us know DV! >>>> >>>> Setting the number of owners equal to the cluster size doesn't make any >>>> sense. You might use a replicated cache in that scenarios (which works the >>>> same way apart from some Infinispan internal behavior, which can be omitted >>>> in your case). Could you please paste your Infinispan configuration? Maybe >>>> there's some hint there... >>>> >>>> Thanks, >>>> Seb >>>> >>>> On Tue, Sep 18, 2018 at 11:02 PM D V wrote: >>>> >>>>> The issue was resolved in a somewhat unexpected way. I had a custom >>>>> org.keycloak.storage.UserStorageProviderFactory SPI registered that >>>>> returned providers >>>>> implementing org.keycloak.storage.user.UserLookupProvider, >>>>> but org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't >>>>> fully filled out. I just had it return null. It wasn't obvious to me that >>>>> it was required (or under what circumstances). Once I implemented it, the >>>>> experiments in my original message passed. I did have to set owners to 2 >>>>> for the "sessions" and "clientSessions" distributed cache infinispan >>>>> configs. >>>>> >>>>> One thing I noticed is that node2 (the one that doesn't get hit on the >>>>> initial password auth) has to do a lookup via getUserById the first time it >>>>> handles a grant_type=refresh_token auth. Is the data it needs not shared >>>>> across the cluster? It seems to be cached only locally on the node. 
Just as >>>>> a test I tried to set all configured non-local caches to be replicated and >>>>> it didn't help. Any thoughts about this? >>>>> >>>>> Thanks, >>>>> DV >>>>>>

From mukesh_harshwal at yahoo.co.in Tue Sep 25 06:43:32 2018
From: mukesh_harshwal at yahoo.co.in (mukesh Harshwal)
Date: Tue, 25 Sep 2018 10:43:32 +0000 (UTC)
Subject: [keycloak-user] Want Session expired or not from keycloak server
References: <617363955.2184865.1537872212881.ref@mail.yahoo.com>
Message-ID: <617363955.2184865.1537872212881@mail.yahoo.com>

Hi all, I am using Keycloak 3.4.3.Final as the SSO solution for my applications. I want to display a session inactivity popup if the user is inactive for a certain time. I want to know in how much time the session is going to expire, so that he can click on a continue button to keep the session going, or he can log out immediately by clicking the logout button in the popup. Is there any way to know the session expiry time? I tried ActiveToken's isExpired() API, but it doesn't serve my purpose. Is there any way to know whether the session is expired or active? Please help me. Thanks, Mukesh Harshwal

From K.Buler at adbglobal.com Tue Sep 25 07:01:16 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Tue, 25 Sep 2018 13:01:16 +0200
Subject: [keycloak-user] Integration with OpenID provider
Message-ID: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com>

Hi, I am trying to add an Identity Broker based on OpenID Connect to my Keycloak. Everything is fine, redirecting to the login page is working, but... there is always a "but" :) I've got this error in Keycloak: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. What I found is that Keycloak doesn't send the "Authorization" header in the "code-to-token" request. Is it a bug/feature, or am I missing some configuration?
Best regards, Karol

From psilva at redhat.com Tue Sep 25 07:25:45 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 25 Sep 2018 08:25:45 -0300
Subject: [keycloak-user] Assign permissions to client-level roles in KeyCloak
In-Reply-To: <1537853964033-0.post@n6.nabble.com>
References: <1537853964033-0.post@n6.nabble.com>
Message-ID:

Hi, We don't have a public API for this yet. Regards. Pedro Igor

On Tue, Sep 25, 2018 at 2:42 AM waterlilly_lilly wrote: > I want to assign permissions to client-level roles. To do so I create > policies > for the client-level roles which need to be assigned to permissions. I need > to assign these policies for client-level roles to permissions via REST from > my project but I can't find the REST URI in the documentation and project.
> > > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From sthorger at redhat.com Tue Sep 25 07:31:07 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Sep 2018 13:31:07 +0200
Subject: [keycloak-user] Want Session expired or not from keycloak server
In-Reply-To: <617363955.2184865.1537872212881@mail.yahoo.com>
References: <617363955.2184865.1537872212881.ref@mail.yahoo.com> <617363955.2184865.1537872212881@mail.yahoo.com>
Message-ID:

Not sure if there's already a protocol mapper that would do it, but you should at least be able to create a custom one that adds the details to the token.

On Tue, 25 Sep 2018 at 12:45, mukesh Harshwal wrote: > Hi all, > I am using Keycloak 3.4.3.Final as the SSO solution for my applications. I > want to display a session inactivity popup if the user is inactive for a certain > time. I want to know in how much time the session is going to expire, so > that he can click on a continue button to keep the session going, or he can > log out immediately by clicking the logout button in the popup. > Is there any way to know the session expiry time? I tried ActiveToken's > isExpired() API, but it doesn't serve my purpose. Is there any way to know > whether the session is expired or active? Please help me.
> Thanks, Mukesh Harshwal >

From ronyjoy at gmail.com Tue Sep 25 08:02:36 2018
From: ronyjoy at gmail.com (rony joy)
Date: Tue, 25 Sep 2018 07:02:36 -0500
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
In-Reply-To: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
Message-ID:

Hi Marek, I forgot to mention that we had increased the transaction timeout to 20 minutes and then to 40 min, which is not helping. It simply takes more than 40 minutes :( to load the realms into the cache. Any help appreciated. Attached are the keycloak debug logs, which show that the transaction timeout occurs exactly after 40 minutes.

22:32:02,793 DEBUG [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Validation passed. Database is up-to-date for changelog META-INF/jpa-changelog-master.xml
22:32:02,804 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 51) Using changelog file META-INF/sasidp-config-changelog.xml and changelogTableName DATABASECHANGELOG_SASIDP_CON
22:32:02,830 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 51) Reading from keycloak3000.DATABASECHANGELOG_SASIDP_CON
22:32:02,843 DEBUG [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Validation passed.
Database is up-to-date for changelog META-INF/sasidp-config-changelog.xml
22:32:02,844 DEBUG [org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory] (ServerService Thread Pool -- 51) Database is up-to-date
22:32:02 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 51) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
22:32:03,000 INFO [org.hibernate.Version] (ServerService Thread Pool -- 51) HHH000412: Hibernate Core {5.1.10.Final}
22:32:03,004 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000206: hibernate.properties not found
22:32:03,007 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000021: Bytecode provider name : javassist
22:32:03,056 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 51) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
22:32:03,230 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 51) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
22:32:03,288 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
22:32:03,290 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
22:32:03,291 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
22:32:03,291 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? true
22:32:03,320 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 51) Envers integration enabled? : true
22:32:04,230 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 51) HV000001: Hibernate Validator 5.3.5.Final
22:32:05,429 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 51) HHH000397: Using ASTQueryTranslatorFactory
22:32:07,290 DEBUG [org.keycloak.migration.MigrationModelManager] (ServerService Thread Pool -- 51) Migrating older model to 4.0.0
22:32:07,305 DEBUG [com.gemalto.sas.keycloak.service.crypto.StorageKeyLoader] (Timer-2) Decrypting storage key...
22:32:07,339 DEBUG [com.gemalto.sas.keycloak.service.crypto.StorageKeyLoader] (Timer-2) Storage key decrypted.
22:32:07,340 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
22:32:07,404 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
22:32:07,404 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper resuming suspended
22:32:07,406 DEBUG [org.keycloak.timer.basic.BasicTimerProvider] (Timer-2) Cancelling task 'load-storage-key'
22:32:07,407 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
22:32:07,408 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
22:32:07,409 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task
22:32:09,853 DEBUG [com.gemalto.sas.keycloak.admin.RoleServiceImpl] (pool-8-thread-1) Creating addIdpCompositeRoles
22:32:22,269 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (pool-8-thread-1) JtaTransactionWrapper commit
22:32:22,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (pool-8-thread-1) JtaTransactionWrapper end
22:32:22,364 DEBUG [com.gemalto.sas.keycloak.admin.RoleServiceFactory] (pool-8-thread-1) setting up roles completed
23:12:04,365 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX
0:ffffac110004:268991c5:5ba965d6:10 in state RUN
23:12:04,425 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:268991c5:5ba965d6:d
23:12:04,428 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:268991c5:5ba965d6:10 invoked while multiple threads active within it.
23:12:04,436 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:268991c5:5ba965d6:10 completed with multiple threads - thread ServerService Thread Pool -- 51 was in progress with
org.hibernate.type.TypeHelper.findDirty(TypeHelper.java:321)
org.hibernate.persister.entity.AbstractEntityPersister.findDirty(AbstractEntityPersister.java:4204)
org.hibernate.event.internal.DefaultFlushEntityEventListener.dirtyCheck(DefaultFlushEntityEventListener.java:528)
org.hibernate.event.internal.DefaultFlushEntityEventListener.isUpdateNecessary(DefaultFlushEntityEventListener.java:215)
org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:142)
org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:216)
org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:85)
org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264)
org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332)
org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
org.keycloak.models.jpa.RealmAdapter.getDefaultClientScopes(RealmAdapter.java:1893)
org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:294)
org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:238)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/680156514.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/248363466.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/248363466.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/248363466.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/248363466.call(Unknown Source)
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
org.jboss.threads.JBossThread.run(JBossThread.java:320)

On Tue, Sep 25, 2018 at 2:20 AM Marek Posolda wrote:
> We did not try to test with so many realms yet, so issues are expected
> unfortunately :( We plan to improve it, but not sure when...
>
> To workaround this one, you may need to increase the default JTA
> transaction timeout, which is doable by adding/changing some attributes
> in the Wildfly standalone.xml configuration file somewhere in the
> transaction subsystem. By default it is 10 minutes AFAIR. See Wildfly
> docs for more details.
>
> Marek
>
> On 25/09/18 01:07, rony joy wrote:
> > Dear All,
> >
> > We are currently using keycloak 3.4.3 and trying to migrate to
> > 4.3.0 but the startup is failing due to the migration issue. We have around
> > 400-500 realms in the database. Please find the exception below.
> > From the log it is clear that
> > "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)"
> > is the one causing the exception (see the code below. Line 51 is in bold).
> > Is this because of large realms? Any ideas?
> > @Override
> > public void migrate(KeycloakSession session) {
> > *session.realms().getRealms().stream().forEach(*
> > r -> {
> > migrateRealm(session, r, false);
> > }
> > );
> > }
> >
> >
> > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN
> > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f
> > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 invoked while multiple threads active within it.
> > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with multiple threads - thread ServerService Thread Pool -- 53 was in progress with
> > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163)
> > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
> > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
> > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
> > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456)
> > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388)
> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351)
> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136)
> > org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445)
> > org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172)
> > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164)
> > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
> > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
> >
> > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
> > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456)
> > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388)
> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351)
> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136)
> > org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150)
> > org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141)
> > org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74)
> > org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
> > org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264)
> > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332)
> > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
> > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
> > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
> > org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353)
> > org.keycloak.models.cache.infinispan.entities.CachedClient.<init>(CachedClient.java:119)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029)
> >
> > org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037)
> > org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:235)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
> > org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
> > org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
> > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
> > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
> > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
> > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
> > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> > org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
> > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
> > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
> > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
> > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
> >
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > > > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > > > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) > > > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) > > > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) > > > io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) > > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) > > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > 
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
> > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
> > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > java.lang.Thread.run(Thread.java:748)
> > org.jboss.threads.JBossThread.run(JBossThread.java:320)
> >
> > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 threads active!
> > 22:16:17,099 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it.
> > [status=4]
> > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12
> >
> > -- Rony Joy

From ronyjoy at gmail.com Tue Sep 25 08:03:28 2018
From: ronyjoy at gmail.com (rony joy)
Date: Tue, 25 Sep 2018 07:03:28 -0500
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
In-Reply-To:
References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
Message-ID:

How many realms do you have?

On Tue, Sep 25, 2018 at 4:50 AM Henning Waack wrote: > I'm having a similar problem with a fresh 4.4.0 KC installation using > Mysql, i.e. I also get these transaction timeouts. Unfortunately I did not > find a solution yet. > > Greetings > > Henning > > On Tue, 25 Sep 2018 at 09:21, Marek Posolda < > mposolda at redhat.com> wrote: > >> We did not try to test with so many realms yet, so issues are expected >> unfortunately :( We plan to improve it, but not sure when... >> >> To workaround this one, you may need to increase the default JTA >> transaction timeout, which is doable by adding/changing some attributes >> in the Wildfly standalone.xml configuration file somewhere in the >> transaction subsystem. By default it is 10 minutes AFAIR. See Wildfly >> docs for more details. >> >> Marek >> >> On 25/09/18 01:07, rony joy wrote: >> > Dear All, >> > >> > We are currently using keycloak 3.4.3 and trying to migrate to >> > 4.3.0 but the startup is failing due to the migration issue. We have >> around >> > 400-500 realms in the database. Please find the exception below. From the >> log >> > it is clear that >> > >> "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" >> > is the one causing the exception (see the code below. Line 51 is in >> bold). >> > Is this because of large realms? Any ideas?
>> > @Override
>> > public void migrate(KeycloakSession session) {
>> > *session.realms().getRealms().stream().forEach(*
>> > r -> {
>> > migrateRealm(session, r, false);
>> > }
>> > );
>> > }
>> >
>> >
>> > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN
>> > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f
>> > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 invoked while multiple threads active within it.
>> > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with multiple threads - thread ServerService Thread Pool -- 53 was in progress with
>> > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163)
>> > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
>> > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
>> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
>> > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
>> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
>> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
>> > org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456)
>> > org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388)
>> >
>> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) >> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) >> > >> org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445) >> > >> org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172) >> > >> org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164) >> > >> org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) >> > >> org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) >> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) >> > >> org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) >> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) >> > >> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) >> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >> > >> org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) >> > >> org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) >> > >> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) >> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) >> > >> org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150) >> > >> org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141) >> > >> org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74) >> > >> 
org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44) >> > >> org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264) >> > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332) >> > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) >> > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) >> > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) >> > >> org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353) >> > >> org.keycloak.models.cache.infinispan.entities.CachedClient.(CachedClient.java:119) >> > >> org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069) >> > >> org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029) >> > >> org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037) >> > >> org.keycloak.models.cache.infinispan.entities.CachedRealm.(CachedRealm.java:235) >> > >> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399) >> > >> org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102) >> > >> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459) >> > >> org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51) >> > >> org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96) >> > >> org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) >> > >> org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) >> > >> org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) >> > >> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) >> > >> 
org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) >> > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >> > >> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >> > >> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >> > java.lang.reflect.Constructor.newInstance(Constructor.java:423) >> > >> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >> > >> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) >> > >> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) >> > >> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) >> > >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) >> > >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >> > >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >> > >> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >> > >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >> > >> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) >> > >> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) >> > >> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) >> > >> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) >> > >> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) >> > >> 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >> > >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >> > >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown >> > Source) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >> > Source) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >> > Source) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >> > Source) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >> > Source) >> > >> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) >> > >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) >> > 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> > java.util.concurrent.FutureTask.run(FutureTask.java:266) >> > >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >> > >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >> > java.lang.Thread.run(Thread.java:748) >> > org.jboss.threads.JBossThread.run(JBossThread.java:320) >> > >> > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) >> > ARJUNA012108: CheckedAction::check - atomic action >> > 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 >> > threads active! >> > 22:16:17,099 WARN >> > >> [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] >> > (Transaction Reaper Worker 0) HHH000 >> > 451: Transaction afterCompletion called by a background thread; delaying >> > afterCompletion processing until the original thread can handle it. >> > [status=4] >> > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) >> > ARJUNA012121: TransactionReaper::doCancellations worker >> Thread[Transaction >> > Reaper Worker 0,5,main] succ >> > essfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12 >> > >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > > > ----------- > > Henning Waack | IT Consultant > > > codecentric AG | Hochstra?e 11 > > | > > > 42697 > Solingen > > |Deutschland > > > > tel: +49 (0)151 108 515 29 > > www.codecentric.de | blog.codecentric.de | www.meettheexperts.de > > Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal > > Vorstand: Michael Hochg?rtel . Ulrich K?hn . Rainer Vehns > Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus J?ger . J?rgen Sch?tz > > Diese E-Mail einschlie?lich evtl. 
beigef?gter Dateien enth?lt vertrauliche > und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige > Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie > bitte sofort den Absender und l?schen Sie diese E-Mail und evtl. > beigef?gter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder ?ffnen > evtl. beigef?gter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist > nicht gestattet. > -- Rony Joy From leonore.desplas at soprasteria.com Tue Sep 25 08:18:39 2018 From: leonore.desplas at soprasteria.com (DES PLAS Leonore) Date: Tue, 25 Sep 2018 12:18:39 +0000 Subject: [keycloak-user] Multi tenant on a given resource In-Reply-To: References: Message-ID: Thank you for your answer, and my bad I had already seen the java multi tenancy part but misread it ! For the angular side, we are still looking for a good solution... once found, we will post it there but in the meantime if someone has implemented that feel free to tell us how =) -----Message d'origine----- De?: Marek Posolda Envoy??: mardi 25 septembre 2018 09:33 ??: DES PLAS Leonore ; keycloak-user at lists.jboss.org Objet?: Re: [keycloak-user] Multi tenant on a given resource For servlet adapters, there is this: https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy For javascript adapters, it is nothing out of the box. Based on your requirements, you can probably "listen" on the request and then based on the fragment path, you can create an appropriate instance of "Keycloak" object which will point either to Keycloak1 or Keycloak2 server. Marek On 24/09/18 18:06, DES PLAS Leonore wrote: > Hi there, > > We are wondering how to achieve "multi tenant" on a resource. > We have a spring boot backend with an angular front end, and are using Spring Security and keycloak-angular adapters. > > We have one keycloak used to authenticate and authorize users to the application, that configuration is ok. 
> But now, for a set of resources (angular paths and REST services), we need to authenticate to another Keycloak server, which we don't know much of because it is somebody else's.
> How can we handle having 2 different Keycloak for a set of resources?
> How can we tell in Spring Boot and Angular which AccessToken is the right one?
> Is it possible to check if an AccessToken is valid on 2 different Keycloak and only for some paths?
>
> At first, we thought about user federation... but we don't want to be able to log in to the application just with the 2nd Keycloak. We have to be logged in with the first Keycloak on all paths, and for some paths we want to also be logged in to the 2nd Keycloak.
>
> Thank you for your time,
>
> Léonore DES PLAS MATTEI
> Design and Development Engineer - Aix en Provence SIG
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From piergiorgiolucidi at gmail.com Tue Sep 25 08:44:14 2018
From: piergiorgiolucidi at gmail.com (Piergiorgio Lucidi)
Date: Tue, 25 Sep 2018 14:44:14 +0200
Subject: [keycloak-user] Keycloak Docker Quickstart
Message-ID:

Hi,

I have just published a first version of a generic Keycloak SDK based on Docker, fully managed by Maven.
I would like to understand if this first work can be useful for the current Keycloak development.
I'm also interested to know if there are developers interested in contributing to this project.

Article link:
https://www.open4dev.com/journal/2018/9/25/introducing-the-keycloak-docker-quickstart-sdk

Github:
https://github.com/OpenPj/keycloak-docker-quickstart

I'm wondering if this project can be improved as a Maven Archetype with dynamic parameters for generating components only if needed by developers. I mean without having all the Maven modules for components that you don't need to extend or create.
Please let me know what you think and how this project can be extended to become more helpful for the overall community.

Thank you and hope this helps.

Cheers,
PJ

--
Piergiorgio Lucidi
https://www.open4dev.com

From mposolda at redhat.com Tue Sep 25 08:52:44 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Sep 2018 14:52:44 +0200
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
In-Reply-To:
References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
Message-ID:

I would try a much bigger timeout, like 400 minutes. Sorry, it is just a dummy workaround and no guarantee it will help you and you won't see other issues... We know about this and we will try to improve the scenario with many realms.

Marek

On 25/09/18 14:02, rony joy wrote:
> Hi Marek, I forgot to mention that we had increased the transaction
> timeout to 20 minutes and then to 40 min, which is not helping. It
> simply takes more than 40 minutes :( to load the realms into cache.
> Any help appreciated. Attached are the keycloak debug logs, which show
> that the transaction timeout occurs exactly after 40 minutes.
>
> 22:32:02,793 DEBUG [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Validation passed. Database is up-to-date for changelog META-INF/jpa-changelog-master.xml
> 22:32:02,804 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 51) Using changelog file META-INF/sasidp-config-changelog.xml and changelogTableName DATABASECHANGELOG_SASIDP_CON
> 22:32:02,830 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 51) Reading from keycloak3000.DATABASECHANGELOG_SASIDP_CON
> 22:32:02,843 DEBUG [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Validation passed. Database is up-to-date for changelog META-INF/sasidp-config-changelog.xml
> 22:32:02,844 DEBUG [org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory] (ServerService Thread Pool -- 51) Database is up-to-date
> 22:32:02name: keycloak-defaultate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 51) HHH000204: Processing PersistenceUnitInfo [
>         ...]
> 22:32:03,000 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 51) HHH000412: Hibernate Core {5.1.10.Final}
> 22:32:03,004 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000206: hibernate.properties not found
> 22:32:03,007 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 51) HHH000021: Bytecode provider name : javassist
> 22:32:03,056 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 51) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
> 22:32:03,230 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 51) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
> 22:32:03,288 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
> 22:32:03,290 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
> 22:32:03,291 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
> 22:32:03,291 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? true
> 22:32:03,320 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 51) Envers integration enabled? : true
> 22:32:04,230 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 51) HV000001: Hibernate Validator 5.3.5.Final
> 22:32:05,429 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 51) HHH000397: Using ASTQueryTranslatorFactory
> 22:32:07,290 DEBUG [org.keycloak.migration.MigrationModelManager] (ServerService Thread Pool -- 51) Migrating older model to 4.0.0
> 22:32:07,305 DEBUG [com.gemalto.sas.keycloak.service.crypto.StorageKeyLoader] (Timer-2) Decrypting storage key...
> 22:32:07,339 DEBUG [com.gemalto.sas.keycloak.service.crypto.StorageKeyLoader] (Timer-2) Storage key decrypted.
> 22:32:07,340 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
> 22:32:07,404 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
> 22:32:07,404 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper resuming suspended
> 22:32:07,406 DEBUG [org.keycloak.timer.basic.BasicTimerProvider] (Timer-2) Cancelling task 'load-storage-key'
> 22:32:07,407 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
> 22:32:07,408 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
> 22:32:07,409 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task
> 22:32:09,853 DEBUG [com.gemalto.sas.keycloak.admin.RoleServiceImpl] (pool-8-thread-1) Creating addIdpCompositeRoles
> 22:32:22,269 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (pool-8-thread-1) JtaTransactionWrapper  commit
> 22:32:22,335 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (pool-8-thread-1) JtaTransactionWrapper end
> 22:32:22,364 DEBUG [com.gemalto.sas.keycloak.admin.RoleServiceFactory] (pool-8-thread-1) setting up roles completed
> 23:12:04,365 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:268991c5:5ba965d6:10 in state  RUN
> 23:12:04,425 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:268991c5:5ba965d6:d
> 23:12:04,428 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:268991c5:5ba965d6:10 invoked while multiple threads active within it.
> 23:12:04,436 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:268991c5:5ba965d6:10 completed with multiple threads - thread ServerService Thread Pool -- 51 was in progress with
> org.hibernate.type.TypeHelper.findDirty(TypeHelper.java:321)
> org.hibernate.persister.entity.AbstractEntityPersister.findDirty(AbstractEntityPersister.java:4204)
> org.hibernate.event.internal.DefaultFlushEntityEventListener.dirtyCheck(DefaultFlushEntityEventListener.java:528)
> org.hibernate.event.internal.DefaultFlushEntityEventListener.isUpdateNecessary(DefaultFlushEntityEventListener.java:215)
> org.hibernate.event.internal.DefaultFlushEntityEventListener.onFlushEntity(DefaultFlushEntityEventListener.java:142)
> org.hibernate.event.internal.AbstractFlushingEventListener.flushEntities(AbstractFlushingEventListener.java:216)
> org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:85)
> org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
> org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264)
> org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332)
> org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
> org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
> org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
> org.keycloak.models.jpa.RealmAdapter.getDefaultClientScopes(RealmAdapter.java:1893)
> org.keycloak.models.cache.infinispan.entities.CachedRealm.cacheClientScopes(CachedRealm.java:294)
> org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:238)
> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
> org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
> org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
> org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
> org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
> org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
> org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
> [... RESTEasy, Undertow and thread-pool startup frames omitted ...]
>
> On Tue, Sep 25, 2018 at 2:20 AM Marek Posolda wrote:
>
> We did not try to test with so many realms yet, so issues are expected
> unfortunately :( We plan to improve it, but not sure when...
>
> To work around this one, you may need to increase the default JTA
> transaction timeout, which is doable by adding/changing some attributes
> in the WildFly standalone.xml configuration file somewhere in the
> transaction subsystem. By default it is 10 minutes AFAIR. See WildFly
> docs for more details.
>
> Marek
>
> On 25/09/18 01:07, rony joy wrote:
> > Dear All,
> >
> > We are currently using keycloak 3.4.3 version and trying to migrate to
> > 4.3.0 but the startup is failing due to the migration issue. We have around
> > 400-500 realms in the database. Please find below exception. From the log
> > it is clear that
> > "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)"
> > is the one causing the exception (see the code below. Line 51 is in bold).
> > Is this because of large realms? any ideas?
> >
> >     @Override
> >     public void migrate(KeycloakSession session) {
> >         *session.realms().getRealms().stream().forEach(*
> >             r -> {
> >                 migrateRealm(session, r, false);
> >             }
> >         );
> >     }
> >
> > 22:16:17,002 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:-14e6f320:5ba958b2:12 in state  RUN
> > 22:16:17,070 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f
> > 22:16:17,073 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 invoked while multiple threads active within it.
> > 22:16:17,079 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with multiple threads - thread ServerService Thread Pool -- 53 was in progress with
> > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163)
> > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
> > [... Hibernate cascade/flush frames omitted ...]
> > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
> > org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353)
> > org.keycloak.models.cache.infinispan.entities.CachedClient.<init>(CachedClient.java:119)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029)
> > org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037)
> > org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:235)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
> > org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
> > org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
> > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
> > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
> > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
> > org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
> > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
> > org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
> > [... RESTEasy and Undertow startup frames omitted ...]
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown > > Source) > > > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) > > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > java.util.concurrent.FutureTask.run(FutureTask.java:266) > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > java.lang.Thread.run(Thread.java:748) > > org.jboss.threads.JBossThread.run(JBossThread.java:320) > > > > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper > Worker 0) > > ARJUNA012108: CheckedAction::check - atomic action > > 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 > > threads active! > > 22:16:17,099 WARN > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] > > (Transaction Reaper Worker 0) HHH000 > > 451: Transaction afterCompletion called by a background thread; > delaying > > afterCompletion processing until the original thread can handle it. > > [status=4] > > 22:16:17,101 WARN
[com.arjuna.ats.arjuna] (Transaction Reaper > Worker 0) > > ARJUNA012121: TransactionReaper::doCancellations worker > Thread[Transaction > > Reaper Worker 0,5,main] succ > > essfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12 > > > > > > -- > Rony Joy >

From henning.waack at codecentric.de Tue Sep 25 08:55:50 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Tue, 25 Sep 2018 14:55:50 +0200
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
In-Reply-To:
References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
Message-ID:

I have only one tiny realm, but my problem starts already at installation time, not migration time. Which DB are you using?

On Tue, 25 Sep 2018 at 14:03, rony joy wrote: > How many realms do you have? > > On Tue, Sep 25, 2018 at 4:50 AM Henning Waack < > henning.waack at codecentric.de> wrote: > >> I'm having a similar problem with a fresh 4.4.0 KC installation using >> MySQL, i.e. I also get these transaction timeouts. Unfortunately I did not >> find a solution yet. >> >> Greetings >> >> Henning >> >> On Tue, 25 Sep 2018 at 09:21, Marek Posolda < >> mposolda at redhat.com> wrote: >> >>> We did not try to test with so many realms yet, so issues are expected >>> unfortunately :( We plan to improve it, but not sure when... >>> >>> To work around this one, you may need to increase the default JTA >>> transaction timeout, which is doable by adding/changing some attributes >>> in the WildFly standalone.xml configuration file somewhere in the >>> transaction subsystem. By default it is 10 minutes AFAIR. See WildFly >>> docs for more details. >>> >>> Marek >>> >>> On 25/09/18 01:07, rony joy wrote: >>> > Dear All, >>> > >>> > We are currently using the Keycloak 3.4.3 version and trying to migrate to >>> > 4.3.0 but the startup is failing due to the migration issue. We have >>> around >>> > 400-500 realms in the database. Please find the exception below.
From the >>> log >>> > it is clear that >>> > >>> "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" >>> > is the one causing the exception (see the code below. Line 51 is in >>> bold). >>> > Is this because of large realms? Any ideas? >>> > >>> > @Override >>> > public void migrate(KeycloakSession session) { >>> > *session.realms().getRealms().stream().forEach(* >>> > r -> { >>> > migrateRealm(session, r, false); >>> > } >>> > ); >>> > } >>> > >>> > >>> > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) >>> > ARJUNA012117: TransactionReaper::check timeout for TX >>> > 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN >>> > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker >>> 0) >>> > ARJUNA012121: TransactionReaper::doCancellations worker >>> Thread[Transaction >>> > Reaper Worker 0,5,main] succ >>> > essfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f >>> > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker >>> 0) >>> > ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 >>> > invoked while multiple threads ac >>> > tive within it.
>>> > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker >>> 0) >>> > ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed >>> with >>> > multiple threads - thread S >>> > erverService Thread Pool -- 53 was in progress with >>> > >>> org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163) >>> > >>> org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) >>> > >>> org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) >>> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) >>> > >>> org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) >>> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) >>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) >>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >>> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) >>> > >>> org.hibernate.event.internal.AbstractSaveEventListener.cascadeAfterSave(AbstractSaveEventListener.java:445) >>> > >>> org.hibernate.event.internal.DefaultPersistEventListener.justCascade(DefaultPersistEventListener.java:172) >>> > >>> org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:164) >>> > >>> org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128) >>> > >>> org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805) >>> > 
org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798) >>> > >>> org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340) >>> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348) >>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeCollectionElements(Cascade.java:456) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeCollection(Cascade.java:388) >>> > >>> org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:351) >>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187) >>> > org.hibernate.engine.internal.Cascade.cascade(Cascade.java:136) >>> > >>> org.hibernate.event.internal.AbstractFlushingEventListener.cascadeOnFlush(AbstractFlushingEventListener.java:150) >>> > >>> org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141) >>> > >>> org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74) >>> > >>> org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44) >>> > >>> org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264) >>> > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332) >>> > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) >>> > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) >>> > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) >>> > >>> org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353) >>> > >>> org.keycloak.models.cache.infinispan.entities.CachedClient.(CachedClient.java:119) >>> > >>> org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069) >>> > >>> 
org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029) >>> > >>> org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037) >>> > >>> org.keycloak.models.cache.infinispan.entities.CachedRealm.(CachedRealm.java:235) >>> > >>> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399) >>> > >>> org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102) >>> > >>> org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459) >>> > >>> org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51) >>> > >>> org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96) >>> > >>> org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) >>> > >>> org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) >>> > >>> org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) >>> > >>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) >>> > >>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) >>> > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>> > >>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>> > >>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>> > java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>> > >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>> > >>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) >>> > >>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) >>> > >>> 
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) >>> > >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) >>> > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>> > >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>> > >>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >>> > >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>> > >>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) >>> > >>> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) >>> > >>> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) >>> > >>> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) >>> > >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) >>> > >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1001/538179304.call(Unknown >>> > Source) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >>> > Source) >>> > >>> 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >>> > Source) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >>> > Source) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown >>> > Source) >>> > >>> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) >>> > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >>> > java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>> > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>> > java.lang.Thread.run(Thread.java:748) >>> > org.jboss.threads.JBossThread.run(JBossThread.java:320) >>> > >>> > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker >>> 0) >>> > ARJUNA012108: CheckedAction::check - atomic action >>> > 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 >>> > threads active! 
>>> > 22:16:17,099 WARN >>> > >>> [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] >>> > (Transaction Reaper Worker 0) HHH000 >>> > 451: Transaction afterCompletion called by a background thread; >>> delaying >>> > afterCompletion processing until the original thread can handle it. >>> > [status=4] >>> > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker >>> 0) >>> > ARJUNA012121: TransactionReaper::doCancellations worker >>> Thread[Transaction >>> > Reaper Worker 0,5,main] succ >>> > essfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12 >>> > >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> -- >> >> >> ----------- >> >> Henning Waack | IT Consultant >> >> >> codecentric AG | Hochstraße 11 >> >> | >> >> >> 42697 >> Solingen >> >> | Germany >> >> >> >> tel: +49 (0)151 108 515 29 >> >> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de >> >> Registered office: Solingen | HRB 25917 | Wuppertal District Court >> >> Executive Board: Michael Hochgärtel . Ulrich Kühn . Rainer Vehns >> Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen >> Schütz >> >> This e-mail, including any attached files, contains >> confidential and/or legally protected information. If you are not >> the intended recipient or have received this e-mail in error, >> please inform the sender immediately and delete this e-mail and >> any attached files. Unauthorized copying, use or >> opening of any attached files, as well as unauthorized forwarding of this >> e-mail, is not permitted.
>> > > > -- > Rony Joy > > -- ----------- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 | 42697 Solingen | Germany tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

From mposolda at redhat.com Tue Sep 25 09:12:59 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Sep 2018 15:12:59 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To:
References:
Message-ID: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com>

Sorry, I did not read the whole thread.

Just a quick note that the caches "realms", "users", "keys" and "authorization" are supposed to be local caches. The pattern we're using ATM is that every cluster node caches its data (realms, users etc.) locally. In case some objects are updated (e.g. realm or users), there is a separate cache "work", which makes sure to notify other cluster nodes (or even nodes on all the other DCs), so all the nodes can invalidate the particular cached object from their caches.

Caches "realms", "users", "keys" and "authorization" are not meant to be replicated/distributed, but local. So this NotSerializableException doesn't look like a bug to me.

Marek

On 25/09/18 12:06, Sebastian Laskawiec wrote: > Thanks a lot for checking this.
> > This seems like a bug to me, so I filed > https://issues.jboss.org/browse/KEYCLOAK-8415. Unfortunately, we are > preparing for some urgent work on the product side and I can't promise > you when we will be able to look into this. I highly encourage you to > contribute a fix if you are in a hurry or just subscribe to the ticket > and wait till we find a free slot to get it fixed. > > Thanks, > Sebastian > > On Thu, Sep 20, 2018 at 4:27 PM D V > wrote: > > OK. So, with all caches being replicated, there's an error on > startup: > > 2018-09-20 14:03:38,307 ERROR > [org.infinispan.remoting.rpc.RpcManagerImpl] (ServerService Thread > Pool -- 62) ISPN000073: Unexpected error while replicating: > org.infinispan.commons.marshall.NotSerializableException: > org.keycloak.models.PasswordPolicy$Builder > Caused by: an exception which occurred: > in field org.keycloak.models.PasswordPolicy.builder > in object org.keycloak.models.PasswordPolicy@6ab5350d > in field > org.keycloak.models.cache.infinispan.entities.CachedRealm.passwordPolicy > in object > org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 > in object > org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 > in object org.infinispan.commands.write.PutKeyValueCommand@fec4dc5e > in object org.infinispan.commands.remote.SingleRpcCommand@3f2e5d1a > > If I make the realms cache local but leave the rest replicated, I > observe the same behaviour: the node that didn't issue the > original set of refresh/access tokens does a getUserById lookup, > which in my case results in a network call against a remote service. > > I noticed there are caches running that aren't mentioned in the > config, like userRevisions. These are local and adding them to the > config as replicated doesn't actually make them as such. > > On Thu, Sep 20, 2018 at 7:36 AM Sebastian Laskawiec > > wrote: > > Could you please try to unify the caches?
Please replace > all local-cache and distributed-cache with replicated-cache. > > Even though using distributed caches over replicated ones > should be the cause, I think those local caches might cause > the behavior you're describing. > > On Wed, Sep 19, 2018 at 3:21 PM D V > wrote: > > Makes sense re: replicated caches. Here's my infinispan > subsystem config right now: > > > jndi-name="infinispan/Keycloak" statistics-enabled="true"> > > statistics-enabled="true"> > strategy="LRU"/> > > statistics-enabled="true"> > strategy="LRU"/> > > > statistics-enabled="true"/> > statistics-enabled="true"/> > > name="authenticationSessions" mode="SYNC" owners="1" > statistics-enabled="true"/> > mode="SYNC" owners="1" statistics-enabled="true"/> > name="offlineClientSessions" mode="SYNC" owners="1" > statistics-enabled="true"/> > mode="SYNC" owners="1" statistics-enabled="true"/> > statistics-enabled="true"> > strategy="LRU"/> > > statistics-enabled="true"/> > statistics-enabled="true"> > strategy="LRU"/> > > > mode="SYNC" owners="2" statistics-enabled="true"> > strategy="NONE"/> > interval="300000"/> > > > aliases="singleton cluster" default-cache="default" > module="org.wildfly.clustering.server"> > > > > > default-cache="dist" > module="org.wildfly.clustering.web.infinispan"> > > > > > >
default-cache="dist" > module="org.wildfly.clustering.ejb.infinispan"> > > > > > > > default-cache="local-query" module="org.hibernate.infinispan"> > > > max-entries="10000"/> > > > > max-entries="10000"/> > > > mode="ASYNC"/> > > > > The scenario I'm testing: > 1. Auth with grant_type=password on node1. > 2. Shut down node1. > 3. Auth with grant_type=refresh_token on node2. > > When client_sessions is not replicated (distributed, with > owners=1, as in the distribution's standalone-ha.xml), I > get this on node2: > { > "error": "invalid_grant", > "error_description": "Session doesn't have required > client" > } > > When sessions is not replicated: > { > "error": "invalid_grant", > "error_description": "Session not active" > } > > On Wed, Sep 19, 2018 at 6:56 AM Sebastian Laskawiec > > wrote: > > Thanks for letting us know DV! > > Setting the number of owners equal to the cluster size > doesn't make any sense. You might use a replicated > cache in that scenario (which works the same way > apart from some Infinispan internal behavior, which > can be omitted in your case). Could you please paste > your Infinispan configuration? Maybe there's some hint > there... > > Thanks, > Seb > > On Tue, Sep 18, 2018 at 11:02 PM D V > wrote: > > The issue was resolved in a somewhat unexpected > way. I had a custom > org.keycloak.storage.UserStorageProviderFactory > SPI registered that returned providers > implementing org.keycloak.storage.user.UserLookupProvider, > but the org.keycloak.storage.user.UserLookupProvider#getUserById > method wasn't fully filled out. I just had it > return null.
It wasn't obvious to me that it was > required (or under what circumstances). Once I > implemented it, the experiments in my original > message passed. I did have to set owners to 2 for > the "sessions" and "clientSessions" distributed > cache infinispan configs. > > One thing I noticed is that node2 (the one that > doesn't get hit on the initial password auth) has > to do a lookup via getUserById the first time it > handles a grant_type=refresh_token auth. Is the > data it needs not shared across the cluster? It > seems to be cached only locally on the node. Just > as a test I tried to set all configured non-local > caches to be replicated and it didn't help. Any > thoughts about this? > > Thanks, > DV >

From mposolda at redhat.com Tue Sep 25 09:14:24 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 25 Sep 2018 15:14:24 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com>
References: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com>
Message-ID: <2ddbeef8-3e6d-aaef-27a7-e38995c1659b@redhat.com>

Some more info about our caches: https://www.keycloak.org/docs/latest/server_installation/index.html#cache-configuration

Not sure if this info should be updated and some more things clarified?

Marek

On 25/09/18 15:12, Marek Posolda wrote: > Sorry, I did not read the whole thread. > > Just a quick note that the caches "realms", "users", "keys" and > "authorization" are supposed to be local caches. The pattern we're > using ATM is that every cluster node caches its data (realms, users > etc.) locally. In case some objects are updated (e.g. realm or > users), there is a separate cache "work", which makes sure to notify > other cluster nodes (or even nodes on all the other DCs), so all the > nodes can invalidate the particular cached object from their caches. > > Caches "realms", "users", "keys" and "authorization" are not meant to > be replicated/distributed, but local.
So this NotSerializableException > doesn't look like a bug to me. > > Marek > > On 25/09/18 12:06, Sebastian Laskawiec wrote: >> Thanks a lot for checking this. >> >> This seems like a bug to me, so I filed >> https://issues.jboss.org/browse/KEYCLOAK-8415. Unfortunately, we are >> preparing for some urgent work on the product side and I can't >> promise you when we will be able to look into this. I highly >> encourage you to contribute a fix if you are in a hurry or just >> subscribe to the ticket and wait till we find a free slot to get it >> fixed. >> >> Thanks, >> Sebastian >> >> On Thu, Sep 20, 2018 at 4:27 PM D V > > wrote: >> >> OK. So, with all caches being replicated, there's an error on >> startup: >> >> 2018-09-20 14:03:38,307 ERROR >> [org.infinispan.remoting.rpc.RpcManagerImpl] (ServerService >> Thread Pool -- 62) ISPN000073: Unexpected error while >> replicating: >> org.infinispan.commons.marshall.NotSerializableException: >> org.keycloak.models.PasswordPolicy$Builder >> Caused by: an exception which occurred: >> in field org.keycloak.models.PasswordPolicy.builder >> in object org.keycloak.models.PasswordPolicy@6ab5350d >> in field >> org.keycloak.models.cache.infinispan.entities.CachedRealm.passwordPolicy >> in object >> org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 >> in object >> org.keycloak.models.cache.infinispan.entities.CachedRealm@7864be21 >> in object org.infinispan.commands.write.PutKeyValueCommand@fec4dc5e >> in object org.infinispan.commands.remote.SingleRpcCommand@3f2e5d1a >> >> If I make the realms cache local but leave the rest replicated, I >> observe the same behaviour: the node that didn't issue the >> original set of refresh/access tokens does a getUserById lookup, >> which in my case results in a network call against a remote service. >> >> I noticed there are caches running that aren't mentioned in the >> config, like userRevisions.
>> These are local and adding them to the config as replicated doesn't actually make them as such.
>>
>> On Thu, Sep 20, 2018 at 7:36 AM Sebastian Laskawiec wrote:
>>
>> Could you please try to unify the caches? Please replace all local-cache and distributed-cache with replicated-cache.
>>
>> Even though using distributed caches over replicated ones should be the cause, I think those local caches might cause the behavior you're describing.
>>
>> On Wed, Sep 19, 2018 at 3:21 PM D V wrote:
>>
>> Makes sense re: replicated caches. Here's my infinispan subsystem config right now:
>>
>> [infinispan subsystem XML; the element tags were lost in the archive and only the attributes below survive]
>> jndi-name="infinispan/Keycloak" statistics-enabled="true">
>> statistics-enabled="true">
>> strategy="LRU"/>
>> statistics-enabled="true">
>> strategy="LRU"/>
>> statistics-enabled="true"/>
>> statistics-enabled="true"/>
>> name="authenticationSessions" mode="SYNC" owners="1" statistics-enabled="true"/>
>> mode="SYNC" owners="1" statistics-enabled="true"/>
>> name="offlineClientSessions" mode="SYNC" owners="1" statistics-enabled="true"/>
>> mode="SYNC" owners="1" statistics-enabled="true"/>
>> statistics-enabled="true">
>> strategy="LRU"/>
>> statistics-enabled="true"/>
>> statistics-enabled="true">
>> strategy="LRU"/>
>> mode="SYNC" owners="2" statistics-enabled="true">
>> strategy="NONE"/>
>> interval="300000"/>
>> aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
>> [continuation of the infinispan subsystem XML; element tags lost in the archive, only these attributes survive]
>> default-cache="dist" module="org.wildfly.clustering.web.infinispan">
>> default-cache="dist" module="org.wildfly.clustering.ejb.infinispan">
>> default-cache="local-query" module="org.hibernate.infinispan">
>> max-entries="10000"/>
>> max-entries="10000"/>
>> mode="ASYNC"/>
>>
>> The scenario I'm testing:
>> 1. Auth with grant_type=password on node1.
>> 2. Shut down node1.
>> 3. Auth with grant_type=refresh_token on node2.
>>
>> When client_sessions is not replicated (distributed, with owners=1, as in the distribution's standalone-ha.xml), I get this on node2:
>> {
>>     "error": "invalid_grant",
>>     "error_description": "Session doesn't have required client"
>> }
>>
>> When sessions is not replicated:
>> {
>>     "error": "invalid_grant",
>>     "error_description": "Session not active"
>> }
>>
>> On Wed, Sep 19, 2018 at 6:56 AM Sebastian Laskawiec wrote:
>>
>> Thanks for letting us know DV!
>>
>> Setting the number of owners equal to the cluster size doesn't make any sense. You might use a replicated cache in that scenario (which works the same way apart from some Infinispan internal behavior, which can be omitted in your case). Could you please paste your Infinispan configuration? Maybe there's some hint there...
>>
>> Thanks,
>> Seb
>>
>> On Tue, Sep 18, 2018 at 11:02 PM D V wrote:
>>
>> The issue was resolved in a somewhat unexpected way.
>> I had a custom org.keycloak.storage.UserStorageProviderFactory SPI registered that returned providers implementing org.keycloak.storage.user.UserLookupProvider, but the org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't fully filled out. I just had it return null. It wasn't obvious to me that it was required (or under what circumstances). Once I implemented it, the experiments in my original message passed. I did have to set owners to 2 for the "sessions" and "clientSessions" distributed cache infinispan configs.
>>
>> One thing I noticed is that node2 (the one that doesn't get hit on the initial password auth) has to do a lookup via getUserById the first time it handles a grant_type=refresh_token auth. Is the data it needs not shared across the cluster? It seems to be cached only locally on the node. Just as a test I tried to set all configured non-local caches to be replicated and it didn't help. Any thoughts about this?
>>
>> Thanks,
>> DV
>>
>

From jochen.mader at instana.com Tue Sep 25 09:26:08 2018
From: jochen.mader at instana.com (Jochen Mader)
Date: Tue, 25 Sep 2018 15:26:08 +0200
Subject: [keycloak-user] SAML config using kcadmin.sh
Message-ID:

I am currently trying to automate setup of a SAML client using kcadmin.sh. Using 'kcadm.sh create clients -r SAML-DEMO -f saml-client.json' works when using the Keycloak-specific JSON.

My SAML Service Provider gives me a sp-metadata.xml. Using that file in the UI (Clients -> Create -> Import (Select File)) works and it will create a new client containing all the stuff provided in the XML metadata.

Sadly that doesn't seem to work with kcadmin.sh. When providing that file instead of the JSON it simply fails with 'Not a valid JSON document'.

Is there a way to use the XML file from kcadmin.sh?
Thanks,
Jochen

From vandana0242 at gmail.com Tue Sep 25 10:23:08 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Tue, 25 Sep 2018 09:23:08 -0500
Subject: [keycloak-user] Picktelink| Keycloak |Wildfly 11 |SSO
In-Reply-To: <8fc22726-933f-328f-8450-68b021213ecc@redhat.com>
References: <8fc22726-933f-328f-8450-68b021213ecc@redhat.com>
Message-ID:

Can we use just the keycloak-saml adapter on the wildfly server, and have another IDP (not keycloak) for the SSO configuration for the app deployed on wildfly? Or is it a must to use keycloak (as SP / IDP)?

On Tue, Sep 25, 2018 at 2:28 AM Marek Posolda wrote:
> As you pointed out, for Keycloak you need to have a separate server. But for bigger deployments, a separate server (or rather a separate cluster of servers) is recommended for identity management anyway. The biggest disadvantage of Picketlink is no more active development and limited support from the long term perspective.
>
> For more details see the Faq page [1]. It is quite old and maybe some points are outdated, but most are probably still valid.
>
> [1] http://picketlink.org/keycloak-merge-faq/
>
> Marek
>
> On 24/09/18 16:01, vandana thota wrote:
> > If we have to go with keycloak we have to stand up a separate server in the architecture.
> >
> > But if we use this below configuration there is no need to set up the separate keycloak server
> >
> > https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
> >
> > What are the pros and cons of each set up (1. with keycloak server, 2. without keycloak server) for SSO configuration?
> >
> > Thanks.
> >
> > On Sun, Sep 23, 2018 at 5:15 PM Juan Pablo Perata wrote:
> >
> >> Hi,
> >>
> >> AFAIK PicketLink is merged into Keycloak and it is no longer maintained, all efforts, enhancements, etc are part of Keycloak now.
> >>
> >> Regards,
> >> Juan
> >>
> >> On Sat, Sep 22, 2018 at 2:24 PM vandana thota wrote:
> >>
> >>> Hello
> >>>
> >>> Is picketlink good to use for SSO on wildfly 11? What are the advantages and disadvantages of using the configuration from the link below for SSO on wildfly 11?
> >>>
> >>> Below is the link for picketlink, wildfly and IDP
> >>>
> >>> https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
> >>>
> >>> Thanks,
> >>> Vandana
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >

From ronyjoy at gmail.com Tue Sep 25 11:04:12 2018
From: ronyjoy at gmail.com (rony joy)
Date: Tue, 25 Sep 2018 10:04:12 -0500
Subject: [keycloak-user] Keycloak 3.4.3 to 4.X.X Migration Fails - we have 400-500 realms
In-Reply-To:
References: <0b038f25-5a31-9539-d7db-e0f8fb26ca55@redhat.com>
Message-ID:

We are using mysql. This looks like a different issue. I suggest posting a new thread with your exception.

On Tue, Sep 25, 2018 at 7:56 AM Henning Waack wrote:
> I have only one tiny Realm, but my problem starts already at installation time, not migration time.
>
> Which DB are you using?
>
> On Tue, 25 Sep 2018 at 14:03, rony joy wrote:
>
>> How many realms do you have?
>>
>> On Tue, Sep 25, 2018 at 4:50 AM Henning Waack <henning.waack at codecentric.de> wrote:
>>
>>> I'm having a similar problem with a fresh 4.4.0 KC installation using Mysql, i.e. I also get these transaction timeouts. Unfortunately I did not find a solution yet.
>>>
>>> Greetings
>>>
>>> Henning
>>>
>>> On Tue, 25 Sep 2018 at 09:21, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>> We did not try to test with so many realms yet, so issues are expected unfortunately :( We plan to improve it, but not sure when...
>>>>
>>>> To work around this one, you may need to increase the default JTA transaction timeout, which is doable by adding/changing some attributes in the Wildfly standalone.xml configuration file somewhere in the transaction subsystem. By default it is 10 minutes AFAIR. See Wildfly docs for more details.
>>>>
>>>> Marek
>>>>
>>>> On 25/09/18 01:07, rony joy wrote:
>>>> > Dear All,
>>>> >
>>>> > We are currently using keycloak version 3.4.3 and trying to migrate to 4.3.0 but the startup is failing due to the migration issue. We have around 400-500 realms in the database. Please find the exception below. From the log it is clear that "org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)" is the one causing the exception (see the code below; line 51 is in bold). Is this because of large realms? Any ideas?
>>>> > @Override
>>>> > public void migrate(KeycloakSession session) {
>>>> >     *session.realms().getRealms().stream().forEach(*
>>>> >         r -> {
>>>> >             migrateRealm(session, r, false);
>>>> >         }
>>>> >     );
>>>> > }
>>>> >
>>>> > 22:16:17,002 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac110004:-14e6f320:5ba958b2:12 in state RUN
>>>> > 22:16:17,070 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:f
>>>> > 22:16:17,073 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac110004:-14e6f320:5ba958b2:12 invoked while multiple threads active within it.
>>>> > 22:16:17,079 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac110004:-14e6f320:5ba958b2:12 completed with multiple threads - thread ServerService Thread Pool -- 53 was in progress with
>>>> > org.hibernate.event.internal.DefaultPersistEventListener.entityIsPersistent(DefaultPersistEventListener.java:163)
>>>> > org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:128)
>>>> > org.hibernate.internal.SessionImpl.firePersistOnFlush(SessionImpl.java:805)
>>>> > org.hibernate.internal.SessionImpl.persistOnFlush(SessionImpl.java:798)
>>>> > org.hibernate.engine.spi.CascadingActions$8.cascade(CascadingActions.java:340)
>>>> > org.hibernate.engine.internal.Cascade.cascadeToOne(Cascade.java:423)
>>>> > org.hibernate.engine.internal.Cascade.cascadeAssociation(Cascade.java:348)
>>>> > org.hibernate.engine.internal.Cascade.cascadeProperty(Cascade.java:187)
>>>> > org.hibernate.event.internal.AbstractFlushingEventListener.prepareEntityFlushes(AbstractFlushingEventListener.java:141)
>>>> > org.hibernate.event.internal.AbstractFlushingEventListener.flushEverythingToExecutions(AbstractFlushingEventListener.java:74)
>>>> > org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:44)
>>>> > org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1264)
>>>> > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1332)
>>>> > org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
>>>> > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
>>>> > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
>>>> > org.keycloak.models.jpa.ClientAdapter.getClientScopes(ClientAdapter.java:353)
>>>> > org.keycloak.models.cache.infinispan.entities.CachedClient.(CachedClient.java:119)
>>>> > org.keycloak.models.cache.infinispan.RealmCacheSession.cacheClient(RealmCacheSession.java:1069)
>>>> > org.keycloak.models.cache.infinispan.RealmCacheSession.getClientById(RealmCacheSession.java:1029)
>>>> > org.keycloak.models.jpa.RealmAdapter.getMasterAdminClient(RealmAdapter.java:1037)
>>>> > org.keycloak.models.cache.infinispan.entities.CachedRealm.(CachedRealm.java:235)
>>>> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
>>>> > org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
>>>> > org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
>>>> > org.keycloak.migration.migrators.MigrateTo4_0_0.migrate(MigrateTo4_0_0.java:51)
>>>> > org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
>>>> > org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
>>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1002/1005208678.call(Unknown Source)
>>>> > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
>>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>>>> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>>>> > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>> > java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>> > java.lang.Thread.run(Thread.java:748)
>>>> > org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>>> >
>>>> > 22:16:17,085 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffac110004:-14e6f320:5ba958b2:12 aborting with 1 threads active!
>>>> > 22:16:17,099 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it.
>>>> > [status=4]
>>>> > 22:16:17,101 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac110004:-14e6f320:5ba958b2:12
>>>> >
>>>>
>>>
>>> --
>>> -----------
>>> Henning Waack | IT Consultant
>>> codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
>>> tel: +49 (0)151 108 515 29
>>> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
>>> Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
>>> Management board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
>>> Supervisory board: Patric Fedlmeier (chairman) . Klaus Jäger . Jürgen Schütz
>>>
>>> This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and delete this e-mail and any attached files. Unauthorised copying, use or opening of any attached files, as well as unauthorised forwarding of this e-mail, is not permitted.
>>>
>>
>> --
>> Rony Joy
>>
>

--
Rony Joy

From corentin.dupont at gmail.com Tue Sep 25 12:21:09 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 25 Sep 2018 18:21:09 +0200
Subject: [keycloak-user] Invalid parameter: redirect_uri behind reverse proxy
Message-ID:

Hello,
When opening the admin console: https://keycloak.mysite.com/auth/admin/
The page is redirecting to:
https://keycloak.mysite.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fkeycloak.mysite.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=580747dc-8471-40be-8d9c-e63af68cf605&response_mode=fragment&response_type=code&scope=openid&nonce=28c85baa-6c76-44d9-8f4a-796a58d29383

But I get this message: Invalid parameter: redirect_uri

It seems that keycloak doesn't like the https in the redirect. Can it be?
My Keycloak is behind a reverse proxy. I set up the following tags in standalone.xml:

My reverse proxy is also setting headers: Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto.
Using tcpdump, I can see the following headers:

GET /auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/fonts/OpenSans-Light-webfont.woff2 HTTP/1.0
Host: keycloak.staging.waziup.io
X-Real-IP: 18.195.197.182
X-Forwarded-For: 217.77.82.229, 18.195.197.182
X-Forwarded-Proto: http
Connection: close
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Referer: https://keycloak.staging.waziup.io/auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css
Cookie: _ga=GA1.2.823033289.1537866165; _gid=GA1.2.861449812.1537866165
Pragma: no-cache
Cache-Control: no-cache

Are they correct?

Thanks a lot
Corentin

From dv at glyphy.com Tue Sep 25 14:55:12 2018
From: dv at glyphy.com (D V)
Date: Tue, 25 Sep 2018 14:55:12 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To: <2ddbeef8-3e6d-aaef-27a7-e38995c1659b@redhat.com>
References: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com> <2ddbeef8-3e6d-aaef-27a7-e38995c1659b@redhat.com>
Message-ID:

Thanks for the responses, folks. The issue now isn't the inability to set all caches to replicated. It's that a get-user-by-id is called whenever a node has to process an authentication via a refresh token that wasn't also issued by that same node. See the last paragraph of http://lists.jboss.org/pipermail/keycloak-user/2018-September/015549.html . The results are cached, but only on the original issuing node. I was expecting the user-by-id information to be shared between keycloak nodes to avoid external service calls, but perhaps this is by design? If so, could you explain why?
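For reference on the getUserById point DV describes in this thread, here is an added example (not DV's provider and not Keycloak's own code) of a read-only UserStorageProvider whose UserLookupProvider#getUserById actually resolves the user instead of returning null. It uses the Keycloak 4.x SPI signatures; the ExampleDirectoryProvider name, the in-memory DirectoryEntry map standing in for the remote service, and the package are hypothetical, and the UserStorageProviderFactory that returns it is not shown.

```java
package example.storage; // hypothetical package for this added example

import java.util.Map;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Read-only user storage provider backed by an in-memory directory
 * (constructed sample data standing in for the remote service a real
 * provider would call). Returned by a UserStorageProviderFactory (not shown).
 */
public class ExampleDirectoryProvider implements UserStorageProvider, UserLookupProvider {

    /** Minimal external user record; the directory is keyed by username. */
    public static final class DirectoryEntry {
        final String username;
        final String email;

        public DirectoryEntry(String username, String email) {
            this.username = username;
            this.email = email;
        }
    }

    private final KeycloakSession session;
    private final ComponentModel model;
    private final Map<String, DirectoryEntry> directory;

    public ExampleDirectoryProvider(KeycloakSession session, ComponentModel model,
                                    Map<String, DirectoryEntry> directory) {
        this.session = session;
        this.model = model;
        this.directory = directory;
    }

    /**
     * The user session stores the id Keycloak handed out at login, which for a
     * federated user is "f:<componentId>:<externalId>" (AbstractUserAdapter uses
     * the username as the external id). A node that did not perform the original
     * password login has no UserModel in its local "users" cache, so on a
     * refresh_token grant it resolves the session's user through this method.
     * Returning null here, as the provider in the thread originally did, makes
     * that refresh fail even though the session itself is replicated.
     */
    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        StorageId storageId = new StorageId(id);
        // Only answer for ids issued by this component instance.
        if (!model.getId().equals(storageId.getProviderId())) {
            return null;
        }
        return getUserByUsername(storageId.getExternalId(), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        DirectoryEntry entry = directory.get(username);
        return entry == null ? null : adapt(entry, realm);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        return directory.values().stream()
                .filter(e -> email.equalsIgnoreCase(e.email))
                .findFirst()
                .map(e -> adapt(e, realm))
                .orElse(null);
    }

    /** Wrap a directory record as a read-only UserModel owned by this component. */
    private UserModel adapt(DirectoryEntry entry, RealmModel realm) {
        return new AbstractUserAdapter(session, realm, model) {
            @Override
            public String getUsername() {
                return entry.username;
            }

            @Override
            public String getEmail() {
                return entry.email;
            }
        };
    }

    @Override
    public void close() {
        // Nothing to release for the in-memory directory.
    }
}
```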
On Tue, Sep 25, 2018 at 9:14 AM Marek Posolda wrote:
> Some more info about our caches:
> https://www.keycloak.org/docs/latest/server_installation/index.html#cache-configuration
>
> Not sure if this info should be updated and some more things to be clarified?
>
> Marek
>
> On 25/09/18 15:12, Marek Posolda wrote:
>
> Sorry, I did not read the whole thread.
>
> Just a quick note, that caches "realms", "users", "keys" and "authorization" are supposed to be local caches. The pattern we're using ATM is that every cluster node caches its data (realms, users etc) locally. In case that some objects are updated (EG. realm or users), there is a separate cache "work", which makes sure to notify other cluster nodes (or even nodes on all the other DCs), so all the nodes can invalidate the particular cached object from their caches.
>
> Caches "realms", "users", "keys" and "authorization" are not meant to be replicated/distributed, but local. So this NotSerializableException doesn't look like a bug to me.
>
> Marek
>
> On 25/09/18 12:06, Sebastian Laskawiec wrote:
>
> Thanks a lot for checking this.
>
> This seems like a bug to me, so I filed https://issues.jboss.org/browse/KEYCLOAK-8415. Unfortunately, we are preparing for some urgent work on the product side and I can't promise you when we will be able to look into this. I highly encourage you to contribute a fix if you are in a hurry or just subscribe to the ticket and wait till we find a free slot to get it fixed.
>
> Thanks,
> Sebastian
>
> On Thu, Sep 20, 2018 at 4:27 PM D V wrote:
>
>> OK.
You might use a replicated cache in that scenarios (which works >>>>> the same way apart from some Infinispan internal behavior, which can be >>>>> omitted in your case). Could you please paste your Infinispan >>>>> configuration? Maybe there's some hint there... >>>>> >>>>> Thanks, >>>>> Seb >>>>> >>>>> On Tue, Sep 18, 2018 at 11:02 PM D V wrote: >>>>> >>>>>> The issue was resolved in a somewhat unexpected way. I had a custom >>>>>> org.keycloak.storage.UserStorageProviderFactory SPI registered that >>>>>> returned providers >>>>>> implementing org.keycloak.storage.user.UserLookupProvider, >>>>>> but org.keycloak.storage.user.UserLookupProvider#getUserById method wasn't >>>>>> fully filled out. I just had it return null. It wasn't obvious to me that >>>>>> it was required (or under what circumstances). Once I implemented it, the >>>>>> experiments in my original message passed. I did have to set owners to 2 >>>>>> for the "sessions" and "clientSessions" distributed cache infinispan >>>>>> configs. >>>>>> >>>>>> One thing I noticed is that node2 (the one that doesn't get hit on >>>>>> the initial password auth) has to do a lookup via getUserById the first >>>>>> time it handles a grant_type=refresh_token auth. Is the data it needs not >>>>>> shared across the cluster? It seems to be cached only locally on the node. >>>>>> Just as a test I tried to set all configured non-local caches to be >>>>>> replicated and it didn't help. Any thoughts about this? >>>>>> >>>>>> Thanks, >>>>>> DV >>>>>> >>>>>>> > > From n.e921 at yahoo.com Wed Sep 26 03:00:20 2018 From: n.e921 at yahoo.com (n e) Date: Wed, 26 Sep 2018 07:00:20 +0000 (UTC) Subject: [keycloak-user] Assign permissions to client-level roles in KeyCloak In-Reply-To: References: <1537853964033-0.post@n6.nabble.com> Message-ID: <1128719617.18576414.1537945220786@mail.yahoo.com> Thanks for your response. 
What is the proper way to assign permissions to client-level roles in KeyCloak from a Java program using REST URIs?

Thanks

On Tue., 25 Sep 2018, 2:56:02 PM GMT+3:30, Pedro Igor Silva wrote:

Hi,

We don't have a public API for this yet.

Regards.
Pedro Igor

On Tue, Sep 25, 2018 at 2:42 AM waterlilly_lilly wrote:

I want to assign permissions to client-level roles. To do so I create policies for the client-level roles which need to be assigned to permissions. I need to assign these policies for client-level roles to a permission via REST from my project, but I can't find the REST URI in the documentation or the project.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From lrozenblyum at gmail.com Wed Sep 26 03:33:47 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Wed, 26 Sep 2018 10:33:47 +0300
Subject: [keycloak-user] Session timeout and Single Logout
Message-ID: 

Hello!

I'm using pac4j + Spring Security + keycloak as an Idp + SAML as an SSO protocol.
I have a question about how to handle session timeout correctly for the session timeout scenario.

SCENARIO:
Let's have 2 web applications (WebApp1, WebApp2)
Let WebApp2 have some small session timeout (for easiness of testing, e.g. 1 minute)
Log in to WebApp1
Open WebApp2 in another tab of the same browser (so the user will be authenticated automatically through keycloak)
Close the tab with WebApp2
Wait till the session of WebApp2 expires
Try to log out from WebApp1

EXPECTED: Single Logout works
ACTUALLY: We're re-logged in to WebApp1

Reason: We got redirected to the Idp, then to WebApp2; inside WebApp2 the security library cannot load the SSO-related information because it no longer exists in the session (the session has expired). So the Single Logout procedure fails and we are still logged in.
Does keycloak have some support for this kind of scenario? Can any workarounds be applied?
It looks to be a not very rare situation, when the user closes the browser tab.

Thanks in advance for help!

From henning.waack at codecentric.de Wed Sep 26 04:13:20 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 26 Sep 2018 10:13:20 +0200
Subject: [keycloak-user] Invalid parameter: redirect_uri behind reverse proxy
In-Reply-To: 
References: 
Message-ID: 

One thing I see is that your X-Forwarded-Proto header is wrong, it should be https and not http. Please take a look at the documentation at https://www.keycloak.org/docs/latest/server_installation/index.html#identifying-client-ip-addresses for how to configure your reverse-proxy. Also make sure that you have set "proxy-address-forwarding=true" in your standalone.xml configuration of Wildfly.

Greetings

Henning

On Tue., 25 Sep. 2018 at 18:37, Corentin Dupont <corentin.dupont at gmail.com> wrote:

> Hello,
> When opening the admin console: https://keycloak.mysite.com/auth/admin/.
>
> The page is redirecting to:
>
> https://keycloak.mysite.com/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fkeycloak.mysite.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=580747dc-8471-40be-8d9c-e63af68cf605&response_mode=fragment&response_type=code&scope=openid&nonce=28c85baa-6c76-44d9-8f4a-796a58d29383
>
> But I get this message:
> Invalid parameter: redirect_uri
>
> It seems that keycloak doesn't like the https in the redirect. Can it be?
>
> My Keycloak is behind a reverse proxy.
> I setup the following tags in standalone.xml:
>
> [element tags lost in the archive; the attributes proxy-address-forwarding="true" redirect-socket="proxy-https" survive]
>
> My reverse proxy is also setting headers: Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto.
>
> Using tcpdump, I can see the following headers:
> GET /auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/fonts/OpenSans-Light-webfont.woff2 HTTP/1.0
> Host: keycloak.staging.waziup.io
> X-Real-IP: 18.195.197.182
> X-Forwarded-For: 217.77.82.229, 18.195.197.182
> X-Forwarded-Proto: http
> Connection: close
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
> Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: identity
> Referer: https://keycloak.staging.waziup.io/auth/resources/4.4.0.final/login/keycloak/node_modules/patternfly/dist/css/patternfly.css
> Cookie: _ga=GA1.2.823033289.1537866165; _gid=GA1.2.861449812.1537866165
> Pragma: no-cache
> Cache-Control: no-cache
>
> Are they correct?
> Thanks a lot
> Corentin

--
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
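Why a wrong X-Forwarded-Proto yields exactly "Invalid parameter: redirect_uri", as an added example that is not Keycloak's code and not part of the original thread: a simplified Python model in which the admin console's registered redirect URI is a relative pattern, so the server resolves it against the scheme it believes the client used, and that scheme comes from X-Forwarded-Proto only when proxy-address-forwarding is enabled. The sample request, the relative pattern '/auth/admin/master/console/*' and the prefix-style wildcard matching are assumptions made for the model.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, modelled on the tcpdump capture quoted in the
# thread: what the Keycloak HTTP listener sees after the inner proxy has
# rewritten X-Forwarded-Proto to "http" (it only sees plain HTTP itself).
CAPTURED_REQUEST = (
    "GET /auth/realms/master/protocol/openid-connect/auth"
    "?client_id=security-admin-console"
    "&redirect_uri=https%3A%2F%2Fkeycloak.mysite.com%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F"
    "&response_type=code&scope=openid HTTP/1.0\r\n"
    "Host: keycloak.mysite.com\r\n"
    "X-Real-IP: 18.195.197.182\r\n"
    "X-Forwarded-For: 217.77.82.229, 18.195.197.182\r\n"
    "X-Forwarded-Proto: http\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Assumption for the model: the admin console client registers a redirect URI
# that is relative to the server's own base URL (hypothetical, simplified).
ADMIN_CONSOLE_REDIRECTS = ["/auth/admin/master/console/*"]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request-target, headers); names lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def effective_scheme(headers, proxy_address_forwarding):
    """Scheme the server believes the browser used.

    Behind the proxy the listener is plain HTTP; only with proxy-address-forwarding
    enabled does a trusted X-Forwarded-Proto header override that.
    """
    if proxy_address_forwarding:
        forwarded = headers.get("x-forwarded-proto", "").lower()
        if forwarded in ("http", "https"):
            return forwarded
    return "http"


def resolve_patterns(patterns, base_url):
    """Make relative redirect patterns absolute using the request's base URL."""
    return [base_url + p if p.startswith("/") else p for p in patterns]


def redirect_allowed(redirect_uri, patterns):
    """Exact match, or prefix match when the pattern ends in '*'."""
    for p in patterns:
        if p.endswith("*") and redirect_uri.startswith(p[:-1]):
            return True
        if redirect_uri == p:
            return True
    return False


def validate_auth_request(raw, proxy_address_forwarding=True):
    """Run the redirect_uri check and report the base URL the server derived."""
    target, headers = parse_request(raw)
    query = parse_qs(urlsplit(target).query)
    redirect_uri = query.get("redirect_uri", [""])[0]
    scheme = effective_scheme(headers, proxy_address_forwarding)
    base_url = f"{scheme}://{headers['host']}"
    ok = redirect_allowed(redirect_uri, resolve_patterns(ADMIN_CONSOLE_REDIRECTS, base_url))
    return {
        "scheme": scheme,
        "base_url": base_url,
        "redirect_uri": redirect_uri,
        "error": None if ok else "Invalid parameter: redirect_uri",
    }


def with_forwarded_proto(raw, value):
    """Rewrite X-Forwarded-Proto, as the inner proxy does once it sends a fixed value."""
    return raw.replace("X-Forwarded-Proto: http\r\n", f"X-Forwarded-Proto: {value}\r\n")


if __name__ == "__main__":
    cases = [
        ("inner proxy passes $scheme (http)", CAPTURED_REQUEST, True),
        ("inner proxy forces https", with_forwarded_proto(CAPTURED_REQUEST, "https"), True),
        ("https header, proxy-address-forwarding off", with_forwarded_proto(CAPTURED_REQUEST, "https"), False),
    ]
    for label, raw, forwarding in cases:
        result = validate_auth_request(raw, forwarding)
        print(f"{label}: base={result['base_url']} -> {result['error'] or 'redirect_uri accepted'}")
```

The third case shows why Henning's second point matters: the header alone is not enough, the listener must also be told to trust it.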
From corentin.dupont at gmail.com Wed Sep 26 05:07:02 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 26 Sep 2018 11:07:02 +0200
Subject: [keycloak-user] Invalid parameter: redirect_uri behind reverse proxy
In-Reply-To: 
References: 
Message-ID: 

Fantastic, it works.
I was using nginx proxy:
proxy_set_header X-Forwarded-Proto $scheme;

However, I'm using two layers of proxy: one for load balancing, one for micro-services.
So when hitting my second proxy, the HTTPS is lost.
It's solved by forcing HTTPS:
proxy_set_header X-Forwarded-Proto https;

Thanks again.

From mposolda at redhat.com Wed Sep 26 05:11:11 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Sep 2018 11:11:11 +0200
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To: 
References: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com> <2ddbeef8-3e6d-aaef-27a7-e38995c1659b@redhat.com>
Message-ID: 

Yes, this is by design. The UserLookupProvider.getUserById method always needs to be properly implemented as shown in our quickstarts. For example: https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage-simple .

I agree that a need to look up the user on more cluster nodes isn't always great. One possibility to avoid this is to use sticky sessions, which we support. However, if you use an adapter other than keycloak.js, sticky sessions can't be fully guaranteed, as some requests like the "refresh-token" request are backchannel requests, which are triggered outside of the browser and can't participate in the original browser sticky session. So it can happen that this happens on the other cluster node.

Support for all the caches like "users" to be replicated will have some other consequences and probably in most cases it won't help with performance anyway, but rather the opposite (EG. you don't need to look up the user on more nodes, but whenever a user is cached, the cache entries need to be replicated to all the nodes, then invalidated on all the nodes in case of updates etc etc). ATM I don't think that we will support it (but nothing is set in stone...).

Marek

On 25/09/18 20:55, D V wrote:
> Thanks for the responses, folks.
> The issue now isn't the inability to set all caches to replicated. It's that a get-user-by-id is called whenever a node has to process an authentication via a refresh token that wasn't also issued by that same node. See the last paragraph of http://lists.jboss.org/pipermail/keycloak-user/2018-September/015549.html . The results are cached, but only on the original issuing node. I was expecting the user-by-id information to be shared between keycloak nodes to avoid external service calls, but perhaps this is by design? If so, could you explain why?
>
> On Tue, Sep 25, 2018 at 9:14 AM Marek Posolda wrote:
>
> Some more info about our caches:
> https://www.keycloak.org/docs/latest/server_installation/index.html#cache-configuration
>
> Not sure if this info should be updated and some more things be clarified?
>
> Marek
>
> On 25/09/18 15:12, Marek Posolda wrote:
>> Sorry, I did not read the whole thread.
>>
>> Just a quick note, that caches "realms", "users", "keys" and "authorization" are supposed to be local caches. The pattern we're using ATM is that every cluster node caches its data (realms, users etc) locally. In case some objects are updated (EG. realm or users), there is a separate cache "work", which makes sure to notify the other cluster nodes (or even nodes on all the other DCs), so all the nodes can invalidate the particular cached object from their caches.
>>
>> Caches "realms", "users", "keys" and "authorization" are not meant to be replicated/distributed, but local. So this NotSerializableException doesn't look like a bug to me.
>>
>> Marek
>>
>> On 25/09/18 12:06, Sebastian Laskawiec wrote:
>>> Thanks a lot for checking this.
>>>
>>> This seems like a bug to me, so I filed https://issues.jboss.org/browse/KEYCLOAK-8415. Unfortunately, we are preparing for some urgent work on the product side and I can't promise you when we will be able to look into this. I highly encourage you to contribute a fix if you are in a hurry, or just subscribe to the ticket and wait till we find a free slot to get it fixed.
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> On Thu, Sep 20, 2018 at 4:27 PM D V wrote:
>>>
>>> [...]

From mposolda at redhat.com Wed Sep 26 05:24:54 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 26 Sep 2018 11:24:54 +0200
Subject: [keycloak-user] Picktelink| Keycloak |Wildfly 11 |SSO
In-Reply-To: 
References: <8fc22726-933f-328f-8450-68b021213ecc@redhat.com>
Message-ID: 

If you want to use the SAML SP part, it is definitely recommended to use the keycloak-saml adapter on Wildfly rather than Picketlink. The Keycloak SAML adapter is supposed to work with other 3rd party SAML IdPs, not just with the Keycloak server used as SAML IdP.

Marek

On 25/09/18 16:23, vandana thota wrote:
> Can we use just the keycloak-saml adapter on wildfly server, and have another IDP (not keycloak) for SSO configuration for the app deployed on wildfly?
>
> Or is it a must to use keycloak (as SP / IDP)?
>
> On Tue, Sep 25, 2018 at 2:28 AM Marek Posolda wrote:
>
> As you pointed out, for Keycloak you need to have a separate server. But for bigger deployments, a separate server (or rather a separate cluster of servers) is recommended for identity management anyway. The biggest disadvantage of Picketlink is no more active development and limited support from the long term perspective.
>
> For more details see the FAQ page [1]. It is quite old and maybe some points are outdated, but most are probably still valid.
>
> [1] http://picketlink.org/keycloak-merge-faq/
>
> Marek
>
> On 24/09/18 16:01, vandana thota wrote:
> > If we have to go with keycloak we have to stand up a separate server in the architecture.
> >
> > But if we use this below configuration there is no need to set up the separate keycloak server:
> >
> > https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
> >
> > What are the pros and cons of each set up (1. with keycloak server, 2. without keycloak server) for SSO configuration?
> >
> > Thanks.
> >
> > On Sun, Sep 23, 2018 at 5:15 PM Juan Pablo Perata wrote:
> >
> >> Hi,
> >>
> >> AFAIK PicketLink is merged into Keycloak and it is no longer maintained; all efforts, enhancements, etc. are part of Keycloak now.
> >>
> >> Regards,
> >> Juan
> >>
> >> On Sat, Sep 22, 2018 at 2:24 PM vandana thota wrote:
> >>
> >>> Hello
> >>>
> >>> Is picketlink good to use for SSO on wildfly 11? What are the advantages and disadvantages of using the below link's configuration for SSO on wildfly 11?
> >>>
> >>> Below is the link for picketlink, wildfly and IDP:
> >>>
> >>> https://developers.redhat.com/blog/2017/08/17/integrating-picketlink-with-okta-for-saml-based-sso
> >>>
> >>> Thanks,
> >>> Vandana

From dv at glyphy.com Wed Sep 26 07:26:36 2018
From: dv at glyphy.com (D V)
Date: Wed, 26 Sep 2018 07:26:36 -0400
Subject: [keycloak-user] Standalone HA tokens not immediately shared among nodes
In-Reply-To: 
References: <832f60fa-b3f1-093c-0ee5-e4a0fe452603@redhat.com> <2ddbeef8-3e6d-aaef-27a7-e38995c1659b@redhat.com>
Message-ID: 

Thanks for the explanation, Marek!

From uo67113 at gmail.com Wed Sep 26 08:11:18 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 26 Sep 2018 14:11:18 +0200
Subject: [keycloak-user] How to debug Tomcat 8 KeycloakAuthenticatorValve?
In-Reply-To: 
References: 
Message-ID: 

Hello Narendra,

- Start your tomcat under a JPDA debugger.
You have multiple options:
  - Using bin/catalina.sh jpda start
  - Adding -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 startup options (e.g. via setenv.sh)
- Clone the keycloak project
- Open a debugger session

Hope it helps,

Luis

On Sun., 23 Sep. 2018 at 12:36, Narendra Pathai (<narendra.pathai at sterlite.com>) wrote:

> I am using Keycloak with Tomcat 8, and I am able to successfully achieve the OpenID Connect based Single Sign On flow.
>
> But I am facing an issue with back-channel logout: when I click on logout from the Sessions tab, it shows success. But the application session is not invalidated and the application session can still be used actively till the token expiry.
>
> So I wanted to debug the source and see if I could find the root cause and solve the issue if any. Please help me in guiding how to debug KeycloakAuthenticatorValve. I am using IntelliJ IDEA for development.
>
> Let me know if any further details are required.
>
> Regards,
> Narendra Pathai

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From vandana0242 at gmail.com Wed Sep 26 08:40:10 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 26 Sep 2018 08:40:10 -0400
Subject: [keycloak-user] is it must to use keycloak server
Message-ID: 

Can we use just the keycloak-saml adapter on wildfly server, and have another IDP (not keycloak) for SSO configuration for the app deployed on wildfly? Or is it a must to use the keycloak server (as SP / IDP)?

From Tony.Harris at oneadvanced.com Wed Sep 26 10:32:30 2018
From: Tony.Harris at oneadvanced.com (Tony Harris)
Date: Wed, 26 Sep 2018 14:32:30 +0000
Subject: [keycloak-user] Spring Security and Path based multi tenancy
Message-ID: <045d3faaea5144e89e80769e2aeb2ed1@SL1ACSEXCMB01.acsresource.com>

I am trying to convert a Spring MVC web app that uses Spring Security with Keycloak to a multi-tenancy application. For this I followed the standard example and implemented my own version of KeycloakWebSecurityConfigurerAdapter.

Upon first access I am routed to my instance of KeycloakConfigResolver, where I can extract the realm based on the path. However, at some point I am redirected to {applicationContext}/sso/login by KeycloakAuthenticationEntryPoint, and this too ends up in KeycloakConfigResolver, but because there is no realm in the path I end up authenticating to the default realm.

Have I missed something? Has anyone made this work with Spring Security?

Tony Harris

From craig at baseventure.com Wed Sep 26 13:50:55 2018
From: craig at baseventure.com (Craig Setera)
Date: Wed, 26 Sep 2018 12:50:55 -0500
Subject: [keycloak-user] Annotation-based protection?
Message-ID: 

We are working to replace our Picketlink-based application code with Keycloak and OAuth/OpenID Connect. We have a number of JAX-RS services that have "mixed" resource methods, some requiring authentication while others do not require any authentication. We mark those that require authentication with @LoggedIn and use the Picketlink method interception support to manage access to that method.

What is the best way to replace this kind of functionality of mixed resource methods, some requiring authentication and others not requiring authentication? It does not seem like specifying this kind of information via web.xml is the proper/best approach, since it may force authentication for services where we don't want to make that a requirement. Is there any built-in support in Keycloak for this kind of use case?
Thanks,
Craig

Craig Setera
Chief Technology Officer
craig at baseventure.com

From joy at autonomic.ai Wed Sep 26 14:13:58 2018
From: joy at autonomic.ai (Joy Kent)
Date: Wed, 26 Sep 2018 11:13:58 -0700
Subject: [keycloak-user] Uncaught server error: org.keycloak.models.ModelException: Could not find UserStorageProviderFactory
Message-ID: 

We recently noticed an exception in our keycloak 3.3.4 3-node cluster running in standalone HA mode:

14:10:28,640 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-25) Uncaught server error: org.keycloak.models.ModelException: Could not find UserStorageProviderFactory for: MyUserStorage
  at org.keycloak.storage.UserStorageManager.getStorageProvider(UserStorageManager.java:164)
  at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:370)
  at org.keycloak.storage.UserStorageManager.getUserByFederatedIdentity(UserStorageManager.java:422)
  at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByFederatedIdentity(UserCacheSession.java:504)
  at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.importUserFromExternalIdentity(TokenEndpoint.java:894)
  at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:857)
  at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:644)
  at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:180)
  at sun.reflect.GeneratedMethodAccessor531.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  .....

Our UserStorageProvider was constructed based on the `EjbExampleUserStorageProvider` as described here: https://www.keycloak.org/docs/3.3/server_development/topics/providers.html, except for the following.

The `EjbExampleUserStorageProvider` has these annotations:

> @Stateful
> @Local(EjbExampleUserStorageProvider.class)
> public class EjbExampleUserStorageProvider implements UserStorageProvider,

While our UserStorageProvider has these annotations:

> @Stateful(passivationCapable=false)
> @Local(MyUserStorageProvider.class)
> public class MyUserStorageProvider implements UserStorageProvider,

The `(passivationCapable=false)` was added to bypass an exception we hit when running this in HA mode. It was suggested by this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-March/013442.html. There is a corresponding MyUserStorageProviderFactory class for this new MyUserStorageProvider.

Things worked out fine until recently. From the stack trace above, it seems like the new MyUserStorageProviderFactory was removed from the keycloakSession's keycloakSessionFactory. Does anyone know what might cause this?

Thanks,
Joy

From sthorger at redhat.com Wed Sep 26 14:39:48 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Sep 2018 20:39:48 +0200
Subject: [keycloak-user] is it must to use keycloak server
In-Reply-To: 
References: 
Message-ID: 

The SAML adapter is generic, so you can use it with other IdPs.

On Wed, 26 Sep 2018 at 14:44, vandana thota wrote:

> Can we use just the keycloak-saml adapter on wildfly server, and have another IDP (not keycloak) for SSO configuration for the app deployed on wildfly?
>
> Or is it a must to use the keycloak server (as SP / IDP)?

From sthorger at redhat.com Wed Sep 26 15:12:15 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Sep 2018 21:12:15 +0200
Subject: [keycloak-user] Feature freeze for 4.x
Message-ID: 

We are nearing the completion of 4.x and are entering into a feature freeze.
We will try to get through the current backlog of PRs, please be proactive and answer any feedback we give on GitHub. Anyone that wants to contribute additional features and enhancements to 4.x should do so very soon, otherwise we are most likely not able to accept until we start on 5.x. >From November and most likely until end of January the team will focus on bug fixing, automation and improvements to our testsuite. In this period I'm afraid we are not able to accept new features or enhancements, but please do send contributions regardless. We will review and add it to the queue for things to be merged once we can open up the gates again. I'm hoping that in the future with the effort we put in now on automation and testsuite improvements we will not have to have such lengthy yearly features freezes. Next time around we should be talking about weeks not months. As a final note thanks to everyone that has contributed to Keycloak. Be it in the form of code, documentation or simply answering questions on the mailing list. The community is what it is all about and we are very prod to have such a great community around Keycloak. From graham.burgess at razer.com Thu Sep 27 00:00:23 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Thu, 27 Sep 2018 04:00:23 +0000 Subject: [keycloak-user] Token Exchange First Login Message-ID: I am having a problem where when I hit Keycloak up for a token exchange from an external IdP token to a Keycloak token, the first login response the access_token JWT does not content the custom attributes that are added to the newly created account. However, subsequent calls for a token exchange, the access_token JWT does contain the custom attributes that I mapped in the client as well as in the profile client scope. The mappers for the custom attribute I am primarily interested in have "Add to access token" and "Add to ID token" enabled. 
I believe I am just being blind as to where I need to map it for first login, so any pointers would be appreciated.

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer.com | Razer Game Store | Razer Insider | Razer zVault
Razer Inc. (San Francisco)
201 3rd Street, Suite 900
San Francisco CA 94103, USA
Tel: +1 (415) 266 5300
Razer Inc. Stock Code: 1337.HK

IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.

From testoauth55 at gmail.com Thu Sep 27 01:05:08 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 27 Sep 2018 10:35:08 +0530
Subject: [keycloak-user] Securing Apps : Rest API to obtain Keycloak OIDC JSON

As mentioned in the docs: https://www.keycloak.org/docs/4.3/securing_apps/index.html#_java_adapter_config

"The initial config file can be obtained from the admin console. This can be done by opening the admin console, select Clients from the menu and clicking on the corresponding client. Once the page for the client is opened click on the Installation tab and select Keycloak OIDC JSON"

*Is there a REST API to obtain this json file?*

From sblanc at redhat.com Thu Sep 27 01:29:53 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 27 Sep 2018 07:29:53 +0200
Subject: [keycloak-user] Securing Apps : Rest API to obtain Keycloak OIDC JSON

Yes:

    GET /auth/admin/realms//clients//installation/providers/keycloak-oidc-keycloak-json

On Thu, Sep 27, 2018 at 7:07 AM Bruce Wings wrote:
> *Is there a REST API to obtain this json file?*

From alexis86600 at gmail.com Thu Sep 27 02:02:25 2018
From: alexis86600 at gmail.com (Alexis Reclus)
Date: Thu, 27 Sep 2018 16:02:25 +1000
Subject: [keycloak-user] Keycloak Clients Access Restriction

Hey,

I am authenticating users of different web applications using Keycloak (with an OpenID Connect Identity Provider). The architecture is the following:

- 1 realm
- Different clients (client A, client B) in the realm, each client corresponding to a web application.
- Users (user 1, user 2, user 3)

I want to create different groups of users (group A = user1 & user3 and group B = user1 & user2) and each group can access specific clients but can't access the other clients (group 1 can't access the web application in client B).

I tried to implement scopes, roles, groups but I am not sure this is the good way. How can I realize this using Keycloak configurations?

Best regards,

From sthorger at redhat.com Thu Sep 27 02:59:34 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Sep 2018 08:59:34 +0200
Subject: [keycloak-user] Keycloak 4.5.0.Final is out

http://blog.keycloak.org/2018/09/keycloak-450final-released.html

From hi at kaeff.net Thu Sep 27 04:03:43 2018
From: hi at kaeff.net (kaeff)
Date: Thu, 27 Sep 2018 10:03:43 +0200
Subject: [keycloak-user] Read client config at boot time?
Message-ID: <7905E947-5099-42A3-8E8F-A813ADCB03DF@kaeff.net>

Hi folks,

we're using the jboss/keycloak docker container for local integration testing for an app that's secured by keycloak. For that, we're setting up users upon creating the stack through docker-compose.

While we can set up users using environment variables / by means of `add-users-keycloak.json`, we need to use the rest api (i.e. `kcadm.sh create clients`) to configure a client. Since it requires a running server, we currently can't do this as part of the docker-compose stack.

Is there a way, or what's the best way, to pre-load a keycloak instance with a client configuration? Like `add-users-keycloak.json`, but for clients?

From remy at grunblatt.org Thu Sep 27 05:11:08 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Thu, 27 Sep 2018 11:11:08 +0200
Subject: [keycloak-user] Custom Identity Brokering and First login flow: prevent username edition?
Message-ID: <5d4f1caf-6c8b-921f-3999-1e25875590eb@grunblatt.org>

Hi,

I'm using a custom IDP and I have some trouble during the first login flow: it redirects to an "Update Account Information" page (this is fine), but you can edit the username in this. How to prevent this behaviour? As the usernames are provided by the third party, I don't want people to be able to change them.

Thanks,
Rémy

From Mattia.Bello at horsa.it Thu Sep 27 08:20:50 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Thu, 27 Sep 2018 12:20:50 +0000
Subject: [keycloak-user] Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F145EA@barcellona.horsa.local>

Hello,

I am trying to configure a Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode but I encountered some problems.

I followed the instructions of the Keycloak documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_security_adapter and https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy).

I created a simple web application (SpringSecurity_HelloWorld) with two pages, one public page (hello.jsp) and a protected one (admin.jsp). To implement the Multi tenancy, I created the PathBasedKeycloakConfigResolver java class and I changed the spring-security.xml file as requested to link this class to the Spring context.

The .zip at the following Google Drive link contains a copy of the test project: https://drive.google.com/file/d/1YH2phrXlx9yc1vexXkNCMKoOnDBEmBI2/view?usp=sharing

This is what happens when the app is running. Accessing the url localhost:8080/SpringSecurity_HelloWorld/{realm}/admin (i.e. the protected page), the following steps are executed:

1. As expected, the method resolve(..) of my PathBasedKeycloakConfigResolver class is called, and my code correctly extracts the {realm} from the url, creates the corresponding KeycloakDeployment object and returns it to the caller.
2. The browser receives a redirect (HTTP 302) to the location localhost:8080/SpringSecurity_HelloWorld/sso/login and executes the redirect.
3. The method resolve(..) of PathBasedKeycloakConfigResolver is called again with the url localhost:8080/SpringSecurity_HelloWorld/sso/login as argument. This is very surprising to me because this url doesn't contain the {realm} part and I am wondering how the method resolve() could cope with this. It is supposed to return the KeycloakDeployment object corresponding to the requested realm but this is not possible now.

From what I understand from the documentation, the second call to the resolve() method is just wrong .... why is the {realm} missing? I suspect there is some configuration error in my project but I can't find anything wrong.
Thanks to all

Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67 Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it

From Tony.Harris at oneadvanced.com Thu Sep 27 08:33:06 2018
From: Tony.Harris at oneadvanced.com (Tony Harris)
Date: Thu, 27 Sep 2018 12:33:06 +0000
Subject: [keycloak-user] Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode
In-Reply-To: <92E1246EF925084F978BEEDBCF3711F10275F145EA@barcellona.horsa.local>
References: <92E1246EF925084F978BEEDBCF3711F10275F145EA@barcellona.horsa.local>
Message-ID: <6777d494c5f442f1a58c3a875060ddc4@SL1ACSEXCMB01.acsresource.com>

I asked just this question last night. I solved my issue by creating a custom KeycloakAuthenticationEntryPoint to redirect to /RootContext/{realmName}/sso/login and then overrode the keycloakAuthenticationProcessingFilter method in the KeycloakWebSecurityConfigurerAdapter implementation to change the AntPathRequestMatcher to match.

    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new KeycloakAuthenticationProcessingFilter(authenticationManager(), new AntPathRequestMatcher("/**/sso/login"));
    }

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mattia Bello
Sent: 27 September 2018 13:21
To: keycloak-user at lists.jboss.org
Cc: Luca Buraggi ; Marco Pancotti
Subject: [keycloak-user] Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode

Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com

From dean.wyns at aptus.be Thu Sep 27 08:45:57 2018
From: dean.wyns at aptus.be (Wyns Dean)
Date: Thu, 27 Sep 2018 12:45:57 +0000
Subject: [keycloak-user] Multi-tenancy with groups

Hi there

A client of ours requires multi-tenancy (multiple customers) but without isolation of users. In other words, one user can be linked to multiple customers. A user with the permission to do so should be able to manage their customer's users. For this client we created a realm to completely isolate it. So we would use groups to implement the customers below our client.

Is creating a group per customer the best way to implement this? And then restrict the user management by using the fine-grained permissions built into the Keycloak admin console? Or is there another better way?

Thanks
Dean

From Mattia.Bello at horsa.it Thu Sep 27 09:54:15 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Thu, 27 Sep 2018 13:54:15 +0000
Subject: [keycloak-user] Problem with Spring WEB application using Keycloak + Spring Security Adapter in Multi Tenancy mode
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F14617@barcellona.horsa.local>

Please, can you describe your solution with more details?

I solved my issue by:

1. Creating a custom KeycloakAuthenticationEntryPoint to redirect to /RootContext/{realmName}/sso/login.

How do I do that? I can create a custom KeycloakAuthenticationEntryPoint (NewKeycloakAuthenticationEntryPoint) and set it in the keycloak xml config file:

Then?
How do I redirect to /RootContext/{realmName}/sso/login?

2. Overrode the keycloakAuthenticationProcessingFilter method in the KeycloakWebSecurityConfigurerAdapter implementation to change the AntPathRequestMatcher to match.

How do you specify that? I can create a new class NewKeycloakWebSecurityConfigurerAdapter and override the method keycloakAuthenticationProcessingFilter as you describe, but I don't understand how I set that class to be used when the app is running. Do I have to set it in the keycloak config xml file?

------------------------------
Mattia Bello
Developer
Horsa S.p.A.
Via Cadorna, 67 Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it

From gideonray at gmail.com Thu Sep 27 13:02:20 2018
From: gideonray at gmail.com (Gideon Caranzo)
Date: Thu, 27 Sep 2018 12:02:20 -0500
Subject: [keycloak-user] slow role search

Hi,

I'm running Keycloak with 1700 realms and API calls like getting a realm now take a lot of time. I profiled it and found that role checking is causing the issue, particularly KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set<RoleModel> visited).

I'm using a user with "admin" role to call the get realm API. And since I have 1700 realms, the "admin" role now has about 30K composite roles under it. The line below from KeycloakModelUtils.searchFor() will load all 30K composite roles, causing the slowdown.

    Set<RoleModel> compositeRoles = composite.getComposites();

Is there a way to avoid this issue? Or is it possible to fix the code such that it will do a database query instead of searching in memory to check if the role exists?

Thank you,
Gideon

From Ori.Doolman at amdocs.com Thu Sep 27 13:26:05 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Thu, 27 Sep 2018 17:26:05 +0000
Subject: [keycloak-user] Authorization Policy evaluation for specific REST method (verb)

Hello,

We're using authorization services and Keycloak 2.5.X.

We want to have different policies for a REST endpoint with different verbs (GET, PUT). We have everything configured at the Keycloak server side (PDP), through the web admin UI. We don't use the Policy Enforcer JSON configuration.

We have configured:

* Permission P1 for Resource X (URL X) and scope 'GET' mapped to Policy 'POLICY-1'.
* Permission P2 for Resource X (URL X) and scope 'PUT' mapped to Policy 'POLICY-2'.

What we see is that both policies are BEING evaluated, while we expected only one of them to be, according to the actual HTTP verb provided at runtime.

By reading the source code, we understand that because we don't use the policy enforcer adapter configuration (JSON file at client side), the list of required scopes sent with the permission request is empty and therefore all the scopes associated with the resource and permission are being evaluated.

We could work around this by utilizing the policy enforcer configuration file, but we would really like to do the configuration in a single place at the server side (we have many clients and microservices).

My questions are the following:

1. Is there any way to enforce evaluation of only one of the permissions above (the one according to the relevant scope/verb)? Or maybe it was changed in a later version? I see that the code of getRequiredScopes is different (adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java).

2. Why are there different configuration capabilities in the Admin UI (server side) and the Policy Enforcer adapter JSON file (client side)? In the latter, we can configure the "method" like PUT/GET/POST/DELETE for the match, while if we use the server side configuration, we lack the ability to match the method per URL. Again, is that something that was changed in a later version?

Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)

"Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access."

From sergey at shimkiv.com Thu Sep 27 14:42:51 2018
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Thu, 27 Sep 2018 21:42:51 +0300
Subject: [keycloak-user] Keycloak 4.5.0.Final is out

As always, thank you!
And the quick one regarding the updated versions of the Maven artifacts - they are on the way, right?

On Thu, Sep 27, 2018 at 10:02 AM Stian Thorgersen wrote:
> http://blog.keycloak.org/2018/09/keycloak-450final-released.html

--
Best regards,
Serhii Shymkiv.

From remy at grunblatt.org Thu Sep 27 15:30:09 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Thu, 27 Sep 2018 21:30:09 +0200
Subject: [keycloak-user] Custom Identity Brokering and First login flow: prevent username edition?
References: <5d4f1caf-6c8b-921f-3999-1e25875590eb@grunblatt.org>

Hi, nope, it's at "off":

On 27/09/2018 at 15:25, Henning Waack wrote:
> Hi Remy.
>
> In your realm settings in the tab "Login" you have the option "Edit
> username", which is most probably set to "true" in your case.
>
> Hth, greetings
>
> Henning
>
> --
> -----------
> Henning Waack | IT Consultant
>
> codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
>
> tel: +49 (0)151 108 515 29
>
> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
>
> Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
>
> Executive board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
> Supervisory board: Patric Fedlmeier (chairman) . Klaus Jäger . Jürgen Schütz
>
> This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From graham.burgess at razer.com Thu Sep 27 15:48:31 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Thu, 27 Sep 2018 19:48:31 +0000
Subject: [keycloak-user] Custom Identity Brokering and First login flow: prevent username edition?
References: <5d4f1caf-6c8b-921f-3999-1e25875590eb@grunblatt.org>

I just turned off the initial profile update in the first login flow; I also don't want users to be able to update their Keycloak username. That profile update page is actually displayed pre-Keycloak user creation.

Best regards,
Graham Burgess
RΛZΞR|stormmore
Sr. DevOps Engineer (USA)
Email: graham.burgess at razer.com
DID: (415) 374 0639
Razer Inc. Stock Code: 1337.HK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Rémy Grünblatt
Sent: Thursday, September 27, 2018 12:30 PM
To: Henning Waack ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom Identity Brokering and First login flow: prevent username edition?

From testoauth55 at gmail.com Fri Sep 28 02:44:56 2018
From: testoauth55 at gmail.com (Bruce Wings)
Date: Fri, 28 Sep 2018 12:14:56 +0530
Subject: [keycloak-user] Authorization: Receiving "Failed to enforce policy decisions" for valid token after some time

Steps:

1. After obtaining a token from keycloak, I am able to authenticate/authorize the user with this token.
2.
After some time (15-20 minutes), I start receiving *"Failed to enforce policy decisions"*.

If the same token was valid a few minutes before, shouldn't I get the "*token expired*" message instead of "*Failed to enforce policy decisions*"? My access token lifespan is set to 8 hours. Still I see this behavior after just 15-20 minutes.

Attached image for token expiry settings: image.png, token_settings.JPG

From K.Buler at adbglobal.com Fri Sep 28 03:05:38 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Fri, 28 Sep 2018 09:05:38 +0200
Subject: [keycloak-user] Integration with OpenID provider
In-Reply-To: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com>
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com>

Additional information is that this is 3.4.3.Final Keycloak.

Do you know about this problem? Maybe it is fixed in a newer version?

On 25.09.2018 13:01, Karol Buler wrote:
> Hi,
>
> I am trying to add Identity Broker based on OpenID Connect to my
> Keycloak. Everything is fine, redirecting to login page is working,
> but... always is "but" :) I've got error in Keycloak:
>
> org.keycloak.broker.provider.IdentityBrokerException: No access_token
> from server.
>
> What I found is that the Keycloak doesn't send the "Authorization"
> header in request "code-to-token". Is it bug/feature or am I missing
> some configuration?
>
> Best regards,
> Karol
>
> adbglobal.com
> This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED.
> Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

From lokesh.ravichandru at grootan.com Fri Sep 28 03:10:25 2018
From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru)
Date: Fri, 28 Sep 2018 12:40:25 +0530
Subject: [keycloak-user] Integration with OpenID provider
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com>

Just for details, is your Identity broker returning id_token along with the access token?

- Lokesh

On Fri, Sep 28, 2018 at 12:36 PM Karol Buler wrote:
> Additional information is that this is 3.4.3.Final Keycloak.
>
> Do you know about this problem? Maybe it is fixed in a newer version?

--
Grootan Technologies Private Limited
R-Block, 15th main street Anna nagar, Chennai 600 040
tel +91 97890 24698
mail lokesh.ravichandru at grootan.com | web https://www.grootan.com

From sergey at shimkiv.com Fri Sep 28 03:12:12 2018
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Fri, 28 Sep 2018 10:12:12 +0300
Subject: [keycloak-user] Keycloak 4.5.0.Final is out

No worries, artifacts already updated in central repository.

On Thu, Sep 27, 2018 at 9:42 PM Serhii Shymkiv wrote:
> And the quick one regarding the updated versions of the Maven artifacts -
> they are on the way, right?

--
Best regards,
Serhii Shymkiv.

From K.Buler at adbglobal.com Fri Sep 28 03:12:55 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Fri, 28 Sep 2018 07:12:55 +0000
Subject: [keycloak-user] Integration with OpenID provider
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com>
Message-ID: <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com>

Indeed.
Structure looks like this:

{
    "access_token": "",
    "token_type": "",
    "expires_in": int value,
    "refresh_token": "",
    "scope": "",
    "id_token": ""
}

Karol

On 28.09.2018 09:10, Lokesh Ravichandru wrote:
> Just for details, is your Identity broker returning an id_token along with the access token?
>
> - Lokesh

From lokesh.ravichandru at grootan.com Fri Sep 28 03:16:01 2018
From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru)
Date: Fri, 28 Sep 2018 12:46:01 +0530
Subject: [keycloak-user] Integration with OpenID provider
In-Reply-To: <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com>
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com> <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com>
Message-ID:

We are using the 4.4.0 version; we faced the same issue because of a missing id_token from our Identity broker application connected to Keycloak.

For a trial you can install the 4.4.0 version as a test build and attach your identity provider for a test run.

- Lokesh

On Fri, Sep 28, 2018 at 12:42 PM Karol Buler wrote:
> Indeed. Structure looks like this:
>
> {
>     "access_token": "",
>     "token_type": "",
>     "expires_in": int value,
>     "refresh_token": "",
>     "scope": "",
>     "id_token": ""
> }
>
> Karol

--
*Grootan Technologies Private Limited*
R-Block, 15th main street
Anna nagar, Chennai 600 040
tel +91 97890 24698
mail lokesh.ravichandru at grootan.com | web https://www.grootan.com

From K.Buler at adbglobal.com Fri Sep 28 03:21:39 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Fri, 28 Sep 2018 09:21:39 +0200
Subject: [keycloak-user] Integration with OpenID provider
In-Reply-To:
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com> <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com>
Message-ID: <3b0f565f-2ea8-3f2b-fdbf-2b038503f407@adbglobal.com>

Do you have a "confidential client"? If so, could you please confirm that Keycloak is sending the Authorization header? Basic from client_id:client_secret.

Karol

On 28.09.2018 09:16, Lokesh Ravichandru wrote:
> We are using the 4.4.0 version; we faced the same issue because of a missing
> id_token from our Identity broker application connected to Keycloak.
>
> For a trial you can install the 4.4.0 version as a test build and attach
> your identity provider for a test run.
>
> - Lokesh

From lokesh.ravichandru at grootan.com Fri Sep 28 03:23:36 2018
From: lokesh.ravichandru at grootan.com (Lokesh Ravichandru)
Date: Fri, 28 Sep 2018 12:53:36 +0530
Subject: [keycloak-user] Integration with OpenID provider
In-Reply-To: <3b0f565f-2ea8-3f2b-fdbf-2b038503f407@adbglobal.com>
References: <6ba2227a-e380-ad29-8d0e-cbfae5134242@adbglobal.com> <92fd3f74-bbde-4407-d0f6-84e64817ad51@adbglobal.com> <3b0f565f-2ea8-3f2b-fdbf-2b038503f407@adbglobal.com>
Message-ID:

Sure, will try and post my findings.

- Lokesh

On Fri, Sep 28, 2018 at 12:51 PM Karol Buler wrote:
> Do you have a "confidential client"? If so, could you please confirm that
> Keycloak is sending the Authorization header? Basic from
> client_id:client_secret.
>
> Karol

--
*Grootan Technologies Private Limited*
R-Block, 15th main street
Anna nagar, Chennai 600 040
tel +91 97890 24698
mail lokesh.ravichandru at grootan.com | web https://www.grootan.com

From petr40 at wp.pl Fri Sep 28 04:51:20 2018
From: petr40 at wp.pl (petr40 at wp.pl)
Date: Fri, 28 Sep 2018 10:51:20 +0200
Subject: [keycloak-user] keycloak js adapter - authorization code vs implicit flow
Message-ID: <9cce278ab75e41138da6d35f5097720c@grupawp.pl>

Hello!

I don't understand why authorization code is the default mode in the keycloak.js adapter (for an SPA JavaScript application). Should it be implicit flow instead? Is it safe to use this flow for public clients?
I know that 'sending the access token in the URL fragment can be a security vulnerability', but:
- the authorization code is also returned in query params
- CORS needs to be enabled on the server side (to exchange the code for a token via POST)
- we have an extra step
- we can use refresh tokens, but we can also make this work in implicit flow (hidden iframe)

If my arguments are wrong: why do we need implicit flow if there is authorization code? How does it relate to the OpenID Connect / OAuth specification?

Thanks!

From niko at n-k.de Fri Sep 28 09:48:07 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Sep 2018 15:48:07 +0200
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
Message-ID:

Hi all,

I just updated my Spring Boot w/ Spring Security demo installation to KC 4.5.0.Final.
To be able to use the Spring Boot configuration with the Spring Security Adapter, I have this bean configuration:

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

This worked well until 4.4.0.Final.
After upgrading to 4.5.0.Final, I get an error when Spring is trying to create the bean registry. Here is the relevant part of the stack trace:

Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'keycloakConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:339) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:215) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:583) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
    ... 69 common frames omitted

I see that there was a change in KeycloakSpringBootConfigResolver a few days ago, but I don't really get it... Perhaps it's me, perhaps it's an error?
Do I have to define my KeycloakConfigResolver bean in another way?

Can anybody help me?

Regards,
- Niko

From sblanc at redhat.com Fri Sep 28 10:09:08 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 28 Sep 2018 16:09:08 +0200
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To:
References:
Message-ID:

Hi Niko!
Indeed something is wrong here, I can reproduce it. Could you open a ticket? I will take a look at it ASAP.

Sebi

On Fri, Sep 28, 2018 at 3:51 PM Niko Köbler wrote:
> Hi all,
>
> I just updated my Spring Boot w/ Spring Security demo installation to KC
> 4.5.0.Final.
> To be able to use the Spring Boot configuration with the Spring Security
> Adapter, I have this bean configuration:
>
>     @Bean
>     public KeycloakConfigResolver keycloakConfigResolver() {
>         return new KeycloakSpringBootConfigResolver();
>     }
>
> This worked well until 4.4.0.Final.
> After upgrading to 4.5.0.Final, I get an error when Spring is trying to
> create the bean registry. Here is the relevant part of the stack trace:
>
> Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'keycloakConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:339) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:215) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:583) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>     ... 69 common frames omitted
>
> I see that there was a change in KeycloakSpringBootConfigResolver a few
> days ago, but I don't really get it... Perhaps it's me, perhaps it's an
> error?
> Do I have to define my KeycloakConfigResolver bean in another way?
>
> Can anybody help me?
>
> Regards,
> - Niko

From niko at n-k.de Fri Sep 28 10:21:14 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Sep 2018 16:21:14 +0200
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To:
References:
Message-ID: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de>

Hi Sebi,

thanks for confirming.
Ticket is created: https://issues.jboss.org/browse/KEYCLOAK-8444

- Niko

> On 28.09.2018 at 16:09, Sebastien Blanc wrote:
>
> Hi Niko!
>
> Indeed something is wrong here, I can reproduce it. Could you open a ticket? I will take a look at it ASAP.
>
> Sebi

From psilva at redhat.com Fri Sep 28 10:49:00 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Sep 2018 11:49:00 -0300
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de>
References: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de>
Message-ID:

Can you confirm that you are able to work around the issue by declaring the bean creation in a different class annotated with @Configuration?

Regards.

On Fri, Sep 28, 2018 at 11:21 AM Niko Köbler wrote:
> Hi Sebi,
>
> thanks for confirming.
> Ticket is created: https://issues.jboss.org/browse/KEYCLOAK-8444
>
> - Niko

From niko at n-k.de Fri Sep 28 11:16:40 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Sep 2018 17:16:40 +0200
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To:
References: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de>
Message-ID: <136E6694-C448-4F5D-B354-48B337696C5F@n-k.de>

Ok, there's a difference, but no working workaround...

Previously, I declared the bean in a class annotated with @KeycloakConfiguration - the described error occurred when starting the server up.
After moving the bean definition to another class, annotated with @Configuration only, the server powers up, but there are a lot (and I mean really a lot) of these messages when I try to call the page in the browser:

java.lang.StackOverflowError: null
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
    at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
    .....

I'll try to get an example app with the configuration over the weekend, so that you are able to reproduce. Unfortunately I now have to leave and can't proceed to work on it.
In the meantime, if you like, you can have a look here:
https://github.com/dasniko/keycloak-authdemo/blob/master/shop/src/main/java/dasniko/authdemo/shop/KeycloakAdapterSecurityConfig.java
https://github.com/dasniko/keycloak-authdemo/blob/master/shop/src/main/java/dasniko/authdemo/shop/KeyclaokSpringSecurityConfig.java

- Niko

> On 28.09.2018 at 16:49, Pedro Igor Silva wrote:
>
> Can you confirm that you are able to workaround the issue by declaring the bean creation in a different class annotated with @Configuration?
>
> Regards.
>
>
> On Fri, Sep 28, 2018 at 11:21 AM Niko Köbler wrote:
> Hi Sebi,
>
> thanks for confirming.
> Ticket is created: https://issues.jboss.org/browse/KEYCLOAK-8444
>
> - Niko
>
>
>> On 28.09.2018 at 16:09, Sebastien Blanc wrote:
>>
>> Hi Niko!
>>
>> Indeed something is wrong here, I can reproduce it. Could you open a ticket? I will take a look at it ASAP.
>>
>> Sebi
>>
>> On Fri, Sep 28, 2018 at 3:51 PM Niko Köbler wrote:
>> Hi all,
>>
>> I just updated my Spring Boot w/ Spring Security demo installation to KC 4.5.0.Final.
>> To be able to use the Spring Boot configuration with Spring Security Adapter, I have this bean configuration:
>>
>> @Bean
>> public KeycloakConfigResolver keycloakConfigResolver() {
>>     return new KeycloakSpringBootConfigResolver();
>> }
>>
>> This worked well until 4.4.0.Final.
>> After upgrading to 4.5.0.Final, I get an error when Spring is trying to create the bean registry. Here is the relevant part of the stack trace:
>>
>> Caused by: org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'keycloakConfigResolver': Requested bean is currently in creation: Is there an unresolvable circular reference?
>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.beforeSingletonCreation(DefaultSingletonBeanRegistry.java:339) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:215) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:583) ~[spring-beans-5.0.9.RELEASE.jar:5.0.9.RELEASE]
>>     ... 69 common frames omitted
>>
>>
>> I see, that there was a change in KeycloakSpringBootConfigResolver a few days ago, but I don't really get it... Perhaps it's me, perhaps it's an error?
>> Do I have to define my KeycloakConfigResolver bean in another way?
>>
>> Can anybody help me?
>>
>> Regards,
>> - Niko
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Sep 28 11:23:43 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Sep 2018 12:23:43 -0300
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To: <136E6694-C448-4F5D-B354-48B337696C5F@n-k.de>
References: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de> <136E6694-C448-4F5D-B354-48B337696C5F@n-k.de>
Message-ID: 

OK, thanks for the update. I did test the solution I mentioned and it worked for one of the quickstarts we have.

FYI, the changes you mentioned in KeycloakSpringBootConfigResolver are related to KEYCLOAK-8133. If you could give me something to reproduce the last issue you mentioned, I appreciate.

Regards.
Pedro Igor

On Fri, Sep 28, 2018 at 12:16 PM Niko Köbler wrote:
> Ok, there's a difference, but no working workaround...
>
> Previously, I declared the bean in a class annotated with @KeycloakConfiguration - the described error occurred when starting the server up.
>
> After moving the bean definition to another class, annotated with @Configuration only, the server powers up, but there are a lot (and I mean really a lot) of these messages when I try to call the page in the browser:
>
> java.lang.StackOverflowError: null
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>     at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final]
>     .....
>
> I'll try to get an example app with the configuration over the weekend, so that you are able to reproduce. Unfortunately I now have to leave and can't proceed to work on it.
> In the meantime, if you like, you can have a look here:
>
> https://github.com/dasniko/keycloak-authdemo/blob/master/shop/src/main/java/dasniko/authdemo/shop/KeycloakAdapterSecurityConfig.java
>
> https://github.com/dasniko/keycloak-authdemo/blob/master/shop/src/main/java/dasniko/authdemo/shop/KeyclaokSpringSecurityConfig.java
>
> - Niko

From ulrik.sjolin at gmail.com Fri Sep 28 11:26:46 2018
From: ulrik.sjolin at gmail.com (Ulrik Sjölin)
Date: Fri, 28 Sep 2018 08:26:46 -0700
Subject: [keycloak-user] Problem understanding authorization grants
Message-ID: 

Hello,

My name is Ulrik Sjölin and where I work we are currently looking into Keycloak (4.4). I have a question regarding permissions and policy evaluation.

My very simple setup is like this:

User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read, Write, Delete)
User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource via the Keycloak web UI.

There are 5 scope-based permissions, one for each scope, that allow the owner & admin each scope (Only Owner and Administrators Policy). My idea here is that the owner of a resource should not have to add the permissions on himself to be able to access the resource.
I now run evaluate and I get a surprising result:

Input:
User JDoe
Resource: JDoe
Scope: Any

Output:
Result
PERMIT
Scopes
Delete
Admin
Policies
Resource owner (jdoe at keycloak.org) grants access to alice at keycloak.org decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Read.
Only Owner and Administrators Policy voted to PERMIT.
Write Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Write.
Only Owner and Administrators Policy voted to PERMIT.
Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Delete.
Only Owner and Administrators Policy voted to PERMIT.
Admin Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Admin.
Only Owner and Administrators Policy voted to PERMIT.
Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE decision. Granted Scopes: Peek.
Peek resource role policy voted to PERMIT.
Only Owner and Administrators Policy voted to PERMIT.

I would expect JDoe to have full access to his resource since he is the owner and all the policies are reporting PERMIT. It is the top DENY that I can't wrap my head around.
The grants JDoe has given to Alice are removed from his own grants list, is this expected behavior? Why do grants to user Alice affect the grants of user JDoe?
Best Regards,

Ulrik

From niko at n-k.de Fri Sep 28 11:41:42 2018
From: niko at n-k.de (Niko Köbler)
Date: Fri, 28 Sep 2018 17:41:42 +0200
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To: 
References: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de> <136E6694-C448-4F5D-B354-48B337696C5F@n-k.de>
Message-ID: 

Here's a reproducible demo: https://github.com/dasniko/kc-sb-sec-demo
Power it up and try to access http://localhost:9000/ - this will return a 500 and there's a loooong error on the console
(You even don't need a KC server running, the error happens before accessing the server)

- Niko

> On 28.09.2018 at 17:23, Pedro Igor Silva wrote:
>
> OK, thanks for the update. I did test the solution I mentioned and it worked for one of the quickstarts we have.
>
> FYI, the changes you mentioned in KeycloakSpringBootConfigResolver are related to KEYCLOAK-8133. If you could give me something to reproduce the last issue you mentioned, I appreciate.
>
> Regards.
> Pedro Igor

From psilva at redhat.com Fri Sep 28 12:22:22 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Sep 2018 13:22:22 -0300
Subject: [keycloak-user] Problem understanding authorization grants
In-Reply-To: 
References: 
Message-ID: 

Hi,

What permissions did you actually get in the token? Wondering if this is an issue with the evaluation tool report.

Regards.
Pedro Igor

On Fri, Sep 28, 2018 at 1:03 PM Ulrik Sjölin wrote:
> Hello,
>
> My name is Ulrik Sjölin and where I work we are currently looking into Keycloak (4.4). I have a question regarding permissions and policy evaluation.
>
> My very simple setup is like this:
>
> User Alice owns Alice_Resource which has 5 scopes (Admin, Peek, Read, Write, Delete)
> User JDoe owns JDoe_Resource which has the same scopes as Alice_Resource
> User JDoe has given user Alice Peek, Read, Write access to JDoe_Resource via the Keycloak web UI.
>
> There are 5 scope-based permissions, one for each scope, that allow the owner & admin each scope (Only Owner and Administrators Policy).
> My idea here is that the owner of a resource should not have to add the permissions on himself to be able to access the resource.
>
> I now run evaluate and I get a surprising result:
>
> Input:
> User JDoe
> Resource: JDoe
> Scope: Any
>
> Output:
> Result
> PERMIT
> Scopes
> Delete
> Admin
> Policies
> Resource owner (jdoe at keycloak.org) grants access to alice at keycloak.org decision was DENY by UNANIMOUS decision. Denied Scopes: Read, Write, Peek.
> Read Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Read.
> Only Owner and Administrators Policy voted to PERMIT.
> Write Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Write.
> Only Owner and Administrators Policy voted to PERMIT.
> Delete Entitiy Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Delete.
> Only Owner and Administrators Policy voted to PERMIT.
> Admin Entity Resource Permission decision was PERMIT by UNANIMOUS decision. Granted Scopes: Admin.
> Only Owner and Administrators Policy voted to PERMIT.
> Peek Entity Resource Permission decision was PERMIT by AFFIRMATIVE decision. Granted Scopes: Peek.
> Peek resource role policy voted to PERMIT.
> Only Owner and Administrators Policy voted to PERMIT.
>
> I would expect JDoe to have full access to his resource since he is the owner and all the policies are reporting PERMIT. It is the top DENY that I can't wrap my head around.
> The grants JDoe has given to Alice are removed from his own grants list, is this expected behavior? Why do grants to user Alice affect the grants of user JDoe?
>
> Best Regards,
>
> Ulrik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Sep 28 13:24:33 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Sep 2018 14:24:33 -0300
Subject: [keycloak-user] Problem understanding authorization grants
In-Reply-To: 
References: 
Message-ID: 

You are right, there is a bug there.

The problem is that evaluation is also evaluating UMA permissions for resource owners and if there is no "resource-based permission" for the resource it will result in a deny. So far, we have been considering UMA where at least one permission is granting access to the resource. When using only scope permissions, the issue shows up.

If you could at least define a permission that is evaluated for all your resources (define a type for your resources + a permission for this type), you should work around this.

I've submitted a fix to https://issues.jboss.org/browse/KEYCLOAK-8445.

Regards.
Pedro Igor

On Fri, Sep 28, 2018 at 1:22 PM Pedro Igor Silva wrote:
> Hi,
>
> What permissions did you actually get in the token? Wondering if this is an issue with the evaluation tool report.
>
> Regards.
> Pedro Igor

From psilva at redhat.com Fri Sep 28 13:51:41 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Sep 2018 14:51:41 -0300
Subject: [keycloak-user] Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final
In-Reply-To: 
References: <4F95B39A-4D28-46AE-9E71-59EF9AA8E307@n-k.de> <136E6694-C448-4F5D-B354-48B337696C5F@n-k.de>
Message-ID: 

I found the cause of those errors that you are facing. To solve your problem, do not return instances of KeycloakSpringBootConfigResolver. But create your own implementation of KeycloakConfigResolver.

The KeycloakSpringBootConfigResolver changed to consider whether or not the application is producing a bean for KeycloakConfigResolver to delegate resolution of deployments to the bean. That was necessary to avoid resolving deployments twice when using security constraints. See KEYCLOAK-8133 for more details.

But yeah, backward compatibility is broken for spring security (spring boot without spring security is fine though). Let's discuss on https://issues.jboss.org/browse/KEYCLOAK-8444.

Thanks for the code.

On Fri, Sep 28, 2018 at 12:41 PM Niko Köbler wrote:
> Here's a reproducible demo: https://github.com/dasniko/kc-sb-sec-demo
> Power it up and try to access http://localhost:9000/ - this will return a 500 and there's a loooong error on the console
> (You even don't need a KC server running, the error happens before accessing the server)
>
> - Niko
>
> On 28.09.2018 at 17:23, Pedro Igor Silva wrote:
>
> OK, thanks for the update. I did test the solution I mentioned and it worked for one of the quickstarts we have.
>
> FYI, the changes you mentioned in KeycloakSpringBootConfigResolver are related to KEYCLOAK-8133.
> If you could give me something to reproduce the last issue you mentioned, I appreciate.
>
> Regards.
> Pedro Igor

From oneal.kevin at gmail.com Sat Sep 29 23:19:01 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Sat, 29 Sep 2018 22:19:01 -0500
Subject: [keycloak-user] Column Sorting
Message-ID: 

Hi everyone,

Is there any opposition to me adding column sorting? This is the ticket for it: https://issues.jboss.org/browse/KEYCLOAK-4676

I've tested a solution that uses standard angular ordering. I don't want to update all the tables if this is a feature that is not wanted.

Thanks,
Kevin
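Editor's note on the "Problem understanding authorization grants" thread above. Pedro's workaround (give every resource a type and add a resource-based permission for that type, so the owner's UMA evaluation always finds at least one resource permission instead of falling through to DENY) is shown below as an added example; it is not from the thread, from Ulrik's setup or from the Keycloak project. It is written in the authorization-settings JSON that a client's Authorization > Settings tab imports, using the field names of the 4.x export format as the editor knows them. Assumptions: the type URN urn:example:resources:entity, the permission name, the resource owner being referenced by the username jdoe (substitute the user id if your importer expects one), and the policy named "Only Owner and Administrators Policy" already existing on the resource server (or being included in the same import), since the type permission only references it by name. Ulrik's five scope-based permissions are left as they are; this fragment only adds the type-level resource permission.

```json
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "scopes": [
    { "name": "Admin" },
    { "name": "Peek" },
    { "name": "Read" },
    { "name": "Write" },
    { "name": "Delete" }
  ],
  "resources": [
    {
      "name": "JDoe_Resource",
      "type": "urn:example:resources:entity",
      "ownerManagedAccess": true,
      "owner": { "name": "jdoe" },
      "scopes": [
        { "name": "Admin" },
        { "name": "Peek" },
        { "name": "Read" },
        { "name": "Write" },
        { "name": "Delete" }
      ]
    }
  ],
  "policies": [
    {
      "name": "Entity Type Resource Permission",
      "description": "Resource-based permission applied to every resource of type urn:example:resources:entity, so that an owner's UMA evaluation always finds a resource permission (workaround until KEYCLOAK-8445 is in your build)",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:example:resources:entity",
        "applyPolicies": "[\"Only Owner and Administrators Policy\"]"
      }
    }
  ]
}
```

Two checks after importing: every resource created later (for example through the protection API when a user registers a new entity) must carry the same type value, otherwise the type permission does not cover it and the owner is back to the DENY seen in the evaluation output; and re-running the evaluation tool for user JDoe against JDoe_Resource should now list the type permission as PERMIT alongside the scope permissions, with no top-level DENY. Once the fix Pedro submitted under KEYCLOAK-8445 reaches your build the extra permission is harmless but no longer necessary.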
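Editor's note on the "Spring Boot Adapter: Error creating KeycloakConfigResolver with KC 4.5.0.Final" thread above. Pedro's advice (do not return a KeycloakSpringBootConfigResolver from your bean; implement KeycloakConfigResolver yourself) is shown below as an added example written by the editor; it is not code from the thread, from Niko's demo repositories or from the Keycloak project. The recursion in Niko's StackOverflowError follows directly from what Pedro describes: in 4.5.0.Final KeycloakSpringBootConfigResolver looks for the application's KeycloakConfigResolver bean and delegates to it, so a bean that is itself a KeycloakSpringBootConfigResolver delegates to itself on every request. Assumptions in the example: the package and class names are placeholders, the adapter's KeycloakSpringBootProperties bean (the keycloak.* properties, which extends AdapterConfig) is available for injection, and the class lives in a plain @Configuration class next to, not inside, the @KeycloakConfiguration class, as in Niko's second attempt.

```java
package dasniko.authdemo.shop; // placeholder package; use your application's own

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springboot.KeycloakSpringBootProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Supplies the KeycloakConfigResolver bean from the keycloak.* properties
 * without instantiating KeycloakSpringBootConfigResolver. In 4.5.0.Final that
 * class delegates to the application's KeycloakConfigResolver bean, so a bean
 * that *is* a KeycloakSpringBootConfigResolver calls itself until the stack
 * overflows. A separate implementation breaks that loop.
 */
@Configuration
public class KeycloakResolverConfig {

    @Bean
    public KeycloakConfigResolver keycloakConfigResolver(KeycloakSpringBootProperties properties) {
        // Assumption: the adapter registers KeycloakSpringBootProperties as a bean.
        return new PropertiesKeycloakConfigResolver(properties);
    }

    /** Builds the deployment once from the adapter properties and serves it for every request. */
    static final class PropertiesKeycloakConfigResolver implements KeycloakConfigResolver {

        private final KeycloakSpringBootProperties properties;
        private volatile KeycloakDeployment deployment; // built lazily, published through volatile

        PropertiesKeycloakConfigResolver(KeycloakSpringBootProperties properties) {
            this.properties = properties;
        }

        @Override
        public KeycloakDeployment resolve(HttpFacade.Request request) {
            KeycloakDeployment current = deployment;
            if (current == null) {
                synchronized (this) { // double-checked so concurrent first requests build it only once
                    current = deployment;
                    if (current == null) {
                        // KeycloakSpringBootProperties extends AdapterConfig, so the
                        // keycloak.* properties feed the deployment builder directly.
                        current = KeycloakDeploymentBuilder.build(properties);
                        deployment = current;
                    }
                }
            }
            return current;
        }
    }
}
```

The resolver never touches KeycloakSpringBootConfigResolver, which is the whole point; if you prefer a keycloak.json on the classpath to properties, replace the builder call with KeycloakDeploymentBuilder.build(getClass().getResourceAsStream("/keycloak.json")) and keep the same caching. For a multi-tenant setup, key the cached deployment on something taken from the request (for example the Host header) instead of holding a single instance.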