From madhura.nishshanka at gmail.com Fri Feb 1 01:36:40 2019
From: madhura.nishshanka at gmail.com (madhura nishshanka)
Date: Fri, 1 Feb 2019 12:06:40 +0530
Subject: [keycloak-user] Uncaught server error: java.lang.IllegalStateException: Could not find composite in role admin:
Message-ID:

Hi All,

I am getting the following exception when I execute the create realm and delete realm REST APIs concurrently. Is this a known issue in Keycloak? The JMeter script used is also attached. Can someone please help me with this?

ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.IllegalStateException: Could not find composite in role admin: 4c8f06e2-74f0-4d83-94af-1ae61e1aecde
    at org.keycloak.models.cache.infinispan.RoleAdapter.getComposites(RoleAdapter.java:136)
    at org.keycloak.models.utils.KeycloakModelUtils.searchFor(KeycloakModelUtils.java:190)
    at org.keycloak.models.cache.infinispan.RoleAdapter.hasRole(RoleAdapter.java:173)
    at org.keycloak.models.cache.infinispan.UserAdapter.hasRole(UserAdapter.java:313)
    at org.keycloak.authorization.common.UserModelIdentity.hasRealmRole(UserModelIdentity.java:57)
    at org.keycloak.services.resources.admin.permissions.MgmtPermissions.canCreateRealm(MgmtPermissions.java:384)
    at org.keycloak.services.resources.admin.permissions.MgmtPermissions.requireCreateRealm(MgmtPermissions.java:389)
    at org.keycloak.services.resources.admin.RealmsAdminResource.importRealm(RealmsAdminResource.java:135)
    at sun.reflect.GeneratedMethodAccessor767.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)

Thanks
Madhura

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Keycloak performance script.jmx
Type: application/octet-stream
Size: 41283 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190201/8418cd8e/attachment-0001.obj

From sergey at shimkiv.com Fri Feb 1 02:14:36 2019
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Fri, 1 Feb 2019 09:14:36 +0200
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
In-Reply-To:
References:
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-8724?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%204.8.3.Final%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

--
Best regards,
Serhii Shymkiv.

On Fri, Feb 1, 2019, 06:41 Kamal Mettananda wrote:
> Hi all
>
> I am trying to figure out the changes in 4.8.3 vs 4.8.1. However, in the
> release notes page (
> https://www.keycloak.org/docs/latest/release_notes/index.html) I can only
> see some information about 4.8.0.
>
> Could someone please point me to a location where I can figure out the
> features and fixes?
>
> Thanks
> Kamal Mettananda
> www.digizol.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mkanis at redhat.com Fri Feb 1 02:28:43 2019
From: mkanis at redhat.com (Martin Kanis)
Date: Fri, 1 Feb 2019 08:28:43 +0100
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
In-Reply-To:
References:
Message-ID:

This shows only a single issue. Try the following:
https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%204.8.3.Final%20OR%20fixVersion%20%3D%204.8.2.Final%20OR%20fixVersion%20%3D%204.8.1.Final%20

From sergey at shimkiv.com Fri Feb 1 02:36:45 2019
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Fri, 1 Feb 2019 09:36:45 +0200
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
In-Reply-To:
References:
Message-ID:

What single issue are you talking about?
A single "Fix Version", yes, but nobody stops you from selecting more items from the corresponding drop-down list, with no need to switch to the advanced search.

--
Best regards,
Serhii Shymkiv.

From mkanis at redhat.com Fri Feb 1 03:00:08 2019
From: mkanis at redhat.com (Martin Kanis)
Date: Fri, 1 Feb 2019 09:00:08 +0100
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
In-Reply-To:
References:
Message-ID:

Obviously we both have a different Jira look in our browsers :) Your link shows me a single issue with no drop-down at all. Just small arrows, which I missed at first. That is why I provided a different view.

Cheers

From sergey at shimkiv.com Fri Feb 1 03:08:05 2019
From: sergey at shimkiv.com (Serhii Shymkiv)
Date: Fri, 1 Feb 2019 10:08:05 +0200
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
In-Reply-To:
References:
Message-ID:

Grand so

--
Best regards,
Serhii Shymkiv.
From dt at acutus.pro Fri Feb 1 05:17:38 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 13:17:38 +0300
Subject: [keycloak-user] Expose role attributes in Keycloak javascript adapter
In-Reply-To:
References:
Message-ID: <1549016258.3673.3.camel@acutus.pro>

Hello Tom,

You can enrich the user's access/ID token with the help of a script mapper like the one below:

// ================================================
// realm role names of the current token, converted from a Java collection to a JS array
var roles = Java.from(new java.util.ArrayList(token.realmAccess.roles));
var foo = new java.util.ArrayList();
for (var r in roles) {
    // look the role up in the realm and take its attributes (Map<String, List<String>>)
    var attrs = keycloakSession.realms().getRealmRole(realm, roles[r]).attributes;
    foo.add({ role: roles[r], attrs: attrs });
}
// emit everything under a dedicated claim
token.setOtherClaims('foo', foo);
// ================================================

Here, a dedicated claim ("foo") is used to contain the role+attribute info. Using the existing "realm_access" or "resource_access" claims is not a good idea, since adapters expect a particular structure there.

You can also try to do it in a more JavaScript way, e.g. using map instead of a for loop, but remember that script mappers are very pedantic about Java vs. JavaScript types and collections.

Also don't forget to run Keycloak with -Dkeycloak.profile.feature.scripts=enabled or -Dkeycloak.profile=preview.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 15:57 -0500, Tom Barber wrote:
> Hi folks,
>
> We've got some attributes in the Keycloak roles. Is there a way to release
> them with a user using the Javascript adapter?
>
> Thanks
>
> Tom

From dt at acutus.pro Fri Feb 1 05:19:37 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 13:19:37 +0300
Subject: [keycloak-user] Custom Authenticator
In-Reply-To:
References:
Message-ID: <1549016377.3673.5.camel@acutus.pro>

Hello Artem,

Take a look at this: https://github.com/stianst/keycloak-experimental/tree/master/magic-link

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 18:13 +0100, Artem Grebenkin wrote:
> Hi folks,
>
> I have the following use case. There is a service which creates ("registers") a
> user in keycloak over REST API. After that I would like to login the user
> automatically. So I need some kind of link which I can return to the
> browser and which will login the user and redirect them back to some
> location.
>
> Where do I have to look? Can somebody give me some advice and some keywords?
>
> Thanks for your help
> Artem

From psilva at redhat.com Fri Feb 1 06:09:59 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 1 Feb 2019 09:09:59 -0200
Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.
In-Reply-To:
References:
Message-ID:

Hi,

Could you share the code for your custom CIP, please? Are you sure the factory's name is the same as what you defined in your adapter configuration?

Regards.
Pedro Igor

On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko wrote:
> Hello guys!
>
> Can someone help me please with the following problem.
>
> I need to configure context based access control for my REST-service, when
> attributes of the protected resources are pushed to Keycloak server for
> policy evaluation. Protected service is built on Spring Boot.
>
> I've configured the system and all works fine with the OOTB Claim Information
> Point provider "claims". But I need a custom one. And this custom CIP is
> not working. I see from the debug logging that the policy enforcer calls
> "getName()" and "init()" on my CIP Factory, but _never_ calls "create()",
> thus never instantiates the CIP.
>
> Below are application.properties for Spring Boot and the CIP config file. My
> custom CIP Provider has the "document" name. I call both /documents/- Get an
>
> Thank you,
> Alexey
>
> application.properties
> ----------------------------------
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>
> logging.level.org.keycloak=DEBUG
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Document creation
> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[2].name=Document List
> keycloak.policy-enforcer-config.paths[2].path=/documents
> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
>
> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
>
> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> ------------------------------------------------------------------------
> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory

From dt at acutus.pro Fri Feb 1 06:30:23 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 14:30:23 +0300
Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not
called.
In-Reply-To:
References:
Message-ID: <1549020623.3673.8.camel@acutus.pro>

Hello Alexey,

It seems that currently only the first configured CIP is evaluated [1]. With only one CIP, I've been able to get my custom provider working. I think this is a defect, and suggest that you join us in keycloak-dev under the "Authz services feedback" thread, where we discuss CIPs and Spring Boot among other things (however, the issue is not SB-specific).

[1] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authorization/AbstractPolicyEnforcer.java#L365

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

From dt at acutus.pro Fri Feb 1 06:35:48 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 14:35:48 +0300
Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.
In-Reply-To:
References:
Message-ID: <1549020948.3673.10.camel@acutus.pro>

Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :) Please see my answer above; I've been able to reproduce the issue and trace it down to AbstractPolicyEnforcer::getClaims().

Dmitry

From dt at acutus.pro Fri Feb 1 06:59:58 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 14:59:58 +0300
Subject: [keycloak-user] Force certain realm users to login via IDP
In-Reply-To:
References:
Message-ID: <1549022398.3891.1.camel@acutus.pro>

Hello Tim,

I think your solution is viable. In your script authenticator, you can use authenticationSession.getExecutionStatus() to determine which auth method has actually been used.

Alternatively, I'd suggest something similar to the built-in identity-provider-redirector [1], but with a different condition to trigger the redirect (e.g. admin role membership instead of kc_idp_hint presence). However, this would be harder to implement in JavaScript.

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 13:49 +0000, Tim Hedlund wrote:
> We are looking into using IDP (Azure AD) for login. Some users (admins) will then authenticate there.
The need for this is that Keycloak admins (user management in certain realm) will need to authenticate via two factor because of company policies. So I've already set up a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login. > > I've tried to "Disable Credentials" for "password" for such a user but still he could login. > > I'm thinking of a solution where we script a custom browser flow action where we check if the user is an admin and then deny him if using password. > > Any thoughts or suggestions? > > Regards > Tim > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From eduard.matuszak at worldline.com Fri Feb 1 07:22:45 2019 From: eduard.matuszak at worldline.com (Matuszak, Eduard) Date: Fri, 1 Feb 2019 12:22:45 +0000 Subject: [keycloak-user] Client authentication with signed JWT failed: Token is not active Message-ID: <61D077C6283D454FAFD06F6AC4AB74D73836D460@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I have observed error-messages from Keycloak with this content:

{"error":"unauthorized_client","error_description":"Client authentication with signed JWT failed: Token is not active"}) response: {"error":"unauthorized_client","error_description":"Client authentication with signed JWT failed: Token is not active"}

Scanning for an explanation to find out how this can happen did not yield a sufficient answer, and Keycloak's code did not really clear up the problem. Perhaps the problem can be mitigated by setting the token-expiration value in keycloak.json (which unfortunately seems not to be explained in Keycloak's docs), which is set to its default here, i.e. "token-expiration": 10?
If someone has any idea or experience on how this error could have come up, it would be nice to let me know? Best regards, Eduard Matuszak From titorenko at dtg.technology Fri Feb 1 09:03:18 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Fri, 1 Feb 2019 17:03:18 +0300 Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called. In-Reply-To: <1549020948.3673.10.camel@acutus.pro> References: <1549020948.3673.10.camel@acutus.pro> Message-ID: Thank you, guys! > On 1 Feb 2019, at 14:35, Dmitry Telegin
wrote: > > Oh, no need for Alexey to go to keycloak-dev, since Pedro is already here :) > > Please see my answer above, I've been able to reproduce the issue and trace it down to the AbstractPolicyEnforcer::getClaims(). > > Dmitry > > On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote: >> Hi, >> >> Could you share the code for your custom CIP, please ? Are you sure the >> factory's name is the same as what you defined in your adapter >> configuration ? >> >> Regards. >> Pedro Igor >> >> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko >> wrote: >> >>> Hello guys! >>> >>> Can someone help me please with the following problem. >>> >>> I need to configure context based access control for my REST-service, when >>> attributes of the protected resources are pushed to Keycloak server for >>> policy evaluation. Protected service is built on Spring Boot. >>> >>> I've configured the system and all works fine with OOTB Claim Information >>> Point provider "claims". But I need a custom one. And this custom CIP is >>> not working. I see from the debug logging, that policy enforcer calls >>> "getName()" and "init()" on my CIP Factory, but _never_ calls "create()", >>> thus, never instantiates the CIP. >>> >>> Below are application.properties for Spring boot and CIP config file. My >>> custom CIP Provider has "document" name. 
I call both /documents/- Get an >>> >>> Thank you, >>> Alexey >>> >>> application.properties >>> ---------------------------------- >>> svc.name=docs-uma >>> server.port = 8085 >>> keycloak.realm=DemoApp >>> keycloak.auth-server-url=http://localhost:8180/auth >>> keycloak.ssl-required=external >>> keycloak.resource=docs-svc-uma >>> keycloak.cors=true >>> keycloak.use-resource-role-mappings=true >>> keycloak.verify-token-audience=false >>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a >>> keycloak.confidential-port=0 >>> keycloak.bearer-only=true >>> >>> keycloak.securityConstraints[0].securityCollections[0].name = secured >>> operation >>> keycloak.securityConstraints[0].authRoles[0] = user >>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = >>> /documents >>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = >>> /documents/ >>> >>> keycloak.securityConstraints[1].securityCollections[0].name = admin >>> operation >>> keycloak.securityConstraints[1].authRoles[0] = admin >>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin >>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = >>> /admin/ >>> >>> logging.level.org.keycloak=DEBUG >>> >>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG >>> >>> # policy enforcer >>> keycloak.policy-enforcer-config.lazy-load-paths=true >>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public >>> >>> keycloak.policy-enforcer-config.paths[0].name=Public Resources >>> keycloak.policy-enforcer-config.paths[0].path=/* >>> >>> keycloak.policy-enforcer-config.paths[1].name=Document creation >>> keycloak.policy-enforcer-config.paths[1].path=/documents/* >>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST >>> >>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create >>> >>> 
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method} >>> >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method} >>> >>> keycloak.policy-enforcer-config.paths[2].name=Document List >>> keycloak.policy-enforcer-config.paths[2].path=/documents >>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET >>> >>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list >>> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method} >>> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method} >>> >>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources >>> keycloak.policy-enforcer-config.paths[3].path=/admin/* >>> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri} >>> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri} >>> >>> >>> >>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory >>> ------------------------------------------------------------------------ >>> >>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From lorenzo.luconi at iit.cnr.it Fri Feb 1 09:47:23 2019 From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi) Date: Fri, 1 Feb 2019 15:47:23 +0100 Subject: [keycloak-user] View all users button doesn't work with user federation Message-ID: 
<9553D0A7-1071-45A1-AC96-450A811AD3F8@iit.cnr.it>

I just upgraded my Keycloak installation from 4.5 to 4.8.3. I'm using a custom user federation provider and after the upgrade the "View all users" button in the Users tab returns only internal users and not the users from my identity provider. I can look up and authenticate any users, but the button returns an empty list. I tested also older releases like 4.6 and 4.7 and the problem persists. Is this the expected behavior of new releases? In the migration documentation I didn't find anything about changes in the SPI.

Thanks,
Lorenzo

From tim.hedlund at outlook.com Fri Feb 1 10:01:01 2019 From: tim.hedlund at outlook.com (Tim Hedlund) Date: Fri, 1 Feb 2019 15:01:01 +0000 Subject: [keycloak-user] Force certain realm users to login via IDP In-Reply-To: <1549022398.3891.1.camel@acutus.pro> References: <1549022398.3891.1.camel@acutus.pro> Message-ID:

Hi Dmitry, I like your alternative solution. I will have a go with that. Thank you very much! I appreciate it.

Regards
Tim

-----Original Message----- From: Dmitry Telegin [mailto:dt at acutus.pro] Sent: 1 February 2019 13:00 To: Tim Hedlund; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Force certain realm users to login via IDP

Hello Tim, I think your solution is viable. In your script authenticator, you can use authenticationSession.getExecutionStatus() to determine which auth method has been actually used. Alternatively, I'd suggest something similar to the built-in identity-provider-redirector [1], but with the different condition to trigger redirect (e.g. admin role membership instead of kc_idp_hint presence). However, this would be harder to implement in JavaScript. [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java Good luck, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2019-01-31 at 13:49 +0000, Tim Hedlund wrote: > We are looking into using IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in certain realm) will need to authenticate via two factor because of company policies. So I've already set up a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login. > > I've tried to "Disable Credentials" for "password" for such a user but still he could login. > > I'm thinking of a solution where we script a custom browser flow action where we check if the user is an admin and then deny him if using password. > > Any thoughts or suggestions? > > Regards > Tim > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From pavel.masloff at gmail.com Fri Feb 1 10:38:10 2019 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Fri, 1 Feb 2019 16:38:10 +0100 Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc. In-Reply-To: References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> Message-ID:

Hi Niko, all

Is it possible to get the refresh token in the same manner? Thanks :)

Regards,
Pavel Maslov, MS

On Fri, Dec 28, 2018 at 12:16 PM Niko Kübler wrote: > As you can see, the bean definition is Request-scoped. > This leads to a new bean instance for every request, and thus for each and > every user :) > > > > On 28.12.2018 at 11:46, Pavel Maslov wrote: > > Hey Niko, > > Excellent, this is exactly what I was looking for!
> In your example does the *accessToken* injected field return a token for > each and every user respectively (not the same)? > Thank you very "many" (much) :)) > > Regards, > Pavel Maslov, MS > > > On Fri, Dec 28, 2018 at 11:38 AM Niko Kübler wrote: > >> Hi Pavel, >> >> that's quite easy (as most things with Spring Boot). >> >> You can get the AccessToken object through the HttpServletRequest, >> KeycloakPrincipal and KeycloakSecurityContext. >> In my projects, I do some bean definitions like here: >> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java >> Then, you can just inject the AccessToken or KeycloakSecurityContext >> where you want, like this: >> https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java >> >> Instead of the AccessToken, you can also get the IdentityToken, of course. >> >> HTH, >> - Niko >> >> >> > On 28.12.2018 at 11:22, Pavel Maslov wrote: >> > >> > Hi, guys. Haven't been here for quite a while :) >> > >> > >> > I'm using the Springboot Keycloak adapter >> > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my >> REST >> > API via bearer token [1]. And it works! Cool. >> > >> > Now, I would like to get the access token in my @RestController, or even >> > better some information about the user. Is it possible? >> > >> > Thanks in advance.
>> > >> > Regards, >> > Pavel Maslov, MS >> > >> > [1] https://github.com/maslick/barkoder >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >

From itsmurugappan at gmail.com Fri Feb 1 10:50:20 2019 From: itsmurugappan at gmail.com (Murugappan Sevugan Chetty) Date: Fri, 1 Feb 2019 07:50:20 -0800 Subject: [keycloak-user] Key cloak gatekeeper - match claims with realm access Message-ID:

Hello,

Below is a part of my token

    "realm_access": {
      "roles": [
        "role1",
        "role2",
        "role3"
      ]
    }

I need help with match claims config for gatekeeper. I tried like below and got an error

    match-claims:
      realm_access: role1

    unable to parse claim as string: realm_access","error":"unable to parse claim as string array: realm_access"}

Thanks

From lorenzo.luconi at iit.cnr.it Fri Feb 1 10:54:54 2019 From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi) Date: Fri, 1 Feb 2019 16:54:54 +0100 Subject: [keycloak-user] Not existent attributes for users from user-federation cause NPE Message-ID: <8320EBA1-2472-4D80-9A6F-36B68FF9B485@iit.cnr.it>

I'm using Keycloak version 4.8.3 with a custom user federation plugin. I created a new realm, configured my user federation plugin and created a new client. I tried to authenticate and I got an error 500 from keycloak.
In Keycloak log I found this NullPointerException:

    14:09:15,472 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NullPointerException
        at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:414)
        at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
        at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:93)
        at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
        at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:117)
        at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
        at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
        at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:606)
        at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
        at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:422)
        at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:795)
        at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:544)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:569)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:186)
        at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:402)
        ...

After some tests I found the problem: the "Assigned Default Client Scopes" list, in my newly created client, includes the "profile" scope. The "profile" scope includes a lot of attributes and not all of them are exported from my federation plugin for my users. Removing the profile scope solves the problem and now I can successfully authenticate my federated users.

In class KeycloakModelUtils there are two implementations of the method resolveAttribute:

    public static List<String> resolveAttribute(GroupModel group, String name) {
        List<String> values = group.getAttribute(name);
        // null-safe: a null or empty list falls through to the parent group
        if (values != null && !values.isEmpty()) return values;
        if (group.getParentId() == null) return null;
        return resolveAttribute(group.getParent(), name);
    }

    public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
        List<String> values = user.getAttribute(name);
        Set<String> aggrValues = new HashSet<>();
        // no null check here: user.getAttribute(name) is dereferenced directly
        if (!values.isEmpty()) {
            if (!aggregateAttrs) {
                return values;
            }
            aggrValues.addAll(values);
        }
        for (GroupModel group : user.getGroups()) {
            values = resolveAttribute(group, name);
            if (values != null && !values.isEmpty()) {
                if (!aggregateAttrs) {
                    return values;
                }
                aggrValues.addAll(values);
            }
        }
        return aggrValues;
    }

As you can see the first implementation checks if values is null, but not the second one, where I got the NPE.

In my UserModel implementation I override the getAttribute method:

    public class UserAdapter extends AbstractUserAdapterFederatedStorage {

        ...

        @Override
        public List<String> getAttribute(String name) {
            // attributes known to the federation plugin win over federated storage
            if (attributes.containsKey(name)) {
                return attributes.get(name);
            }
            return super.getAttribute(name);
        }
    }

If I force this method to return an empty list instead of a null value, this solves the problem. Is this the right fix? Must the getAttribute method not return a null value?

I hope this helps.

Thanks,
Lorenzo

From dt at acutus.pro Fri Feb 1 12:12:27 2019 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 01 Feb 2019 20:12:27 +0300 Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc. In-Reply-To: References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> Message-ID: <1549041147.23571.1.camel@acutus.pro>

Hello Pavel,

Just cast your KeycloakSecurityContext to org.keycloak.adapters.RefreshableKeycloakSecurityContext and call getRefreshToken().
Good luck :)

Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2019-02-01 at 16:38 +0100, Pavel Maslov wrote: > Hi Niko, all > > Is it possible to get the refresh token in the same manner? > Thanks :) > > Regards, > Pavel Maslov, MS > > > > On Fri, Dec 28, 2018 at 12:16 PM Niko Kübler wrote: > > > As you can see, the bean definition is Request-scoped. > > This leads to a new bean instance for every request, and thus for each and > > every user :) > > > > > > > > On 28.12.2018 at 11:46, Pavel Maslov wrote: > > > > Hey Niko, > > > > Excellent, this is exactly what I was looking for! > > In your example does the *accessToken* injected field return a token for > > each and every user respectively (not the same)? > > Thank you very "many" (much) :)) > > > > Regards, > > Pavel Maslov, MS > > > > > > > > On Fri, Dec 28, 2018 at 11:38 AM Niko Kübler wrote: > > > > > Hi Pavel, > > > > > > that's quite easy (as most things with Spring Boot). > > > > > > You can get the AccessToken object through the HttpServletRequest, > > > KeycloakPrincipal and KeycloakSecurityContext. > > > In my projects, I do some bean definitions like here: > > > https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java > > > Then, you can just inject the AccessToken or KeycloakSecurityContext > > > where you want, like this: > > > https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java > > > > > > Instead of the AccessToken, you can also get the IdentityToken, of course. > > > > > > HTH, > > > - Niko > > > > > > > > > > On 28.12.2018 at 11:22, Pavel Maslov wrote: > > > > > > > > Hi, guys.
Haven't been here for quite a while :) > > > > > > > > > > > > I'm using the Springboot Keycloak adapter > > > > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my > > > > > > REST > > > > API via bearer token [1]. And it works! Cool. > > > > > > > > Now, I would like to get the access token in my @RestController, or even > > > > better some information about the user. Is it possible? > > > > > > > > Thanks in advance. > > > > > > > > Regards, > > > > Pavel Maslov, MS > > > > > > > > [1] https://github.com/maslick/barkoder > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Feb 1 13:10:55 2019 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 01 Feb 2019 21:10:55 +0300 Subject: [keycloak-user] Not existent attributes for users from user-federation cause NPE In-Reply-To: <8320EBA1-2472-4D80-9A6F-36B68FF9B485@iit.cnr.it> References: <8320EBA1-2472-4D80-9A6F-36B68FF9B485@iit.cnr.it> Message-ID: <1549044655.23571.3.camel@acutus.pro>

Hello Lorenzo,

Out of interest I've tried to play with keycloak-quickstarts/user-storage-simple. I was able to authenticate as "tbrady" even though its UserModel obviously returns null from getAttribute(). But in this case KeycloakModelUtils::resolveAttribute() is invoked not on the UserModel supplied by the provider, but rather on o.k.models.cache.infinispan.UserAdapter wrapper (which performs null checking and returns an empty list in that case). Not sure why resolveAttribute is invoked on your UserAdapter directly, but I think it's safe to return an empty list too.

Did you try keycloak-quickstarts/user-storage-jpa by the way?

Cheers,
Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Fri, 2019-02-01 at 16:54 +0100, Lorenzo Luconi Trombacchi wrote:
> I'm using Keycloak version 4.8.3 with a custom user federation plugin. I created a new realm, configured my user federation plugin and created a new client. I tried to authenticate and I got an error 500 from keycloak.
> In Keycloak log I found this NullPointerException:
>
> 14:09:15,472 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NullPointerException
>     at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:414)
>     at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
>     at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:93)
>     at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
>     at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:117)
>     at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
>     at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
>     at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:606)
>     at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
>     at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:422)
>     at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:795)
>     at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:544)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:569)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:186)
>     at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:402)
>     ...
>
> After some tests I found the problem: the "Assigned Default Client Scopes" list, in my newly created client, includes the "profile" scope.
> The "profile" scope includes a lot of attributes and not all of them are exported from my federation plugin for my users. Removing the profile scope solves the problem and now I can successfully authenticate my federated users.
>
> In class KeycloakModelUtils there are two implementations of the method resolveAttribute:
>
>     public static List<String> resolveAttribute(GroupModel group, String name) {
>         List<String> values = group.getAttribute(name);
>         if (values != null && !values.isEmpty()) return values;
>         if (group.getParentId() == null) return null;
>         return resolveAttribute(group.getParent(), name);
>     }
>
>     public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
>         List<String> values = user.getAttribute(name);
>         Set<String> aggrValues = new HashSet<>();
>         if (!values.isEmpty()) {
>             if (!aggregateAttrs) {
>                 return values;
>             }
>             aggrValues.addAll(values);
>         }
>         for (GroupModel group : user.getGroups()) {
>             values = resolveAttribute(group, name);
>             if (values != null && !values.isEmpty()) {
>                 if (!aggregateAttrs) {
>                     return values;
>                 }
>                 aggrValues.addAll(values);
>             }
>         }
>         return aggrValues;
>     }
>
> As you can see the first implementation checks if values is null, but not the second one, where I got the NPE.
>
> In my UserModel implementation I override the getAttribute method:
>
>     public class UserAdapter extends AbstractUserAdapterFederatedStorage {
>
>         ...
>
>         @Override
>         public List<String> getAttribute(String name) {
>             if (attributes.containsKey(name)) {
>                 return attributes.get(name);
>             }
>             return super.getAttribute(name);
>         }
>     }
>
> If I force this method to return an empty list instead of a null value, this solves the problem. Is this the right fix? Must the getAttribute method not return a null value?
>
> I hope this helps.
>
> Thanks,
> Lorenzo
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Feb 1 13:32:02 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 1 Feb 2019 16:32:02 -0200 Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called. In-Reply-To: References: <1549020948.3673.10.camel@acutus.pro> Message-ID:

I've created https://issues.jboss.org/browse/KEYCLOAK-9478. Dmitry is right and I sent a PR with a fix. Tests were also included for custom CIPs.

Regards.
Pedro Igor

On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko wrote: > Thank you, guys! > > > > On 1 Feb 2019, at 14:35, Dmitry Telegin
wrote: > > > > Oh, no need for Alexey to go to keycloak-dev, since Pedro is already > here :) > > > > Please see my answer above, I've been able to reproduce the issue and > trace it down to the AbstractPolicyEnforcer::getClaims(). > > > > Dmitry > > > > On Fri, 2019-02-01 at 09:09 -0200, Pedro Igor Silva wrote: > >> Hi, > >> > >> Could you share the code for your custom CIP, please ? Are you sure the > >> factory's name is the same as what you defined in your adapter > >> configuration ? > >> > >> Regards. > >> Pedro Igor > >> > >> On Thu, Jan 31, 2019 at 2:09 PM Alexey Titorenko > > >> wrote: > >> > >>> Hello guys! > >>> > >>> Can someone help me please with the following problem. > >>> > >>> I need to configure context based access control for my REST-service, > when > >>> attributes of the protected resources are pushed to Keycloak server for > >>> policy evaluation. Protected service is built on Spring Boot. > >>> > >>> I've configured the system and all works fine with OOTB Claim > Information > >>> Point provider "claims". But I need a custom one. And this custom CIP > is > >>> not working. I see from the debug logging, that policy enforcer calls > >>> "getName()" and "init()" on my CIP Factory, but _never_ calls > "create()", > >>> thus, never instantiates the CIP. > >>> > >>> Below are application.properties for Spring boot and CIP config file. > My > >>> custom CIP Provider has "document" name. 
> >>> I call both /documents/- Get an
> >>>
> >>> Thank you,
> >>> Alexey
> >>>
> >>> application.properties
> >>> ----------------------------------
> >>> svc.name=docs-uma
> >>> server.port = 8085
> >>> keycloak.realm=DemoApp
> >>> keycloak.auth-server-url=http://localhost:8180/auth
> >>> keycloak.ssl-required=external
> >>> keycloak.resource=docs-svc-uma
> >>> keycloak.cors=true
> >>> keycloak.use-resource-role-mappings=true
> >>> keycloak.verify-token-audience=false
> >>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> >>> keycloak.confidential-port=0
> >>> keycloak.bearer-only=true
> >>>
> >>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> >>> keycloak.securityConstraints[0].authRoles[0] = user
> >>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> >>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/
> >>>
> >>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> >>> keycloak.securityConstraints[1].authRoles[0] = admin
> >>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> >>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
> >>>
> >>> logging.level.org.keycloak=DEBUG
> >>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
> >>>
> >>> # policy enforcer
> >>> keycloak.policy-enforcer-config.lazy-load-paths=true
> >>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
> >>>
> >>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> >>> keycloak.policy-enforcer-config.paths[0].path=/*
> >>>
> >>> keycloak.policy-enforcer-config.paths[1].name=Document creation
> >>> keycloak.policy-enforcer-config.paths[1].path=/documents/*
> >>> keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
> >>> keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
> >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
> >>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[2].name=Document List
> >>> keycloak.policy-enforcer-config.paths[2].path=/documents
> >>> keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
> >>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
> >>> keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
> >>>
> >>> keycloak.policy-enforcer-config.paths[3].name=Admin Resources
> >>> keycloak.policy-enforcer-config.paths[3].path=/admin/*
> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
> >>> keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}
> >>>
> >>>
> >>> META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
> >>> ------------------------------------------------------------------------
> >>>
> >>> dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory
> >

From dt at acutus.pro Fri Feb 1 13:53:30 2019
From: dt at
acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 21:35:22 +0300
Subject: [keycloak-user] Incomplete ClientRepresentation returned from /{realm}/clients REST endpoint
In-Reply-To:
References:
Message-ID: <1549046122.23571.5.camel@acutus.pro>

Hello John,

Indeed, there is no explicit stripping of the keys from the ClientRepresentation, but the key will be omitted in the case of a null value. Probably you've picked a client which has the fields simply unset. Just examine the JSON for some of the internal clients like realm-management, you'll see the fields in place. The only exception is the "secret" field, which should be retrieved via the dedicated /client-secret endpoint.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 10:50 -0500, John Dennis wrote:
> A GET on the /{realm}/clients REST endpoint is supposed to return an array of ClientRepresentation JSON objects. This is documented here:
>
> https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource
>
> According to the REST documentation (https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresentation)
> a ClientRepresentation is supposed to contain the following top level keys:
>
> access
> adminUrl
> attributes
> authenticationFlowBindingOverrides
> authorizationServicesEnabled
> authorizationSettings
> baseUrl
> bearerOnly
> clientAuthenticatorType
> clientId
> consentRequired
> defaultClientScopes
> defaultRoles
> description
> directAccessGrantsEnabled
> enabled
> frontchannelLogout
> fullScopeAllowed
> id
> implicitFlowEnabled
> name
> nodeReRegistrationTimeout
> notBefore
> optionalClientScopes
> origin
> protocol
> protocolMappers
> publicClient
> redirectUris
> registeredNodes
> registrationAccessToken
> rootUrl
> secret
> serviceAccountsEnabled
> standardFlowEnabled
> surrogateAuthRequired
> webOrigins
>
> However when authenticated as the admin in the master realm on Keycloak version 4.8.2.Final a GET on /{realm}/clients returns ClientRepresentation's containing only these keys:
>
> access
> attributes
> authenticationFlowBindingOverrides
> bearerOnly
> clientAuthenticatorType
> clientId
> consentRequired
> defaultClientScopes
> directAccessGrantsEnabled
> enabled
> frontchannelLogout
> fullScopeAllowed
> id
> implicitFlowEnabled
> nodeReRegistrationTimeout
> notBefore
> optionalClientScopes
> protocol
> publicClient
> redirectUris
> serviceAccountsEnabled
> standardFlowEnabled
> surrogateAuthRequired
> webOrigins
>
> This means the following keys are omitted from the ClientRepresentation. Why?
>
> adminUrl
> authorizationServicesEnabled
> authorizationSettings
> baseUrl
> defaultRoles
> description
> name
> origin
> protocolMappers
> registeredNodes
> registrationAccessToken
> rootUrl
> secret
>
> As far as I can tell the documented ClientRepresentation closely matches what is in the code here:
>
> https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/idm/ClaimRepresentation.java
>
> I believe this is the method used to return the ClientRepresentation
> from the REST endpoint:
>
> https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44e7b519533/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java#L98
>
> The conversion from model to representation occurs here:
>
> https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44e7b519533/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java#L528
>
> I don't see anything which is dropping the missing keys in the returned ClientRepresentation.
>
> Is something filtering the result?
>
> The context for the question arises from this: We were creating a client via a PUT and allowing Keycloak to generate the client secret, we then wanted to extract the client secret from the ClientRepresentation but it's absent. I can also understand why the client secret might be omitted for security reasons (although I did find that seems to replace that value with "**********", but that's not happening either, it's just absent). That's when we noticed it wasn't just the client secret that was missing but 12 other keys as well.

From dt at acutus.pro Fri Feb 1 13:37:21 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 21:37:21 +0300
Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring Boot not called.
In-Reply-To:
References: <1549020948.3673.10.camel@acutus.pro>
Message-ID: <1549046241.23571.6.camel@acutus.pro>

Cheers, kudos and thumbs up :)

Dmitry

On Fri, 2019-02-01 at 16:32 -0200, Pedro Igor Silva wrote:
> I've created https://issues.jboss.org/browse/KEYCLOAK-9478. Dmitry is right and I sent a PR with a fix. Tests were also included for custom CIPs.
>
> Regards.
> Pedro Igor
>
> On Fri, Feb 1, 2019 at 12:03 PM Alexey Titorenko wrote:
> > Thank you, guys!
> >
> > > On 1 Feb 2019, at 14:35, Dmitry Telegin
From dt at acutus.pro Fri Feb 1 13:53:30 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 21:53:30 +0300
Subject: [keycloak-user] Logout from IDP with Spring Keycloak adaptor
In-Reply-To:
References:
Message-ID: <1549047210.23571.8.camel@acutus.pro>

Hello Hylton,

Something tells me you've got an OIDC client and a SAML IdP :)

Make sure you have Single Logout Service URL configured and backchannel logout enabled for your IdP in Keycloak. You may also need to explicitly allow single logout functionality in the IdP itself. Also I suggest that you use a network monitor to make sure that the proper logout request is sent from Keycloak to the IdP.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-31 at 06:25 +0200, Hylton Peimer wrote:
> I have a Keycloak Security Adaptor setup with a logout URL "/sso/logout".
>
> The user logs in to my application using an IDP, and then logs out by POSTing to /sso/logout - they are redirected to the login page.
>
> However when attempting to log in again, the user doesn't need to reauthenticate. It seems Spring doesn't log out from the IDP.
>
> Is there a simple way to get Spring to log out from the IDP? Should I change the logout URL?
From dt at acutus.pro Fri Feb 1 14:35:56 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 22:35:56 +0300
Subject: [keycloak-user] Admin client API - usersResource.list(offset, limit) - slowness
In-Reply-To:
References:
Message-ID: <1549049756.23571.10.camel@acutus.pro>

Hello Shweta,

What version of Keycloak are you using? How many users/clients/roles are there?

The query is invoked from the o.k.models.jpa.ClientScopeAdapter::getScopeMappings() method [1]. In my setup, it is only called about a dozen times during server startup. You can set a tracepoint on that method to make sure it is called that frequently, and to determine the code path that leads to this.

[1] https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/ClientScopeAdapter.java#L232

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-30 at 23:14 +0000, Shetty, Shweta wrote:
> We are seeing extreme slowness in using this API, we are still not sure what could be the culprit. We enabled more logging on the postgres side of things, thinking it could be related to keycloak-postgres slowness. Once we enabled more logging, we do see that keycloak is issuing a query like this one at a rate of about one per millisecond
> ```select clientscop0_.ROLE_ID as col_0_0_ from CLIENT_SCOPE_ROLE_MAPPING clientscop0_ where clientscop0_.SCOPE_ID=$1```
>
> This fills up the logs so that it is hard to see anything else.
>
> This could be the cause of the problem; which could be slowing postgres down. We wanted to know if it's some configuration issue which we can optimize to overcome this issue or if it's a known issue. Please advise.
>
> Shweta

From Shweta.Shetty at Teradata.com Fri Feb 1 14:40:08 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Fri, 1 Feb 2019 19:40:08 +0000
Subject: [keycloak-user] First User login with LDAP integration - very slow
Message-ID: <9AC0D02F-2837-4375-AD20-E2F29E624EBC@teradata.com>

Hi Folks,

We have integrated keycloak with LDAP Federation and we are having issues with first login of users after a group sync.

1) Do group sync with group-ldap mapper
2) Login user1 with 60 groups from LDAP - it takes anywhere from 9sec-10sec.
3) This first login time increases with increase in groups

Has anyone seen this issue before? We are very particular about the time taken during the user login. Did anyone mitigate this issue with any configuration changes or such? Is this a known issue? Any advice is highly appreciated.

It looks like it's building the cache with user and group - is there any way to do this caching for users before the users log in to speed things up?

Thanks

From dt at acutus.pro Fri Feb 1 15:03:29 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 23:03:29 +0300
Subject: [keycloak-user] Getting 'Failed to find provider' when attempting to set default SPI provider
In-Reply-To:
References:
Message-ID: <1549051409.23571.12.camel@acutus.pro>

Hello Jared,

I've just tried to deploy a dummy EmailSenderProvider to Keycloak 4.8.3.Final, worked perfectly including the default setting. Could you try deploying to 4.8.3 too? Also I've been deploying as a JAR, not WAR. You could also try that and see if it makes any difference.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-30 at 12:00 -0500, Jared Blashka wrote:
> I'm trying to use a custom Email sender provider with keycloak 3.4.3.Final but something isn't working correctly because keycloak fails to start up with:
>
> java.lang.RuntimeException: Failed to find provider serviceEmailSender for emailSender
>
> I'm deploying the provider via a war in the /deployments directory. I have the factory class listed in the META-INF/services/org.keycloak.email.EmailSenderProviderFactory file
>
> I've added this to the keycloak-server subsystem
>
>                 serviceEmailSender
>
> If I leave out the entry and restart the server I can see that the init() method is called on my EmailSenderProviderFactory implementation so as far as I can tell everything is configured correctly. But keycloak doesn't like when I try to set this provider as the default. Is there something I'm missing?
>
> Jared

From dt at acutus.pro Fri Feb 1 15:13:17 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 23:13:17 +0300
Subject: [keycloak-user] Add optional LDAP userPassword hashing
In-Reply-To: <9b8eac664ecc4ebc8e710d1630f2bb43@calvados.fr>
References: <9b8eac664ecc4ebc8e710d1630f2bb43@calvados.fr>
Message-ID: <1549051997.23571.14.camel@acutus.pro>

Hello Jean-Damien,

When deploying via the standalone/deployments dir, you'll need to provide a META-INF/jboss-deployment-structure.xml similar to this:

AFAIK other dependencies (keycloak-core, keycloak-services, keycloak-server-spi) should be provided implicitly, so no need to declare them.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-30 at 11:50 +0000, BOUVIER Jean-Damien wrote:
> Hi all !
>
> My problem is described in the KEYCLOAK-4989 issue, titled "add optional LDAP userPassword hashing"
>
> I'm in the worst case scenario as I use OpenLDAP that doesn't hash password by default and the way it has been installed, I don't have the "ppolicy overlay" available.
> So Keycloak sends password in clear text and I thought that I could add specific OpenLDAP configuration to hash the password before.
> The LDAP administration has already some specific configuration for AD and I thought that I could start from here. (org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory for example)
>
> So, I've written my own StorageMapperFactory :
>
> public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory
>
> That needs these dependencies :
>
>     <dependencies>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-core</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-services</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-server-spi</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-ldap-federation</artifactId>
>             <version>${version.keycloak}</version>
>             <scope>provided</scope>
>         </dependency>
>     </dependencies>
>
> But whenever I try to deploy the jar, I get :
>
> cat hash-password-openldap-provider.jar.failed
> {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
>     Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}
>
> I probably lack one dependency but I can't find which one as the error message doesn't give a clue and my maven project compiles.
>
> Could you help me to find out what is wrong ?
>
> Regards,
> Jean-Damien Bouvier
>
>
> Calvados Département - www.calvados.fr
> **************************************************************************************************
> This transmission contains confidential and/or personal information belonging to the Conseil départemental du Calvados, to be used exclusively by the recipient. Any use, reproduction, publication or distribution, in whole or in part, by anyone other than the recipient is prohibited without the express authorisation of the Conseil départemental du Calvados. In case of a transmission error, please destroy the document(s) received. The Conseil départemental du Calvados is not responsible for viruses, alterations or falsifications.
> All rights reserved - Conseil départemental du Calvados.
> **************************************************************************************************

From dt at acutus.pro Fri Feb 1 15:25:21 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 23:25:21 +0300
Subject: [keycloak-user] Send email on creating new user
In-Reply-To:
References:
Message-ID: <1549052721.23571.16.camel@acutus.pro>

Hello Pavel,

This is not out of the box unfortunately. There is a built-in event listener with email sending capability [1], but it is limited to a subset of login-related events (like update password etc.)

However you could use org.keycloak.events.email.EmailEventListenerProvider as a template to implement your own event listener. You should introduce your FTL template, then listen for admin events with resourceType == USER && operationType == CREATE, and finally call emailTemplateProvider...send() method.

[1] https://www.keycloak.org/docs/latest/server_admin/#event-listener

Feel free to ask any other voprosy :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-30 at 12:19 +0100, Pavel Maslov wrote:
> Hi all,
>
> When I manually create a new user from the Keycloak Admin Console (UI), can Keycloak automatically send an email to that person?
>
> From what I can see now the user does not know that I have created an account, unless I inform them (e.g. by email).
>
> Regards,
> Pavel Maslov, MS

From dt at acutus.pro Fri Feb 1 15:32:24 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 01 Feb 2019 23:32:24 +0300
Subject: [keycloak-user] Showing error messages originating from external identity providers
In-Reply-To:
References:
Message-ID: <1549053144.23571.18.camel@acutus.pro>

Hello Guy,

Could you please clarify whether you have configured Active Directory as a User Federation source, or Azure as an OIDC/SAML identity provider?

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-01-28 at 10:35 +0200, Guy Marom wrote:
> Hello all,
>
> First off - thanks for developing this. The product is very useful for us!
>
> Second, I wanted to ask about external identity providers. We have an integration with *Azure Active Directory* and I configured an app in Azure that does not allow all users to use it by default, instead I need to assign a user to the app.
> When I try to login to Keycloak with a user that's unauthorized, I get redirected to Keycloak's login page with no error message shown.
> Is there a way to fix this (other than editing the HTML template of the login page)?
>
> Thanks,
> Guy Marom

From polfilm at gmail.com Fri Feb 1 16:44:22 2019
From: polfilm at gmail.com (Peter S)
Date: Fri, 1 Feb 2019 21:44:22 +0000
Subject: [keycloak-user] Domains for Realms
Message-ID:

Can I run different domains for different realms in the same keycloak cluster?
I have several services but they are so different from the master domain, would be great to assign a domain to a realm.

Any hints?

Peter.

From craig at baseventure.com Fri Feb 1 17:36:36 2019
From: craig at baseventure.com (Craig Setera)
Date: Fri, 1 Feb 2019 16:36:36 -0600
Subject: [keycloak-user] Action token implementation extensions??
Message-ID:

In addition to my question yesterday about REST endpoint extensions, I now have a new issue. Basically, my hope/plan was to create a REST endpoint and use that to retrieve a new type of action token that I was implementing. I was able to create a new REST endpoint and validate that the incoming user has the authority we want to require to initiate the new action.

Now, I'm trying to create the new action token to be returned. I've implemented all of the necessary interfaces. However, it is failing to deploy properly because all of the required classes are part of the keycloak-services module which appears to not be accessible. Am I missing something here? How can I create a new action token implementation and get it properly deployed and working?

Thanks,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*

From dt at acutus.pro Fri Feb 1 17:51:31 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 02 Feb 2019 01:51:31 +0300
Subject: [keycloak-user] Action token implementation extensions??
In-Reply-To:
References:
Message-ID: <1549061491.23571.22.camel@acutus.pro>

Hello Craig,

In JBoss/Wildfly environment, you need to explicitly declare runtime dependencies. I assume that you're deploying your provider via dropping the JAR into the standalone/deployments dir. In this case, you need to have META-INF/jboss-deployment-structure.xml like this:

If you are deploying as a module, use "module add ... --dependencies=org.keycloak.keycloak-services" jboss-cli command. It will auto-create the proper XML module descriptor for you.
Cheers,
Dmitry

On Fri, 2019-02-01 at 16:36 -0600, Craig Setera wrote:
> In addition to my question yesterday about REST endpoint extensions, I now have a new issue. Basically, my hope/plan was to create a REST endpoint and use that to retrieve a new type of action token that I was implementing. I was able to create a new REST endpoint and validate that the incoming user has the authority we want to require to initiate the new action.
>
> Now, I'm trying to create the new action token to be returned. I've implemented all of the necessary interfaces. However, it is failing to deploy properly because all of the required classes are part of the keycloak-services module which appears to not be accessible. Am I missing something here? How can I create a new action token implementation and get it properly deployed and working?
>
> Thanks,
> Craig
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*

From craig at baseventure.com Fri Feb 1 20:52:49 2019
From: craig at baseventure.com (Craig Setera)
Date: Fri, 1 Feb 2019 19:52:49 -0600
Subject: [keycloak-user] Action token implementation extensions??
In-Reply-To: <1549061491.23571.22.camel@acutus.pro>
References: <1549061491.23571.22.camel@acutus.pro>
Message-ID:

As usual, Dmitry has the right answer. What is interesting (annoying?) is that I was trying to do this per the Wildfly docs with a "Dependencies" attribute in my JAR manifest. However, that didn't work and I assumed that it was something deeper. I assumed that if that didn't work that the jboss-deployment-structure.xml file wouldn't be any different.

As always - Thanks to Dmitry for saving me!

Craig

=================================
*Craig Setera*

*Chief Technology Officer*

On Fri, Feb 1, 2019 at 4:51 PM Dmitry Telegin
wrote:
> Hello Craig,
>
> In JBoss/Wildfly environment, you need to explicitly declare runtime
> dependencies.

From chjas26 at gmail.com Fri Feb 1 23:54:47 2019
From: chjas26 at gmail.com (jaswanth chilaka)
Date: Sat, 2 Feb 2019 10:24:47 +0530
Subject: [keycloak-user] keycloak federation
Message-ID:

Hi, I'm jaswanth.

I was recently working on keycloak and I want to federate keycloak with openam. Here we want keycloak as IDP and openam as SP. So I have a few doubts regarding that: how could you configure openam with keycloak? Does keycloak support the openam circle of trust?

Thanks & Regards,
Jaswanth

From linuxhippy at gmail.com Sat Feb 2 03:07:45 2019
From: linuxhippy at gmail.com (Clemens Eisserer)
Date: Sat, 2 Feb 2019 09:07:45 +0100
Subject: [keycloak-user] How to disable request restore in OIDCFilterSessionStore (how to make eclipse RAP work with keycloak)?
Message-ID:

Hi,

I am trying to make a server-side framework (eclipse RAP) integrate nicely with keycloak. The issue I am facing is that the client-side part of the framework uses XMLHttpRequests and therefore cannot cope with the HTTP 302 redirects sent by the keycloak servlet in case the HttpSession times out. Instead it expects some hand-crafted JSON to perform the redirect itself - I've implemented it using a HttpServletResponse facade so I can later manually re-do the redirect generated by Keycloak (please see code at end of mail), and this seems to work fine. However, after the redirect, Keycloak seems to restore the old request in OIDCFilterSessionStore which initially caused the redirect.
The server-side framework code receives the outdated POST and goes nuts (instead of the expected GET to re-start the whole session); only if I remove __REDIRECT_URI manually (which leads to needRequestRestore = false) does everything work as expected.

Is there any way to disable this request-restoring process with a public API, instead of messing with the HttpSession in an undocumented way?

Thank you in advance,
Clemens

PS: risking being a support-vampire, what is the idea behind this request-restoring process?

The browser network log looks like:

1. POST (application URL, session timed out) -> response:
{"head": {"redirect": "https://..../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%someapplication%2F?cid%3Dd28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid"}}

2. Browser loads the keycloak login page itself using GET:
https://....../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid

3. keycloak login page immediately redirects (302) to the application again:
http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&code=6V8e2h-yNHLpDbwqkQaegLAi3Ih2YqHA47DR_Sbeq50.3c6a0415-c45c-4bf1-bba8-c03280784b8f

4. the keycloak filter in the application redirects again to the application URL, cutting off the parameters:
http://localhost:8080/someapplication/?cid=d28559d9

However, for this request keycloak restores some previous request, so the initial GET request sent by the browser becomes a POST and confuses the JS application framework.
Code:

// Use a facade here which ignores sendError() issued by the keycloak filter,
// this way we are able to reload the login-page instead
HttpServletResponseFascade responseFascade = new HttpServletResponseFascade(response);
// request.getSession(true).removeAttribute("__REDIRECT_URI"); // does not work without
super.doFilter(req, responseFascade, chain);

if (responseFascade.getStatus() == 302) {
    String location = responseFascade.getLocation();
    if (request.getMethod().equalsIgnoreCase("POST")) {
        // XMLHttpRequest callers cannot follow a 302, so hand the redirect target
        // back as JSON for the client-side framework to apply itself.
        // Note: location is embedded unescaped; a quote character in it would break the JSON.
        response.setStatus(200);
        PrintWriter pw = response.getWriter();
        pw.println("{\"head\": {\"redirect\": \"" + location + "\"}}");
        pw.flush();
    } else {
        // Plain browser navigation: re-issue the redirect captured by the facade
        response.setHeader("Location", location);
        response.setStatus(responseFascade.getStatus());
    }
}

From pavel.masloff at gmail.com Sat Feb 2 13:58:52 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sat, 2 Feb 2019 19:58:52 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To: <1549041147.23571.1.camel@acutus.pro>
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> <1549041147.23571.1.camel@acutus.pro>
Message-ID:

Hi Dmitry,

This only gives a string representation of the refresh token. Well, I would like the expiration date property as well.

Regards,
Pavel Maslov, MS

On Fri, Feb 1, 2019 at 6:12 PM Dmitry Telegin
wrote:
> Hello Pavel,
>
> Just cast your KeycloakSecurityContext to
> org.keycloak.adapters.RefreshableKeycloakSecurityContext and call
> getRefreshToken().
>
> Udachi :)
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2019-02-01 at 16:38 +0100, Pavel Maslov wrote:
> > Hi Niko, all
> >
> > Is it possible to get the refresh token in the same manner?
> > Thanks :)
> >
> > Regards,
> > Pavel Maslov, MS
> >
> > On Fri, Dec 28, 2018 at 12:16 PM Niko Kübler wrote:
> >
> > > As you can see, the bean definition is Request-scoped.
> > > This leads to a new bean instance for every request, and thus for each and
> > > every user :)
> > >
> > > On 28.12.2018 at 11:46, Pavel Maslov wrote:
> > >
> > > Hey Niko,
> > >
> > > Excellent, this is exactly what I was looking for!
> > > In your example, does the *accessToken* injected field return a token for
> > > each and every user respectively (not the same)?
> > > Thank you very "many" (much) :))
> > >
> > > Regards,
> > > Pavel Maslov, MS
> > >
> > > On Fri, Dec 28, 2018 at 11:38 AM Niko Kübler wrote:
> > >
> > > > Hi Pavel,
> > > >
> > > > that's quite easy (as most things with Spring Boot).
> > > >
> > > > You can get the AccessToken object through the HttpServletRequest,
> > > > KeycloakPrincipal and KeycloakSecurityContext.
> > > > In my projects, I do some bean definitions like here:
> > > > https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/KeycloakSpringbootDemoApplication.java
> > > > Then, you can just inject the AccessToken or KeycloakSecurityContext
> > > > where you want, like this:
> > > > https://github.com/dasniko/keycloak-springboot-demo/blob/master/src/main/java/dasniko/customer/CrmController.java
> > > >
> > > > Instead of the AccessToken, you can also get the IdentityToken, of course.
> > > >
> > > > HTH,
> > > > - Niko
> > > >
> > > > > On 28.12.2018 at 11:22, Pavel Maslov <pavel.masloff at gmail.com> wrote:
> > > > >
> > > > > Hi, guys. Haven't been here for quite a while :)
> > > > >
> > > > > I'm using the Springboot Keycloak adapter
> > > > > (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST
> > > > > API via bearer token [1]. And it works! Cool.
> > > > >
> > > > > Now, I would like to get the access token in my @RestController, or even
> > > > > better some information about the user. Is it possible?
> > > > >
> > > > > Thanks in advance.
> > > > >
> > > > > Regards,
> > > > > Pavel Maslov, MS
> > > > >
> > > > > [1] https://github.com/maslick/barkoder
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sat Feb 2 17:05:23 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Sun, 03 Feb 2019 01:05:23 +0300
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To:
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> <1549041147.23571.1.camel@acutus.pro>
Message-ID: <1549145123.3647.7.camel@acutus.pro>

Hi Pavel,

KeycloakSecurityContext has a parseToken() method just for that, but it's private for some reason. However, it's trivial, so you can easily borrow those six lines :)

Cheers,
Dmitry

On Sat, 2019-02-02 at 19:58 +0100, Pavel Maslov wrote:
> Hi Dmitry,
>
> This only gives a string representation of the refresh token. Well, I would like the expiration date property as well.
From ntakei at sios.com Sun Feb 3 02:08:45 2019
From: ntakei at sios.com (Noriyuki TAKEI)
Date: Sun, 3 Feb 2019 16:08:45 +0900
Subject: [keycloak-user] source code of keycloak version 3.4.3
Message-ID:

Hi.
I'd like to get the keycloak source code of version 3.4.3. Please tell me where I can get it.

From fsf.eff at protonmail.com Sun Feb 3 03:27:07 2019
From: fsf.eff at protonmail.com (John Doe)
Date: Sun, 03 Feb 2019 08:27:07 +0000
Subject: [keycloak-user] Configure authorization with SAML
Message-ID:

Dear Keycloak users,

First of all I would like to thank you for committing to this project.

I configured Keycloak with FreeIPA. I have a single realm in Keycloak (the master realm) and all of my SAML clients are in this realm. Right now I want to limit access to the "Weekdone.com SAML client" for certain users, and as I searched I found out there is no authorization on SAML and it's under development. Can you please tell me about its status? If it's not available right now, how can I implement it? Is it OK if I create a "weekdone users" group in FreeIPA, create another realm in Keycloak and add the weekdone SAML client to that realm? I think that makes a mess in the long term, but I found no other solution.

References to this issue:
http://lists.jboss.org/pipermail/keycloak-user/2017-September/011759.html
https://www.reddit.com/r/selfhosted/comments/8ah2we/keycloak_authorization_services_for_saml/

Best Regards.

From pavel.masloff at gmail.com Sun Feb 3 04:53:22 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 3 Feb 2019 10:53:22 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To: <1549145123.3647.7.camel@acutus.pro>
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> <1549041147.23571.1.camel@acutus.pro> <1549145123.3647.7.camel@acutus.pro>
Message-ID:

Awesome, thanks! :)

On Sat, Feb 2, 2019, 23:05 Dmitry Telegin
From davidjbrewer at eupraxialabs.com Sun Feb 3 07:24:44 2019
From: davidjbrewer at eupraxialabs.com (David Brewer)
Date: Sun, 3 Feb 2019 06:24:44 -0600
Subject: [keycloak-user] source code of keycloak version 3.4.3
In-Reply-To:
References:
Message-ID:

Try this:

https://github.com/keycloak/keycloak/releases

Dave

On Sun, Feb 3, 2019 at 1:11 AM Noriyuki TAKEI wrote:
> Hi.
>
> I'd like to get keycloak source code of version 3.4.3.
> Please tell me where I can get this.

--
*David J. Brewer*
*SVP/Cloud Architecture*
*(512) 681-4501*

From craig at baseventure.com Sun Feb 3 09:29:22 2019
From: craig at baseventure.com (Craig Setera)
Date: Sun, 3 Feb 2019 08:29:22 -0600
Subject: [keycloak-user] Launch change password flow from action token?
Message-ID:

With Dmitry's help, my action token is now functional in terms of the token handler being called. Part of my new function is to launch the change password flow for a particular user. Is there a good/easy example in the code base that shows how I might do that from my action token handler function?

Thanks!
Craig

=================================
*Craig Setera*
*Chief Technology Officer*

From sblanc at redhat.com Sun Feb 3 11:04:34 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 3 Feb 2019 17:04:34 +0100
Subject: [keycloak-user] source code of keycloak version 3.4.3
In-Reply-To:
References:
Message-ID:

Or you can browse it directly here: https://github.com/keycloak/keycloak/tree/3.4.3.Final

On Sun, Feb 3, 2019 at 1:27 PM David Brewer wrote:
> Try this:
>
> https://github.com/keycloak/keycloak/releases
>
> Dave

From pavel.masloff at gmail.com Sun Feb 3 11:46:51 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 3 Feb 2019 17:46:51 +0100
Subject: [keycloak-user] [spring-boot-adapter] get token/principal/etc.
In-Reply-To:
References: <8884E564-CA03-4940-BCC3-CF6F7CA6C87F@n-k.de> <1549041147.23571.1.camel@acutus.pro> <1549145123.3647.7.camel@acutus.pro>
Message-ID:

Dmitry, in the end I used the TokenUtil.getRefreshToken method :)

Regards,
Pavel Maslov, MS

On Sun, Feb 3, 2019 at 10:53 AM Pavel Maslov wrote:
> Awesome, thanks! :)
>
> On Sat, Feb 2, 2019, 23:05 Dmitry Telegin
From pa at pauloangelo.com Sun Feb 3 12:16:39 2019
From: pa at pauloangelo.com (Paulo Angelo)
Date: Sun, 3 Feb 2019 15:16:39 -0200
Subject: [keycloak-user] Integration with GuardianKey
Message-ID:

Hi all,

We are trying to integrate KeyCloak with GuardianKey. However, we have doubts related to the best way to do this and the best point in KeyCloak's code for this integration.

GuardianKey is a service to protect systems against authentication attacks. It uses Machine Learning and analyses the user's behavior, threat intelligence and psychometrics (or behavioral biometrics). The protected system (in the concrete case, KeyCloak) must send an event via REST to GuardianKey on each login attempt. More info at https://guardiankey.io .

The best way to integrate would be to have a hook in the procedure that processes the user credentials submission in KeyCloak (the script that receives the POST), something such as:

if() {
    boolean loginFailed = checkLoginInKeyCloak();
    GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
    boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
    if (GuardianKeyValidation) {
        // Allow access
    } else {
        // Deny access
    }
}

Where is the best place to create this integration? Is there a way to create a hook for this purpose? Should we create an extension?

Any help is welcome. Thank you in advance.
Best regards,

--
Att,
Paulo Angelo

From ntakei at sios.com Sun Feb 3 12:48:38 2019
From: ntakei at sios.com (Noriyuki TAKEI)
Date: Mon, 4 Feb 2019 02:48:38 +0900
Subject: [keycloak-user] source code of keycloak version 3.4.3
In-Reply-To:
References:
Message-ID:

Hi, all.

Thanks for your quick reply. I could get the source code!!

On Mon, 4 Feb 2019 at 1:04, Sebastien Blanc wrote:
> Or you can browse it directly here
> https://github.com/keycloak/keycloak/tree/3.4.3.Final

From ntakei at sios.com Sun Feb 3 13:06:27 2019
From: ntakei at sios.com (Noriyuki TAKEI)
Date: Mon, 4 Feb 2019 03:06:27 +0900
Subject: [keycloak-user] Modify source code, recompile and deploy
Message-ID:

Hi.

I'd like to modify the source code of keycloak (version 3.4.3), recompile and deploy it. Exactly, the source file I'd like to modify is org/keycloak/social/google/GoogleIdentityProvider.java.

I am now running keycloak in standalone mode.

I guess the following way to recompile:

# git clone https://github.com/keycloak/keycloak.git
# git checkout 3.4.3.Final
# cd distribution/server-dist
# mvn clean package

It worked fine.

Please tell me the way to deploy the recompiled package.
From dt at acutus.pro Sun Feb 3 16:30:26 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 04 Feb 2019 00:30:26 +0300
Subject: [keycloak-user] Modify source code, recompile and deploy
In-Reply-To:
References:
Message-ID: <1549229426.7030.8.camel@acutus.pro>

Hello Noriyuki,

You'll find the built distribution under the distribution/server-dist/target dir. You can deploy it just like you would deploy a regular Keycloak distro.

However, this is not the recommended way to do things like this. Identity providers in Keycloak are pluggable, so you should create your customized identity provider based on Google and deploy it to the normal Keycloak installation. See the discussion of a similar problem [1].

[1] http://lists.jboss.org/pipermail/keycloak-user/2018-July/014490.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-02-04 at 03:06 +0900, Noriyuki TAKEI wrote:
> Hi.
>
> I'd like to modify source code of keycloak (version 3.4.3), recompile and
> deploy.

From dt at acutus.pro Sun Feb 3 16:42:31 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 04 Feb 2019 00:42:31 +0300
Subject: [keycloak-user] Launch change password flow from action token?
In-Reply-To:
References:
Message-ID: <1549230151.7030.10.camel@acutus.pro>

Hi again Craig :)

Since password reset in Keycloak is also implemented as an action token, I think you need to simply borrow its handleToken() method [1].

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java#L62

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sun, 2019-02-03 at 08:29 -0600, Craig Setera wrote:
> With Dmitry's help, my action token is now functional in terms of the token
> handler being called.

From jprouty at cctus.com Sun Feb 3 19:13:53 2019
From: jprouty at cctus.com (Jason Prouty)
Date: Mon, 4 Feb 2019 00:13:53 +0000
Subject: [keycloak-user] One time password
Message-ID:

I would like to use Keycloak with OTP only instead of Password and OTP. Is this possible?

From denis.danov at dreamix.eu Mon Feb 4 03:06:18 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Mon, 4 Feb 2019 10:06:18 +0200
Subject: [keycloak-user] How to find applications a user can access from KC DB
Message-ID:

Hi keycloak users,

some time ago I asked if it is possible to find all applications a user has access to from the REST API. It turned out that it is not possible out of the box. Now I am exploring the idea of extracting this data from the DB.
Our Keycloak instance has the LDAP user federation provider, which is already synced, and I can see users and roles in KC. However, on Keycloak's account page I can see more roles assigned to a user than in the DB. Is there a different data provider than the DB that Keycloak uses to build its mapping between a user and the list of applications he can access in the account page?

Regards,
Denis

From denis.danov at dreamix.eu Mon Feb 4 03:06:58 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Mon, 4 Feb 2019 10:06:58 +0200
Subject: [keycloak-user] Retrieve all accessible applications for the logged user
In-Reply-To:
References: <1547785533.9262.1.camel@acutus.pro>
Message-ID:

Hi all,

Now I am exploring the idea to extract this data from the DB. Our Keycloak instance has the LDAP user federation provider, which is already synced, and I can see users and roles in KC. However, on Keycloak's account page I can see more roles assigned to a user than in the DB. Is there a different data provider than the DB that Keycloak uses to build its mapping between a user and the list of applications he can access in the account page?

Regards,
Denis

On Fri, Jan 18, 2019 at 4:30 PM Denis Danov wrote:
> Hi Dmitry, Stan,
>
> thank you for the responses. We will check the custom REST API option.
> Thank you a lot for the information.
>
> On Fri, Jan 18, 2019 at 6:25 AM Dmitry Telegin
> wrote:
>
>> Hello Denis, just my 2¢ in addition to what Stan said,
>>
>> If you can't wait for the account REST service to be merged, you can
>> create your own REST service to expose the data you need.
>>
>> Check out Server Development [1] for how to create custom REST resources,
>> BeerCloak [2] for how to secure them and ApplicationsBean.java [3] for how
>> to obtain the application list.
>>
>> [1]
>> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
>> [2] https://github.com/dteleguin/beercloak
>> [3]
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Thu, 2019-01-17 at 14:11 +0200, Denis Danov wrote:
>> > Hi Keycloak members,
>> >
>> > I am excited writing to you and I hope someone will answer.
>> > I am working on an application that should be registered and secured in
>> > Keycloak. Once the user is authenticated we want to show a list of all other
>> > applications that the user has access to.
>> > Can this information be retrieved via the REST API, as I can see that it is
>> > already available from the Keycloak UI for the user's account under the section
>> > applications
>> > https://www.keycloak.org/docs/3.3/server_admin/topics/account.html
>> >
>> > Regards,
>> > Denis Danov
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >

From slaskawi at redhat.com Mon Feb 4 03:09:36 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 4 Feb 2019 09:09:36 +0100
Subject: [keycloak-user] One time password
In-Reply-To:
References:
Message-ID:

Personally, I would discourage you from doing that.
Note that after a new user logs in using his username and password, Keycloak displays a screen with the OTP configuration. So disabling username/password login would practically prevent new users from logging into your application.

On Mon, Feb 4, 2019 at 1:26 AM Jason Prouty wrote:
> I would like to use Keycloak with OTP only instead of Password and OTP.
>
> Is this possible?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From slaskawi at redhat.com Mon Feb 4 03:34:40 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 4 Feb 2019 09:34:40 +0100
Subject: [keycloak-user] Domains for Realms
In-Reply-To:
References:
Message-ID:

Personally, I haven't tried running such a setup but I believe I have some suggestions on how to make it work:

- Wildfly has a feature called Virtual Host [1][2]. You could use this feature to separate your realms.
- Keycloak also needs to know its public address. Therefore, you might need to provide your own Hostname SPI implementation [3].

[1] http://docs.wildfly.org/12/Admin_Guide.html#host-configuration
[2] http://www.mastertheboss.com/jboss-web/jbosswebserver/jboss-as-virtual-host-configuration
[3] https://www.keycloak.org/docs/latest/server_admin/index.html#request-provider

On Fri, Feb 1, 2019 at 10:53 PM Peter S wrote:
> Can I run different domains for different realms in the same keycloak
> cluster? I have several services but they are so different from the master
> domain, it would be great to assign a domain to a realm. Any hints?
>
> Peter.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lorenzo.luconi at iit.cnr.it Mon Feb 4 03:57:52 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Mon, 4 Feb 2019 09:57:52 +0100
Subject: [keycloak-user] Not existent attributes for users from user-federeation cause NPE
In-Reply-To: <1549044655.23571.3.camel@acutus.pro>
References: <8320EBA1-2472-4D80-9A6F-36B68FF9B485@iit.cnr.it> <1549044655.23571.3.camel@acutus.pro>
Message-ID:

Hello Dmitry,

thank you for your reply. I developed my keycloak SPI based on keycloak-quickstarts/user-storage-jpa, but this project is two years old. The getAttribute in this project looks like my implementation:

https://github.com/keycloak/keycloak-quickstarts/blob/3b739ff053a2ee024a2a01dd207bf638962a93f6/user-storage-jpa/src/main/java/org/keycloak/quickstart/storage/user/UserAdapter.java#L126

    @Override
    public List<String> getAttribute(String name) {
        if (name.equals("phone")) {
            List<String> phone = new LinkedList<>();
            phone.add(entity.getPhone());
            return phone;
        } else {
            // for any other attribute name the federated storage lookup may yield null
            return super.getAttribute(name);
        }
    }

In case of a missing attribute this method returns a null value and then a NullPointerException is thrown. I think the keycloak code should be fixed to avoid the NPE, or at least the example should be changed.

Anyway, this works for me:

    @Override
    public List<String> getAttribute(String name) {
        final List<String> values;
        if (attributes.containsKey(name)) {
            values = attributes.get(name);
        } else {
            values = super.getAttribute(name);
        }
        // never hand a null list to callers such as KeycloakModelUtils.resolveAttribute
        return Optional.ofNullable(values).orElse(Collections.emptyList());
    }

Thanks,
Lorenzo

> On 1 Feb 2019, at 19:10, Dmitry Telegin
> wrote:
>
> Hello Lorenzo,
>
> Out of interest I've tried to play with keycloak-quickstarts/user-storage-simple. I was able to authenticate as "tbrady" even though its UserModel obviously returns null from getAttribute(). But in this case KeycloakModelUtils::resolveAttribute() is invoked not on the UserModel supplied by the provider, but rather on the o.k.models.cache.infinispan.UserAdapter wrapper (which performs null checking and returns an empty list in that case). Not sure why resolveAttribute is invoked on your UserAdapter directly, but I think it's safe to return an empty list too.
>
> Did you try keycloak-quickstarts/user-storage-jpa by the way?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2019-02-01 at 16:54 +0100, Lorenzo Luconi Trombacchi wrote:
>> I'm using Keycloak version 4.8.3 with a custom user federation plugin. I created a new realm, configured my user federation plugin and created a new client. I tried to authenticate and I got an error 500 from keycloak.
>> In the Keycloak log I found this NullPointerException:
>>
>> 14:09:15,472 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NullPointerException
>>> at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:414)
>>> at org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
>>> at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:93)
>>> at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
>>> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:117)
>>> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
>>> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
>>> at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:606)
>>> at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
>>> at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:422)
>>> at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:795)
>>> at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:544)
>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:569)
>>> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:186)
>>> at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:402)
>> ...
>>
>> After some tests I found the problem: the "Assigned Default Client Scopes" list, in my newly created client, includes the "profile" scope.
>> The "profile"
>> scope includes a lot of attributes and not all of them are exported from my federation plugin for my users. Removing the profile scope solves the problem and now I can successfully authenticate my federated users.
>>
>> In class KeycloakModelUtils there are two implementations of the method resolveAttribute:
>>
>>     public static List<String> resolveAttribute(GroupModel group, String name) {
>>         List<String> values = group.getAttribute(name);
>>         if (values != null && !values.isEmpty()) return values;
>>         if (group.getParentId() == null) return null;
>>         return resolveAttribute(group.getParent(), name);
>>     }
>>
>>     public static Collection<String> resolveAttribute(UserModel user, String name, boolean aggregateAttrs) {
>>         List<String> values = user.getAttribute(name);
>>         Set<String> aggrValues = new HashSet<String>();
>>         if (!values.isEmpty()) {
>>             if (!aggregateAttrs) {
>>                 return values;
>>             }
>>             aggrValues.addAll(values);
>>         }
>>         for (GroupModel group : user.getGroups()) {
>>             values = resolveAttribute(group, name);
>>             if (values != null && !values.isEmpty()) {
>>                 if (!aggregateAttrs) {
>>                     return values;
>>                 }
>>                 aggrValues.addAll(values);
>>             }
>>         }
>>         return aggrValues;
>>     }
>>
>> As you can see the first implementation checks if values is null, but not the second one, where I got the NPE.
>>
>> In my UserModel implementation I override the getAttribute method:
>>
>>     public class UserAdapter extends AbstractUserAdapterFederatedStorage {
>>
>>         ...
>>         @Override
>>         public List<String> getAttribute(String name) {
>>             if (attributes.containsKey(name)) {
>>                 return attributes.get(name);
>>             }
>>
>>             return super.getAttribute(name);
>>         }
>>
>>     }
>>
>> If I force this method to return an empty list instead of a null value, this solves the problem. Is this the right fix? Must the getAttribute method not return a null value?
>>
>>
>> I hope this helps.
>>
>> Thanks,
>> Lorenzo
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dharlaftis at ekt.gr Mon Feb 4 04:39:40 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Mon, 4 Feb 2019 11:39:40 +0200
Subject: [keycloak-user] assign client roles to a user using keycloak rest API
Message-ID:

Hello,

I want to assign a client role to a specific user using the keycloak rest API. From the documentation, I tried this:

I have a realm called internal_applications and a client under this realm called test_app. In this client (test_app), I have manually created some client roles, i.e. administrator.

Then, I hit the server with postman:

HTTP POST http:///auth/admin/realms//users

BODY:

    {
        "username": "jim at ka.gr",
        "firstName": "Jim",
        "lastName": "Sanders",
        "email": "jim at ka.gr",
        "clientRoles": {
            "test_app": ["administrator"]
        }
    }

This http call adds the user jim at ka.gr to keycloak, but DOES NOT ASSIGN the already existing client role administrator to him.

How can I do this? Please, help...

Dimitris

--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis at ekt.gr
_____________________________

From titorenko at dtg.technology Mon Feb 4 04:49:25 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Mon, 4 Feb 2019 12:49:25 +0300
Subject: [keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
Message-ID: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology>

Hello guys!

Could someone help me with this.

I'm playing with policy enforcers in a test Spring Boot application trying to find how to apply it to our cases. I'm trying to investigate how 'ENFORCING' mode is working with scope based permissions.
My intuitive understanding of this:
if a resource does not have any permissions defined on it, then access is denied for any scope requested.
if a resource has some permissions, then access to scopes not covered by any existing permission is always denied.

What I see in reality:
the first case works fine. Access to my service is denied if no permissions are defined on it.
if the resource has a permission controlling access to one scope, then access to the other scopes is always GRANTED.

In particular, I've created a demo REST document storage service, which defines CRUD operations, plus one "list" operation to get the list of documents for an entity. All these operations are covered by a corresponding scope (create, view, update, delete, list). After that:
If I have no permissions defined for this service, then no access is granted whatever scope I request.
If I define a scope-based permission, let's say, controlling access to the "list" scope on the resource, then access is automatically granted to requests for all CRUD operations, for example, for the "create" operation.

Is it how this is intended to work or not? My expectation is that everything should be denied (every scope), until explicitly allowed by some permission.

Below are debug log messages that might be of some interest, my policy enforcer config, and some screenshots.

The first log entry corresponds to the "create" operation with the "create" scope and the other one to the "list" operation.

Thank you,
Alexey.

From Logs:

2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[list]}]].

Config

svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true

keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*

keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/

logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG

# policy enforcer
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public

keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*

keycloak.policy-enforcer-config.paths[1].name=Admin Resources
keycloak.policy-enforcer-config.paths[1].path=/admin/*
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}

keycloak.policy-enforcer-config.paths[2].name=Documents
keycloak.policy-enforcer-config.paths[2].path=/documents/
keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list

keycloak.policy-enforcer-config.paths[3].name=Documents
keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete

Client authorisation config:

{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Admin Resources",
      "type": "urn:docs-svc-uma:resources:admin",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
      "uris": [
        "/admin/*",
        "/admin"
      ],
      "icon_uri": ""
    },
    {
      "name": "Documents",
      "type": "urn:docs-svc-uma:resources:documents",
      "ownerManagedAccess": false,
      "attributes": {},
      "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
      "uris": [
        "/documents/{id}",
        "/documents/"
      ],
      "scopes": [
        { "name": "view" },
        { "name": "update" },
        { "name": "delete" },
        { "name": "create" },
        { "name": "list" }
      ]
    }
  ],
  "policies": [
    {
      "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
      "name": "Never",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "code": "$evaluation.deny();"
      }
    },
    {
      "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
      "name": "List Documents",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Documents\"]",
        "scopes": "[\"list\"]",
        "applyPolicies": "[\"Default Policy\"]"
      }
    }
  ],
  "scopes": [
    { "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae", "name": "create" },
    { "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2", "name": "delete" },
    { "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050", "name": "update" },
    { "id": "d72a9d39-3750-41c4-954f-0db7853cb964", "name": "list" },
    { "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402", "name": "view", "iconUri": "" }
  ]
}

From psilva at redhat.com Mon Feb 4 07:32:56 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 4 Feb 2019 10:32:56 -0200
Subject: [keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
In-Reply-To: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology>
References: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology>
Message-ID:

The main point here is that you are granted a permission without any scope:

2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].

The policy enforcer understands that "no scopes" means access to the resource itself and that explains why you are able to access that protected resource.

The reason why you are granted a permission with no scopes is that the policy engine checks whether or not the permission (regardless if scope or resource based) is associated with a resource.
If so, access to the resource is granted.

You can try removing the resource from the "List Documents" permission and leave only the "list" scope.

Another option is to define a scope-based permission for each scope.

Lastly, I'm wondering if we should only grant access to a resource if the permission is actually a resource-based permission. Then none of the steps above would be necessary and your configuration would work as expected.

Wdyt ?

On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko wrote:
> Hello guys!
>
> Could someone help me with this.
>
> I'm playing with policy enforcers in a test Spring Boot application trying
> to find how to apply it to our cases. I'm trying to investigate how
> 'ENFORCING' mode is working with scope based permissions.
>
> My intuitive understanding of this:
> if a resource does not have any permissions defined on it, then access is
> denied for any scope requested.
> if a resource has some permissions, then access to scopes not covered by
> any existing permission is always denied.
>
> What I see in reality:
> the first case works fine. Access to my service is denied if no permissions
> are defined on it.
> if the resource has a permission controlling access to one scope, then
> access to the other scopes is always GRANTED.
>
> In particular, I've created a demo REST document storage service, which
> defines CRUD operations, plus one "list" operation to get the list of documents
> for an entity. All these operations are covered by a corresponding scope
> (create, view, update, delete, list). After that:
> If I have no permissions defined for this service, then no access is
> granted whatever scope I request.
> If I define a scope-based permission, let's say, controlling access to the
> "list" scope on the resource, then access is automatically granted to
> requests for all CRUD operations, for example, for the "create" operation.
>
> Is it how this is intended to work or not?
> My expectation is that
> everything should be denied (every scope), until explicitly allowed by some
> permission.
>
> Below are debug log messages that might be of some interest, my policy
> enforcer config, and some screenshots.
>
> The first log entry corresponds to the "create" operation with the "create" scope
> and the other one to the "list" operation.
>
> Thank you,
> Alexey.
>
> From Logs:
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4]
> o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path
> [PathConfig{name='Documents', type='null', path='/documents/{id}',
> scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846',
> enforcerMode='ENFORCING'}]. Permissions [[Permission
> {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3]
> o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path
> [PathConfig{name='Documents', type='null', path='/documents/', scopes=[],
> id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}].
> Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846,
> name=Documents, scopes=[list]}]].
>
>
> Config
> svc.name=docs-uma
> server.port = 8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>
> logging.level.org.keycloak=DEBUG
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
> keycloak.policy-enforcer-config.paths[1].path=/admin/*
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
> keycloak.policy-enforcer-config.paths[2].name=Documents
> keycloak.policy-enforcer-config.paths[2].path=/documents/
> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
>
> keycloak.policy-enforcer-config.paths[3].name=Documents
> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>
> Client authorisation config:
> {
>   "allowRemoteResourceManagement": true,
>   "policyEnforcementMode": "ENFORCING",
>   "resources": [
>     {
>       "name": "Admin Resources",
>       "type": "urn:docs-svc-uma:resources:admin",
>       "ownerManagedAccess": false,
>       "attributes": {},
>       "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
>       "uris": [
>         "/admin/*",
>         "/admin"
>       ],
>       "icon_uri": ""
>     },
>     {
>       "name": "Documents",
>       "type": "urn:docs-svc-uma:resources:documents",
>       "ownerManagedAccess": false,
>       "attributes": {},
>       "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
>       "uris": [
>         "/documents/{id}",
>         "/documents/"
>       ],
>       "scopes": [
>         { "name": "view" },
>         { "name": "update" },
>         { "name": "delete" },
>         { "name": "create" },
>         { "name": "list" }
>       ]
>     }
>   ],
>   "policies": [
>     {
>       "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
>       "name": "Default Policy",
>       "description": "A policy that grants access only for users within this realm",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "AFFIRMATIVE",
>       "config": {
>         "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>       }
>     },
>     {
>       "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
>       "name": "Never",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "code": "$evaluation.deny();"
>       }
>     },
>     {
>       "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
>       "name": "List Documents",
>       "type": "scope",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "resources": "[\"Documents\"]",
>         "scopes": "[\"list\"]",
>         "applyPolicies": "[\"Default Policy\"]"
>       }
>     }
>   ],
>   "scopes": [
>     { "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae", "name": "create" },
>     { "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2", "name": "delete" },
>     { "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050", "name": "update" },
>     { "id": "d72a9d39-3750-41c4-954f-0db7853cb964", "name": "list" },
>     { "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402", "name": "view", "iconUri": "" }
>   ]
> }
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From titorenko at dtg.technology Mon Feb 4 07:39:39 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Mon, 4 Feb 2019 15:39:39 +0300
Subject: [keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
In-Reply-To:
References: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology>
Message-ID: <6098E33D-212F-494A-8632-40A05CD82167@dtg.technology>

Hi Pedro.

Ok, I understand. In my opinion it is a bit unintuitive and dangerous, as a scope based permission opens access to the whole resource.

Yes, if I specify permissions for all scopes, then it works fine.

Thank you!
Alexey

> On 4 Feb 2019, at 15:32, Pedro Igor Silva wrote:
>
> The main point here is that you are granted a permission without any scope:
>
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> The policy enforcer understands that "no scopes" means access to the resource itself and that explains why you are able to access that protected resource.
>
> The reason why you are granted a permission with no scopes is that the policy engine checks whether or not the permission (regardless if scope or resource based) is associated with a resource. If so, access to the resource is granted.
>
> You can try removing the resource from the "List Documents" permission and leave only the "list" scope.
>
> Another option is to define a scope-based permission for each scope.
>
> Lastly, I'm wondering if we should only grant access to a resource if the permission is actually a resource-based permission. Then none of the steps above would be necessary and your configuration would work as expected.
>
> Wdyt ?
>
>
> On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko wrote:
> Hello guys!
>
> Could someone help me with this.
>
> I'm playing with policy enforcers in a test Spring Boot application trying to find how to apply it to our cases. I'm trying to investigate how 'ENFORCING' mode is working with scope based permissions.
>
> My intuitive understanding of this:
> if a resource does not have any permissions defined on it, then access is denied for any scope requested.
> if a resource has some permissions, then access to scopes not covered by any existing permission is always denied.
>
> What I see in reality:
> the first case works fine. Access to my service is denied if no permissions are defined on it.
> if the resource has a permission controlling access to one scope, then access to the other scopes is always GRANTED.
>
> In particular, I've created a demo REST document storage service, which defines CRUD operations, plus one "list" operation to get the list of documents for an entity. All these operations are covered by a corresponding scope (create, view, update, delete, list). After that:
> If I have no permissions defined for this service, then no access is granted whatever scope I request.
> If I define a scope-based permission, let's say, controlling access to the "list" scope on the resource, then access is automatically granted to requests for all CRUD operations, for example, for the "create" operation.
>
> Is it how this is intended to work or not? My expectation is that everything should be denied (every scope), until explicitly allowed by some permission.
>
> Below are debug log messages that might be of some interest, my policy enforcer config, and some screenshots.
>
> The first log entry corresponds to the "create" operation with the "create" scope and the other one to the "list" operation.
>
> Thank you,
> Alexey.
>
> From Logs:
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[list]}]].
>
>
> Config
> svc.name=docs-uma
> server.port=8085
> keycloak.realm=DemoApp
> keycloak.auth-server-url=http://localhost:8180/auth
> keycloak.ssl-required=external
> keycloak.resource=docs-svc-uma
> keycloak.cors=true
> keycloak.use-resource-role-mappings=true
> keycloak.verify-token-audience=false
> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
> keycloak.confidential-port=0
> keycloak.bearer-only=true
>
> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
> keycloak.securityConstraints[0].authRoles[0] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>
> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
> keycloak.securityConstraints[1].authRoles[0] = admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>
> logging.level.org.keycloak=DEBUG
> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>
> # policy enforcer
> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
> keycloak.policy-enforcer-config.lazy-load-paths=true
> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>
> keycloak.policy-enforcer-config.paths[0].name=Public Resources
> keycloak.policy-enforcer-config.paths[0].path=/*
>
> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
> keycloak.policy-enforcer-config.paths[1].path=/admin/*
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>
> keycloak.policy-enforcer-config.paths[2].name=Documents
> keycloak.policy-enforcer-config.paths[2].path=/documents/
> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
> keycloak.policy-enforcer-config.paths[3].name=Documents
> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>
> Client authorisation config:
> {
>   "allowRemoteResourceManagement": true,
>   "policyEnforcementMode": "ENFORCING",
>   "resources": [
>     {
>       "name": "Admin Resources",
>       "type": "urn:docs-svc-uma:resources:admin",
>       "ownerManagedAccess": false,
>       "attributes": {},
>       "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
>       "uris": [
>         "/admin/*",
>         "/admin"
>       ],
>       "icon_uri": ""
>     },
>     {
>       "name": "Documents",
>       "type": "urn:docs-svc-uma:resources:documents",
>       "ownerManagedAccess": false,
>       "attributes": {},
>       "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
>       "uris": [
>         "/documents/{id}",
>         "/documents/"
>       ],
>       "scopes": [
>         { "name": "view" },
>         { "name": "update" },
>         { "name": "delete" },
>         { "name": "create" },
>         { "name": "list" }
>       ]
>     }
>   ],
>   "policies": [
>     {
>       "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
>       "name": "Default Policy",
>       "description": "A policy that grants access only for users within this realm",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "AFFIRMATIVE",
>       "config": {
>         "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>       }
>     },
>     {
>       "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
>       "name": "Never",
>       "type": "js",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "code": "$evaluation.deny();"
>       }
>     },
>     {
>       "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
>       "name": "List Documents",
>       "type": "scope",
>       "logic": "POSITIVE",
>       "decisionStrategy": "UNANIMOUS",
>       "config": {
>         "resources": "[\"Documents\"]",
>         "scopes": "[\"list\"]",
>         "applyPolicies": "[\"Default Policy\"]"
>       }
>     }
>   ],
>   "scopes": [
>     { "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae", "name": "create" },
>     { "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2", "name": "delete" },
>     { "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050", "name": "update" },
>     { "id": "d72a9d39-3750-41c4-954f-0db7853cb964", "name": "list" },
>     { "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402", "name": "view", "iconUri": "" }
>   ]
> }
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Mon Feb 4 07:39:39 2019
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Mon, 4 Feb 2019 12:39:39 +0000
Subject: [keycloak-user] using my own email template engine
Message-ID:

Hi,

I'd like to have my own email templating engine and email notification system, rather than using the built-in FreeMarker one coming OOTB with Keycloak. I wonder what the best way would be to do that.

I see that the relevant classes are FreeMarkerEmailTemplateProvider and FreeMarkerEmailTemplateProviderFactory. I also see that there is an SPI EmailTemplateSpi class, but I see no documentation about it. Is this the SPI I should use and implement?
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)

This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 3506 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190204/d5fd19d9/attachment-0001.png

From slaskawi at redhat.com Mon Feb 4 07:40:36 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 4 Feb 2019 13:40:36 +0100
Subject: [keycloak-user] Remove realm in HA environment throw org.keycloak.models.ModelException: javax.persistence.OptimisticLockException
In-Reply-To:
References:
Message-ID:

Let me add +Marek Posolda, maybe he'll have a better idea what might be causing this...

The error happened here [1]. Hibernate wanted to remove a given RoleEntity object, but between `em.remove(roleEntity)` and `em.flush()` some other transaction had removed that object from the database. One of the things that could result in such a behavior is deleting multiple realms at the same time.

Could you please tell us more about your test? How does it work, does it perform operations in sequential order or in parallel?

One improvement we could do on our side is to swap flushing the EntityManager and publishing events. That could also potentially solve your problem. Marek, what do you think about this?
Thanks,
Sebastian

[1] https://github.com/keycloak/keycloak/blob/7d85ce93bbf33eb11981a6c118abc48cab39742d/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java#L320

On Fri, Feb 1, 2019 at 5:12 AM madhura nishshanka <madhura.nishshanka at gmail.com> wrote:
> Hi All,
>
> I am getting "org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1" when a realm is deleted from the Keycloak Java admin client. This occurs in a HA environment when we do a performance test. Can someone please help me on this?
>
> I am using keycloak 4.8.1 final.
>
> Full exception
> 11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
> at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
> at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
> at com.sun.proxy.$Proxy99.flush(Unknown Source)
> at org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320)
> at org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567)
> at *org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)*
> at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486)
> at org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248)
> at org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at
> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
> at org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238)
> at
> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93)
> at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
> at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
> at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460)
> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440)
> at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
> ... 78 more
> Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
> at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67)
> at org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54)
> at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46)
> at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478)
> at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735)
> at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478)
> at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356)
> at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
> at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454)
> ...
> 83 more
>
> Thanks
> Madhura
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Mon Feb 4 07:41:00 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 4 Feb 2019 10:41:00 -0200
Subject: [keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
In-Reply-To: <6098E33D-212F-494A-8632-40A05CD82167@dtg.technology>
References: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology> <6098E33D-212F-494A-8632-40A05CD82167@dtg.technology>
Message-ID:

Or just leave "list" and remove the resource from your permission ....

I agree with you, will open a JIRA to make this more intuitive.

Tks


On Mon, Feb 4, 2019 at 10:39 AM Alexey Titorenko wrote:
> Hi Pedro.
>
> Ok, I understand. In my opinion it is a bit unintuitive and dangerous, as a scope-based permission opens access to the whole resource. Yes, if I specify permissions for all scopes, then it works fine.
>
> Thank you!
>
> Alexey
>
>
> On 4 Feb 2019, at 15:32, Pedro Igor Silva wrote:
>
> The main point here is that you are granted with a permission without any scope:
>
> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>
> The policy enforcer understands that "no scopes" means access to the resource itself, and that explains why you are able to access that protected resource.
>
> The reason why you are granted a permission with no scopes is that the policy engine checks whether or not the permission (regardless of whether it is scope- or resource-based) is associated with a resource. If so, access to the resource is granted.
>
> You can try removing the resource from the "List Documents" permission and leave only the "list" scope.
>
> Another option is to define a scope-based permission for each scope.
>
> Lastly, I'm wondering if we should only grant access to a resource if the permission is actually a resource-based permission. Then none of the steps above would be necessary and your configuration would work as expected.
>
> Wdyt ?
>
>
> On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko wrote:
>
>> Hello guys!
>>
>> Could someone help me with this.
>>
>> I'm playing with policy enforcers in a test Spring Boot application, trying to find how to apply it to our cases. I'm trying to investigate how 'ENFORCING' mode works with scope-based permissions.
>>
>> My intuitive understanding of this:
>> if a resource does not have any permissions defined on it, then access is denied for any scope requested.
>> if a resource has some permissions, then access to scopes not covered by any existing permission is always denied.
>>
>> What I see in reality:
>> first case works fine. Access to my service is denied if no permissions are defined on it.
>> if the resource has a permission controlling access to one scope, then access to the other scopes is always GRANTED.
>>
>> In particular, I've created a demo REST document storage service, which defines CRUD operations, plus one 'list' operation to get the list of documents for an entity. All these operations are covered by a corresponding scope (create, view, update, delete, list). After that:
>> If I have no permissions defined for this service, then no access is granted whatever scope I request.
>> If I define a scope-based permission, let's say, controlling access to the 'list' scope on the resource, then access is automatically granted to requests for all CRUD operations, for example, for the 'create' operation.
>>
>> Is it how this is intended to work or not?
>> My expectation is that everything should be denied (every scope), until explicitly allowed by some permission.
>>
>> Below are debug log messages that might be of some interest, my policy enforcer config, and some screenshots.
>>
>> The first log entry corresponds to the 'create' operation with the 'create' scope and the other one to the 'list' operation.
>>
>> Thank you,
>> Alexey.
>>
>> From Logs:
>> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>>
>> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[list]}]].
>>
>>
>> Config
>> svc.name=docs-uma
>> server.port=8085
>> keycloak.realm=DemoApp
>> keycloak.auth-server-url=http://localhost:8180/auth
>> keycloak.ssl-required=external
>> keycloak.resource=docs-svc-uma
>> keycloak.cors=true
>> keycloak.use-resource-role-mappings=true
>> keycloak.verify-token-audience=false
>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>> keycloak.confidential-port=0
>> keycloak.bearer-only=true
>>
>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>> keycloak.securityConstraints[0].authRoles[0] = user
>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>>
>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>> keycloak.securityConstraints[1].authRoles[0] = admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>
>> logging.level.org.keycloak=DEBUG
>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>
>> # policy enforcer
>> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
>> keycloak.policy-enforcer-config.lazy-load-paths=true
>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>
>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>> keycloak.policy-enforcer-config.paths[0].path=/*
>>
>> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
>> keycloak.policy-enforcer-config.paths[1].path=/admin/*
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>
>> keycloak.policy-enforcer-config.paths[2].name=Documents
>> keycloak.policy-enforcer-config.paths[2].path=/documents/
>> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
>> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
>> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
>> keycloak.policy-enforcer-config.paths[3].name=Documents
>> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
>> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
>> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
>> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
>> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
>> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
>> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>>
>> Client authorisation config:
>> {
>>   "allowRemoteResourceManagement": true,
>>   "policyEnforcementMode": "ENFORCING",
>>   "resources": [
>>     {
>>       "name": "Admin Resources",
>>       "type": "urn:docs-svc-uma:resources:admin",
>>       "ownerManagedAccess": false,
>>       "attributes": {},
>>       "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
>>       "uris": [
>>         "/admin/*",
>>         "/admin"
>>       ],
>>       "icon_uri": ""
>>     },
>>     {
>>       "name": "Documents",
>>       "type": "urn:docs-svc-uma:resources:documents",
>>       "ownerManagedAccess": false,
>>       "attributes": {},
>>       "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
>>       "uris": [
>>         "/documents/{id}",
>>         "/documents/"
>>       ],
>>       "scopes": [
>>         { "name": "view" },
>>         { "name": "update" },
>>         { "name": "delete" },
>>         { "name": "create" },
>>         { "name": "list" }
>>       ]
>>     }
>>   ],
>>   "policies": [
>>     {
>>       "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
>>       "name": "Default Policy",
>>       "description": "A policy that grants access only for users within this realm",
>>       "type": "js",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "AFFIRMATIVE",
>>       "config": {
>>         "code": "// by default, grants any permission associated with this
>> policy\n$evaluation.grant();\n"
>>       }
>>     },
>>     {
>>       "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
>>       "name": "Never",
>>       "type": "js",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "UNANIMOUS",
>>       "config": {
>>         "code": "$evaluation.deny();"
>>       }
>>     },
>>     {
>>       "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
>>       "name": "List Documents",
>>       "type": "scope",
>>       "logic": "POSITIVE",
>>       "decisionStrategy": "UNANIMOUS",
>>       "config": {
>>         "resources": "[\"Documents\"]",
>>         "scopes": "[\"list\"]",
>>         "applyPolicies": "[\"Default Policy\"]"
>>       }
>>     }
>>   ],
>>   "scopes": [
>>     { "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae", "name": "create" },
>>     { "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2", "name": "delete" },
>>     { "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050", "name": "update" },
>>     { "id": "d72a9d39-3750-41c4-954f-0db7853cb964", "name": "list" },
>>     { "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402", "name": "view", "iconUri": "" }
>>   ]
>> }
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From psilva at redhat.com Mon Feb 4 07:46:02 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 4 Feb 2019 10:46:02 -0200
Subject: [keycloak-user] Configure authorization with SAML
In-Reply-To:
References:
Message-ID:

Hi John,

Yes, there is no easy way to do that right now when using SAML. There is an extension [1] though that works for OIDC.

I dunno if we are going to invest in authorization for SAML, but you can open an RFE and try to get votes from other interested parties.

Best regards.
Pedro Igor

[1] https://www.keycloak.org/extensions.html

On Sun, Feb 3, 2019 at 6:32 AM John Doe wrote:
> Dear Keycloak users,
> First of all I would like to thank you for committing to this project.
>
> I configured Keycloak with FreeIPA.
> I have a single realm in Keycloak (master realm) and all of my SAML clients are in this realm. Right now I want to limit access to the "Weekdone.com SAML client" for certain users, and as I searched I found out there is no authorization on SAML and it's under development. Can you please tell me about its status?
>
> If it's not available right now, how can I implement it?
> Is it OK if I create a "weekdone users" group in FreeIPA and create another realm in Keycloak and add the weekdone SAML client to that realm?
>
> I think that makes a mess in the long term but I found no other solution.
>
> References to this issue:
> http://lists.jboss.org/pipermail/keycloak-user/2017-September/011759.html
> https://www.reddit.com/r/selfhosted/comments/8ah2we/keycloak_authorization_services_for_saml/
>
> Best Regards.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From titorenko at dtg.technology Mon Feb 4 07:59:47 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Mon, 4 Feb 2019 15:59:47 +0300
Subject: [keycloak-user] Policy Enforcer: enforcement-mode=ENFORCING question
In-Reply-To:
References: <1BE68D4B-7D2C-4DF9-A3F5-989A2C9CCA9A@dtg.technology> <6098E33D-212F-494A-8632-40A05CD82167@dtg.technology> <87075730-D3DB-461E-AB33-B1087D160519@dtg.technology>
Message-ID:

Thanks!

> On 4 Feb 2019, at 15:58, Pedro Igor Silva wrote:
>
> Yeah, you are right. I've created https://issues.jboss.org/browse/KEYCLOAK-9483 to track this and make this behaviour more intuitive without forcing you to create additional permissions or only associate scopes.
>
> On Mon, Feb 4, 2019 at 10:52 AM Alexey Titorenko wrote:
> Ok, thank you, Pedro.
>
> Just a few words about this.
>
> If I look at the description of the 'Resource' field, it says that it is just a filter for the scopes field shown below it (see screenshot below).
> If this filter has side effects and changes the access area, then it is even more strange and dangerous.
> This might be problematic if I have two resources in my service that have the same set of scopes (or intersecting sets).
>
>
> Again, thank you for the Jira ticket.
>
> Alexey
>
>
>
>
>
>> On 4 Feb 2019, at 15:41, Pedro Igor Silva wrote:
>>
>> Or just leave "list" and remove the resource from your permission ....
>>
>> I agree with you, will open a JIRA to make this more intuitive.
>>
>> Tks
>>
>>
>> On Mon, Feb 4, 2019 at 10:39 AM Alexey Titorenko wrote:
>> Hi Pedro.
>>
>> Ok, I understand. In my opinion it is a bit unintuitive and dangerous, as a scope-based permission opens access to the whole resource. Yes, if I specify permissions for all scopes, then it works fine.
>>
>> Thank you!
>>
>> Alexey
>>
>>
>>> On 4 Feb 2019, at 15:32, Pedro Igor Silva wrote:
>>>
>>> The main point here is that you are granted with a permission without any scope:
>>>
>>> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>>>
>>> The policy enforcer understands that "no scopes" means access to the resource itself, and that explains why you are able to access that protected resource.
>>>
>>> The reason why you are granted a permission with no scopes is that the policy engine checks whether or not the permission (regardless of whether it is scope- or resource-based) is associated with a resource. If so, access to the resource is granted.
>>>
>>> You can try removing the resource from the "List Documents" permission and leave only the "list" scope.
>>>
>>> Another option is to define a scope-based permission for each scope.
>>>
>>> Lastly, I'm wondering if we should only grant access to a resource if the permission is actually a resource-based permission. Then none of the steps above would be necessary and your configuration would work as expected.
>>>
>>> Wdyt ?
>>>
>>> On Mon, Feb 4, 2019 at 7:54 AM Alexey Titorenko wrote:
>>> Hello guys!
>>>
>>> Could someone help me with this.
>>>
>>> I'm playing with policy enforcers in a test Spring Boot application, trying to find how to apply it to our cases. I'm trying to investigate how 'ENFORCING' mode works with scope-based permissions.
>>>
>>> My intuitive understanding of this:
>>> if a resource does not have any permissions defined on it, then access is denied for any scope requested.
>>> if a resource has some permissions, then access to scopes not covered by any existing permission is always denied.
>>>
>>> What I see in reality:
>>> the first case works fine. Access to my service is denied if no permissions are defined on it.
>>> if the resource has a permission controlling access to one scope, then access to the other scopes is always GRANTED.
>>>
>>> In particular, I've created a demo REST document storage service, which defines CRUD operations, plus one 'list' operation to get the list of documents for an entity. All these operations are covered by a corresponding scope (create, view, update, delete, list). After that:
>>> If I have no permissions defined for this service, then no access is granted whatever scope I request.
>>> If I define a scope-based permission, let's say, controlling access to the 'list' scope on the resource, then access is automatically granted to requests for all CRUD operations, for example, for the 'create' operation.
>>>
>>> Is this how it is intended to work or not? My expectation is that everything should be denied (every scope) until explicitly allowed by some permission.
>>>
>>> Below are debug log messages that might be of some interest, my policy enforcer config, and some screenshots.
>>>
>>> The first log entry corresponds to the 'create' operation with the 'create' scope and the other one to the 'list' operation.
>>>
>>> Thank you,
>>> Alexey.
>>>
>>> From Logs:
>>> 2019-02-04 12:29:12.698 DEBUG 5364 --- [nio-8085-exec-4] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/{id}', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[]}]].
>>>
>>> 2019-02-04 12:29:11.846 DEBUG 5364 --- [nio-8085-exec-3] o.k.a.a.AbstractPolicyEnforcer : Authorization GRANTED for path [PathConfig{name='Documents', type='null', path='/documents/', scopes=[], id='b14999a7-0853-4063-8fe6-c0469a975846', enforcerMode='ENFORCING'}]. Permissions [[Permission {id=b14999a7-0853-4063-8fe6-c0469a975846, name=Documents, scopes=[list]}]].
>>>
>>> Config
>>> svc.name =docs-uma
>>> server.port = 8085
>>> keycloak.realm=DemoApp
>>> keycloak.auth-server-url=http://localhost:8180/auth
>>> keycloak.ssl-required=external
>>> keycloak.resource=docs-svc-uma
>>> keycloak.cors=true
>>> keycloak.use-resource-role-mappings=true
>>> keycloak.verify-token-audience=false
>>> keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
>>> keycloak.confidential-port=0
>>> keycloak.bearer-only=true
>>>
>>> keycloak.securityConstraints[0].securityCollections[0].name = secured operation
>>> keycloak.securityConstraints[0].authRoles[0] = user
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/*
>>>
>>> keycloak.securityConstraints[1].securityCollections[0].name = admin operation
>>> keycloak.securityConstraints[1].authRoles[0] = admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
>>> keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/
>>>
>>> logging.level.org.keycloak=DEBUG
>>> logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG
>>>
>>> # policy enforcer
>>> keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
>>> keycloak.policy-enforcer-config.lazy-load-paths=true
>>> keycloak.policy-enforcer-config.on-deny-redirect-to=/public
>>>
>>> keycloak.policy-enforcer-config.paths[0].name=Public Resources
>>> keycloak.policy-enforcer-config.paths[0].path=/*
>>>
>>> keycloak.policy-enforcer-config.paths[1].name=Admin Resources
>>> keycloak.policy-enforcer-config.paths[1].path=/admin/*
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[some-claim]={request.uri}
>>> keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[claims-from-document]={request.uri}
>>>
>>> keycloak.policy-enforcer-config.paths[2].name=Documents
>>> keycloak.policy-enforcer-config.paths[2].path=/documents/
>>> keycloak.policy-enforcer-config.paths[2].methods[0].method=POST
>>> keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=create
>>> keycloak.policy-enforcer-config.paths[2].methods[1].method=GET
>>> keycloak.policy-enforcer-config.paths[2].methods[1].scopes[0]=list
>>> keycloak.policy-enforcer-config.paths[3].name=Documents
>>> keycloak.policy-enforcer-config.paths[3].path=/documents/{id}
>>> keycloak.policy-enforcer-config.paths[3].methods[0].method=GET
>>> keycloak.policy-enforcer-config.paths[3].methods[0].scopes[0]=get
>>> keycloak.policy-enforcer-config.paths[3].methods[1].method=POST
>>> keycloak.policy-enforcer-config.paths[3].methods[1].scopes[0]=update
>>> keycloak.policy-enforcer-config.paths[3].methods[2].method=DELETE
>>> keycloak.policy-enforcer-config.paths[3].methods[2].scopes[0]=delete
>>>
>>> Client authorisation config:
>>> {
>>> "allowRemoteResourceManagement": true,
>>> "policyEnforcementMode": "ENFORCING",
>>> "resources": [
>>> {
>>> "name": "Admin Resources",
>>> "type": "urn:docs-svc-uma:resources:admin",
>>> "ownerManagedAccess": false,
>>> "attributes": {},
>>> "_id": "0ca1b086-c3d1-47eb-8fa6-3bb699af8791",
>>> "uris": [
>>> "/admin/*",
>>> "/admin"
>>> ],
>>> "icon_uri": ""
>>> },
>>> {
>>> "name": "Documents",
>>> "type": "urn:docs-svc-uma:resources:documents",
>>> "ownerManagedAccess": false,
>>> "attributes": {},
>>> "_id": "b14999a7-0853-4063-8fe6-c0469a975846",
>>> "uris": [
>>> "/documents/{id}",
>>> "/documents/"
>>> ],
>>> "scopes": [
>>> {
>>> "name": "view"
>>> },
>>> {
>>> "name": "update"
>>> },
>>> {
>>> "name": "delete"
>>> },
>>> {
>>> "name": "create"
>>> },
>>> {
>>> "name": "list"
>>> }
>>> ]
>>> }
>>> ],
>>> "policies": [
>>> {
>>> "id": "72f8ced8-8b2f-41f3-be41-c371e5d66788",
>>> "name": "Default Policy",
>>> "description": "A policy that grants access only for users within this realm",
>>> "type": "js",
>>> "logic": "POSITIVE",
>>> "decisionStrategy": "AFFIRMATIVE",
>>> "config": {
>>> "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
>>> }
>>> },
>>> {
>>> "id": "b786a8bb-3705-4df6-86cd-c041065d3703",
>>> "name": "Never",
>>> "type": "js",
>>> "logic": "POSITIVE",
>>> "decisionStrategy": "UNANIMOUS",
>>> "config": {
>>> "code": "$evaluation.deny();"
>>> }
>>> },
>>> {
>>> "id": "6ca70fa3-907b-4368-97cb-3aadc1b6d5db",
>>> "name": "List Documents",
>>> "type": "scope",
>>> "logic": "POSITIVE",
>>> "decisionStrategy": "UNANIMOUS",
>>> "config": {
>>> "resources": "[\"Documents\"]",
>>> "scopes": "[\"list\"]",
>>> "applyPolicies": "[\"Default Policy\"]"
>>> }
>>> }
>>> ],
>>> "scopes": [
>>> {
>>> "id": "be6a7101-f5a3-4b9f-a6be-349e167e89ae",
>>> "name": "create"
>>> },
>>> {
>>> "id": "ba3a7575-db45-407b-b74a-4e8b1fc461c2",
>>> "name": "delete"
>>> },
>>> {
>>> "id": "e749c197-b70a-4ccd-a719-1c9ef40b6050",
>>> "name": "update"
>>> },
>>> {
>>> "id": "d72a9d39-3750-41c4-954f-0db7853cb964",
>>> "name": "list"
>>> },
>>> {
>>> "id": "6ee46777-a0ee-492a-bb4e-ef8aaeb8f402",
>>> "name": "view",
>>> "iconUri": ""
>>> }
>>> ]
>>> }
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From denis.danov at dreamix.eu Mon Feb 4 08:45:46 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Mon, 4 Feb 2019 15:45:46 +0200
Subject: [keycloak-user] User to role and user to group relationships are not imported from LDAP
Message-ID:

Hi Keycloak users,

Is it possible to extract the relationship between user and role, user and group, role and group?
In our setup we have LDAP user federation and we have configured role and group mappers in IMPORT mode. However I cannot see the data in keycloak's DB. Is there additional configuration that needs to be made?

Regards,
Denis

From madhura.nishshanka at gmail.com Mon Feb 4 08:47:17 2019
From: madhura.nishshanka at gmail.com (madhura nishshanka)
Date: Mon, 4 Feb 2019 19:17:17 +0530
Subject: [keycloak-user] Remove realm in HA environment throw org.keycloak.models.ModelException: javax.persistence.OptimisticLockException
In-Reply-To:
References:
Message-ID:

I was invoking the following steps 1, 2, and 3 sequentially in one thread and then the 4th step in a separate thread. The whole test was done with multiple threads in parallel.

1) Create realm with a user
2) Create another user on the same realm
3) Delete original user
4) Delete the new realm.

On Mon, Feb 4, 2019, 6:10 PM Sebastian Laskawiec wrote:

> Let me add +Marek Posolda , maybe he'll have better
> idea, what might be causing this...
>
> The error happened here [1]. Hibernate wanted to remove a given RoleEntity
> object but between `em.remove(roleEntity)` and `em.flush()`, some other
> transaction had removed that object from the database.
>
> One of the things that could result in such a behavior is deleting
> multiple realms at the same time. Could you please tell us more about your
> test?
> How it works, does it perform operations in sequential order or in
> parallel?
>
> One improvement we could do on our side is to swap flushing the
> EntityManager and publishing events. That could also potentially solve your
> problem. Marek, what do you think about this?
>
> Thanks,
> Sebastian
>
> [1]
> https://github.com/keycloak/keycloak/blob/7d85ce93bbf33eb11981a6c118abc48cab39742d/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java#L320
>
> On Fri, Feb 1, 2019 at 5:12 AM madhura nishshanka <
> madhura.nishshanka at gmail.com> wrote:
>
>> Hi All,
>>
>> I am getting "org.keycloak.models.ModelException:
>> javax.persistence.OptimisticLockException: Batch update returned
>> unexpected
>> row count from update [0]; actual row count: 0; expected: 1" when a realm
>> is deleted from the keycloak java admin client. This occurs in a HA environment
>> when we do a performance test. Can someone please help me on this?
>>
>> I am using keycloak 4.8.1 final.
>>
>> Full exception
>> 11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>> at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
>> at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
>> at com.sun.proxy.$Proxy99.flush(Unknown Source)
>> at org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320)
>> at org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567)
>> at *org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)*
>> at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486)
>> at
org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248) >> at >> >> org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at >> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at >> >> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >> at >> >> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >> at >> >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >> at >> >> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >> at >> >> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> at >> >> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >> at >> >> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >> at >> >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >> at >> >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) >> at >> >> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) >> at >> >> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >> at >> >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >> at >> >> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >> at >> >> 
org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >> at >> >> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >> at >> >> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >> at >> >> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >> at >> >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >> at >> >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >> at >> >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >> at >> >> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >> at >> >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >> at >> >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >> at >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >> at >> >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >> at >> >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >> at >> >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> >> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >> at >> >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> at >> >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> >> 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >> at >> >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> at >> >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> at >> >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> at >> >> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> >> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >> at >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >> at >> >> 
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >> at >> >> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >> at >> >> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >> at >> >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >> at >> >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >> at >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) >> at >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) >> at >> >> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) >> at >> >> 
org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) >> at >> >> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) >> at >> >> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) >> at java.lang.Thread.run(Thread.java:748) >> Caused by: javax.persistence.OptimisticLockException: Batch update >> returned >> unexpected row count from update [0]; actual row count: 0; expected: 1 >> at >> >> org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238) >> at >> >> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93) >> at >> >> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181) >> at >> >> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188) >> at >> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460) >> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440) >> at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source) >> at >> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at >> >> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) >> ... 
78 more >> Caused by: org.hibernate.StaleStateException: Batch update returned >> unexpected row count from update [0]; actual row count: 0; expected: 1 >> at >> >> org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67) >> at >> >> org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54) >> at >> >> org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46) >> at >> >> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478) >> at >> >> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735) >> at >> >> org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99) >> at >> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604) >> at >> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478) >> at >> >> org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356) >> at >> >> org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) >> at >> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454) >> ... 83 more >> >> Thanks >> Madhura >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From dt at acutus.pro Mon Feb 4 18:01:43 2019 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 05 Feb 2019 02:01:43 +0300 Subject: [keycloak-user] User to role and user to group relationships are not imported from LDAP In-Reply-To: References: Message-ID: <1549321303.6049.8.camel@acutus.pro> Hello Denis, Which version of Keycloak are you using? By "cannot see data in Keycloak's DB" do you mean directly in the database, or just in Admin Console GUI? Cheers, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-02-04 at 15:45 +0200, Denis Danov wrote:
> Hi Keycloak users,
>
> Is it possible to extract the relationship between user and role, user and
> group, role and group?
> In our setup we have LDAP user federation and we have configured role and
> group mappers in IMPORT mode. However I cannot see the data in keycloak's
> DB. Is there additional configuration that needs to be made?
>
> Regards,
> Denis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Feb 4 18:15:25 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 05 Feb 2019 02:15:25 +0300
Subject: [keycloak-user] Customize saml response
In-Reply-To:
References:
Message-ID: <1549322125.6049.10.camel@acutus.pro>

Hello Pulkit,

This is how identity brokering works. Keycloak cannot simply reuse the incoming SAML assertion, so it creates a new one for your target application. But there is limited control over the attribute passthrough via mappers. What are the exact attributes you're talking about? Do you think they can be mapped to user properties/attributes? (like first name / last name etc.)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-01-29 at 18:55 +0530, Pulkit Srivastava wrote:
> Hi,
> I am using as external idp with keycloak. External idp sends SAML response
> to keycloak but keycloak modifies that response before sending it to the
> application, so i am unable to get some important attributes. How can we
> stop keycloak from modifying the response or how can we customize the
> response.
>
> Thanks,
> Pulkit
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Feb 4 18:21:33 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 05 Feb 2019 02:21:33 +0300
Subject: [keycloak-user] using my own email template engine
In-Reply-To:
References:
Message-ID: <1549322493.6049.12.camel@acutus.pro>

Hi Ori,

Yes, this is the right SPI. Since it's internal and not as popular as the custom REST, JPA etc. SPIs, you probably won't find anything in the docs or quickstarts. Hence, the built-in FreeMarkerEmailTemplateProvider is the best and the only example available :)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-02-04 at 12:39 +0000, Ori Doolman wrote:
> Hi,
>
> I'd like to have my own email templating engine and email notification system, rather than using the built-in FreeMarker one coming OOTB with Keycloak.
> I wonder what the best way would be to do that.
>
> I see that the relevant classes are FreeMarkerEmailTemplateProvider, FreeMarkerEmailTemplateProviderFactory.
> I also see that there is an SPI EmailTemplateSpi class, but I see no documentation about it.
>
> Is this the SPI I should use and implement?
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
>
> This email and the information contained herein is proprietary and confidential and subject to the Amdocs Email Terms of Service, which you may review at https://www.amdocs.com/about/email-terms-of-service
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Feb 4 18:27:36 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 05 Feb 2019 02:27:36 +0300
Subject: [keycloak-user] assign client roles to a user using keycloak rest API
In-Reply-To:
References:
Message-ID: <1549322856.6049.14.camel@acutus.pro>

Hello Dimitris,

You should use another call to a role-mappers endpoint, see [1] and [2].

[1] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_role_mapper_resource
[2] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_client_role_mappings_resource

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-02-04 at 11:39 +0200, Dimitris Charlaftis wrote:
> Hello,
>
> I want to assign a client role to a specific user using keycloak rest API.
>
> From the documentation, i tried this:
>
> I have a realm called internal_applications and a client under this
> realm called test_app. In this client (test_app), I have manually
> created some client roles, i.e. administrator.
>
> Then, I hit the server with postman
>
> HTTP POST http:///auth/admin/realms//users
>
> BODY:
>
> {
>
> "username": "jim at ka.gr ",
> "firstName": "Jim",
> "lastName": "Sanders",
>
> "email": "jim at ka.gr ",
> "clientRoles": {
> "test_app": ["administrator"]
> }
>
> }
>
> This http call adds the user jim at ka.gr to keycloak, but DOES NOT ASSIGN
> the already existing client role administrator to him.
>
> How can I do this?
>
> Please, help...
>
> Dimitris
>

From dt at acutus.pro Mon Feb 4 18:38:46 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 05 Feb 2019 02:38:46 +0300
Subject: [keycloak-user] Getting timestamp from EVENT_ENTITY
In-Reply-To:
References:
Message-ID: <1549323526.6049.17.camel@acutus.pro>

Hello Edmund,

This is beyond the SQL spec, and therefore will be database-dependent. For example, with PostgreSQL you can do this:

SELECT to_timestamp(event_time/1000) FROM event_entity;

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-01-29 at 14:07 +0800, Edmund Loh wrote:
> The EVENT_TIME column in the EVENT_ENTITY table is stored as datatype
> NUMBER(38,0). How can I go about converting this to a timestamp through the
> use of SQL statements?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Feb 4 19:32:52 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 05 Feb 2019 03:32:52 +0300
Subject: [keycloak-user] Role Mappings on Subsequent Logons
In-Reply-To: <3B6263F0-3A89-4573-B1F3-3658A6041113@contoso.com>
References: <3B6263F0-3A89-4573-B1F3-3658A6041113@contoso.com>
Message-ID: <1549326772.6049.20.camel@acutus.pro>

Hi Will,

The claims are in fact reevaluated upon subsequent logons, but only in the aspect of role revocation [1].
In other words, the role is revoked when the claim "disappears", but isn't granted should the claim "appear". It's trivial to fix; I think you could file a JIRA issue and maybe submit a PR. Meanwhile, you could implement and deploy your own custom IdentityProviderMapper containing the fix.

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/oidc/mappers/ClaimToRoleMapper.java#L108

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2019-01-18 at 13:30 +0000, Will Osborn wrote:
> Hi,
>
> I have set up a keycloak server and, using an identity provider, successfully set up SSO with claims to role mappings. Is there any way to allow subsequent logons to recheck the claims and reapply the role mappings so if they change in the identity provider system those changes are passed through to Keycloak?
>
> Thanks
> Will
>
> Will Osborn | Head of delivery
> Phone +44 203 9301640
> VAKT Global Ltd, Floor 24
> 1 Canada Square,
> London, E14 5AB
> Disclaimer: This e-mail and any attachment may contain information that is privileged or confidential. It is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, please notify the author immediately by telephone or by replying to this e-mail, and then delete all copies of the e-mail on your system. If you are not the intended recipient, you must not use, disclose, distribute, copy, print or rely on this e-mail.
> > Whilst we have taken reasonable precautions to ensure that this e-mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we cannot accept liability for any damage sustained as a result of software viruses. We would advise that you carry out your own virus checks, especially before opening an attachment. > > VAKT Global Limited is registered in England and Wales under the Company Number 11295972. Its registered office is Floor 24, 1 Canada Square, London, E14 5AB. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Tue Feb 5 01:20:39 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Feb 2019 07:20:39 +0100 Subject: [keycloak-user] Switching to Native JavaScript promise by default In-Reply-To: <1548656273.19952.1.camel@acutus.pro> References: <1548656273.19952.1.camel@acutus.pro> Message-ID: The switch will most likely be done in Keycloak 6, which is a while from now. So we should fix any issues in the meantime. Can you report a bug for this issue please? On Mon, 28 Jan 2019 at 07:18, Dmitry Telegin
wrote:

> Hi, are there any particular plans for it?
>
> I think I've found a promise-related bug in the JS adapter, but I'm not sure if it makes any sense fixing it, since the whole thing is going to be transitioned to native promises.
>
> The bug is that the success()/error() functions are expected in doLogin() (keycloak.js:145), but the corresponding createPromise() is called without the explicit true arg (line 1163), so if { promiseType: 'native' } is used, doLogin() will barf with "TypeError: kc.login(...).success is not a function".
>
> Cheers,
> Dmitry
>
> On Thu, 2019-01-17 at 08:55 +0100, Stian Thorgersen wrote:
> > I would like to switch the JavaScript adapter to use Native promises by default and deprecate the legacy promise with the aim to remove it in the future.
> >
> > This would result in users that want to continue to use the legacy promise having to explicitly enable this in the config.
> >
> > I see this as the best path to eventually remove the legacy promises.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From madhura.nishshanka at gmail.com Tue Feb 5 02:04:49 2019
From: madhura.nishshanka at gmail.com (madhura nishshanka)
Date: Tue, 5 Feb 2019 12:34:49 +0530
Subject: [keycloak-user] Uncaught server error: java.lang.IllegalStateException: Could not find composite in role admin:
In-Reply-To:
References:
Message-ID:

Can someone please help me on this?

On Fri, Feb 1, 2019 at 12:06 PM madhura nishshanka <madhura.nishshanka at gmail.com> wrote:

> Hi All,
>
> I am getting the following exception when I execute the create realm and delete realm REST APIs concurrently. Is this a known issue in keycloak? The jmeter script used is also attached. Can someone please help me on this?
>
> [stack trace quoted from the original message omitted]
>
> Thanks
> Madhura
>

From denis.danov at dreamix.eu Tue Feb 5 02:32:11 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Tue, 5 Feb 2019 09:32:11 +0200
Subject: [keycloak-user] User to role and user to group relationships are not imported from LDAP
In-Reply-To: <1549321303.6049.8.camel@acutus.pro>
References: <1549321303.6049.8.camel@acutus.pro>
Message-ID:

Hi Dmitry,

we are using community version 3.4.3.Final. Also we are accessing the database directly because the REST API does not provide the data we need.

Regards,
Denis

On Tue, Feb 5, 2019 at 1:01 AM Dmitry Telegin
wrote:

> Hello Denis,
>
> Which version of Keycloak are you using? By "cannot see data in Keycloak's DB" do you mean directly in the database, or just in the Admin Console GUI?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2019-02-04 at 15:45 +0200, Denis Danov wrote:
> > Hi Keycloak users,
> >
> > Is it possible to extract the relationship between user and role, user and group, role and group?
> > In our setup we have LDAP user federation and we have configured role and group mappers in IMPORT mode. However I cannot see the data in keycloak's DB. Is there additional configuration that needs to be made?
> >
> > Regards,
> > Denis
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dharlaftis at ekt.gr Tue Feb 5 03:46:41 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Tue, 5 Feb 2019 10:46:41 +0200
Subject: [keycloak-user] assign client roles to a user using keycloak rest API
In-Reply-To: <1549322856.6049.14.camel@acutus.pro>
References: <1549322856.6049.14.camel@acutus.pro>
Message-ID:

Hello,

thank you for the reply. In [2], in the call POST /{realm}/groups/{id}/role-mappings/clients/{client} there is no reference to the username, so the API cannot understand which user we are referring to. I want to assign a client role to a specific user, but it seems that this call you sent me refers to adding roles per client application.

Please, can you help?

Regards,
Dimitris

On 2/5/2019 1:27 AM, Dmitry Telegin wrote:
> Hello Dimitris,
>
> You should use another call to a role-mappers endpoint, see [1] and [2].
>
> [1] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_role_mapper_resource
> [2] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_client_role_mappings_resource
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2019-02-04 at 11:39 +0200, Dimitris Charlaftis wrote:
>> Hello,
>>
>> I want to assign a client role to a specific user using the keycloak rest API.
>>
>> From the documentation, i tried this:
>>
>> I have a realm called internal_applications and a client under this realm called test_app. In this client (test_app), I have manually created some client roles, i.e. administrator.
>>
>> Then, I hit the server with postman
>>
>> HTTP POST http:///auth/admin/realms//users
>>
>> BODY:
>>
>> {
>>     "username": "jim at ka.gr",
>>     "firstName": "Jim",
>>     "lastName": "Sanders",
>>     "email": "jim at ka.gr",
>>     "clientRoles": {
>>         "test_app": ["administrator"]
>>     }
>> }
>>
>> This http call adds the user jim at ka.gr to keycloak, but DOES NOT ASSIGN the already existing client role administrator to him.
>>
>> How can I do this?
>>
>> Please, help...
>>
>> Dimitris
>>

--
_____________________________
Dimitris Charlaftis
Software Engineer
National Documentation Center
email: dharlaftis at ekt.gr
_____________________________

From titorenko at dtg.technology Tue Feb 5 04:12:26 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Tue, 5 Feb 2019 12:12:26 +0300
Subject: [keycloak-user] Policy Evaluation Rules
Message-ID:

Hello guys!

Could you please help me with understanding how policies are evaluated? I have a REST service with several operations. Each of them is protected by a corresponding scope (create, view, update, delete, list).
For each of these scopes I defined a scope-based permission which controls access to its scope. All of the permissions have just one "Default" policy, which grants access to any user. The "delete" permission in addition has a JavaScript-based policy which checks if the caller is the author of the document. So, only one permission is configured to evaluate the "Author" policy.

I expect that the "Author" policy will only be evaluated when the "delete" operation on the service is called. But I see that it is evaluated each time ANY operation is called.

So, if all policies are evaluated for each call, then what is the purpose of specifying policies in permissions? What is the right way to use policies then?

Thank you,
Alexey.

From Felix.Knecht at hrm-systems.ch Tue Feb 5 04:37:24 2019
From: Felix.Knecht at hrm-systems.ch (Felix Knecht)
Date: Tue, 5 Feb 2019 09:37:24 +0000
Subject: [keycloak-user] Get the realms through the Client Admin Api
Message-ID: <9e378f4090d74138819e71ea725b8f06@hrm-systems.ch>

Ciao Luca

In my case it turned out that the RESTEasy client used the wrong annotations provider, so the @JsonProperty was not recognized and was null therefore.
What helped in my case was to set the annotation provider explicitly:

    import com.fasterxml.jackson.databind.ObjectMapper;
    import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
    import org.jboss.resteasy.client.jaxrs.ResteasyClient;
    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;

    ResteasyClientBuilder clientBuilder = new ResteasyClientBuilder()
            .connectionPoolSize(20)
            .maxPooledPerRoute(2);

    // Anonymous subclass: RESTEasy skips registering a provider class it already
    // knows as a built-in, so a distinct subclass is needed to override it
    ResteasyJackson2Provider jacksonProvider = new ResteasyJackson2Provider() {};
    ObjectMapper objectMapper = new ObjectMapper();
    // Use Jackson's own annotation introspector so @JsonProperty is honoured
    objectMapper.setAnnotationIntrospector(new JacksonAnnotationIntrospector());
    jacksonProvider.setMapper(objectMapper);
    // Register with a high priority so it takes precedence over the default provider
    clientBuilder.register(jacksonProvider, 100);
    ResteasyClient client = clientBuilder.build();

    Keycloak keycloak = KeycloakBuilder.builder()
            .serverUrl("http://localhost:8180/auth")
            .resteasyClient(client)
            .clientId("admin-cli")
            .realm("master")
            .username("admin")
            .password("admin")
            .build();

    keycloak.realm("master").clients().findAll();

Cheers
Felix

From max at mascanc.net Tue Feb 5 05:09:34 2019
From: max at mascanc.net (max at mascanc.net)
Date: Tue, 5 Feb 2019 11:09:34 +0100
Subject: [keycloak-user] Issue with SAML AuthnRequest
Message-ID: <20190205100934.mybiqca6gnhkic56@spirit6.local>

Hi All,

I'm using Keycloak keycloak-4.8.3.Final with Java build 1.8.0_151-b12 as SAML Identity provider. My client sends signed SAML AuthnRequests using the HTTP POST Web Browser SSO profile, and Keycloak fails verifying the signature (different digests). By dumping the SAMLRequest message with wireshark on the Keycloak machine and validating its signature with Oxygen 12, the signature is fine. However Keycloak has an issue verifying it, with the attached log. This is usually a canonicalization problem. I could provide the TCPDumps to reproduce the error.

Any idea?

Thanks a lot!

2019-02-04 17:10:38,458 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
2019-02-04 17:10:38,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing?
false 2019-02-04 17:10:38,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit 2019-02-04 17:10:38,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end 2019-02-04 17:10:38,459 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206 2019-02-04 17:10:43,458 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper 2019-02-04 17:10:43,458 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false 2019-02-04 17:10:43,458 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit 2019-02-04 17:10:43,458 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end 2019-02-04 17:10:43,458 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206 2019-02-04 17:10:48,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper 2019-02-04 17:10:48,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false 2019-02-04 17:10:48,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit 2019-02-04 17:10:48,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end 2019-02-04 17:10:48,459 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206 2019-02-04 17:10:53,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper 2019-02-04 17:10:53,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? 
false 2019-02-04 17:10:53,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit 2019-02-04 17:10:53,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end 2019-02-04 17:10:53,460 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206 2019-02-04 17:10:58,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper 2019-02-04 17:10:58,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false 2019-02-04 17:10:58,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit 2019-02-04 17:10:58,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end 2019-02-04 17:10:58,460 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206 2019-02-04 17:10:59,520 DEBUG [io.undertow.request] (default I/O-3) Matched prefix path /auth for path /auth/realms/master/protocol/saml 2019-02-04 17:10:59,521 DEBUG [io.undertow.request.security] (default task-97) Attempting to authenticate /auth/realms/master/protocol/saml, authentication required: false 2019-02-04 17:10:59,521 DEBUG [io.undertow.request.security] (default task-97) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 7238f9bf for /auth/realms/master/protocol/saml 2019-02-04 17:10:59,521 DEBUG [io.undertow.request.security] (default task-97) Authentication result was ATTEMPTED for /auth/realms/master/protocol/saml 2019-02-04 17:10:59,521 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-97) new JtaTransactionWrapper 2019-02-04 17:10:59,521 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-97) was existing? 
false 2019-02-04 17:10:59,522 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) RESTEASY002315: PathInfo: /realms/master/protocol/saml 2019-02-04 17:10:59,522 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-97) Hibernate RegisteredSynchronization successfully registered with JTA platform 2019-02-04 17:10:59,523 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-97) SAML POST 2019-02-04 17:10:59,524 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-97) SAML POST Binding 2019-02-04 17:10:59,524 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-97) bcAIFrQ6IYwak1tF9MQgcoxBFm5pWy+0xJxlt0C8mzU= 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (default task-97) Data to be signed/verified: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 2019-02-04 17:10:59,530 ERROR [org.keycloak.protocol.saml.SamlService] (default task-97) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83) at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:68) at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:501) at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:244) at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:491) at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:581) at sun.reflect.GeneratedMethodAccessor871.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at 
org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) 2019-02-04 17:10:59,531 DEBUG [org.hibernate.event.internal.AbstractSaveEventListener] (default task-97) Generated identifier: d4e07837-2fa9-4a74-9971-5847bbe24e88, using strategy: org.hibernate.id.Assigned 2019-02-04 17:10:59,532 WARN [org.keycloak.events] (default task-97) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.10.10.54, error=invalid_signature 2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it. 
2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("error_en_US.ftl"): Not found 2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("error_en.ftl"): Not found 2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("error.ftl"): Found 2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) Loading template for "error.ftl"("en_US", UTF-8, parsed) from "file:/opt/keycloak/themes/base/login/error.ftl" 2019-02-04 17:10:59,533 DEBUG [freemarker.cache] (default task-97) Couldn't find template in cache for "template.ftl"("en_US", UTF-8, parsed); will try to load it. 2019-02-04 17:10:59,534 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found 2019-02-04 17:10:59,534 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("template_en.ftl"): Not found 2019-02-04 17:10:59,534 DEBUG [freemarker.cache] (default task-97) TemplateLoader.findTemplateSource("template.ftl"): Found 2019-02-04 17:10:59,534 DEBUG [freemarker.cache] (default task-97) Loading template for "template.ftl"("en_US", UTF-8, parsed) from "file:/opt/keycloak/themes/base/login/template.ftl" 2019-02-04 17:10:59,538 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-97) JtaTransactionWrapper commit 2019-02-04 17:10:59,538 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-97) Processing flush-time cascades 2019-02-04 17:10:59,538 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-97) Dirty checking collections 2019-02-04 17:10:59,538 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-97) Flushed: 1 insertions, 0 updates, 0 deletions to 1 objects 2019-02-04 17:10:59,538 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-97) Flushed: 0 (re)creations, 
0 updates, 0 removals to 0 collections
2019-02-04 17:10:59,538 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-97) Listing entities:
2019-02-04 17:10:59,538 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-97) org.keycloak.events.jpa.EventEntity{clientId=null, realmId=master, ipAddress=10.10.10.54, id=d4e07837-2fa9-4a74-9971-5847bbe24e88, sessionId=null, time=1549296659531, error=invalid_signature, type=LOGIN_ERROR, userId=null, detailsJson=null}
2019-02-04 17:10:59,539 DEBUG [org.hibernate.SQL] (default task-97) insert into EVENT_ENTITY (CLIENT_ID, DETAILS_JSON, ERROR, IP_ADDRESS, REALM_ID, SESSION_ID, EVENT_TIME, TYPE, USER_ID, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
2019-02-04 17:10:59,539 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-97) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@2116b544[userName=keycloak]) [0/15]
2019-02-04 17:10:59,544 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-97) Skipping aggressive release due to manual disabling
2019-02-04 17:10:59,544 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-97) Initiating JDBC connection release from afterStatement
2019-02-04 17:10:59,546 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-97) Initiating JDBC connection release from afterTransaction
2019-02-04 17:10:59,546 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-97) KeycloakDS: returnConnection(27223045, false) [0/15]
2019-02-04 17:10:59,547 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-97) JtaTransactionWrapper end
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) MessageBodyWriter:
org.jboss.resteasy.plugins.providers.ByteArrayProvider
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) MessageBodyWriter: org.jboss.resteasy.plugins.providers.ByteArrayProvider
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext, Method : proceed
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) WriterInterceptor: org.jboss.resteasy.security.doseta.DigitalSigningInterceptor
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.security.doseta.i18n] (default task-97) Interceptor : org.jboss.resteasy.security.doseta.DigitalSigningInterceptor, Method : aroundWriteTo
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) Interceptor Context: org.jboss.resteasy.core.interception.ServerWriterInterceptorContext, Method : proceed
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) MessageBodyWriter: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) MessageBodyWriter: org.jboss.resteasy.plugins.providers.ByteArrayProvider
2019-02-04 17:10:59,547 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) Provider : org.jboss.resteasy.plugins.providers.ByteArrayProvider, Method : writeTo
2019-02-04 17:11:03,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
2019-02-04 17:11:03,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing?
false
2019-02-04 17:11:03,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
2019-02-04 17:11:03,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
2019-02-04 17:11:03,459 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206
2019-02-04 17:11:08,459 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
2019-02-04 17:11:08,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
2019-02-04 17:11:08,460 DEBUG [org.keycloak.models.sessions.infinispan.changes.sessions.PersisterLastSessionRefreshStore] (Timer-2) Updating 0 userSessions with lastSessionRefresh: 1549296608
2019-02-04 17:11:08,460 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (Timer-2) Hibernate RegisteredSynchronization successfully registered with JTA platform
2019-02-04 17:11:08,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
2019-02-04 17:11:08,460 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (Timer-2) Initiating JDBC connection release from afterTransaction
2019-02-04 17:11:08,460 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
2019-02-04 17:11:08,460 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$783/1903918206

From jfherouard.almerys at gmail.com Tue Feb 5 05:16:44 2019
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Tue, 5 Feb 2019 11:16:44 +0100
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
Message-ID: 

Hi,

I find a strange behaviour when using mappers with identity providers (tested on old KC 3.4 but also on KC 4.8.3).

Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute

On first connection (external to internal token exchange), user is created and has only the role, not the attribute. On next token exchange, user has the attribute and the role.

After some debug I found that TokenEndpoint.importUserFromExternalIdentity behaves differently if user already exists or not (import new user or update it). UserAttributeMapper is implementing "updateBrokeredUser" but not "importNewUser" (abstract method does nothing). AttributeToRoleMapper class overrides both methods and works well. Most AbstractIdentityProviderMapper implementations also override both.

Should I open a JIRA for this?

Thanks.

From calltosenthil at rediffmail.com Tue Feb 5 05:22:39 2019
From: calltosenthil at rediffmail.com (senthil nathan)
Date: 5 Feb 2019 10:22:39 -0000
Subject: [keycloak-user] Regarding the email Verification link
Message-ID: <1549362084.S.3419.18806.f4-234-195.1549362159.23025@webmail.rediffmail.com>

Dear KeyCloak Users,

We have a requirement to get the email verification link URL accessible to the public when we use the admin REST API. In our current architecture the application is running with a private IP; Keycloak is hosted separately and is accessible via a load balancer. We would like to use the admin REST API to get the verification link in the email with the load balancer URL instead of the private IP URL (Keycloak and the application use the private IP for admin REST API communication).

Any help on resolving this issue is appreciated.

Regards
SPS.
Nathan

From geoff at opticks.io Tue Feb 5 05:53:24 2019
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Tue, 5 Feb 2019 11:53:24 +0100
Subject: [keycloak-user] assign client roles to a user using keycloak rest API
In-Reply-To: 
References: <1549322856.6049.14.camel@acutus.pro>
Message-ID: 

Hi,

I think you're looking for this; it's not very easy to find in the docs. Search for the string below:

POST /{realm}/users/{id}/role-mappings/clients/{client}

The body would need to look something like this:

[
  {
    "id": "5da312c5-1c65-4306-affb-6e2132dfb052",
    "name": "admin",
    "composite": true,
    "clientRole": true,
    "containerId": "32296d33-f288-4762-b723-77218f1feb7d"
  }
]

The containerId is the same as the {client} in the endpoint. I'm not sure it is required.

On Tue, 5 Feb 2019 at 09:50, Dimitris Charlaftis wrote:
> Hello,
>
> thank you for the reply.
>
> In [2], in the call
>
> POST /{realm}/groups/{id}/role-mappings/clients/{client}
> there is no reference to the username, so the API cannot understand which
> user we are referring to.
>
> I want to assign a client role to a specific user, but it seems that this
> call you sent me refers to adding roles per client application.
>
> Please, can you help?
> Regards,
> Dimitris
>
> On 2/5/2019 1:27 AM, Dmitry Telegin wrote:
> > Hello Dimitris,
> >
> > You should use another call to a role-mappers endpoint, see [1] and [2].
> >
> > [1] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_role_mapper_resource
> > [2] https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_client_role_mappings_resource
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2019-02-04 at 11:39 +0200, Dimitris Charlaftis wrote:
> >> Hello,
> >>
> >> I want to assign a client role to a specific user using keycloak rest API.
> >>
> >> From the documentation, I tried this:
> >>
> >> I have a realm called internal_applications and a client under this
> >> realm called test_app. In this client (test_app), I have manually
> >> created some client roles, i.e. administrator.
> >>
> >> Then, I hit the server with postman
> >>
> >> HTTP POST http://
> /auth/admin/realms//users
> >>
> >> BODY:
> >>
> >> {
> >>   "username": "jim at ka.gr",
> >>   "firstName": "Jim",
> >>   "lastName": "Sanders",
> >>   "email": "jim at ka.gr",
> >>   "clientRoles": {
> >>     "test_app": ["administrator"]
> >>   }
> >> }
> >>
> >> This http call adds the user jim at ka.gr to keycloak, but DOES NOT ASSIGN
> >> the already existing client role administrator to him.
> >>
> >> How can I do this?
> >>
> >> Please, help...
> >>
> >> Dimitris
> >>
> --
> _____________________________
>
> Dimitris Charlaftis
> Software Engineer
>
> National Documentation Center
> email: dharlaftis at ekt.gr
> _____________________________
>
> ---
> This email has been checked for viruses by AVG.
> https://www.avg.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Regards,
Geoffrey Cleaves

From mail at markdejong.org Tue Feb 5 05:55:33 2019
From: mail at markdejong.org (Mark de Jng)
Date: Tue, 5 Feb 2019 11:55:33 +0100
Subject: [keycloak-user] Restrict access to admin console by checking if header exists
Message-ID: 

Hi,

I want to restrict the access to admin console by checking if the `CF-Connecting-IP` does not exist for a specific path.

I've checked this documentation: http://undertow.io/undertow-docs/undertow-docs-2.0.0/#predicates-attributes-and-handlers

And I've come this far, but undertow complains that my expression is not valid:

Any clue?
Thanks
Mark

From psilva at redhat.com Tue Feb 5 07:12:04 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 5 Feb 2019 10:12:04 -0200
Subject: [keycloak-user] Policy Evaluation Rules
In-Reply-To: 
References: 
Message-ID: 

It depends on how you are sending the authorization requests. If you request permissions to a resource, permissions associated with the resource and any associated scope will be evaluated. However, if you only send an authorization request for a particular scope, only permissions (and associated policies) associated with that scope are evaluated.

On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko wrote:
> Hello guys!
>
> Could you please help me with understanding how policies are evaluated?
>
> I have a REST service with several operations. Each of them is protected by a
> corresponding scope (create, view, update, delete, list). For each of these
> scopes I defined a scope-based permission which controls access to its scope.
>
> All of the permissions have just one "Default" policy, which grants access
> to any user. The "delete" permission in addition has a JavaScript-based
> policy which checks if the caller is the author of the document. So, only one
> permission is configured to evaluate the "Author" policy.
>
> I expect that the "Author" policy will only be evaluated when the "delete"
> operation on the service is called. But I see that it is evaluated each time
> ANY operation is called.
>
> So, if all policies are evaluated for each call, then what is the purpose of
> specifying policies in permissions? What is the right way to use policies
> then?
>
>
> Thank you,
> Alexey.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Tue Feb 5 08:31:04 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 5 Feb 2019 14:31:04 +0100
Subject: [keycloak-user] Remove realm in HA environment throw org.keycloak.models.ModelException: javax.persistence.OptimisticLockException
In-Reply-To: 
References: 
Message-ID: 

So perhaps you can slightly modify your performance test to do steps 1..3 multiple times and then just wipe out all the realms that were created?

On Mon, Feb 4, 2019 at 2:47 PM madhura nishshanka <madhura.nishshanka at gmail.com> wrote:
> I was invoking the following steps 1, 2 and 3 sequentially in one thread and
> then the 4th step in a separate thread. The whole test was done with
> multiple threads in parallel.
>
> 1) Create realm with a user
> 2) Create another user on the same realm
> 3) Delete original user
> 4) Delete the new realm.
>
> On Mon, Feb 4, 2019, 6:10 PM Sebastian Laskawiec wrote:
>
>> Let me add +Marek Posolda, maybe he'll have a better
>> idea what might be causing this...
>>
>> The error happened here [1]. Hibernate wanted to remove a
>> given RoleEntity object but between `em.remove(roleEntity)` and
>> `em.flush()`, some other transaction had removed that object from the
>> database.
>>
>> One of the things that could result in such a behavior is deleting
>> multiple realms at the same time. Could you please tell us more about your
>> test? How does it work, does it perform operations in sequential order or in
>> parallel?
>>
>> One improvement we could do on our side is to swap flushing the
>> EntityManager and publishing events. That could also potentially solve your
>> problem. Marek, what do you think about this?
>>
>> Thanks,
>> Sebastian
>>
>> [1] https://github.com/keycloak/keycloak/blob/7d85ce93bbf33eb11981a6c118abc48cab39742d/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java#L320
>>
>> On Fri, Feb 1, 2019 at 5:12 AM madhura nishshanka <madhura.nishshanka at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I am getting "org.keycloak.models.ModelException:
>>> javax.persistence.OptimisticLockException: Batch update returned unexpected
>>> row count from update [0]; actual row count: 0; expected: 1" when a realm
>>> is deleted from the Keycloak Java admin client. This occurs in an HA environment
>>> when we do a performance test. Can someone please help me on this?
>>>
>>> I am using keycloak 4.8.1 final.
>>>
>>> Full exception
>>> 11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>> at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
>>> at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
>>> at com.sun.proxy.$Proxy99.flush(Unknown Source)
>>> at org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320)
>>> at org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567)
>>> at *org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)*
>>> at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486)
>>> at org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248)
>>> at org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453)
>>> at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>> at >>> >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at >>> >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >>> at >>> >>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >>> at >>> >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >>> at >>> >>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >>> at >>> >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>> at >>> >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >>> at >>> >>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >>> at >>> >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >>> at >>> >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) >>> at >>> >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) >>> at >>> >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >>> at >>> >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >>> at >>> >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >>> at >>> >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >>> at >>> >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>> at >>> 
>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >>> at >>> >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >>> at >>> >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >>> at >>> >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> at >>> >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >>> at >>> >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >>> at >>> >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>> at >>> >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>> at >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> at >>> >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> at >>> >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> at >>> >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> at >>> >>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >>> at >>> >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> at >>> >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >>> at >>> >>> 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> at >>> >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> at >>> >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> at >>> >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> at >>> >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> at >>> >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> at >>> >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> at >>> >>> 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> at >>> >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> at >>> >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> at >>> >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> at >>> >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> at >>> >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>> at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) >>> at >>> >>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) >>> at >>> >>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) >>> at >>> >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) >>> at >>> >>> 
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) >>> at java.lang.Thread.run(Thread.java:748) >>> Caused by: javax.persistence.OptimisticLockException: Batch update >>> returned >>> unexpected row count from update [0]; actual row count: 0; expected: 1 >>> at >>> >>> org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238) >>> at >>> >>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93) >>> at >>> >>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181) >>> at >>> >>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188) >>> at >>> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460) >>> at >>> org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440) >>> at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source) >>> at >>> >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at >>> >>> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) >>> ... 
78 more >>> Caused by: org.hibernate.StaleStateException: Batch update returned >>> unexpected row count from update [0]; actual row count: 0; expected: 1 >>> at >>> >>> org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67) >>> at >>> >>> org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54) >>> at >>> >>> org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46) >>> at >>> >>> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478) >>> at >>> >>> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735) >>> at >>> >>> org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99) >>> at >>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604) >>> at >>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478) >>> at >>> >>> org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356) >>> at >>> >>> org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) >>> at >>> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454) >>> ... 83 more >>> >>> Thanks >>> Madhura >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From dt at acutus.pro Tue Feb 5 12:19:30 2019 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 05 Feb 2019 20:19:30 +0300 Subject: [keycloak-user] Restrict access to admin console by checking if header exists In-Reply-To: References: Message-ID: <1549387170.3726.2.camel@acutus.pro> Hello Mark, Try this: First, there should be no space between the comma and the header name. Second, you need to provide a handler (response code in your case). Cheers, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-02-05 at 11:55 +0100, Mark de Jng wrote:
> Hi,
>
> I want to restrict the access to admin console by checking if the `CF-Connecting-IP` does not exist for a specific path.
>
> I've checked this documentation: http://undertow.io/undertow-docs/undertow-docs-2.0.0/#predicates-attributes-and-handlers
>
> And I've come this far, but undertow complains that my expression is not valid:
>
>
>
> Any clue?
>
> Thanks
>
> Mark
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From philippe.gauthier at inspq.qc.ca Tue Feb 5 14:56:57 2019
From: philippe.gauthier at inspq.qc.ca (Philippe Gauthier)
Date: Tue, 5 Feb 2019 19:56:57 +0000
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
In-Reply-To: 
References: 
Message-ID: 

Hello Jean-François.

There is a Jira already open about this issue: https://issues.jboss.org/browse/KEYCLOAK-8690

I already voted for it to be fixed, you may do the same.

Thank you.
________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Jean-François HEROUARD
Sent: 5 February 2019 05:16
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)

Hi,

I find a strange behaviour when using mappers with identity providers (tested on old KC 3.4 but also on KC 4.8.3).
Here is my case:
I configured an OIDC identity provider with the following mappers:
- Claim to role: if token has claim "LICORNCLAIM" with value "true" then user has role "WONDERFULROLE"
- Attribute importer: import token claim "LICORNCLAIM" as user attribute

On first connection (external to internal token exchange), user is created and has only the role, not the attribute. On next token exchange, user has the attribute and the role.

After some debug I found that TokenEndpoint.importUserFromExternalIdentity behaves differently if user already exists or not (import new user or update it). UserAttributeMapper is implementing "updateBrokeredUser" but not "importNewUser" (abstract method does nothing). AttributeToRoleMapper class overrides both methods and works well. Most AbstractIdentityProviderMapper implementations also override both.

Should I open a JIRA for this?

Thanks.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jfherouard.almerys at gmail.com Wed Feb 6 04:57:38 2019
From: jfherouard.almerys at gmail.com (Jean-François HEROUARD)
Date: Wed, 6 Feb 2019 10:57:38 +0100
Subject: [keycloak-user] UserAttributeMapper with an Identity Provider : not working on first connection (importNewUser), working on next connections (updateBrokeredUser)
In-Reply-To: 
References: 
Message-ID: 

I vote for it, I did not catch that one but it will affect my external users' authorizations also.
I think attribute mapper is different, here is my patch for UserAttributeMapper.java (directly re-using update at user creation does the job):

    // Override the no-op importNewUser of the abstract base class so that the
    // attribute is imported on first login too, by delegating to the same logic
    // that already runs on subsequent logins (updateBrokeredUser).
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        updateBrokeredUser(session, realm, user, mapperModel, context);
    }

On Tue, 5 Feb 2019 at 20:56, Philippe Gauthier <philippe.gauthier at inspq.qc.ca> wrote:
> Hello Jean-François.
>
> There is a Jira already open about this issue:
> https://issues.jboss.org/browse/KEYCLOAK-8690
>
> I already voted for it to be fixed, you may do the same.
>
> Thank you.
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Jean-François HEROUARD
> *Sent:* 5 February 2019 05:16
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] UserAttributeMapper with an Identity Provider :
> not working on first connection (importNewUser), working on next
> connections (updateBrokeredUser)
>
> Hi,
>
> I find a strange behaviour when using mappers with identity providers
> (tested on old KC 3.4 but also on KC 4.8.3).
>
> Here is my case:
> I configured an OIDC identity provider with the following mappers:
> - Claim to role: if token has claim "LICORNCLAIM" with value "true" then
> user has role "WONDERFULROLE"
> - Attribute importer: import token claim "LICORNCLAIM" as user attribute
>
> On first connection (external to internal token exchange), user is created
> and has only the role, not the attribute. On next token exchange, user has
> the attribute and the role.
>
> After some debug I found that TokenEndpoint.importUserFromExternalIdentity
> behaves differently if user already exists or not (import new user or
> update it). UserAttributeMapper is implementing "updateBrokeredUser" but
> not "importNewUser" (abstract method does nothing).
> AttributeToRoleMapper class overrides both methods and works well. Most AbstractIdentityProviderMapper implementations also override both.
> Should I open a JIRA for this?
> Thanks.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From titorenko at dtg.technology Wed Feb 6 05:08:54 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Wed, 6 Feb 2019 13:08:54 +0300 Subject: [keycloak-user] Policy Evaluation Rules In-Reply-To: References: Message-ID: Hi! Ok, thank you. Seems, that the reason is the same as for my previous questions :) Alexey
> On 5 Feb 2019, at 15:12, Pedro Igor Silva wrote:
> It depends on how you are sending the authorization requests. If you request permissions to a resource, permissions associated with the resource and any associated scope will be evaluated. However, if you only send an authorization request for a particular scope only permissions (and associated policies) associated with that scope are evaluated.
> On Tue, Feb 5, 2019 at 7:19 AM Alexey Titorenko wrote:
> Hello guys!
> Could you please help me with understanding how policies are evaluated?
> I have REST service with several operations. Each of them is protected by corresponding scope (create, view, update, delete, list). For each of these scopes I defined scope based permission which controls access to its scope.
> All of the permissions have just one "Default" policy, which grants access to any user. A "delete" permission in addition has JavaScript-based policy which checks if caller is author of the document. So, only one permission is configured to evaluate "Author" policy.
> I expect, that "Author" policy will only be evaluated, when "delete" operation on service is called. But I see, that it is evaluated each time ANY operation is called.
> So, if all policies are evaluated for each call, then what is a purpose of specifying policies in permissions? What is a right way to use policies then?
> Thank you,
> Alexey.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael.gulitz at aseaco.de Wed Feb 6 05:21:43 2019 From: michael.gulitz at aseaco.de (Michael Gulitz) Date: Wed, 6 Feb 2019 11:21:43 +0100 Subject: [keycloak-user] Connect EAP with third party Identity Manager Message-ID: <2fcc3256-5398-4401-8767-3545f5714899@aseaco.de> Hello! We have implemented a JEE application on EAP 7 with three layers (UI (OpenUI5), REST API, EJB layer) and are using keycloak adapters and keycloak server in our local environment. This setup works fine so far with security context in all layers. But now we have to deploy the application to a different environment and must connect to a NetIQ identity server via OpenId, but the keycloak adapter uses its own specific URL pattern, etc. I cannot find any documentation how to configure EAP to allow authentication with other identity managers than keycloak or JBoss SSO. For OAuth PicketLink documentation also points to the keycloak project. Can anyone help? Thanks, Michael

From titorenko at dtg.technology Wed Feb 6 05:27:41 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Wed, 6 Feb 2019 13:27:41 +0300 Subject: [keycloak-user] Http CIP and Client's Access Token Message-ID: Hello guys! Could someone please help me with my investigation of PolicyEnforcer? I'm currently checking how "http" claim information point is working. Let's imagine typical situation when some client calls service, which, in turn, uses "http" CIP.
That is, we have following scheme: CLIENT -> Service -> ClaimService
The question is about the token, which is used to call ClaimService. I would expect, that Service should get its own token which provides access to ClaimService. But I see, that it uses CLIENT's token. Which imho means, that:
- Client knows from his token about this ClaimService although he shouldn't from the security point of view. Although, in some schemes it may be required, I agree. But not always.
- Service calls ClaimService using not his own rights, but client's rights, which makes it more difficult to control and audit access.
- Usage of ClaimService is an internal detail of the Service and may change at any time. In this case we need to reconfigure tokens for all clients calling Service, which is, again, not good.
What do you think about this? Am I right or wrong? Or should we consider OOTB 'http' CIP as a reference only? Also, http CIP does not support path parameters, which is typical situation for REST. Only query parameters. Alexey

From Pavel.Micka at zoomint.com Wed Feb 6 05:39:22 2019 From: Pavel.Micka at zoomint.com (Pavel Micka) Date: Wed, 6 Feb 2019 10:39:22 +0000 Subject: [keycloak-user] Securing multitenant microservices Message-ID: Hi, We are currently planning how to implement Keycloak to our solution. Our solution is a multitenant application composed of many microservices with fronting API and React.js clients. Our tenants are all using the same instances of the microservices (those are shared). We will go with implicit token flow, passing the JWT token through all the dependencies to achieve defense-in-depth (aka: the services do the authorization). So as we'll have many tenants we will also have many realms. Because clients are bound to individual realm, we will need to duplicate (re-register through dynamic registration every client) many times. For the worse, we will probably also use UMA, which is bound to the client, hence the privileges will be duplicated as well...
Now the questions: 1) Is it somehow possible to inherit or template the definition of the realm, so we would only change the "master realm template" and the changes would propagate to all the individual tenant realms 2) If this is not possible, what is the recommended way to support this scenario with many tenants and many services? Especially when we expect that the clients will evolve, hence updating all the clients+uma in many realms may be very painful... Thanks for your advice! Pavel // PS: if there is any good article or presentation how to achieve this, goal, please send it to me. I will be very grateful. From psilva at redhat.com Wed Feb 6 05:50:50 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 6 Feb 2019 08:50:50 -0200 Subject: [keycloak-user] Securing multitenant microservices In-Reply-To: References: Message-ID: On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka wrote: > Hi, > > We are currently planning how to implement Keycloak to our solution. Our > solution is a multitenant application composed of many microservices with > fronting API and React.js clients. Our tenants are all using the same > instances of the microservices (those are shared). > We will go with implicit token flow, passing the JWT token through all the > dependencies to achieve defense-in-depth (aka: the services do the > authorization). > > So as we'll have many tenants we will also have many realms. Because > clients are bound to individual realm, we will need to duplicate > (re-register through dynamic registration every client) many times. For the > worse, we will probably also use UMA, which is bound to the client, hence > the privileges will be duplicated as well... > > Now the questions: > > 1) Is it somehow possible to inherit or template the definition of > the realm, so we would only change the "master realm template" and the > changes would propagate to all the individual tenant realms > This is not possible. 
However, we have discussed a similar solution when we were working with Openshift Integration. I can't remember how we called this at that time, Stian should remember ....
> 2) If this is not possible, what is the recommended way to support this scenario with many tenants and many services? Especially when we expect that the clients will evolve, hence updating all the clients+uma in many realms may be very painful...
I don't think you have other option. Maybe you can make the job less painful by using our APIs to help provisioning new tenants with the "shared" configuration.
> Thanks for your advice!
> Pavel
> // PS: if there is any good article or presentation how to achieve this, goal, please send it to me. I will be very grateful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Feb 6 06:04:16 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 6 Feb 2019 09:04:16 -0200 Subject: [keycloak-user] Http CIP and Client's Access Token In-Reply-To: References: Message-ID: On Wed, Feb 6, 2019 at 8:31 AM Alexey Titorenko wrote:
> Hello guys!
> Could someone please help me with my investigation of PolicyEnforcer?
> I'm currently checking how "http" claim information point is working.
> Let's imagine typical situation when some client calls service, which, in turn, uses "http" CIP. That is, we have following scheme: CLIENT -> Service -> ClaimService
> The question is about the token, which is used to call ClaimService. I would expect, that Service should get its own token which provides access to ClaimService. But I see, that it uses CLIENT's token. Which imho means, that:
> Client knows from his token about this ClaimService although he shouldn't from the security point of view. Although, in some schemes it may be required, I agree. But not always.
> Service calls ClaimService using not his own rights, but client's rights, which makes it more difficult to control and audit access.
I see your point. However, the "http" CIP is just forwarding the client token in order to fetch from the claim service whatever claim associated with the subject represented by the token. We could easily support token exchange prior to a request to the claim service, but I think most of the times you just want to identify the subject and then resolve claims based on it. The main point here is that the claim service does not really provide a public API accessible for other components but services that are doing contextual authorization.
> Usage of ClaimService is an internal detail of the Service and may change at any time. In this case we need to reconfigure tokens for all clients calling Service, which is, again, not good.
Could you elaborate more about this, please?
> What do you think about this? Am I right or wrong? Or should we consider OOTB 'http' CIP as a reference only?
> Also, http CIP does not support path parameters, which is typical situation for REST. Only query parameters.
You can use it as a reference and create your own based on it. Depending on what you have we can discuss including your changes to upstream. Regards. Pedro Igor
> Alexey
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hariprasad.n at ramyamlab.com Wed Feb 6 06:14:49 2019 From: hariprasad.n at ramyamlab.com (Hariprasad N) Date: Wed, 6 Feb 2019 16:44:49 +0530 Subject: [keycloak-user] Securing multitenant microservices In-Reply-To: References: Message-ID: Hi Pedro Igor Silva, We also have similar requirement. You said "I don't think you have other option. Maybe you can make the job less painful by using our APIs to help provisioning new tenants with the "shared" configuration".
Can you tell me how with examples if possible. On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva wrote: > On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka > wrote: > > > Hi, > > > > We are currently planning how to implement Keycloak to our solution. Our > > solution is a multitenant application composed of many microservices with > > fronting API and React.js clients. Our tenants are all using the same > > instances of the microservices (those are shared). > > We will go with implicit token flow, passing the JWT token through all > the > > dependencies to achieve defense-in-depth (aka: the services do the > > authorization). > > > > So as we'll have many tenants we will also have many realms. Because > > clients are bound to individual realm, we will need to duplicate > > (re-register through dynamic registration every client) many times. For > the > > worse, we will probably also use UMA, which is bound to the client, hence > > the privileges will be duplicated as well... > > > > Now the questions: > > > > 1) Is it somehow possible to inherit or template the definition of > > the realm, so we would only change the "master realm template" and the > > changes would propagate to all the individual tenant realms > > > > This is not possible. However, we have discussed a similar solution when we > were working with Openshift Integration. I can't remember how we called > this at that time, Stian should remember .... > > > > > > 2) If this is not possible, what is the recommended way to support > > this scenario with many tenants and many services? Especially when we > > expect that the clients will evolve, hence updating all the clients+uma > in > > many realms may be very painful... > > > > I don't think you have other option. Maybe you can make the job less > painful by using our APIs to help provisioning new tenants with the > "shared" configuration. > > > > > > Thanks for your advice! 
> > Pavel
> > // PS: if there is any good article or presentation how to achieve this, goal, please send it to me. I will be very grateful.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore - 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: hariprasad.n at ramyamlab.com www.ramyamlab.com

From psilva at redhat.com Wed Feb 6 06:19:58 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 6 Feb 2019 09:19:58 -0200 Subject: [keycloak-user] Securing multitenant microservices In-Reply-To: References: Message-ID: Keycloak provides an API which is basically the same that is backing our administration console. You can basically manage everything from it. You could maybe start by this part of the docs [1]. If you are using Java, you can use a client library. [1] https://www.keycloak.org/docs/latest/server_development/index.html#admin-rest-api
On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N wrote:
> Hi Pedro Igor Silva,
> We also have similar requirement. You said "I don't think you have other option. Maybe you can make the job less painful by using our APIs to help provisioning new tenants with the "shared" configuration".
> Can you tell me how with examples if possible.
> On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva wrote:
>> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka wrote:
>> > Hi,
>> > We are currently planning how to implement Keycloak to our solution.
Our >> > solution is a multitenant application composed of many microservices >> with >> > fronting API and React.js clients. Our tenants are all using the same >> > instances of the microservices (those are shared). >> > We will go with implicit token flow, passing the JWT token through all >> the >> > dependencies to achieve defense-in-depth (aka: the services do the >> > authorization). >> > >> > So as we'll have many tenants we will also have many realms. Because >> > clients are bound to individual realm, we will need to duplicate >> > (re-register through dynamic registration every client) many times. For >> the >> > worse, we will probably also use UMA, which is bound to the client, >> hence >> > the privileges will be duplicated as well... >> > >> > Now the questions: >> > >> > 1) Is it somehow possible to inherit or template the definition of >> > the realm, so we would only change the "master realm template" and the >> > changes would propagate to all the individual tenant realms >> > >> >> This is not possible. However, we have discussed a similar solution when >> we >> were working with Openshift Integration. I can't remember how we called >> this at that time, Stian should remember .... >> >> >> > >> > 2) If this is not possible, what is the recommended way to support >> > this scenario with many tenants and many services? Especially when we >> > expect that the clients will evolve, hence updating all the clients+uma >> in >> > many realms may be very painful... >> > >> >> I don't think you have other option. Maybe you can make the job less >> painful by using our APIs to help provisioning new tenants with the >> "shared" configuration. >> >> >> > >> > Thanks for your advice! >> > >> > Pavel >> > >> > >> > // PS: if there is any good article or presentation how to achieve this, >> > goal, please send it to me. I will be very grateful. 
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore - 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: hariprasad.n at ramyamlab.com www.ramyamlab.com

From hariprasad.n at ramyamlab.com Wed Feb 6 06:26:25 2019 From: hariprasad.n at ramyamlab.com (Hariprasad N) Date: Wed, 6 Feb 2019 16:56:25 +0530 Subject: [keycloak-user] Securing multitenant microservices In-Reply-To: References: Message-ID: Thanks. I already have this in my mind, I thought you will give another solution, any way thanks. Is there any plan in future to create shared clients and roles across multiple realm. I have asked this requirement long back. Regards Hari Prasad N
On Wed, Feb 6, 2019 at 4:50 PM Pedro Igor Silva wrote:
> Keycloak provides an API which is basically the same that is backing our administration console. You can basically manage everything from it.
> You could maybe start by this part of the docs [1]. If you are using Java, you can use a client library.
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#admin-rest-api
> On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N wrote:
>> Hi Pedro Igor Silva,
>> We also have similar requirement. You said "I don't think you have other option. Maybe you can make the job less painful by using our APIs to help provisioning new tenants with the "shared" configuration".
>> >> Can you tell me how with examples if possible. >> >> On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva >> wrote: >> >>> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka >>> wrote: >>> >>> > Hi, >>> > >>> > We are currently planning how to implement Keycloak to our solution. >>> Our >>> > solution is a multitenant application composed of many microservices >>> with >>> > fronting API and React.js clients. Our tenants are all using the same >>> > instances of the microservices (those are shared). >>> > We will go with implicit token flow, passing the JWT token through all >>> the >>> > dependencies to achieve defense-in-depth (aka: the services do the >>> > authorization). >>> > >>> > So as we'll have many tenants we will also have many realms. Because >>> > clients are bound to individual realm, we will need to duplicate >>> > (re-register through dynamic registration every client) many times. >>> For the >>> > worse, we will probably also use UMA, which is bound to the client, >>> hence >>> > the privileges will be duplicated as well... >>> > >>> > Now the questions: >>> > >>> > 1) Is it somehow possible to inherit or template the definition of >>> > the realm, so we would only change the "master realm template" and the >>> > changes would propagate to all the individual tenant realms >>> > >>> >>> This is not possible. However, we have discussed a similar solution when >>> we >>> were working with Openshift Integration. I can't remember how we called >>> this at that time, Stian should remember .... >>> >>> >>> > >>> > 2) If this is not possible, what is the recommended way to support >>> > this scenario with many tenants and many services? Especially when we >>> > expect that the clients will evolve, hence updating all the >>> clients+uma in >>> > many realms may be very painful... >>> > >>> >>> I don't think you have other option. Maybe you can make the job less >>> painful by using our APIs to help provisioning new tenants with the >>> "shared" configuration. 
>>> > Thanks for your advice!
>>> > Pavel
>>> > // PS: if there is any good article or presentation how to achieve this, goal, please send it to me. I will be very grateful.
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> -- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore - 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: hariprasad.n at ramyamlab.com www.ramyamlab.com
-- Thanks & Regards, Hari Prasad N Senior Software Engineer ------------------------------------------------- Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore - 560001, Karnataka, India. Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: hariprasad.n at ramyamlab.com www.ramyamlab.com

From titorenko at dtg.technology Wed Feb 6 06:52:31 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Wed, 6 Feb 2019 14:52:31 +0300 Subject: [keycloak-user] Http CIP and Client's Access Token In-Reply-To: References: Message-ID: <96E98132-0F25-4ABA-93D2-2A5936326E33@dtg.technology> Hi Pedro! Thank you for response. Comments are below.
> On 6 Feb 2019, at 14:04, Pedro Igor Silva wrote:
> On Wed, Feb 6, 2019 at 8:31 AM Alexey Titorenko wrote:
> Hello guys!
> Could someone please help me with my investigation of PolicyEnforcer?
> I'm currently checking how "http" claim information point is working.
> Let's imagine typical situation when some client calls service, which, in turn, uses "http" CIP. That is, we have following scheme: CLIENT -> Service -> ClaimService
> The question is about the token, which is used to call ClaimService. I would expect, that Service should get its own token which provides access to ClaimService. But I see, that it uses CLIENT's token. Which imho means, that:
> Client knows from his token about this ClaimService although he shouldn't from the security point of view. Although, in some schemes it may be required, I agree. But not always.
> Service calls ClaimService using not his own rights, but client's rights, which makes it more difficult to control and audit access.
> I see your point. However, the "http" CIP is just forwarding the client token in order to fetch from the claim service whatever claim associated with the subject represented by the token. We could easily support token exchange prior to a request to the claim service, but I think most of the times you just want to identify the subject and then resolve claims based on it.
Ok, I see. Sounds reasonable. I have not played yet with token exchange... Can we use something similar to "on-behalf-of" with token exchange? When Service exchanges Client's token to a token issued to Service acting on behalf of Client? In my opinion it would be just perfect case, although, with performance penalty (which is +1 for current way).
> The main point here is that the claim service does not really provide a public API accessible for other components but services that are doing contextual authorization.
My point here is that internal services, including Claim Service, should also be secured and we should be able to control who can and who did access the Claim Service, ideally, in the same manner as we do for other services.
Otherwise, we need to compensate this difference by network configuration, which only allows access to the Claim Service to a set of known services or use other means. Also, we cannot audit calls based on token, as it does not represent actual caller of the Claim Service. I see the idea of this implementation. In some cases it can be OK, in others we might need to add token exchange using current implementation as a reference.
> Usage of ClaimService is an internal detail of the Service and may change at any time. In this case we need to reconfigure tokens for all clients calling Service, which is, again, not good.
> Could you elaborate more about this, please?
Currently, my Service uses Claim Service to obtain some claims for Client. If Service implementation changes, including security requirements, it may start using another "New Claim Service" or many services for different claims or not using them at all any more. So, if I changed my Service, then I still need to ensure that Client's token also has new roles for new Claim Services and so on. Resuming, if I change some service implementation, I'm OK with the need to change those clients (their config is Keycloak) which directly invoke it. But it might be a problem when I need to also change those, which do not directly face changed service. It might be complicated if we have complex infrastructure with hundreds of services. At this moment I'm only elaborating safe, clear and systematic ways to use Keycloak in our projects. My understanding is not good yet. Sorry, if I say stupid things :)
> What do you think about this? Am I right or wrong? Or should we consider OOTB 'http' CIP as a reference only?
> Also, http CIP does not support path parameters, which is typical situation for REST. Only query parameters.
> You can use it as a reference and create your own based on it. Depending on what you have we can discuss including your changes to upstream.
Yes, sure. Thank you for your comments!
> Regards.
> Pedro Igor
> Alexey
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From andreas.wieland at IDA-Analytics.de Wed Feb 6 07:36:59 2019 From: andreas.wieland at IDA-Analytics.de (Andreas Wieland) Date: Wed, 6 Feb 2019 12:36:59 +0000 Subject: [keycloak-user] Gatekeeper - Documentation Message-ID: Hi Keycloak Team, we just found out the hard way that not all possible parameters are described in your online documentation. We tried to use Gatekeeper as an Authorization Proxy but had problems with redirections. After a lot of testing and fiddling we found the following parameter for gatekeeper which helped: --base-uri value which helped our cause. If you start gatekeeper with the help flag it will be part of the list. But we used Gatekeeper with the docker image. Therefore, I would suggest to include a complete list of possible parameters at the end of the online documentation. Kind regards, Andreas Wieland Software Developer Intelligent Data Analytics GmbH & Co. KG c/o TechQuartier Platz der Einheit 2 60327 Frankfurt Mobile: 015172834024 Phone: 06421/4805274 Fax: 06421/4805275 E-Mail: andreas.wieland at ida-analytics.de Internet: www.ida-analytics.de Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main, registration number: HRA 49357 | VAT ID: DE310205810 | Tax office: Frankfurt am Main General partner: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann
From psilva at redhat.com Wed Feb 6 07:51:20 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 6 Feb 2019 10:51:20 -0200 Subject: [keycloak-user] Http CIP and Client's Access Token In-Reply-To: <96E98132-0F25-4ABA-93D2-2A5936326E33@dtg.technology> References: <96E98132-0F25-4ABA-93D2-2A5936326E33@dtg.technology> Message-ID: On Wed, Feb 6, 2019 at 9:52 AM Alexey Titorenko wrote:
> Hi Pedro!
> Thank you for response.
> Comments are below.
> On 6 Feb 2019, at 14:04, Pedro Igor Silva wrote:
> On Wed, Feb 6, 2019 at 8:31 AM Alexey Titorenko wrote:
>> Hello guys!
>> Could someone please help me with my investigation of PolicyEnforcer?
>> I'm currently checking how "http" claim information point is working.
>> Let's imagine typical situation when some client calls service, which, in turn, uses "http" CIP. That is, we have following scheme: CLIENT -> Service -> ClaimService
>> The question is about the token, which is used to call ClaimService. I would expect, that Service should get its own token which provides access to ClaimService. But I see, that it uses CLIENT's token. Which imho means, that:
>> Client knows from his token about this ClaimService although he shouldn't from the security point of view. Although, in some schemes it may be required, I agree. But not always.
>> Service calls ClaimService using not his own rights, but client's rights, which makes it more difficult to control and audit access.
> I see your point. However, the "http" CIP is just forwarding the client token in order to fetch from the claim service whatever claim associated with the subject represented by the token.
> We could easily support token exchange prior to a request to the claim service, but I think most of the times you just want to identify the subject and then resolve claims based on it.
> Ok, I see. Sounds reasonable.
> I have not played yet with token exchange... Can we use something similar to "on-behalf-of" with token exchange? When Service exchanges Client's token to a token issued to Service acting on behalf of Client? In my opinion it would be just perfect case, although, with performance penalty (which is +1 for current way).
It will basically change the azp and aud claims to the requester and target service, respectively. Yeah, there is a real performance penalty if we do that by default.
> The main point here is that the claim service does not really provide a public API accessible for other components but services that are doing contextual authorization.
> My point here is that internal services, including Claim Service, should also be secured and we should be able to control who can and who did access the Claim Service, ideally, in the same manner as we do for other services. Otherwise, we need to compensate this difference by network configuration, which only allows access to the Claim Service to a set of known services or use other means. Also, we cannot audit calls based on token, as it does not represent actual caller of the Claim Service.
If you think about the CIP as a "proxy" it is basically forwarding the token to the claim service, but the actual requester is not the service but the client that originated the call.
> I see the idea of this implementation. In some cases it can be OK, in others we might need to add token exchange using current implementation as a reference.
>> Usage of ClaimService is an internal detail of the Service and may change at any time. In this case we need to reconfigure tokens for all clients calling Service, which is, again, not good.
> > > Could you elaborate more about this, please ? > > > Currently, my Service uses Claim Service to obtain some claims for Client. > If Service implementation change, including security requirements, it may > start using another ?New Claim Service? or many services for different > claims or not using them at all any more. So, if I changed my Service, then > I still need to ensure, that Client?s token also new roles for new Claim > Services and so on. > > Resuming, if I change some service implementation, I?m OK with the need to > change those clients (their config is Keycloak) which directly invoke it. > But it might be a problem when I need to also changes those, which do not > directly face changed service. It might be complicated if we have complex > infrastructure with hundreds of services. > I see now. Makes sense. However, you can make this less painful by using client scopes where a specific scope can be used to automatically include whatever claim you need in the token to access the claim(s) services. That would avoid you to change every single client but just include the scope in the list of default scopes. > > > At this moment I?m only elaborating safe, clear and systematic ways to use > Keycloak in our projects.My understanding is not good yet. Sorry, if I say > stupid things :) > Not at all, all valid points ! > > > > >> >> What do you think about this? Am I right or wrong? Or should we consider >> OOTB 'http' CIP as a reference only? >> >> Also, http CIP does not support path parameters, which is typical >> situation for REST. Only query parameters. >> > > You can use it as a reference and create your own based on it. Depending > on what you have we can discuss including your changes to upstream. > > > Yes, sure. > > Thank you for you comments! > > > Regards. 
> Pedro Igor > > >> >> Alexey >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From lkamal at gmail.com Wed Feb 6 08:03:55 2019 From: lkamal at gmail.com (Kamal Mettananda) Date: Wed, 6 Feb 2019 18:33:55 +0530 Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3 In-Reply-To: References: Message-ID: Thanks all. --------------------------------------- Kamal Mettananda www.digizol.com On Fri, Feb 1, 2019 at 1:38 PM Serhii Shymkiv wrote: > Grand so > > On Fri, Feb 1, 2019 at 10:00 AM Martin Kanis wrote: > >> Obviously we both have a different Jira look in our browsers :) Your link >> shows me a single issue with no drop-down at all. Just a small arrows which >> I missed first. That is why I provided a different view. >> >> Cheers >> >> On Fri, Feb 1, 2019 at 8:37 AM Serhii Shymkiv wrote: >> >>> What single issue you're talking about ? >>> Single "Fix Version" - yes, but nobody stops you from selecting more >>> items from the corresponding drop-down list with no need to switch to the >>> advanced search >>> >>> On Fri, Feb 1, 2019 at 9:28 AM Martin Kanis wrote: >>> >>>> This shows only a single issue. Try following >>>> https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%204.8.3.Final%20OR%20fixVersion%20%3D%204.8.2.Final%20OR%20fixVersion%20%3D%204.8.1.Final%20 >>>> >>>> On Fri, Feb 1, 2019 at 8:16 AM Serhii Shymkiv >>>> wrote: >>>> >>>>> >>>>> https://issues.jboss.org/browse/KEYCLOAK-8724?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%204.8.3.Final%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC >>>>> >>>>> >>>>> >>>>> -- >>>>> Best regards, >>>>> Serhii Shymkiv. >>>>> >>>>> On Fri, Feb 1, 2019, 06:41 Kamal Mettananda >>>> >>>>> > Hi all >>>>> > >>>>> > I am trying to figure out the changes in 4.8.3 vs 4.8.1. 
>>>>> > However, in the release notes page (https://www.keycloak.org/docs/latest/release_notes/index.html) I can only see some information about 4.8.0.
>>>>> >
>>>>> > Could someone please point me to a location where I can figure out the features and fixes?
>>>>> >
>>>>> > Thanks
>>>>> > Kamal Mettananda
>>>>> > www.digizol.com
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>
>>> --
>>> Best regards,
>>> Serhii Shymkiv.
>>>
>
> --
> Best regards,
> Serhii Shymkiv.
>

From bruno at abstractj.org Wed Feb 6 08:13:36 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 6 Feb 2019 11:13:36 -0200
Subject: [keycloak-user] Gatekeeper - Documentation
In-Reply-To:
References:
Message-ID: <20190206131335.GA17913@abstractj.org>

Hi Andreas,

You can use the help flag with the docker image:

docker run -it --rm keycloak/keycloak-gatekeeper --help

If there's something in our docs you would like to contribute, please file a Jira and submit a PR to https://github.com/keycloak/keycloak-documentation.

On 2019-02-06, Andreas Wieland wrote:
> Hi Keycloak Team,
>
> we just found out the hard way that not all possible parameters are described in your online documentation.
> We tried to use Gatekeeper as an Authorization Proxy but had problems with redirections.
>
> After a lot of testing and fiddling we found the following parameter for gatekeeper which helped:
>
> --base-uri value
>
> which helped our cause. If you start gatekeeper with the help flag it will be part of the list.
> But we used Gatekeeper with the docker image.
>
> Therefore, I would suggest including a complete list of possible parameters at the end of the online documentation.
>
> Kind regards,
>
> Andreas Wieland
> Software Developer
>
> Intelligent Data Analytics GmbH & Co. KG
>
> c/o TechQuartier
> Platz der Einheit 2
> 60327 Frankfurt
>
> Mobile: 015172834024
> Phone: 06421/4805274
> Fax: 06421/4805275
> E-Mail: andreas.wieland at ida-analytics.de
> Internet: www.ida-analytics.de
>
> Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main, registration number: HRA 49357 | VAT ID no.: DE310205810 | Tax office: Frankfurt am Main
>
> Personally liable partner: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From uo67113 at gmail.com Wed Feb 6 08:13:46 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 6 Feb 2019 14:13:46 +0100
Subject: [keycloak-user] Issue with SAML AuthnRequest
In-Reply-To: <20190205100934.mybiqca6gnhkic56@spirit6.local>
References: <20190205100934.mybiqca6gnhkic56@spirit6.local>
Message-ID:

Hello Max,

May I ask you what the client implementation is?
For my dev environment, using the tomcat saml adapter on the SP side and Keycloak 4.8.2.Final-SNAPSHOT on the IdP side is working:

- SP:
  - jdk1.8.0_191
  - Apache Tomcat 8.0.14
  - keycloak tomcat saml adapter 4.8.2.Final-SNAPSHOT
- IdP:
  - jdk1.8.0_191
  - keycloak 4.8.2.Final-SNAPSHOT (from org.keycloak:keycloak-testsuite-utils)

If your client uses keycloak, at least in the java adapter you can define the signatureCanonicalizationMethod, but usually the default one (http://www.w3.org/2001/10/xml-exc-c14n#) is OK. Check in your client if you can customize this.

Hope it helps,

Luis

On Tue, 5 Feb 2019 at 11:11, wrote:

> Hi All,
>
> I'm using Keycloak keycloak-4.8.3.Final with Java build 1.8.0_151-b12 as SAML Identity provider. My client sends signed SAML AuthnRequests using the HTTP POST Web Browser SSO profile, and Keycloak fails verifying the signature (different digests).
>
> By dumping the SAMLRequest message with wireshark on the Keycloak machine and validating its signature with Oxygen 12, the signature is fine. However Keycloak has an issue verifying it, with the attached log.
>
> This is usually a canonicalization problem. I could provide the TCPDumps to reproduce the error.
>
> Any idea?
>
> Thanks a lot!
>
> 2019-02-04 17:10:59,522 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-97) RESTEASY002315: PathInfo: /realms/master/protocol/saml
> 2019-02-04 17:10:59,522 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-97) Hibernate RegisteredSynchronization successfully registered with JTA platform
> 2019-02-04 17:10:59,523 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-97) SAML POST
> 2019-02-04 17:10:59,524 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-97) SAML POST Binding
> 2019-02-04 17:10:59,524 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-97) encoding="UTF-8"?> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://kv-pfg:8543/SpiritHealthPortal/SamlReceiver" Destination="http://kv-sws:8080/auth/realms/master/protocol/saml" ForceAuthn="true" ID="46faa8d7-fd71-4c00-8bad
> ask-97) setElement(ds:CanonicalizationMethod, "null")
> 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (default task-97) Created transform for algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
> 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer] (default task-97) isNodeSet() = true
> 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (default task-97) Canonicalized SignedInfo:
> 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (default task-97) <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#46faa8d7-fd71-4c00-8bad-921a5bd9e5c8"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>bcAIFrQ6IYwak1tF9MQgcoxBFm5pWy+0xJxlt0C8mzU=</ds:DigestValue></ds:Reference></ds:SignedInfo>
> 2019-02-04 17:10:59,529 DEBUG [org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo] (default task-97) Data to be signed/verified:
> 2019-02-04 17:10:59,530 ERROR [org.keycloak.protocol.saml.SamlService] (default task-97) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83)
>     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:68)
>     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:501)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:244)
>     at org.keycloak.protocol.saml.SamlService$BindingProtocol.execute(SamlService.java:491)
>     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:581)
>     at sun.reflect.GeneratedMethodAccessor871.invoke(Unknown Source)
> 2019-02-04 17:10:59,531 DEBUG [org.hibernate.event.internal.AbstractSaveEventListener] (default task-97) Generated identifier: d4e07837-2fa9-4a74-9971-5847bbe24e88, using strategy: org.hibernate.id.Assigned
> 2019-02-04 17:10:59,532 WARN [org.keycloak.events] (default task-97) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.10.10.54, error=invalid_signature
> 2019-02-04 17:10:59,532 DEBUG [freemarker.cache] (default task-97) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From geoff at opticks.io Wed Feb 6 08:18:26 2019
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Wed, 6 Feb 2019 14:18:26 +0100
Subject: [keycloak-user] Gatekeeper - Documentation
In-Reply-To:
References:
Message-ID:

In my experience, editing the documentation myself and making a pull request has been more effective in getting the docs up to date than asking the developers to do it. That being said, we can't do a very good job of updating the docs if we don't actually know all of the possible parameters and their function.

On Wed, 6 Feb 2019 at 13:51, Andreas Wieland <andreas.wieland at ida-analytics.de> wrote:

> Hi Keycloak Team,
>
> we just found out the hard way that not all possible parameters are described in your online documentation.
> We tried to use Gatekeeper as an Authorization Proxy but had problems with redirections.
>
> After a lot of testing and fiddling we found the following parameter for gatekeeper which helped:
>
> --base-uri value
>
> which helped our cause. If you start gatekeeper with the help flag it will be part of the list.
> But we used Gatekeeper with the docker image.
>
> Therefore, I would suggest to include a complete list of possible parameters at the end of the online documentation.
>
> Kind regards,
>
> Andreas Wieland
> Software Developer
>
> Intelligent Data Analytics GmbH & Co. KG
>
> c/o TechQuartier
> Platz der Einheit 2
> 60327 Frankfurt
>
> Mobile: 015172834024
> Telephone: 06421/4805274
> Fax: 06421/4805275
> E-Mail: andreas.wieland at ida-analytics.de
> Internet: www.ida-analytics.de
>
> Registered office: Frankfurt am Main | Commercial register at the local court: Frankfurt am Main, registration number: HRA 49357 | VAT ID no.: DE310205810 | Tax office: Frankfurt am Main
> Personally liable partner: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the local court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann

-- 
Regards,
Geoffrey Cleaves

From calltosenthil at rediffmail.com Wed Feb 6 09:17:24 2019
From: calltosenthil at rediffmail.com (senthil nathan)
Date: 6 Feb 2019 14:17:24 -0000
Subject: [keycloak-user] Not able to add multiple regex password policies
Message-ID: <20190206141724.21373.qmail@f4mail-235-198.rediffmail.com>

Hi All,

For our application we would like to add three or more regexes in password policies:
1) Max size of the password
2) Always start with small case

Only the latest regex is available after saving it.

Could you explain how to add more regex patterns? (We also tried comma separated, but it is not working.)

Regards,
SPS. Nathan

From max at mascanc.net Wed Feb 6 09:30:41 2019
From: max at mascanc.net (max at mascanc.net)
Date: Wed, 6 Feb 2019 15:30:41 +0100
Subject: [keycloak-user] Issue with SAML AuthnRequest
In-Reply-To:
References: <20190205100934.mybiqca6gnhkic56@spirit6.local>
Message-ID: <20190206143041.7w5u5xhcb3ncznja@spirit6.local>

Hi,

On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> May I ask you what is the client implementation? For my dev environment,

Thanks for the answer! :-)

It is a client built with OpenSAML. The signature created by it, according to Oxygen12, is valid (by validating the Base64 encoded SAML Authn Request obtained from WireShark).
> If your client uses keycloak, at least in the java adapter you can define the signatureCanonicalizationMethod, but usually the default one (http://www.w3.org/2001/10/xml-exc-c14n#) is OK. Check in your client if you can customize this.
>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
> URI="#46faa8d7-fd71-4c00-8bad-921a5bd9e5c8">
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256

We do use this C14n algorithm already ... Uhmm... can it be that the received SOAP is passed through a DocumentBuilderFactory using JAXB (thus adding fake namespaces) or Transforms with some level of indentation that breaks the signature, in version 4.8.3?

Thanks!

From dt at acutus.pro Wed Feb 6 10:17:19 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 06 Feb 2019 18:17:19 +0300
Subject: [keycloak-user] Not able to add multiple regex password policies
In-Reply-To: <20190206141724.21373.qmail@f4mail-235-198.rediffmail.com>
References: <20190206141724.21373.qmail@f4mail-235-198.rediffmail.com>
Message-ID: <1549466239.5705.1.camel@acutus.pro>

Hello Nathan,

I was able to reproduce the issue. Seems like Keycloak by design can have only one instance of each password policy type. I think an exception should be made for regexp policies. Meanwhile, could you please try the approach described here [1] to combine multiple regexps into one?

[1] https://stackoverflow.com/questions/469913/regular-expressions-is-there-an-and-operator

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-02-06 at 14:17 +0000, senthil nathan wrote:
> HI All
>
> For our application we would like to add three or more regex in password policies
> 1) Max size of the password
> 2) Always start with small case
>
> Only the latest regex is available after saving it.
>
> Could you explain how to add more regex patterns? (We also tried comma separated, but it is not working.)
>
> Regards
> SPS. Nathan

From dt at acutus.pro Wed Feb 6 10:42:15 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 06 Feb 2019 18:42:15 +0300
Subject: [keycloak-user] Securing multitenant microservices
In-Reply-To:
References:
Message-ID: <1549467735.5705.3.camel@acutus.pro>

Hello Pavel and Hariprasad,

As an alternative, you can do everything in one realm. There is a trick to implement ad-hoc "multi-tenancy" within one realm using the OpenID Connect scope parameter in the form of "scope=openid tenant:XXX". Using the tenant ID, you can dynamically brand account and email themes, propagate it to the tokens, use it in dynamic authorization policies etc. I'm currently writing a detailed article describing this approach.

With this, you will have a shared set of clients, UMA, policies etc. However, you will need to implement proper separation of users, e.g. using groups or user attributes.

Feel free to ask any questions on this,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-02-06 at 10:39 +0000, Pavel Micka wrote:
> Hi,
>
> We are currently planning how to implement Keycloak to our solution. Our solution is a multitenant application composed of many microservices with fronting API and React.js clients. Our tenants are all using the same instances of the microservices (those are shared).
> We will go with implicit token flow, passing the JWT token through all the dependencies to achieve defense-in-depth (aka: the services do the authorization).
>
> So as we'll have many tenants we will also have many realms. Because clients are bound to an individual realm, we will need to duplicate (re-register through dynamic registration every client) many times. For the worse, we will probably also use UMA, which is bound to the client, hence the privileges will be duplicated as well...
>
> Now the questions:
>
> 1) Is it somehow possible to inherit or template the definition of the realm, so we would only change the "master realm template" and the changes would propagate to all the individual tenant realms
>
> 2) If this is not possible, what is the recommended way to support this scenario with many tenants and many services? Especially when we expect that the clients will evolve, hence updating all the clients+uma in many realms may be very painful...
>
> Thanks for your advice!
>
> Pavel
>
> // PS: if there is any good article or presentation how to achieve this goal, please send it to me. I will be very grateful.

From dt at acutus.pro Wed Feb 6 10:56:53 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 06 Feb 2019 18:56:53 +0300
Subject: [keycloak-user] Connect EAP with third party Identity Manager
In-Reply-To: <2fcc3256-5398-4401-8767-3545f5714899@aseaco.de>
References: <2fcc3256-5398-4401-8767-3545f5714899@aseaco.de>
Message-ID: <1549468613.5705.5.camel@acutus.pro>

Hello Michael,

Unfortunately, the Keycloak OpenID Connect adapter is not compatible with generic OIDC providers (unlike the SAML adapter). Please check out these threads [1] [2]. Basically, you have two options: to hack on KeycloakConfigResolver, or to deploy an intermediary Keycloak with brokering to NetIQ. The former is risky and not guaranteed to work at all, while the latter should work for sure (at the price of increased maintenance costs).

[1] https://lists.jboss.org/pipermail/keycloak-user/2018-November/016193.html
[2] http://lists.jboss.org/pipermail/keycloak-dev/2018-November/011378.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-02-06 at 11:21 +0100, Michael Gulitz wrote:
> Hello!
>
> We have implemented a JEE application on EAP 7 with three layers (UI (OpenUI5), REST API, EJB layer) and are using keycloak adapters and keycloak server in our local environment. This setup works fine so far with security context in all layers.
>
> But now we have to deploy the application to a different environment and must connect to a NetIQ identity server via OpenId, but the keycloak adapter uses its own specific URL pattern, etc.
>
> I cannot find any documentation on how to configure EAP to allow authentication with other identity managers than keycloak or JBoss SSO.
>
> For OAuth the PicketLink documentation also points to the keycloak project.
>
> Can anyone help?
>
> Thanks,
>
> Michael

From dt at acutus.pro Wed Feb 6 11:04:24 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 06 Feb 2019 19:04:24 +0300
Subject: [keycloak-user] Regarding the email Verification link
In-Reply-To: <1549362084.S.3419.18806.f4-234-195.1549362159.23025@webmail.rediffmail.com>
References: <1549362084.S.3419.18806.f4-234-195.1549362159.23025@webmail.rediffmail.com>
Message-ID: <1549469064.5705.7.camel@acutus.pro>

Hello Nathan,

Keycloak uses the Hostname SPI [1] to resolve the hostname, which is in turn used to construct the email verification link. There are two implementations OOTB, request-based and fixed [2].

You probably need a custom provider that would be a combination of both, conditionally resolving to the external hostname in some cases.

[1] https://github.com/keycloak/keycloak/tree/master/server-spi/src/main/java/org/keycloak/urls
[2] https://www.keycloak.org/docs/latest/server_admin/#host

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-02-05 at 10:22 +0000, senthil nathan wrote:
> Dear KeyCloak Users,
>
> We have a requirement to get the email verification link URL accessible to the public when we use the admin REST API.
>
> In our current architecture the application is running with a private IP; Keycloak is hosted separately and can be accessed via a load balancer. We would like to use the admin REST API for getting the verification link in the email with the load balancer URL instead of the private IP URL (keycloak and the application use the private IP for admin REST API communication).
>
> Any help on resolving this issue is appreciated
>
> Regards
> SPS. Nathan

From s.babych at dataclaritycorp.com Wed Feb 6 11:06:37 2019
From: s.babych at dataclaritycorp.com (Svyatoslav Babych)
Date: Wed, 6 Feb 2019 16:06:37 +0000
Subject: [keycloak-user] custom REST endpoints with authenticated access
Message-ID:

Hi All,

For our application we have implemented custom REST endpoints with an authenticated access check like:

    this.auth = new AppAuthManager().authenticateBearerToken(session);
    if (auth == null) {
        throw new NotAuthorizedException("Authorization header must be provided");
    }

It works great for all requests except the situation when a master realm admin tries to call this endpoint at a different realm (not his own).
It works at /realms/master/{endpoint}, but doesn't for /realms/{realm}/{endpoint}.

Could you please help me with this?
The master admin for access uses: master realm, *admin-cli* client and has the *admin* role assigned.

Thank you,
Regards
Svyat

Svyatoslav Babych | Senior Solution Architect, Technical Team Lead
s.babych at dataclaritycorp.com
DataClarity Corporation | www.dataclaritycorp.com

Confidentiality Notice: The information in this email and any attachments is confidential or proprietary and should be treated and marked as "Confidential" DataClarity communication. If you are not the intended recipient of this email, any review, disclosure, copying, or distribution of it including any attachments is strictly prohibited and may be unlawful. If you have received this email in error, please notify the sender immediately and permanently delete it and destroy any copies. Any information contained in this email is subject to the terms and conditions expressed in any applicable agreement.
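Dmitry's reply in the regex password-policy thread earlier in this digest points to combining several regular expressions into one, which is what the linked Stack Overflow answer does with lookahead assertions. The block below is an added example, not code from that thread or from Keycloak: it builds one anchored pattern out of per-requirement lookaheads and keeps the individual requirements around so a rejected password can be explained. The 12-character limit and the "has a digit" rule are constructed for the example; the assumption is that java.util.regex, which Keycloak uses to evaluate a regexPattern policy, treats lookaheads, character classes and anchors the same way Python's re does, which holds for the constructs used here.

```python
import re

# Each password requirement as an anchored lookahead. Lookaheads consume no
# input, so several of them can be AND-ed at the start of a single pattern.
# The 12-character limit and the digit rule are constructed for this example.
REQUIREMENTS = {
    "max_length_12": r"(?=.{1,12}$)",   # whole string is 1 to 12 characters
    "starts_lowercase": r"(?=[a-z])",   # first character is a lower-case letter
    "has_digit": r"(?=.*\d)",           # at least one digit somewhere
}


def combine_requirements(lookaheads):
    """AND several lookahead requirements into one anchored pattern.

    The result has the shape ^(?=A)(?=B)(?=C).*$ and is what one would paste
    into a single Keycloak regexPattern policy (assumption: Keycloak evaluates
    the policy with java.util.regex, which handles these constructs like re).
    The explicit ^ and $ make the verdict the same whether the caller uses a
    full match or a search.
    """
    return "^" + "".join(lookaheads) + ".*$"


COMBINED = combine_requirements(REQUIREMENTS.values())
_COMBINED_RE = re.compile(COMBINED)


def password_accepted(password):
    """True when the password satisfies every requirement at once."""
    return _COMBINED_RE.fullmatch(password) is not None


def failed_requirements(password):
    """Names of the individual requirements the password violates.

    The combined policy can only answer yes or no; checking each lookahead on
    its own gives the detail needed for a helpful error message to the user.
    """
    return [name for name, lookahead in REQUIREMENTS.items()
            if re.fullmatch("^" + lookahead + ".*$", password) is None]


if __name__ == "__main__":
    for candidate in ("abcdef12", "Abcdef12", "abcdefghijklm1", "abcdefgh"):
        print(candidate, password_accepted(candidate), failed_requirements(candidate))
```

The value of COMBINED, ^(?=.{1,12}$)(?=[a-z])(?=.*\d).*$, is the single string to paste into the policy; adding a fourth requirement means adding one more lookahead, not a second policy instance. Keycloak also ships a dedicated maximum-length password policy, so in practice only the requirements that have no built-in policy need to go through the regex.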
From Pavel.Micka at zoomint.com Wed Feb 6 11:23:18 2019
From: Pavel.Micka at zoomint.com (Pavel Micka)
Date: Wed, 6 Feb 2019 16:23:18 +0000
Subject: [keycloak-user] Securing multitenant microservices
In-Reply-To: <1549467735.5705.3.camel@acutus.pro>
References: <1549467735.5705.3.camel@acutus.pro>
Message-ID:

Hi,

Unfortunately it's not possible in our case, as we also have a per-tenant ability to use different user sources - both synchronization and SSO federation - as we generally import the users from external systems (telephony platforms, active directories...); or in other words, we do not have (almost any) local users.

Best regards,
Pavel

// but yeah, this strategy would work nicely, if we did not have these tenant-specific additional constraints

From chris.smith at cmfirstgroup.com Wed Feb 6 13:17:02 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Wed, 6 Feb 2019 18:17:02 +0000
Subject: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
In-Reply-To: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67@redhat.com>
References: <1548656466.19952.3.camel@acutus.pro> <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67@redhat.com>
Message-ID:

So I made a small addition and stepped through the authenticate method

    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);
        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null,
                createJaasCallbackHandler(principal, password), createJaasConfiguration());
        loginContext.login();
        logger.debug("Principal " + principal + " authenticated succesfully");

        // ** added: list the Kerberos tickets held by the authenticated Subject
        Subject subject = loginContext.getSubject();
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(ticket.getClient().getName());
        }
        // ** end of addition

        return loginContext.getSubject();
    }

The subject that
is gotten from the loginContext has one KerberosTicket private credential.

Googling has not given me any insight on where I go from here. Do you have any suggestions?

-----Original Message-----
From: Marek Posolda
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin; Chris Smith; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

+1

GSSCredential is used just during SPNEGO authentication. You may possibly change the built-in authentication flows or userStorage provider, so that after verification with username/password, the GSSCredential will be somehow obtained from the JAAS Subject used for the authentication (see class KerberosUsernamePasswordAuthenticator for the details). However I am not sure if this is really possible and it will require some more deep-dive into the Keycloak codebase and the Kerberos implementation in the JDK... Just a hint...

Marek

On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of a Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user at lists.jboss.org'
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have set up my servlet to authenticate a user to my web app using Keycloak Active Directory ldap user federation
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?

From David.Erie at datapath.com Wed Feb 6 16:27:15 2019
From: David.Erie at datapath.com (David Erie (US))
Date: Wed, 6 Feb 2019 21:27:15 +0000
Subject: [keycloak-user] user data > 255 characters is causing Exception
Message-ID:

Hi,

We are storing some user preference data as attributes in Keycloak, and I am seeing this Exception in the Keycloak log file:

2019-02-06 13:43:55,413 WARN [org.keycloak.services.resources.admin.UserResource] (default task-2720) Could not update user!: org.keycloak.models.ModelException: org.hibernate.exception.DataException: could not execute statement
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
    at org.keycloak.connections.jpa.JpaExceptionConverter.convert(JpaExceptionConverter.java:31)
    at org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:65)
    at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94)
    at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
    at org.keycloak.services.resources.admin.UserResource.updateUser(UserResource.java:172)
Caused by: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(255)

Will it be possible to change that DB column definition to have no limit, or a much higher limit? Are there other ways to store long JSON strings with the User besides their attributes?

Thanks,
Dave

From ssilvert at redhat.com Wed Feb 6 16:51:12 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 6 Feb 2019 16:51:12 -0500
Subject: [keycloak-user] user data > 255 characters is causing Exception
In-Reply-To:
References:
Message-ID: <405c3912-c9c4-2e04-2e79-86a4c07b5525@redhat.com>

Hi David,

Can you please file a JIRA for this?

Stan

From mariusz at info.nl Thu Feb 7 04:36:51 2019
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 7 Feb 2019 09:36:51 +0000
Subject: [keycloak-user] Automatically login user after account creation via Admin REST client
Message-ID:

Hi.

Our webapp is using the Keycloak Tomcat adapter. We use the Admin REST client to create a user account in Keycloak when a user subscribes for our PRO account.

We have an onboarding flow and for that we would like to log in the user just after he creates the PRO account, so not redirect to the keycloak login page and let the user fill in credentials, but do some REST call, or redirects, which will cause the adapter to log in the user automatically.

For example: a user subscribes for our PRO service, sets username and password, we make the account in Keycloak via REST, and then on the next step the user is logged in automatically. Is that possible?

I know we can log in the user using the standard Token endpoint, but that is not creating all Keycloak objects in the session (KeycloakPrincipal, AccessToken, etc). Is there any good way to do it?

Regards
Mariusz Chruscielewski - Info.nl

From Sascha.Skorupa at rwth-aachen.de Thu Feb 7 07:17:43 2019
From: Sascha.Skorupa at rwth-aachen.de (Skorupa, Sascha)
Date: Thu, 7 Feb 2019 12:17:43 +0000
Subject: [keycloak-user] Deploying Keycloak on Openshift with MariaDB persistence produces errors in logs
In-Reply-To:
References:
Message-ID: <60b86defe39d4adabd1b61ebe2d29a1b@rwth-aachen.de>

Hi,

I had the same problem with the Keycloak 4.8.3 Docker Image and a Galera Cluster. The problem seems to be in MariaDB Connector/J since version 2.2.5.
With older versions it worked, and with newer versions I need to change the connection-url to something like this:

jdbc:mariadb:failover://${SOME_URL}/${DB}
jdbc:mariadb:sequential://${SOME_URL}/${DB}

Unfortunately it was not possible to change the protocol part of that URL via Docker env variables, so I had to extend the image with some custom CLI scripts.

Cheers,
sascha

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Cristi Cioriia
Sent: Friday, 26 October 2018 15:25:09
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Deploying Keycloak on Openshift with MariaDB persistence produces errors in logs

Hello,

While deploying Keycloak 4.5.0.Final in an Openshift environment, using Mariadb (Galera) as a database produces several exceptions in the logs, all of them being related to the communication between the Keycloak server and the database. The access to the Galera server (3 instances) is performed via a Maxscale proxy. The Galera server, Maxscale (deployment of 3 pods) and Keycloak (deployment of 2 replicas) are all deployed inside Openshift, on AWS (1 master + 3 workers). I am hoping you guys can help with fixing these issues.

The errors look like below:

08:40:46,603 WARN [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (ConnectionValidator) IJ030027: Destroying connection that is not valid, due to the following exception: org.mariadb.jdbc.MariaDbConnection at 76883993: java.sql.SQLNonTransientConnectionException: (conn=24) unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
    at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175)
    at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110)
    at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228)
    at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:334)
    at org.mariadb.jdbc.MariaDbStatement.execute(MariaDbStatement.java:386)
    at org.jboss.jca.adapters.jdbc.CheckValidConnectionSQL.isValidConnection(CheckValidConnectionSQL.java:74)
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.isValidConnection(BaseWrapperManagedConnectionFactory.java:1273)
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getInvalidConnections(BaseWrapperManagedConnectionFactory.java:1086)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.validateConnections(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1442)
    at org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator$ConnectionValidatorRunner.run(ConnectionValidator.java:277)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.sql.SQLException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
Query is: SELECT 1
    at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:119)
    at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:199)
    at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:328)
    ... 9 more
Caused by: java.io.EOFException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server)
    at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacketArray(StandardPacketInputStream.java:239)
    at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacket(StandardPacketInputStream.java:207)
    at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.readPacket(AbstractQueryProtocol.java:1347)
    at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.getResult(AbstractQueryProtocol.java:1328)
    at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:196)
    ... 10 more

I suspect that the errors come from the way the jdbc data source is configured. The mariadb configurations related to connections and wait timeouts are like below:

max_connections=1000
wait_timeout=180

The second issue I noticed was the following: one of the pods in the deployments (we deploy 2 replicas of Keycloak) sometimes does not start correctly because of the following exception, which is still related to the database connection:

08:13:03,409 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
    at
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 
8 more Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) ... 
43 more Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 45 more Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) ... 
48 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1093) at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:494) at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:150) at org.mariadb.jdbc.Driver.connect(Driver.java:86) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) ... 55 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.connException(ExceptionMapper.java:83) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:606) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:477) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1089) ... 59 more Caused by: java.sql.SQLException: Error reading SessionVariables results. Socket is connected ? true at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readRequestSessionVariables(AbstractConnectProtocol.java:572) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:603) ... 
61 more

The pod is in state running, but it is not ready, as it can be seen below:

oc describe pod keycloak-787795bbcb-qng6j
Name:           keycloak-787795bbcb-qng6j
Namespace:      frame-2900
Start Time:     Thu, 25 Oct 2018 10:03:30 +0200
Labels:         application=keycloak
                pod-template-hash=3433516676
Annotations:    openshift.io/scc=restricted
Status:         *Running*
IP:             10.131.0.12
Controlled By:  ReplicaSet/keycloak-787795bbcb
Containers:
  keycloak:
    Container ID:   docker://b703c13a70ffa24f696e08996590b972ec65e6b6041f8d08f50a44372b9e4760
    Image:          jboss/keycloak
    Image ID:       docker-pullable://docker.io/jboss/keycloak at sha256:cb5c24d06f22c51ca193e6d1e930d206ef0b841a745f8e475a08e33f10b38ad4
    Ports:          8080/TCP, 8443/TCP
    *State:          Waiting*
    *  Reason:       CrashLoopBackOff*
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Thu, 25 Oct 2018 10:12:43 +0200
      Finished:     Thu, 25 Oct 2018 10:13:03 +0200
    Ready:          False
    *  Restart Count:  6*
    Liveness:       http-get http://:8080/auth/realms/master delay=60s timeout=1s period=10s #success=1 #failure=3
    Readiness:      http-get http://:8080/auth/realms/master delay=30s timeout=1s period=10s #success=1 #failure=10
    Environment:
      KEYCLOAK_USER:                 BokIm2Kl
      KEYCLOAK_PASSWORD:             o8QobI0D
      PROXY_ADDRESS_FORWARDING:      true
      DB_VENDOR:                     MARIADB
      JGROUPS_DISCOVERY_PROTOCOL:    dns.DNS_PING
      JGROUPS_DISCOVERY_PROPERTIES:  dns_query=keycloak.default.svc.cluster.local
      DB_ADDR:                       max-scale
      DB_DATABASE:                   keycloak
      DB_PORT:                       4408
      DB_USER:                       Optional: false
      DB_PASSWORD:                   Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from frame-2900-token-k8cwj (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          False
  PodScheduled   True
Volumes:
  frame-2900-token-k8cwj:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  frame-2900-token-k8cwj
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  node-role.kubernetes.io/compute=true
Tolerations:
Events:
  Type     Reason                 Age                From                                                Message
  ----     ------                 ----               ----                                                -------
  Normal   Scheduled              11m                default-scheduler                                   Successfully assigned keycloak-787795bbcb-qng6j to ip-10-0-141-24.eu-west-1.compute.internal
  Normal   SuccessfulMountVolume  11m                kubelet, ip-10-0-141-24.eu-west-1.compute.internal  MountVolume.SetUp succeeded for volume "frame-2900-token-k8cwj"
  Normal   Pulled                 7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Successfully pulled image "jboss/keycloak"
  Normal   Created                7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Created container
  Normal   Started                7m (x4 over 9m)    kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Started container
  Normal   Pulling                6m (x5 over 10m)   kubelet, ip-10-0-141-24.eu-west-1.compute.internal  pulling image "jboss/keycloak"
  Warning  BackOff                53s (x31 over 8m)  kubelet, ip-10-0-141-24.eu-west-1.compute.internal  Back-off restarting failed container

The pod is restarted several times it seems, but it does not start correctly. I deleted the pod and it was recreated automatically by Openshift and the new pod started correctly.

Then, there is a third issue that I've encountered while trying to login into the deployed application.
While entering some wrong credentials I got an error page and noticed in the logs that there is still a database connection error: 08:18:12,405 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492) at org.keycloak.models.jpa.JpaUserProvider.getUserByUsername(JpaUserProvider.java:526) at org.keycloak.storage.UserStorageManager.getUserByUsername(UserStorageManager.java:390) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:253) at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:213) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:153) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) at 
org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:48) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at 
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79) at org.hibernate.loader.Loader.getResultSet(Loader.java:2122) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1905) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1881) at org.hibernate.loader.Loader.doQuery(Loader.java:925) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:342) at org.hibernate.loader.Loader.doList(Loader.java:2622) at org.hibernate.loader.Loader.doList(Loader.java:2605) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2434) at org.hibernate.loader.Loader.list(Loader.java:2429) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:370) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1339) at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) ... 
83 more
Caused by: java.sql.SQLNonTransientConnectionException: (conn=476) Connection is closed
	at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175)
	at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110)
	at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228)
	at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:216)
	at org.mariadb.jdbc.MariaDbPreparedStatementClient.execute(MariaDbPreparedStatementClient.java:150)
	at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeQuery(MariaDbPreparedStatementClient.java:164)
	at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
	at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
	... 99 more
Caused by: java.sql.SQLException: Connection is closed
	at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.cmdPrologue(AbstractQueryProtocol.java:1711)
	at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:237)
	at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:209)
	... 103 more

After a couple of seconds, the issue disappeared, probably because Keycloak was able to get a valid connection from the connection pool.

Thanks in advance for your help.

Greetings,
Cristi

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From msakho at redhat.com Thu Feb 7 07:19:31 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 7 Feb 2019 13:19:31 +0100
Subject: [keycloak-user] keycloak-gatekeeper as a side car container
Message-ID:

Hello everyone,
I'm looking for a deployment example with keycloak-gatekeeper as side car in kubernetes or openshift.
If someone has any?
Regards,
*Meissa*

From bruno at abstractj.org Thu Feb 7 07:45:03 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 7 Feb 2019 10:45:03 -0200
Subject: [keycloak-user] keycloak-gatekeeper as a side car container
In-Reply-To:
References:
Message-ID: <20190207124503.GA19961@abstractj.org>

Hi Meissa, the closest thing to this I think is the Keycloak demo https://github.com/keycloak/keycloak-demo. Although, it still points to the old Docker image. But please, give it a try and feel free to report any issues.

The following Jira was created to track this: https://issues.jboss.org/browse/KEYCLOAK-9513

On 2019-02-07, Meissa M'baye Sakho wrote:
> Hello everyone,
> I'm looking for a deployment example with keycloak-gatekeeper as side car
> in kubernetes or openshift.
> If someone has any?
> Regards,
> *Meissa*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From msakho at redhat.com Thu Feb 7 07:49:31 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 7 Feb 2019 13:49:31 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
Message-ID:

I'm trying to connect to the cli inside a docker container built on the keycloak:4.8.3.Final docker image.
When I'm inside the container, once I execute the following command in the keycloak bin directory:
./jboss-cli.sh --connect
I'm getting the following errors when I try to type anything.
[standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
	at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
	at org.aesh.readline.Buffer.insert(Buffer.java:231)
	at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
	at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
	at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
	at org.aesh.readline.Readline.readInput(Readline.java:95)
	at org.aesh.readline.Readline.access$1000(Readline.java:57)
	at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
	at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
	at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
	at org.aesh.io.Decoder.write(Decoder.java:133)
	at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
	at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
	at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)

Any advice?

MEISSA SAKHO

From bruno at abstractj.org Thu Feb 7 07:54:46 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 7 Feb 2019 10:54:46 -0200
Subject: [keycloak-user] Gatekeeper - Documentation
In-Reply-To:
References:
Message-ID: <20190207125445.GB19961@abstractj.org>

Hi Geoffrey, one of the greatest benefits of open source is the fact that anyone can contribute to make the project better and also understand how it works. I cannot see anything more effective than this, because there's no need to ask people to do it. In the worst case scenario, there's still Jiras. But if you have a better suggestion about how we can make it better, please let us know.
On 2019-02-06, Geoffrey Cleaves wrote:
> In my experience, editing the documentation myself and making a pull
> request has been more effective in getting the docs up to date than asking
> the developers to do it. That being said, we can't do a very good job of
> updating the docs if we don't actually know all of the possible parameters
> and their function.
>
> On Wed, 6 Feb 2019 at 13:51, Andreas Wieland <
> andreas.wieland at ida-analytics.de> wrote:
>
> > Hi Keycloak Team,
> >
> > we just found out the hard way that not all possible parameters are
> > described in your online documentation.
> > We tried to use Gatekeeper as an Authorization Proxy but had problems with
> > redirections.
> >
> > After a lot of testing and fiddling we found the following parameter for
> > gatekeeper which helped:
> >
> > --base-uri value
> >
> > which helped our cause. If you start gatekeeper with the help flag it will
> > be part of the list.
> > But we used Gatekeeper with the docker image.
> >
> > Therefore, I would suggest to include a complete list of possible
> > parameters at the end of the online documentation.
> >
> > Kind regards,
> >
> > Andreas Wieland
> > Software Developer
> >
> > Intelligent Data Analytics GmbH & Co. KG
> >
> > c/o TechQuartier
> > Platz der Einheit 2
> > 60327 Frankfurt
> >
> > Mobile: 015172834024
> > Phone: 06421/4805274
> > Fax: 06421/4805275
> > E-mail: andreas.wieland at ida-analytics.de
> > Internet: www.ida-analytics.de
> >
> > Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main, registration number: HRA 49357 | VAT ID no.: DE310205810 | Tax office: Frankfurt am Main
> > General partner with personal liability: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the district court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Regards,
> Geoffrey Cleaves
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From lorenzo.luconi at iit.cnr.it Thu Feb 7 07:58:06 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Thu, 7 Feb 2019 13:58:06 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
In-Reply-To:
References:
Message-ID:

For me it works:

$ docker run -it --rm --name keycloak jboss/keycloak:4.8.3.Final

$ docker exec -it keycloak /opt/jboss/keycloak/bin/jboss-cli.sh --connect
[standalone at localhost:9990 /]

Lorenzo

> On 7 Feb 2019, at 13:49, Meissa M'baye Sakho wrote:
>
> I'm trying to connect to the cli inside a docker container built on the
> keycloak:4.8.3.Final docker image.
> When I'm inside the container, once I execute the following command in the
> keycloak bin directory.
> ./jboss-cli.sh --connect
> I'm getting the following errors when I try to type anything.
> [standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection
> (uninterruptable)" java.lang.ArithmeticException: / by zero
> at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
> at org.aesh.readline.Buffer.insert(Buffer.java:231)
> at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
> at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
> at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
> at org.aesh.readline.Readline.readInput(Readline.java:95)
> at org.aesh.readline.Readline.access$1000(Readline.java:57)
> at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
> at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
> at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
> at org.aesh.io.Decoder.write(Decoder.java:133)
> at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
> at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
> at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
> Any advice?
>
> MEISSA SAKHO
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Thu Feb 7 08:05:31 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 7 Feb 2019 14:05:31 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
In-Reply-To:
References:
Message-ID:

I might be wrong here - just guessing...

My intuition tells me that aesh can't find the console (System.out or System.in). Perhaps you're running the image in non-interactive mode (without `-it`) or in a non-interactive environment (maybe an S2I build or something, stage build or anything similar to that).
In such a case, you'd need to use the embedded server mode for the cli. Here's how I did it ages ago for the Cache Service (Red Hat Data Grid) [1]. [1] https://github.com/jboss-container-images/datagrid-7-image/blob/datagrid-services-dev/modules/os-datagrid-online-services-configuration/src/main/bash/profiles/caching-service.cli On Thu, Feb 7, 2019 at 1:59 PM Lorenzo Luconi Trombacchi < lorenzo.luconi at iit.cnr.it> wrote: > For me it works: > > $ docker run -it --rm --name keycloak jboss/keycloak:4.8.3.Final > > $ docker exec -it keycloak /opt/jboss/keycloak/bin/jboss-cli.sh --connect > [standalone at localhost:9990 /] > > Lorenzo > > > Il giorno 7 feb 2019, alle ore 13:49, Meissa M'baye Sakho < > msakho at redhat.com> ha scritto: > > > > I'm trying to connect to the cli inside a docker container built on the > > keycloak:4.8.3.Final docker image. > > When I'm inside the container, once I execute the following command i the > > keycloak bin directory. > > ./jboss-cli.sh --connect > > I'm getting the following eroors when I try to type anything. 
> > [standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
> >     at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
> >     at org.aesh.readline.Buffer.insert(Buffer.java:231)
> >     at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
> >     at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
> >     at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
> >     at org.aesh.readline.Readline.readInput(Readline.java:95)
> >     at org.aesh.readline.Readline.access$1000(Readline.java:57)
> >     at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
> >     at org.aesh.io.Decoder.write(Decoder.java:133)
> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
> >     at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
> > Any advice?
> >
> > MEISSA SAKHO
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From msakho at redhat.com Thu Feb 7 08:06:54 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 7 Feb 2019 14:06:54 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
In-Reply-To: References: Message-ID:

Lorenzo,
you have to type something once connected to the CLI. Just after your command.
Try this one for example (or any other):
/core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)

MEISSA SAKHO
ARCHITECT EMEA TECH SPECIALIST
Red Hat
M: +33 (0) 6 9559 7778
TRIED. TESTED. TRUSTED.

On Thu, 7 Feb 2019 at 13:58, Lorenzo Luconi Trombacchi <lorenzo.luconi at iit.cnr.it> wrote:

> For me it works:
>
> $ docker run -it --rm --name keycloak jboss/keycloak:4.8.3.Final
>
> $ docker exec -it keycloak /opt/jboss/keycloak/bin/jboss-cli.sh --connect
> [standalone at localhost:9990 /]
>
> Lorenzo
>
> > On 7 Feb 2019, at 13:49, Meissa M'baye Sakho <msakho at redhat.com> wrote:
> >
> > I'm trying to connect to the CLI inside a docker container built on the
> > keycloak:4.8.3.Final docker image.
> > When I'm inside the container, once I execute the following command in the
> > keycloak bin directory:
> > ./jboss-cli.sh --connect
> > I'm getting the following errors when I try to type anything.
> > [standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
> >     at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
> >     at org.aesh.readline.Buffer.insert(Buffer.java:231)
> >     at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
> >     at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
> >     at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
> >     at org.aesh.readline.Readline.readInput(Readline.java:95)
> >     at org.aesh.readline.Readline.access$1000(Readline.java:57)
> >     at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
> >     at org.aesh.io.Decoder.write(Decoder.java:133)
> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
> >     at
> > org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
> >     at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
> > Any advice?
> >
> > MEISSA SAKHO
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From lorenzo.luconi at iit.cnr.it Thu Feb 7 08:09:28 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Thu, 7 Feb 2019 14:09:28 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
In-Reply-To: References: Message-ID:

> On 7 Feb 2019, at 14:06, Meissa M'baye Sakho wrote:
>
> Lorenzo,
> you have to type something once connected to the CLI. Just after your command.

Yes, anyway I tried your command too.

> Try this one for example (or any other):
> /core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)

[standalone at localhost:9990 /] /core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)
{
    "outcome" => "success",
    "result" => {
        "[Standalone]" => "",
        "awt.toolkit" => "sun.awt.X11.XToolkit",
        "file.encoding" => "UTF-8",
        "file.encoding.pkg" => "sun.io",
        "file.separator" => "/",
        "java.awt.graphicsenv" => "sun.awt.X11GraphicsEnvironment",
        "java.awt.headless" => "true",
        "java.awt.printerjob" => "sun.print.PSPrinterJob",
        "java.class.path" => "/opt/jboss/keycloak/jboss-modules.jar",
        "java.class.version" => "52.0",
        "java.endorsed.dirs" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/endorsed",
        "java.ext.dirs" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/ext:/usr/java/packages/lib/ext",
        "java.home" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre",
        "java.io.tmpdir" => "/tmp",
        "java.library.path" => "/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib",
        "java.naming.factory.url.pkgs" => "org.jboss.as.naming.interfaces",
        "java.net.preferIPv4Stack" => "true",
        ...

Lorenzo

>
> MEISSA SAKHO
> ARCHITECT EMEA TECH SPECIALIST
> Red Hat
> M: +33 (0) 6 9559 7778
>
> TRIED. TESTED. TRUSTED.
>
> On Thu, 7 Feb 2019 at 13:58, Lorenzo Luconi Trombacchi wrote:
> For me it works:
>
> $ docker run -it --rm --name keycloak jboss/keycloak:4.8.3.Final
>
> $ docker exec -it keycloak /opt/jboss/keycloak/bin/jboss-cli.sh --connect
> [standalone at localhost:9990 /]
>
> Lorenzo
>
> > On 7 Feb 2019, at 13:49, Meissa M'baye Sakho wrote:
> >
> > I'm trying to connect to the CLI inside a docker container built on the
> > keycloak:4.8.3.Final docker image.
> > When I'm inside the container, once I execute the following command in the
> > keycloak bin directory:
> > ./jboss-cli.sh --connect
> > I'm getting the following errors when I try to type anything.
> > [standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
> >     at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
> >     at org.aesh.readline.Buffer.insert(Buffer.java:231)
> >     at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
> >     at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
> >     at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
> >     at org.aesh.readline.Readline.readInput(Readline.java:95)
> >     at org.aesh.readline.Readline.access$1000(Readline.java:57)
> >     at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
> >     at org.aesh.io.Decoder.write(Decoder.java:133)
> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
> >     at
> > org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
> >     at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
> > Any advice?
> >
> > MEISSA SAKHO
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From msakho at redhat.com Thu Feb 7 08:14:02 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Thu, 7 Feb 2019 14:14:02 +0100
Subject: [keycloak-user] issue with jboss/keycloak:4.8.3.Final image
In-Reply-To: References: Message-ID:

So there is something wrong on my side. I'm checking it.

On Thu, 7 Feb 2019 at 14:09, Lorenzo Luconi Trombacchi <lorenzo.luconi at iit.cnr.it> wrote:

>
> > On 7 Feb 2019, at 14:06, Meissa M'baye Sakho <msakho at redhat.com> wrote:
> >
> > Lorenzo,
> > you have to type something once connected to the CLI. Just after your
> > command.
>
> Yes, anyway I tried your command too.
>
> > Try this one for example (or any other):
> > /core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)
>
> [standalone at localhost:9990 /] /core-service=platform-mbean/type=runtime:read-attribute(name=system-properties)
> {
>     "outcome" => "success",
>     "result" => {
>         "[Standalone]" => "",
>         "awt.toolkit" => "sun.awt.X11.XToolkit",
>         "file.encoding" => "UTF-8",
>         "file.encoding.pkg" => "sun.io",
>         "file.separator" => "/",
>         "java.awt.graphicsenv" => "sun.awt.X11GraphicsEnvironment",
>         "java.awt.headless" => "true",
>         "java.awt.printerjob" => "sun.print.PSPrinterJob",
>         "java.class.path" => "/opt/jboss/keycloak/jboss-modules.jar",
>         "java.class.version" => "52.0",
>         "java.endorsed.dirs" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/endorsed",
>         "java.ext.dirs" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/ext:/usr/java/packages/lib/ext",
>         "java.home" => "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre",
>         "java.io.tmpdir" => "/tmp",
>         "java.library.path" => "/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib",
>         "java.naming.factory.url.pkgs" => "org.jboss.as.naming.interfaces",
>         "java.net.preferIPv4Stack" => "true",
>         ...
>
> Lorenzo
>
> > MEISSA SAKHO
> > ARCHITECT EMEA TECH SPECIALIST
> > Red Hat
> > M: +33 (0) 6 9559 7778
> > TRIED. TESTED. TRUSTED.
> >
> > On Thu, 7 Feb 2019 at 13:58, Lorenzo Luconi Trombacchi <lorenzo.luconi at iit.cnr.it> wrote:
> >
>> For me it works:
>>
>> $ docker run -it --rm --name keycloak jboss/keycloak:4.8.3.Final
>>
>> $ docker exec -it keycloak /opt/jboss/keycloak/bin/jboss-cli.sh --connect
>> [standalone at localhost:9990 /]
>>
>> Lorenzo
>>
>> > On 7 Feb 2019, at 13:49, Meissa M'baye Sakho <msakho at redhat.com> wrote:
>> >
>> > I'm trying to connect to the CLI inside a docker container built on the
>> > keycloak:4.8.3.Final docker image.
>> > When I'm inside the container, once I execute the following command in
>> > the keycloak bin directory:
>> > ./jboss-cli.sh --connect
>> > I'm getting the following errors when I try to type anything.
>> > [standalone at localhost:9990 /] Exception in thread "CLI Terminal Connection (uninterruptable)" java.lang.ArithmeticException: / by zero
>> >     at org.aesh.readline.Buffer.printInsertedData(Buffer.java:582)
>> >     at org.aesh.readline.Buffer.insert(Buffer.java:231)
>> >     at org.aesh.readline.AeshConsoleBuffer.writeChar(AeshConsoleBuffer.java:130)
>> >     at org.aesh.readline.Readline$AeshInputProcessor.parse(Readline.java:262)
>> >     at org.aesh.readline.Readline$AeshInputProcessor.access$100(Readline.java:174)
>> >     at org.aesh.readline.Readline.readInput(Readline.java:95)
>> >     at org.aesh.readline.Readline.access$1000(Readline.java:57)
>> >     at org.aesh.readline.Readline$AeshInputProcessor.lambda$start$1(Readline.java:333)
>> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:118)
>> >     at org.aesh.terminal.EventDecoder.accept(EventDecoder.java:31)
>> >     at org.aesh.io.Decoder.write(Decoder.java:133)
>> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:216)
>> >     at org.aesh.readline.tty.terminal.TerminalConnection.openBlocking(TerminalConnection.java:203)
>> >     at org.jboss.as.cli.impl.ReadlineConsole$CLITerminalConnection.lambda$null$1(ReadlineConsole.java:176)
>> > Any advice?
>> >
>> > MEISSA SAKHO
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From arlen.thurber at datastax.com Thu Feb 7 11:16:56 2019
From: arlen.thurber at datastax.com (Arlen Thurber)
Date: Thu, 7 Feb 2019 08:16:56 -0800
Subject: [keycloak-user] Identity first login flow
Message-ID:

Hello Keycloak community,

I am looking for more information on a custom authentication method named Identity first login flow. I found this concept in a Keycloak Jira ticket https://issues.jboss.org/browse/KEYCLOAK-1514 . The issue was opened 03/Jul/15. There was a discussion back in February of 2018 that mentioned that this functionality would be offered "out of the box", http://lists.jboss.org/pipermail/keycloak-dev/2018-February/010416.html , but I can't find any more mention of it, and the issue was just recently put into triage on 22/Jan/19.

In the description of Identity first login flow:

"This makes it possible to not require a password for a user when other authentication mechanisms are used (for example fingerprint, two-way ssl, etc.). Also, it allows automatically redirecting to an external IdP when the user is linked to an external IdP (either the user used the IdP to login before or an email domain has been configured to the IdP)."

Does anyone have any more information about this concept, an example of it working, or advice on how this login flow could be achieved?

Thank you,
Arlen

From ian at ianduffy.ie Thu Feb 7 11:36:23 2019
From: ian at ianduffy.ie (Ian Duffy)
Date: Thu, 7 Feb 2019 16:36:23 +0000
Subject: [keycloak-user] Realm lookup from Realm ID (not realm name)
Message-ID:

Hi All,

I'm using an Event SPI to publish create user Keycloak events into ActiveMQ.

These events are consumed and stored into another service that allows for realm to username/email mappings.

The Event payload contains the Realm ID (a UUID) rather than the Realm Name. I'm not seeing any way to query the realm through the API via Realm ID. Is there an approach for converting Realm ID to Realm Name?

Thanks,
Ian.

From imartynovsp at gmail.com Thu Feb 7 11:59:01 2019
From: imartynovsp at gmail.com (Мартынов Илья)
Date: Thu, 7 Feb 2019 19:59:01 +0300
Subject: [keycloak-user] RP-initiated backchannel logout
In-Reply-To: References: Message-ID:

Thanks to Dmitry Telegin, here is the solution.

Need to POST to end_session_endpoint, in my case https:// /auth/realms/sr1/protocol/openid-connect/logout/?refresh_token= with an Authorization header equal to "Basic base64(client_id:client_secret)".

The only problem is that the value of client_id and client_secret in the Authorization header should be url-encoded according to section 2.3.1 of the OAuth spec ( https://www.rfc-editor.org/rfc/rfc6749.txt). But KC does not perform url-decode if client_id/secret is taken from the header. I want to make a fix for it (add url-decode). Will it be accepted?

On Mon, 21 Jan 2019 at 11:10, Мартынов Илья wrote:

> Hello,
> My RP should support dropping a user's session by an admin. I need to drop the KC
> session together with the RP's session. But I can't use frontchannel here as
> the admin is dropping the session for another user. So RP-initiated backchannel
> logout is required. I see no docs about this functionality in KC. We use
> OpenID Connect between RP and KC, so I've searched the protocol specs.
> From section "3. RP-Initiated Logout Functionality" of
> https://openid.net/specs/openid-connect-backchannel-1_0.html and from
> section "5. RP-Initiated Logout" of
> https://openid.net/specs/openid-connect-session-1_0.html one can conclude
> that sending a backchannel request to end_session_endpoint with the ID token
> should drop the session on the KC side.
>
> Could you please comment, is my understanding correct?
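The back-channel logout described in the message above, as an added example that is not part of the thread: a small Python client that builds the client_secret_basic Authorization header and POSTs the refresh_token to the realm's logout endpoint. The host, realm, client id, secret and token are placeholders. Two choices are made here that the message does not spell out and are assumptions of this example: the refresh_token is sent in the form body rather than the query string (so it does not appear in request-line logs; the Keycloak logout endpoint is assumed to read it from the POST form), and the Authorization header can be built either raw or form-encoded per RFC 6749 section 2.3.1, so you can see exactly which bytes differ for a secret with reserved characters. The message reports that the raw form is what Keycloak accepted; the example defaults to that and does not settle what any given Keycloak version does.

```python
"""RP-initiated back-channel logout against Keycloak.

Added example, not code from the thread or from Keycloak.  Host, realm,
client id, secret and refresh token are placeholders; the network layer is
injectable so the request can be exercised offline.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request


def basic_client_auth(client_id: str, client_secret: str, rfc6749_encode: bool = False) -> str:
    """Return an HTTP Basic Authorization value for client_secret_basic.

    RFC 6749 section 2.3.1 requires client_id and client_secret to be
    application/x-www-form-urlencoded before they are joined with ':' and
    base64-encoded.  The message above reports that Keycloak read the header
    without decoding it, so the raw form is the default; rfc6749_encode=True
    produces the spec-conformant header.  Secrets containing ':', '%', '@'
    or '/' are where the two forms differ.
    """
    if rfc6749_encode:
        client_id = urllib.parse.quote(client_id, safe="")
        client_secret = urllib.parse.quote(client_secret, safe="")
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def decode_basic(header_value: str) -> str:
    """Inverse of basic_client_auth: what a server sees after base64-decoding."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(encoded).decode("utf-8")


def build_logout_request(base_url: str, realm: str, client_id: str, client_secret: str,
                         refresh_token: str, rfc6749_encode: bool = False):
    """Return (url, headers, body) for the back-channel logout POST.

    The refresh_token travels in the form body, not the query string, so it
    stays out of access logs and proxy request-line logging.  The realm name
    is percent-encoded so an odd realm name cannot alter the path.
    """
    url = "{}/auth/realms/{}/protocol/openid-connect/logout".format(
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    headers = {
        "Authorization": basic_client_auth(client_id, client_secret, rfc6749_encode),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"refresh_token": refresh_token}).encode("ascii")
    return url, headers, body


def backchannel_logout(base_url, realm, client_id, client_secret, refresh_token,
                       opener=urllib.request.urlopen, rfc6749_encode=False) -> int:
    """POST the logout and return the HTTP status.

    Keycloak answers 204 when the session behind the refresh token was
    revoked.  A 4xx (typically invalid_grant) means the token was already
    unusable; the status is returned rather than raised so the caller can
    decide whether "already gone" counts as success for an admin-initiated
    logout.
    """
    url, headers, body = build_logout_request(base_url, realm, client_id, client_secret,
                                              refresh_token, rfc6749_encode)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class StubResponse:
    """Stand-in for the urlopen response so the demo runs without a server."""

    def __init__(self, status: int):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Offline demo against a constructed stub; replace the opener with the
    # default urlopen and use a real host, client and token in practice.
    def stub_opener(req, timeout=None):
        assert req.get_method() == "POST"
        assert req.get_header("Authorization").startswith("Basic ")
        assert b"refresh_token=" in req.data
        return StubResponse(204)

    print(backchannel_logout("https://sso.example.test", "sr1", "my-rp", "s3cret",
                             "rt.placeholder", opener=stub_opener))
    # What the server sees for a secret with reserved characters, raw vs RFC 6749:
    for enc in (False, True):
        print(enc, decode_basic(basic_client_auth("my-rp", "p@ss:w/rd", enc)))
```

Run it against a real deployment by dropping the `opener` argument; the client must be confidential (it needs a secret) and must be the client the refresh token was issued to, otherwise Keycloak rejects the request.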
From dt at acutus.pro Thu Feb 7 12:05:00 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 07 Feb 2019 20:05:00 +0300
Subject: [keycloak-user] Realm lookup from Realm ID (not realm name)
In-Reply-To: References: Message-ID: <1549559100.3785.1.camel@acutus.pro>

Hello Ian,

Please try this:

session.realms().getRealm(id).getName();

KeycloakSession is available in the factory, so you should pass it to the provider instance, e.g. via a constructor argument.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-02-07 at 16:36 +0000, Ian Duffy wrote:
> Hi All,
>
> I'm using an Event SPI to publish create user keycloak events into ActiveMQ.
>
> These events are consumed and stored into another service that allows for realm
> to username/email mappings.
>
> The Event payload contains the Realm ID (a UUID) rather than the Realm
> Name. I'm not seeing any way to query the realm through the API via Realm
> ID. Is there an approach for converting Realm ID to Realm Name?
>
> Thanks,
> Ian.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From andrew.j.alexander at gmail.com Thu Feb 7 15:11:34 2019
From: andrew.j.alexander at gmail.com (Andrew J. Alexander)
Date: Thu, 7 Feb 2019 15:11:34 -0500
Subject: [keycloak-user] Native iOS Facebook auth
Message-ID:

I am seeing this thread: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html

And I am wondering a similar question - is there a way to use a native Facebook access token to authenticate with Keycloak?

Facebook is saying that they want my client to update their app to use the Facebook SDK for login as opposed to a non-standard SDK (i.e. AeroGear/Keycloak).

I am trying to use the token provided by Facebook on successful login, with absolutely no luck.
What is the recommended way (or is there a guide) on how to do this?

From luke at code-house.org Thu Feb 7 19:38:06 2019
From: luke at code-house.org (luke at code-house.org)
Date: Fri, 8 Feb 2019 01:38:06 +0100
Subject: [keycloak-user] Password less keycloak with OIDC Federation
Message-ID:

Hi all,
I've been going through a new Keycloak use case and ran into a situation where I am not certain which SPI or API to use.

First of all, I would like users to not have any passwords and not see Keycloak most of the time. I already confirmed that such a state can be achieved with extra parameters for authorisation and identity brokering links, which is great.

The second part of the scenario goes as follows:
1. I have an external IdP which I trust entirely, let's say Google.
2. I don't want to store user accounts - Google does it well.
3. Keycloak is a token mapper with the possibility to store extra attributes.
4. Any personal information should be pseudo-anonymised (GDPR).
5. It would be great if I could log in the user automatically with the provider token sent to my service.

I went over the developer docs and administration too. There is a paragraph about user federation and storage and a few sentences about importing users. Based on these I can not really determine which one I should follow. I do not want to import users as there might be quite a lot of them. Copying entire profile information will occupy a lot of space and require syncing which I do not really want to do.

Assuming that I will manage to get user federation (with no import) based on social broker login, will it be an abuse of Keycloak's abilities? Will Keycloak behave properly if I mock it in a way that when the identity broker asks about a federated account, it will always get a copy of its own data back? I found some pointers to use a custom Authenticator, however I am not sure if it's gonna fly as I haven't found any confirmation that such a way will actually work.

Kind regards,
Łukasz

--
Code-House
http://code-house.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190208/aed4ce28/attachment.bin

From Leigh.Kennedy at qlik.com Thu Feb 7 22:01:07 2019
From: Leigh.Kennedy at qlik.com (Leigh Kennedy)
Date: Fri, 8 Feb 2019 03:01:07 +0000
Subject: [keycloak-user] Microsoft identity provider
Message-ID:

I am trying to set up Microsoft as an identity provider as per the instructions here: https://www.keycloak.org/docs/4.8/server_admin/#microsoft

However after being redirected to Microsoft and logging in, I get the following error:

"AADSTS50194: Application '35199672-0b05-45e0-8488-30e143f7902a' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant."

However I don't see anywhere I can control the endpoints Keycloak talks to at Microsoft.

Has anyone done this? I get the feeling either Microsoft has changed some default, or the docs are missing something, or both.

Thanks.
Leigh Kennedy

From ian at ianduffy.ie Fri Feb 8 03:45:47 2019
From: ian at ianduffy.ie (Ian Duffy)
Date: Fri, 8 Feb 2019 08:45:47 +0000
Subject: [keycloak-user] Require admins to specific email addresses for new users
Message-ID:

Hi All,

I'm wanting to use Keycloak in a multi-tenant environment where each tenant is a new realm. The tenant administrators should have access to manage the realm in order to add users, groups, configure identity providers and so on.

For my multi-tenant setup, I'm copying something similar to slack.com and their multiple workspaces.

- There should be a tenant onboarding system that will allow users to sign up to the system.
Before creating a new tenant they must be authenticated against a client-id for the tenant manager. This authentication is just email verification using the magic link extension https://github.com/stianst/keycloak-experimental . Tenant creation is done by using the credentials of the master realm; the tenant manager will take in a tenant name and password, it will then go off and create a realm matching this name, a new user in that realm matching the verified email address used to create the realm and the supplied password, and a client for the tenanted application which will be served via a vanity URL, e.g. tenant.example.org.

- Allow discovery of which tenants my email address exists within. I've configured Keycloak using https://github.com/thomasdarimont/wjax2018-spring-keycloak/tree/master/idm-system/keycloak/extensions/jms-event-forwarder to emit events to JMS. My tenant manager picks up these events and maintains a database of realm/tenant <-> email mappings. As such, the tenant manager is able to provide a verified email address with a list of tenants it's associated with.

- Allow passwordless login to an associated tenant or a created tenant. Before a user can create a tenant or list a tenant they are associated with they must verify their email address. As the user is verified, it makes little sense to have them log in to newly created tenants or to associated tenants discovered via the tenant manager. The tenant manager uses impersonation to generate a cookie and places it into the user's browser to allow for a seamless transition from the tenant manager to the tenant. Users accessing the tenant directly via the vanity URL will always be prompted for their tenant-specific username/password.

The system I've described above assumes that each user uses their email address as their username or that they have a valid email address configured for their account. As mentioned above, I would like to hand off user creation to the tenant administrators.
Is there any way to enforce that users created by the tenant administrators in the Keycloak console must have email add resses and the email addresses must be verified on first login?

My only thought for achieving this so far is to listen to user created events and for each one, always turn on "Update profile" and "Verify email", as this will force the user to do those things on first login. However, it would be neat to be able to modify Keycloak to have these as defaults for every user created within the realm.

Thanks,
Ian.

From luke at code-house.org Fri Feb 8 05:59:11 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Fri, 8 Feb 2019 11:59:11 +0100
Subject: [keycloak-user] Password less keycloak with OIDC Federation
In-Reply-To: References: Message-ID: <43fbfd04-fadf-9015-3484-7ba8937e7165@code-house.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I went through the code, found a "RealmBean.isPassword" method and after a few moments of sniffing managed to find a solution. It is necessary to disable the username password form in the browser flow.

By disabling the username password form and having the Identity Provider Redirector in place, pinned to my favorite service, I get an automatic redirect to the external IdP. What is interesting - leaving the IdP redirector unconfigured caused troubles.

The second part of the process is still relevant and a big mystery - how to avoid creation of an account in Keycloak and how to do pseudo-anonymisation.

Best regards,
Łukasz
- --
Code-House
http://code-house.org

On 08.02.2019 01:38, luke at code-house.org wrote:
> Hi all, I've been going through a new Keycloak use case and ran into a
> situation where I am not certain which SPI or API to use. First of
> all, I would like users to not have any passwords and not see
> Keycloak most of the time. I already confirmed that such a state can
> be achieved with extra parameters for authorisation and identity
> brokering links, which is great.
>
> The second part of the scenario goes as follows:
> 1. I have an external IdP which I trust entirely, let's say Google.
> 2. I don't want to store user accounts - Google does it well.
> 3. Keycloak is a token mapper with the possibility to store extra attributes.
> 4. Any personal information should be pseudo-anonymised (GDPR).
> 5. It would be great if I could log in the user automatically with the
> provider token sent to my service.
>
> I went over the developer docs and administration too. There is a
> paragraph about user federation and storage and a few sentences about
> importing users. Based on these I can not really determine which
> one I should follow. I do not want to import users as there might
> be quite a lot of them. Copying entire profile information will
> occupy a lot of space and require syncing which I do not really
> want to do.
>
> Assuming that I will manage to get user federation (with no import)
> based on social broker login, will it be an abuse of Keycloak's
> abilities? Will Keycloak behave properly if I mock it in a way
> that when the identity broker asks about a federated account,
> it will always get a copy of its own data back? I found some pointers
> to use a custom Authenticator, however I am not sure if it's gonna
> fly as I haven't found any confirmation that such a way will actually
> work.
>
> Kind regards,
> Łukasz
> --
> Code-House
> http://code-house.org
>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEADg9iP9JyIvtOw5OAdrcj4PeJmUFAlxdYP8ACgkQAdrcj4Pe
JmW5Xg/9H8gevRuEtoWkaN/TkURpxcdcq6LC7DG55IC2zCVzqkb2GvCluRiJ12Kp
DhkX/ge7mr9RRhqfMDd6TmGZYr5eb4PGEFjZSOdkcfRhd2eur6AL60lb/8scLoGI
+8CNJRTOLYNwwCn6XKS9hc6dDuWP+Qp05xktH/nYCu/OE1eq3xZA0e7a5oCKLTzY
+edYuopjAYUpBf8kJEzl6efwmEH5rNyv6L0MYBIDZRLhdIOsAWLXCMCZ/fN7VjNj
Yn38yEDhYqFY7ldGBQBmgsYTykqw0umFiiS2imksCBN1R6D0VbQtPf329XfU6jkM
yWAngySNVIP7DkRW6m+zLeGeu9tW+JUcbl5h+xpfhFadGIIAcc9YkJmdB0dZ3ucp
B+fExtoE4Zb0QGaZr3UbIlHhpYWOLWeImJFnph9aEXdDpmaE/4OQlmzBnPf/eT0R
1wWV4UUPBEco1G9NUSR+bqkX4evaZcVcW2bu1PmnJ28E5rZm/drlMh7EG0tF6TeO
Y7Up1fOBKDaj1Y73Zr1v7yZIAdF3EVCJFV/FcV5lfKcmN/D3rOu0bsJTwTUKNs9I
5cGCclxR9jA06WQa1uuzzAyf86MzRqYek64f+kEMkjf2voNYPvRYbw6nU9Z+4l9c
ERVLuMg8mY5MoMhoNdxaj2WcLmZcDL7zMzs3P9g0jWDDHcbiOiE=
=1Y8v
-----END PGP SIGNATURE-----

From uo67113 at gmail.com Fri Feb 8 08:25:52 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Fri, 8 Feb 2019 14:25:52 +0100
Subject: [keycloak-user] Issue with SAML AuthnRequest
In-Reply-To: <20190208083404.auebd2mkpnvdborx@spirit6.local>
References: <20190205100934.mybiqca6gnhkic56@spirit6.local> <20190208083404.auebd2mkpnvdborx@spirit6.local>
Message-ID:

Hello Max,

mmm, I would need to get my hands dirty again with this. This reminds me that I had an issue with the logout verification signature, see here [1].

Would disabling the signature for the auth request be acceptable for your system? Our security team is OK with this, or maybe they never realized ;)

Cheers,

Luis

[1] http://lists.jboss.org/pipermail/keycloak-user/2018-September/015420.html

On Fri, 8 Feb 2019 at 9:34, wrote:

> Hi,
>
> On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> > May I ask you what is the client implementation?
For my dev environment, > > using the tomcat saml adapter in the SP side and Keycloak > > 4.8.2.Final-SNAPSHOT in the IdP one is working: > > It is strange: going in remote debug with eclipse (running in local in my > MacOS), > I have been able to obtain a succesful redirect, and I did not see any > trivial > points on how the assertion signature could be damaged. > > I'll investigate for encoding issues on the Linux machine. > > In the code, the only point in which the assertion is marshalled to DOM is > through > a call to parse() on the inputstream. > > The DOM builder factory is assigned to the threadlocal: why? Can it be > a threading issue, knowing the no thread safety of the dom implementation? > > > -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett From andreas.wieland at IDA-Analytics.de Fri Feb 8 08:49:13 2019 From: andreas.wieland at IDA-Analytics.de (Andreas Wieland) Date: Fri, 8 Feb 2019 13:49:13 +0000 Subject: [keycloak-user] Microsoft identity provider In-Reply-To: References: Message-ID: Hi Leigh, in your azure configuration, you have to set your endpoint to be multi-tenant. A description how to do that can be found here: https://docs.microsoft.com/de-de/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#update-registration-to-be-multi-tenant kind regards, Andreas Wieland Software Entwickler ?[cid:ed998f13-1426-4194-8bf5-1deebe29570e] Intelligent Data Analytics GmbH & Co. KG c/o TechQuartier Platz der Einheit 2 60327 Frankfurt Mobil: 015172834024 Telefon: 06421/4805274 Telefax: 06421/4805275 E-Mail: andreas.wieland at ida-analytics.de Internet: www.ida-analytics.de Unternehmenssitz: Frankfurt am Main | Handelsregister beim Amtsgericht: Frankfurt am Main, Registernummer: HRA 49357 | USt. 
ID no.: DE310205810 | Tax office: Frankfurt am Main Personally liable partner: IDA Intelligent Data Analytics GmbH | Registered office: Frankfurt am Main | Commercial register at the local court: Frankfurt am Main | Commercial register number: HRB 106805 | Managing directors: Mohamed Ayadi, Dipl.-Inf. Nils Björn Krugmann, Dipl.-Inf. Matthias Leinweber, Dipl.-Inf. Marc Seidemann ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Leigh Kennedy Sent: Friday, February 8, 2019 04:01 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Microsoft identity provider I am trying to set up Microsoft as an identity provider as per the instructions here: https://www.keycloak.org/docs/4.8/server_admin/#microsoft However, after being redirected to Microsoft and logging in, I get the following error: "AADSTS50194: Application '35199672-0b05-45e0-8488-30e143f7902a' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant." However, I don't see anywhere I can control the endpoints Keycloak talks to at Microsoft. Has anyone done this? I get the feeling either Microsoft has changed some default, or the docs are missing something, or both. Thanks. Leigh Kennedy _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
From geoff at opticks.io Fri Feb 8 14:57:03 2019 From: geoff at opticks.io (Geoffrey Cleaves) Date: Fri, 8 Feb 2019 20:57:03 +0100 Subject: [keycloak-user] Get all users with scope X to resource Y Message-ID: Hi, how would I go about getting a list of all the users who have a certain scope to a resource? Can it be done via the REST API? "Hey Keycloak, who can edit bank account 7?" Thanks From psilva at redhat.com Fri Feb 8 15:33:51 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 8 Feb 2019 18:33:51 -0200 Subject: [keycloak-user] Get all users with scope X to resource Y In-Reply-To: References: Message-ID: Hi, That is not possible. The evaluation is really based on a subject. Something like that would require a lot of processing ... On Fri, Feb 8, 2019 at 6:05 PM Geoffrey Cleaves wrote: > Hi, how would I go about getting a list of all the users who have a certain > scope to a resource? Can it be done via the REST API? > > "Hey Keycloak, who can edit bank account 7?" > > Thanks > From bepittman at amplify.com Fri Feb 8 15:53:44 2019 From: bepittman at amplify.com (Ben Pittman) Date: Fri, 8 Feb 2019 15:53:44 -0500 Subject: [keycloak-user] Ability for user to have multiple IDP's of the same type per user Message-ID: Just wondering if anyone else would find this functionality useful. I have a custom IDP (not Google but similar, let's call it Acme IDP) that allows a single email to have multiple identities. For example, me at acme.com could log in as an ADMINISTRATOR or a PURCHASER, with the only difference being what Keycloak calls the federated_user_id returned from ACME.
Currently this isn't supported in Keycloak because of the foreign key constraint on the federated_identity table (identity_provider, user_id). If this constraint is changed to (identity_provider, federated_user_id, user_id) and the FederatedIdentityEntity.java class is changed to represent the new constraint, then voila, I can support multiple IdPs of the same type per user. Just wondering if this has ever come up for anyone else before. Regards, Ben From Johny.Dee at seznam.cz Mon Feb 11 04:53:41 2019 From: Johny.Dee at seznam.cz (Vaclav Havlik) Date: Mon, 11 Feb 2019 10:53:41 +0100 (CET) Subject: [keycloak-user] TCPPING problem. References: <132L.4OIY.4yZG0TU0L{r.1SKjNt@seznam.cz> Message-ID: <1F4h.4PhI.4nYF{KAomAy.1SOKOb@seznam.cz> Hello. Sorry, after some investigation I got it to work. The problem seems to have been that I have to use a concrete address in the interface, not any-addr. But here is another, smaller problem. I have 2 instances of Keycloak on 2 different computers, namely 10.0.206.31 and 10.0.206.32. Config files and log files are attached. I also use an httpd load-balancer in front of them. It works very well with my specialized webapp called web_app_clustering, which is also attached. It is a plain webapp, thus JSESSIONID is always sent. Now with Keycloak, I have set up a realm and SPNEGO & TOTP to log into /auth/realms//account. The goal is to keep the session and avoid the TOTP form again. 1. Keycloak sends AUTH_SESSION_ID, KEYCLOAK_IDENTITY and KEYCLOAK_SESSION, and it is not 100% reliable. Sometimes, when I log in to one instance and then I start the other instance and stop the first instance, it empties the cookies and displays the TOTP form again. But sometimes it works. 2. I wanted to experiment with the attribute mode ( SYNC / ASYNC ) of replicated-cache / distributed-cache, but it errors that there is no such attribute. I am also attaching timeouts for the realm. Thank you, Venca. ---------- Original
e-mail ---------- From: Sebastian Laskawiec To: Vaclav Havlik Date: 31. 1. 2019 13:42:35 Subject: Re: [keycloak-user] TCPPING problem. "Hey Vaclav, Could you please send us your configuration xml (make sure you're using standalone-ha.xml) and output of your logs? Thanks, Sebastian On Thu, Jan 31, 2019 at 12:04 PM Vaclav Havlik wrote: > Dears, > I would like to ask a question. > > I have Wildfly, version WildFly Full 14.0.1.Final > (WildFly Core 6.0.2.Final). > And then I have Keycloak, version Keycloak 4.7.0.Final > > (WildFly Core 6.0.2.Final). > > Static cluster configuration, using TCPPING, works in Wildflys, but does > not > work in Keycloaks. > > I always have 2 instances on localhost (browser thus sends them the same > JSESSIONID). On both I have deployed a testing clustering webapp, with > which to test if sessions are replicated. But Keycloaks do not pass > sessions to each other. I can see that when the page from the second > instance is reloaded in the browser, it sends a Set-Cookie header with another > cookie, as it obviously does not know the JSESSIONID from the first > instance. > > With Wildflys the same does work. > > Can you tell me, is there any reason why this is the case, when Keycloak > uses Wildfly? > > Thank you. With regards V. Havlik. " -------------- next part -------------- A non-text attachment was scrubbed...
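Vaclav's symptom (cookies emptied and the TOTP form shown again after one of two nodes is stopped) is what you get when a session entry lives on exactly one node. In the standalone-ha.xml shipped with Keycloak 4.x the session caches in the "keycloak" cache-container are distributed caches with owners="1" (Sebastian's reply further down the thread makes the same point), so the node that currently owns an entry is the only node that has it. What follows is an added example, not Keycloak project code: it parses the cache-container, lists the caches that hold a single copy, checks whether a given owner count survives a node failure, and rewrites the owners attribute. SAMPLE_HA_XML is a constructed fragment modelled on that configuration; the namespace URI urn:jboss:domain:infinispan:6.0 is an assumption, and the code matches on local element names so it does not depend on it.

```python
"""Audit a Keycloak/WildFly standalone-ha.xml for session caches that keep a
single copy of each entry, and raise the owner count.

Added example for this thread, not Keycloak project code. SAMPLE_HA_XML is a
constructed fragment modelled on the "keycloak" cache-container of Keycloak
4.x standalone-ha.xml; the subsystem namespace URI is an assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_HA_XML = """<subsystem xmlns="urn:jboss:domain:infinispan:6.0">
  <cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <local-cache name="realms"/>
    <local-cache name="users"/>
    <distributed-cache name="sessions" owners="1"/>
    <distributed-cache name="authenticationSessions" owners="1"/>
    <distributed-cache name="offlineSessions" owners="1"/>
    <distributed-cache name="clientSessions" owners="1"/>
    <distributed-cache name="offlineClientSessions" owners="1"/>
    <distributed-cache name="loginFailures" owners="1"/>
    <distributed-cache name="actionTokens" owners="2"/>
    <replicated-cache name="work"/>
  </cache-container>
</subsystem>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _caches(root, container):
    """Yield the cache elements that are direct children of the named container."""
    for cc in root.iter():
        if _local(cc.tag) == "cache-container" and cc.get("name") == container:
            for cache in cc:
                if _local(cache.tag).endswith("-cache"):
                    yield cache


def cache_owners(xml_text, container="keycloak"):
    """Map cache name -> copies of each entry held across the cluster.

    distributed-cache: the owners attribute (Infinispan defaults to 2 when it
    is absent). replicated-cache: None, meaning every node holds a copy.
    local-cache entries (realms, users) are DB-backed and rebuilt on demand,
    so they are not session state and are left out.
    """
    owners = {}
    for cache in _caches(ET.fromstring(xml_text), container):
        kind = _local(cache.tag)
        if kind == "distributed-cache":
            owners[cache.get("name")] = int(cache.get("owners", "2"))
        elif kind == "replicated-cache":
            owners[cache.get("name")] = None
    return owners


def survives_node_loss(owners, nodes, lost=1):
    """True if at least one copy of every entry remains after `lost` of the
    `nodes` members go away. owners=None models a replicated cache."""
    copies = nodes if owners is None else min(owners, nodes)
    return copies > lost


def single_copy_caches(xml_text, container="keycloak"):
    """Distributed caches whose entries die with the one node that holds them."""
    return sorted(
        cache.get("name")
        for cache in _caches(ET.fromstring(xml_text), container)
        if _local(cache.tag) == "distributed-cache"
        and int(cache.get("owners", "2")) == 1
    )


def set_owners(xml_text, owners, container="keycloak"):
    """Return (new_xml, changed_names) with every distributed-cache in the
    container raised to at least `owners` copies; caches already at or above
    the target are left untouched."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # keep the file's default namespace on output instead of an ns0: prefix
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changed = []
    for cache in _caches(root, container):
        if _local(cache.tag) != "distributed-cache":
            continue
        if int(cache.get("owners", "2")) < owners:
            cache.set("owners", str(owners))
            changed.append(cache.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, n in cache_owners(SAMPLE_HA_XML).items():
        print(f"{name:24} owners={n!s:5} survives 1 of 2 nodes: "
              f"{survives_node_loss(n, nodes=2)}")
    fixed_xml, changed = set_owners(SAMPLE_HA_XML, 2)
    print("raised to owners=2:", ", ".join(changed))
```

On a running server the supported way to make the same change is the JBoss CLI, for example /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners,value=2) followed by a reload, repeated for each session cache; do not hand-edit standalone-ha.xml while the server is up. The extra copy only protects you once state transfer to the second node has finished: in Vaclav's test the second node is started and the first stopped shortly after, and with owners=1 only the keys that the rebalance happened to move survive, which would account for it working "sometimes".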
Name: keycloak_bug.tar.gz Type: application/x-gzip Size: 35256 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190211/974966a0/attachment-0001.gz -------------- next part -------------- A non-text attachment was scrubbed... Name: screen_kc.png Type: image/png Size: 76081 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190211/974966a0/attachment-0001.png From harish.tammireddygari at broadcom.com Mon Feb 11 05:59:43 2019 From: harish.tammireddygari at broadcom.com (Harish Tammireddygari) Date: Mon, 11 Feb 2019 16:29:43 +0530 Subject: [keycloak-user] Kerberos authentication failing with umlaut characters Message-ID: Hi, I have a user in my Active Directory with first name and logon name user?tz. When I log in to a Windows machine with this user and try to launch Keycloak (where Kerberos is enabled), it throws the error message "invalid username and password" with the following exception. Also, I tried to add -Dfile.encoding=UTF8 during startup, but that didn't work. Does Keycloak support Kerberos authentication with umlaut characters? 2019-02-06 01:26:08,282 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-29) Kerberos/SPNEGO authentication succeeded with username [user??tz], but couldn't find or create user with federation provider [ldap] 2019-02-06 01:26:08,282 ERROR [org.keycloak.events.EventBuilder] (default task-29) Failed to save event: java.lang.NullPointerException: Null keys are not supported!
at java.util.Objects.requireNonNull(Objects.java:228) at org.infinispan.cache.impl.SimpleCacheImpl.get(SimpleCacheImpl.java:400) at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:287) at org.keycloak.models.cache.infinispan.CacheManager.get(CacheManager.java:95) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:192) at com.ca.ad.sv.keycloak.ext.events.JpaEventStoreProvider.getUsername(JpaEventStoreProvider.java:203) at com.ca.ad.sv.keycloak.ext.events.JpaEventStoreProvider.convertEvent(JpaEventStoreProvider.java:185) at com.ca.ad.sv.keycloak.ext.events.JpaEventStoreProvider.onEvent(JpaEventStoreProvider.java:140) at org.keycloak.events.EventBuilder.send(EventBuilder.java:177) at org.keycloak.events.EventBuilder.error(EventBuilder.java:164) at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:109) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at 
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 2019-02-06 01:26:08,297 WARN [org.keycloak.events] (default task-29) 
type=LOGIN_ERROR, realmId=service_virtualization, clientId=security-admin-console, userId=null, ipAddress=10.162.26.187, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri= https://tamha02n247350.ca.com:51111/auth/admin/service_virtualization/console/, code_id=862c3e77-4ccf-4553-ba93-12030bb1b8f4, response_mode=fragment 2019-02-06 01:26:08,297 WARN [org.keycloak.services] (default task-29) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:224) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:201) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) From titorenko at dtg.technology Mon Feb 11 07:07:05 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Mon, 11 Feb 2019 15:07:05 +0300 Subject: [keycloak-user] Authorization Client - 403 Message-ID: <15337B34-A7DD-46F6-8CE6-CDEACBFF20B6@dtg.technology> Hello guys! I would like to ask about the behaviour of the Authorization Client.
I'm trying to get user entitlements using the authorization client and see the following: If permissions allow access to the resource and scope requested, then everything is ok: I get back a token with the requested permissions added to it; If permissions do not allow access to the resource, then I would expect a returned token without any additional permissions added, but instead I get HTTP error 403 (not authorised) from Keycloak. Is it expected behaviour? Getting 403 when communicating with Keycloak makes me think that my client is not authorised to make this call, while it seems that this is a signal that access to the resource is not allowed. Alexey From psilva at redhat.com Mon Feb 11 07:55:23 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 11 Feb 2019 10:55:23 -0200 Subject: [keycloak-user] Authorization Client - 403 In-Reply-To: <15337B34-A7DD-46F6-8CE6-CDEACBFF20B6@dtg.technology> References: <15337B34-A7DD-46F6-8CE6-CDEACBFF20B6@dtg.technology> Message-ID: Hi, That is the expected behavior. The server fails with 403 in case your authorization request does not resolve to any permission. Regards. Pedro Igor On Mon, Feb 11, 2019 at 10:29 AM Alexey Titorenko wrote: > Hello guys! > > I would like to ask about the behaviour of the Authorization Client. I'm trying to > get user entitlements using the authorization client and see the following: > If permissions allow access to the resource and scope requested, then > everything is ok: I get back a token with the requested permissions added to it; > If permissions do not allow access to the resource, then I would expect a > returned token without any additional permissions added, but instead I > get HTTP error 403 (not authorised) from Keycloak. > > Is it expected behaviour? Getting 403 when communicating with Keycloak makes > me think that my client is not authorised to make this call, while it > seems that this is a signal that access to the resource is not > allowed.
> > > Alexey From thomas.isaksen at toyota.no Mon Feb 11 08:14:04 2019 From: thomas.isaksen at toyota.no (Konsulent Thomas Isaksen (TNO)) Date: Mon, 11 Feb 2019 13:14:04 +0000 Subject: [keycloak-user] Problem with add-user-keycloak.sh Message-ID: Hi, I'm trying to add the initial user to Keycloak and I cannot do so using the console ("You need local access to create the initial admin user."). When I try to run the script as described in the documentation, I get a message that (obviously) domain/servers/server-one/configuration does not exist. If I skip the --sc parameter the user is generated under the standalone configuration folder: .../bin/add-user-keycloak.sh --sc domain/servers/server-one/configuration -r master -u -p -- Thomas Isaksen From titorenko at dtg.technology Mon Feb 11 08:36:26 2019 From: titorenko at dtg.technology (Alexey Titorenko) Date: Mon, 11 Feb 2019 16:36:26 +0300 Subject: [keycloak-user] Authorization Client - 403 In-Reply-To: References: <15337B34-A7DD-46F6-8CE6-CDEACBFF20B6@dtg.technology> Message-ID: <4F1DC80F-913B-4B3F-89BF-567CD9B6F986@dtg.technology> Ok, thank you! > On 11 Feb 2019, at 15:55, Pedro Igor Silva wrote: > > Hi, > > That is the expected behavior. The server fails with 403 in case your authorization request does not resolve to any permission. > > Regards. > Pedro Igor > > On Mon, Feb 11, 2019 at 10:29 AM Alexey Titorenko wrote: > Hello guys! > > I would like to ask about the behaviour of the Authorization Client. I'm trying to get user entitlements using the authorization client and see the following: > If permissions allow access to the resource and scope requested, then everything is ok:
I get back a token with the requested permissions added to it; > If permissions do not allow access to the resource, then I would expect a returned token without any additional permissions added, but instead I get HTTP error 403 (not authorised) from Keycloak. > > Is it expected behaviour? Getting 403 when communicating with Keycloak makes me think that my client is not authorised to make this call, while it seems that this is a signal that access to the resource is not allowed. > > > Alexey From slaskawi at redhat.com Mon Feb 11 08:51:46 2019 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Mon, 11 Feb 2019 14:51:46 +0100 Subject: [keycloak-user] TCPPING problem. In-Reply-To: <1F4h.4PhI.4nYF{KAomAy.1SOKOb@seznam.cz> References: <132L.4OIY.4yZG0TU0L{r.1SKjNt@seznam.cz> <1F4h.4PhI.4nYF{KAomAy.1SOKOb@seznam.cz> Message-ID: On Mon, Feb 11, 2019 at 10:53 AM Vaclav Havlik wrote: > Hello. > Sorry, after some investigation I got it to work. The problem seems to > have been that I have to use a concrete address in the interface, not any-addr. > Yes! This is how TCPPING works: https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/TCPPING.java#L25 There are some other, more dynamic protocols like MPING, for instance. I would need to know more about your environment (bare metal/cloud/any network traffic restrictions) to make a better suggestion. > > But here is another, smaller problem. > I have 2 instances of Keycloak on 2 different computers, namely > 10.0.206.31 and 10.0.206.32. Config files and log files are attached. I > also use an httpd load-balancer in front of them. > > It works very well with my specialized webapp called web_app_clustering, > which is also attached. It is a plain webapp, thus JSESSIONID is always > sent.
> > Now with Keycloak, I have set up a realm and SPNEGO & TOTP to log > into /auth/realms//account. The goal is to keep the session > and avoid the TOTP form again. > > 1. > Keycloak sends AUTH_SESSION_ID, KEYCLOAK_IDENTITY and > KEYCLOAK_SESSION, and it is not 100% reliable. Sometimes, when I log > in to one instance and then I start the other instance and stop the first > instance, it empties the cookies and displays the TOTP form again. But sometimes > it works. > If you're using 2 nodes and our default standalone-ha.xml, this is a kind of behavior that may happen. Our distributed caches use a number of owners equal to 1. That means there's only one copy of each session object in the cache. If the owner of this item goes down (as a reminder - you use 2 nodes!), you lose that object. Try increasing this to 2 or changing this cache to the replicated mode. As a side note, I usually recommend running on an odd number of nodes in distributed systems. I would highly recommend running 3 instances of Keycloak instead of 2. > > 2. > I wanted to experiment with the attribute mode ( SYNC / ASYNC ) of > replicated-cache / distributed-cache, but it errors that there is no such > attribute. > Yes, all caches in Wildfly are SYNC: https://wildscribe.github.io/WildFly/13.0/subsystem/infinispan/cache-container/replicated-cache/index.html And here's the explanation from the docs: "Deprecated. This attribute will be ignored. All cache modes will be treated as SYNC. To perform asynchronous cache operations, use Infinispan's asynchronous cache API." Unfortunately it seems there is no way to set ASYNC mode. However, with your test scenario ASYNC may lead to more inconsistencies. My recommendation would be to stay with SYNC. > > I am also attaching timeouts for the realm. > > Thank you, Venca. > > > > ---------- Original e-mail ---------- > From: Sebastian Laskawiec > To: Vaclav Havlik > Date: 31. 1. 2019 13:42:35 > Subject: Re: [keycloak-user] TCPPING problem.
>
> Hey Vaclav,
>
> Could you please send us your configuration xml (make sure you're using standalone-ha.xml) and the output of your logs?
>
> Thanks,
> Sebastian
>
> On Thu, Jan 31, 2019 at 12:04 PM Vaclav Havlik wrote:
>
> > Dears,
> > I would like to ask a question.
> >
> > I have Wildfly, version WildFly Full 14.0.1.Final (WildFly Core 6.0.2.Final).
> > And then I have Keycloak, version Keycloak 4.7.0.Final (WildFly Core 6.0.2.Final).
> >
> > Static cluster configuration, using TCPPING, works in Wildflys, but does not work in Keycloaks.
> >
> > I always have 2 instances on localhost (the browser thus sends them the same JSESSIONID). On both I have deployed a testing clustering webapp, with which to test if sessions are replicated. But Keycloaks do not pass sessions to each other. I can see that when the page from the second instance is reloaded in the browser, it sends a Set-Cookie header with another cookie, as it obviously does not know the JSESSIONID from the first instance.
> >
> > With Wildflys the same does work.
> >
> > Can you tell me, is there any reason why this is the case, when Keycloak uses Wildfly?
> >
> > Thank you. With regards, V. Havlik.
> >
>

From mauriciogiacomini at hotmail.com Mon Feb 11 09:12:38 2019
From: mauriciogiacomini at hotmail.com (Maurício Giacomini Penteado)
Date: Mon, 11 Feb 2019 14:12:38 +0000
Subject: [keycloak-user] OAuth2 with SAML2.0 Authentication
Message-ID:

Hi folks

I am working with some legacy systems that rely on an identity server based on SAML tokens. Therefore, I do not have the excellent features provided by the OAuth2, OpenID, and UMA specifications on these systems.

I am looking for some documents to help me activate Keycloak as an identity server that works with OAuth2, but using SAML tokens for authentication. It would help a lot if such configurations were possible. Please, if anyone knows documents to help me, let me know.

Kind regards,
Mauricio.

From psilva at redhat.com Mon Feb 11 09:57:45 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 11 Feb 2019 12:57:45 -0200
Subject: [keycloak-user] OAuth2 with SAML2.0 Authentication
In-Reply-To:
References:
Message-ID:

Hi,

You should be able to use the OpenID protocol for your applications if Keycloak is configured as a broker to your existing SAML IdP. See https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker.

Regards.
Pedro Igor

On Mon, Feb 11, 2019 at 12:17 PM Maurício Giacomini Penteado <mauriciogiacomini at hotmail.com> wrote:

> Hi folks
>
> I am working with some legacy systems that rely on an identity server based on SAML tokens.
> Therefore, I do not have the excellent features provided by the OAuth2, OpenID, and UMA specifications on these systems.
>
> I am looking for some documents to help me activate Keycloak as an identity server that works with OAuth2, but using SAML tokens for authentication.
> It would help a lot if such configurations were possible. Please, if anyone knows documents to help me, let me know.
>
> Kind regards,
> Mauricio.
>

From khaendel at ehotel.de Mon Feb 11 12:33:49 2019
From: khaendel at ehotel.de (Ken Haendel)
Date: Mon, 11 Feb 2019 18:33:49 +0100
Subject: [keycloak-user] What does "Session doesn't have required client" mean?
Message-ID:

Hello,

I have a question concerning Keycloak 4.8.3. I am using the spring security adapter to secure our web-app with the keycloak and enabled the login feature: remember-me. The user logs in from a browser and it redirects back to our web app. Our web-app calls another Keycloak secured REST-API endpoint internally using the KeycloakRestTemplate, because we need to authorize these calls as well using the same user of the web app.

After some amount of time the REST-API call fails with the following error message:

"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Session doesn't have required client"}"

and the keycloak log file contains the following warning:

17:25:51,929 WARN  [org.keycloak.events] (default task-1) type=REFRESH_TOKEN_ERROR, realmId=EHotel, clientId=IBE, userId=f:8db533c4-9733-48d4-8b30-28a50954b7ad:khaendel, ipAddress=192.168.1.76, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9fba841f-54bb-4c81-8f7b-6a7e1c5ab92e, client_auth_method=client-secret

I cannot predict when exactly that happens, presumably after 15 minutes or after an hour.
Token expiration is set as follows:

SSO Session Idle: 5 minutes
SSO Session Max: 5 minutes
SSO Session Idle Remember Me: 1 Day
SSO Session Max Remember Me: 1 Day
Access Token Lifespan: 2 minutes

It seems that there is a client session cache involved (InfinispanUserSessionProvider) that loses information after a while.

What does the error message mean and what am I doing wrong? Please help me out.

Thank you in advance,
Regards,
Ken

From firozpalapra at outlook.com Mon Feb 11 12:40:18 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Mon, 11 Feb 2019 17:40:18 +0000
Subject: [keycloak-user] keycloak rest api usage to get all user details(including details of attached groups) in one call
Message-ID:

Hi All,

We are creating a wrapper UI for user management on top of keycloak using the keycloak REST APIs. To show the users created, we are using the users endpoint. However, the roles in our model are attached to the groups and we can only retrieve the user roles from the groups. We tried getting data from the groups and roles endpoints for each user to create the complete user data set; however, the multiple calls are costly and take time to process and return the data.

Is there any API endpoint which will get all user details along with the details of the groups attached to the user?

Thanks in advance,
Firoz

From jprouty at cctus.com Mon Feb 11 18:40:20 2019
From: jprouty at cctus.com (Jason Prouty)
Date: Mon, 11 Feb 2019 23:40:20 +0000
Subject: [keycloak-user] Synology
Message-ID:

Has anyone used a Synology as a client with Keycloak?
The only documentation I show is for Azure and Websphere

From ekemokai at gmail.com Mon Feb 11 22:50:27 2019
From: ekemokai at gmail.com (Edmond Kemokai)
Date: Mon, 11 Feb 2019 22:50:27 -0500
Subject: [keycloak-user] Using system properties
Message-ID:

Hi,

I am trying to do something like this:

However the expected replacement of jetty.home is not happening... is this not supported?

From ekemokai at gmail.com Mon Feb 11 22:55:17 2019
From: ekemokai at gmail.com (Edmond Kemokai)
Date: Mon, 11 Feb 2019 22:55:17 -0500
Subject: [keycloak-user] Using system properties
In-Reply-To:
References:
Message-ID:

Apologies, please disregard this.

On Mon, Feb 11, 2019 at 10:50 PM Edmond Kemokai wrote:

> Hi,
>
> I am trying to do something like this:
>
>
>
> However the expected replacement of jetty.home is not happening... is this not supported?
>

From chttl582 at gmail.com Tue Feb 12 01:05:45 2019
From: chttl582 at gmail.com (Jon Huang)
Date: Tue, 12 Feb 2019 14:05:45 +0800
Subject: [keycloak-user] Is it possible to assign user group to specific user storage?
In-Reply-To: <1548195964.27802.3.camel@acutus.pro>
References: <1548195964.27802.3.camel@acutus.pro>
Message-ID:

Dear Dmitry

Thanks for your help. I find there is a Mappers tab with the LDAP provider. However, I wrote a custom federation provider via the user storage SPI and there is no Mappers tab. (I can only see my Required Settings page.)

Did I miss some implementation work, or does the user storage SPI not support mapper binding?

Regards

Dmitry Telegin
wrote on Wed, 23 Jan 2019 at 06:26:

> Hello Jon,
>
> Open your federation provider settings, go to the Mappers tab, create a mapper of type hardcoded-ldap-role-mapper, and type in the role name (the role selector seems to be broken, unfortunately).
>
> Repeat for every other role you need. Good luck :)
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2019-01-22 at 16:37 +0800, Jon Huang wrote:
> > Hi everyone,
> > Please forgive me if this issue was ever asked previously.
> >
> > I would like to know if it is possible to assign a role to a specific federation provider?
> > (for example below, user1 & 2 have role1 and user3 has role2)
> > It's hard to assign a role to users one by one via the UI. (too many users)
> > And a default group can only assign a role to every user.
> > Or is there any other way to achieve the goal?
> > Thanks
> >
>

From thomas.isaksen at toyota.no Tue Feb 12 03:57:04 2019
From: thomas.isaksen at toyota.no (Konsulent Thomas Isaksen (TNO))
Date: Tue, 12 Feb 2019 08:57:04 +0000
Subject: [keycloak-user] Problem with add-user-keycloak.sh
In-Reply-To:
References:
Message-ID:

Never mind, I found that there is a --domain switch to do this

./t

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Konsulent Thomas Isaksen (TNO)
Sent: Monday 11.
February 2019 14:14
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Problem with add-user-keycloak.sh

Hi

I'm trying to add the initial user to keycloak and I cannot do so using the console ("You need local access to create the initial admin user.")

When I try to run the script as described in the documentation I get a message that (obviously) domain/servers/server-one/configuration does not exist. If I skip the sc parameter the user is generated under the standalone configuration folder.

.../bin/add-user-keycloak.sh --sc domain/servers/server-one/configuration -r master -u -p

--
Thomas Isaksen

From egegunes at gmail.com Tue Feb 12 09:28:52 2019
From: egegunes at gmail.com (Ege Gunes)
Date: Tue, 12 Feb 2019 17:28:52 +0300
Subject: [keycloak-user] Extending user registration and login
Message-ID: <20190212142852.GB6011@hipantsbrutal>

Hello all,

I'm trying to integrate Keycloak with one backend and one frontend application. I want to get some extra information on registration. I managed to add the required inputs to the theme by following the docs [1]. But I have a problem: I want the user to select one of many options from a dropdown, but I don't want to hardcode these options in `registration.ftl`; I want to fetch them from my backend and populate the options. Can you point me in some direction to achieve this?

Also, is there any chance to customize the login process to make the user select one of these options on the login form and authenticate the user by matching the selected option and username? For example, if I have schools in a dropdown menu and the school number as the username, can Keycloak check if the user has the exact school attribute and username and authenticate?
Best,

[1] https://www.keycloak.org/docs/3.1/server_development/topics/custom-attributes.html

--
Ege Gunes
https://gunes.io/publickey.txt

From jambo_mcd at yahoo.co.uk Tue Feb 12 09:39:09 2019
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Tue, 12 Feb 2019 14:39:09 +0000 (UTC)
Subject: [keycloak-user] KC installation DB problems
In-Reply-To:
References:
Message-ID: <527857473.3878508.1549982349159@mail.yahoo.com>

Hi,

Did you receive any feedback on your issue below? I am also having roughly the same issue as you; however, my KC is set up using Docker and Kubernetes. I have a mariadb (t2 micro) instance and after around 20 minutes of the container running I am getting the error "Unable to acquire JDBC Connection". I believe this is an issue that the mariadb instance is running out of connections; therefore I have tried to update my yaml, where the entrypoint is set to change the standalone.xml file, running a sed command to add in min-pool-size, max-pool-size and idle-timeouts-minutes. Adding in some echo error handling I can see that this is being added; however, when I log into the container and check the standalone.xml this is not there.

Regards,
Jamie

On Thursday, 20 September 2018, 18:41:36 BST, Henning Waack wrote:

Dear all.

I try to set up KC 4.2.1 (also tried with 4.0.0) on Ubuntu 18.04 with MySQL 5.7/MariaDB 10.x. It works totally fine on my Vagrant box (I use Ansible), but on the "real" server the Liquibase init scripts time out. Please note that the DB is installed physically on the same machine as Keycloak; the connection is done through localhost.

The error is some kind of transaction timeout exception, please see below the log. It is interesting to note that a) the script runs for more than 5 minutes before it fails, and b) most tables have been created in the DB, but after this error the state is unrecoverable.

Do you have any pointers/hints on why I run into these timeout issues?
I am totally at a loss, having tried so many combinations (KC version x DB type x DB version), which all run fine on Vagrant but fail on the server.

Thanks in advance & greetings

Henning

------

2018-09-20 19:00:53,220 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 49) Node name: sso, Site name: null
2018-09-20 19:00:55,982 INFO  [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
2018-09-20 19:05:53,240 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e in state  RUN
2018-09-20 19:05:53,252 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e
2018-09-20 19:05:53,938 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 in state  RUN
2018-09-20 19:05:53,940 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11
2018-09-20 19:06:13,864 INFO  [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [
        name: keycloak-default
        ...]
2018-09-20 19:06:13,913 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 49) HHH000412: Hibernate Core {5.1.10.Final}
2018-09-20 19:06:13,914 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000206: hibernate.properties not found
2018-09-20 19:06:13,916 INFO 
[org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000021: Bytecode provider name : javassist
2018-09-20 19:06:13,943 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 49) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
2018-09-20 19:06:14,076 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 49) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
2018-09-20 19:06:14,107 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 49) Envers integration enabled? : true
2018-09-20 19:06:14,534 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 49) HV000001: Hibernate Validator 5.3.5.Final
2018-09-20 19:06:15,154 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 49) HHH000397: Using ASTQueryTranslatorFactory
2018-09-20 19:06:15,842 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 0, SQLState: null
2018-09-20 19:06:15,842 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) javax.resource.ResourceException: IJ000460: Error checking for a transaction
2018-09-20 19:06:15,843 INFO  [org.hibernate.event.internal.DefaultLoadEventListener] (ServerService Thread Pool -- 49) HHH000327: Error performing load command : org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
2018-09-20 19:06:15,844 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11
2018-09-20 19:06:15,850 WARN  [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e
2018-09-20 19:06:15,853 INFO 
[org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
2018-09-20 19:06:15,857 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 49) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at ... (stack frames omitted)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
        at org.keycloak.models.jpa.MigrationModelAdapter.getStoredVersion(MigrationModelAdapter.java:38)
        at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:84)
        at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
        at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
        ... (remaining frames omitted)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000460: Error checking for a transaction
Caused by: javax.resource.ResourceException: IJ000460: Error checking for a transaction
Caused by: javax.resource.ResourceException: IJ000459: Transaction is not active: tx=Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 status: ActionStatus.ABORTED >, owner=Local transaction context for provider JBoss JTA transaction provider)
2018-09-20 19:06:15,872 INFO 
[org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTPS listener https suspending
2018-09-20 19:06:15,872 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
2018-09-20 19:06:15,877 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
2018-09-20 19:06:15,878 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = h2
2018-09-20 19:06:15,881 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = mariadb
2018-09-20 19:06:15,881 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
2018-09-20 19:06:15,885 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspendi

From mauriciogiacomini at hotmail.com Tue Feb 12 11:48:16 2019
From: mauriciogiacomini at hotmail.com (Maurício Giacomini Penteado)
Date: Tue, 12 Feb 2019 16:48:16 +0000
Subject: [keycloak-user] OAuth2 with SAML2.0 Authentication
In-Reply-To:
References:
Message-ID:

Hi folks,

I did not know that keycloak could be installed as a broker to a SAML IdP.

@Pedro Igor Silva - Many thanks for your help.

I have one more question about that. Please, if anyone else can help me, let me know. What do you think?

Would it be possible to have keycloak as a broker to a set of applications providing and consuming REST services, but keep the SAML IdP directly accessible to legacy applications providing and consuming SOAP services?

Kind regards,
Mauricio.
________________________________
From: Pedro Igor Silva
Sent: Monday, 11 February 2019 14:57
To: Maurício Giacomini Penteado
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] OAuth2 with SAML2.0 Authentication

Hi,

You should be able to use the OpenID protocol for your applications if Keycloak is configured as a broker to your existing SAML IdP. See https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker.

Regards.
Pedro Igor

On Mon, Feb 11, 2019 at 12:17 PM Maurício Giacomini Penteado wrote:

Hi folks

I am working with some legacy systems that rely on an identity server based on SAML tokens. Therefore, I do not have the excellent features provided by the OAuth2, OpenID, and UMA specifications on these systems.

I am looking for some documents to help me activate Keycloak as an identity server that works with OAuth2, but using SAML tokens for authentication. It would help a lot if such configurations were possible. Please, if anyone knows documents to help me, let me know.

Kind regards,
Mauricio.

From almahdichihaoui at gmail.com Tue Feb 12 12:42:32 2019
From: almahdichihaoui at gmail.com (Al_Mahdi)
Date: Tue, 12 Feb 2019 10:42:32 -0700 (MST)
Subject: [keycloak-user] Initialize keycloak with locale in i18n
Message-ID: <1549993352874-0.post@n6.nabble.com>

In our application (a React application) we have a business requirement to show the login page with the default language detected by i18next. I didn't find how to set the locale in the keycloak init method; however, I used the login method, where the locale can be set. But, using the login method, I had a redirection loop issue.

- Is there any difference between logging in using the init or login methods?
- Are there clear or clean ways where I can send the locale to keycloak in order to show the page in the appropriate language?
Thanks.
-- Sent from: http://keycloak-user.88327.x6.nabble.com/

From leandronunes85 at gmail.com Tue Feb 12 13:26:35 2019
From: leandronunes85 at gmail.com (Leandro Nunes)
Date: Tue, 12 Feb 2019 18:26:35 +0000
Subject: [keycloak-user] Moving from two legacy identity systems to keycloak
Hi, I recently joined a company as a software developer. The company merged with another one a couple of years ago and that led to a lot of migration problems. We are now looking into unifying our user base under the same store and providing a single login/password for all products. With this in mind I started looking for a solution that would help us: and I found keycloak. I have been playing around with it but the truth is that I'm not very confident on how to approach such a Herculean task. I have thought of a couple of options:
1) build an SPI for each legacy system and let keycloak talk with such systems for current users but register new users on keycloak's own data store
2) have my legacy systems programmatically create a new user on keycloak every time someone logs in (as in slowly migrating users from the legacy datastores into keycloak).
Bear in mind that either way I still need to be able to expose at least the original Id for the users on keycloak so that other systems that rely on them can still work. Any help around this is much appreciated! Thanks!!!!
-- Regards, Leandro Nunes

From ssilvert at redhat.com Tue Feb 12 14:42:01 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 12 Feb 2019 14:42:01 -0500
Subject: [keycloak-user] Initialize keycloak with locale in i18n
In-Reply-To: <1549993352874-0.post@n6.nabble.com>
References: <1549993352874-0.post@n6.nabble.com>
Message-ID: <3a7569b9-e7b2-07e7-2ad1-97b124c70c79@redhat.com>
This might help: https://www.keycloak.org/docs/4.8/server_development/#_locale_selector
But one problem is that you should be initializing Keycloak before you initialize React. That means you won't have a chance for i18next to detect the locale before the login screen is shown.
If the default LocaleSelectionProvider is not what you want then I suggest that you find out the algorithm i18next is using and build that into your own LocaleSelectionProvider.
Stan
On 2/12/2019 12:42 PM, Al_Mahdi wrote: > In our application (React application) we have a business requirement to show > the login page with the default language detected by i18next, I didn't find > how to set the locale in keycloak init method, however, i used login method > where the locale can be set. but, using the login method, i had redirection > loop issue. > - Is there any difference between logging in using init or login methods? > - Are there clear or clean ways where i can send the locale to keycloak in > order to show the page in the appropriate language? > > Thanks. > > -- > Sent from: http://keycloak-user.88327.x6.nabble.com/

From mcoe at ebay.ca Tue Feb 12 16:02:28 2019
From: mcoe at ebay.ca (Coe, Matthew)
Date: Tue, 12 Feb 2019 21:02:28 +0000
Subject: [keycloak-user] Keycloak + Infinispan Passivation Failure
Hello!
I'm attempting to configure a cluster of standalone Keycloak 4.7.0.Final instances to have their Infinispan data persisted. I'm using JDBCPING to create the cluster, and our user load is great enough that we don't want to keep all our sessions in memory. I've configured the "sessions" cache as follows:
The object-memory size is selected purely for testing purposes, so that I can quickly hit a point where data will need to be evicted from Infinispan. The problem I'm running into is that data is only persisted to MySQL if passivation is on, where it exhibits the predictable passivation behaviour. When I turn passivation to false, instead of acting as a write-through cache, with all data persisted, no data is persisted at all. Once I fill the object-memory size, sessions start getting dropped behind the scenes. Is this pilot error? Or have I found a bug in Infinispan? DEBUG-level logging doesn't reveal any complaints from the underlying systems.
Thanks!
Matthew G P Coe
Platform Software Developer
T 416.969.2365 M 416.427.7315 E mcoe at ebay.com A 500 King Street West, Unit 200, M5V 1L8, Toronto, ON

From andrew.j.alexander at gmail.com Tue Feb 12 22:37:27 2019
From: andrew.j.alexander at gmail.com (Andrew J. Alexander)
Date: Tue, 12 Feb 2019 22:37:27 -0500
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
I am just completely lost here. I need to integrate the Facebook SDK directly with Keycloak - Facebook is threatening to remove the ability to login entirely from my client's app. I am, however, absolutely and completely lost with how to do this in Keycloak. Here's my original post: http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html And I am wondering a similar question - is there a way to use a native Facebook access token to authenticate with Keycloak? Facebook is saying that they want my client to update their app to use the Facebook SDK for login as opposed to a non-standard SDK (i.e.
AeroGear/Keycloak). I am trying to use the token provided by Facebook on successful login, with absolutely no luck. What is the recommended way (or is there a guide) on how to do this? Is there absolutely any compliant way to integrate the iOS Facebook SDK with Keycloak? Anything at all? I've been working on this for two weeks and I'm completely lost and have no idea how to do it.

From sblanc at redhat.com Wed Feb 13 01:52:47 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 13 Feb 2019 07:52:47 +0100
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
Hi Andrew, Have you tried the token exchange service? https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
On Wed, Feb 13, 2019 at 4:40 AM Andrew J. Alexander < andrew.j.alexander at gmail.com> wrote: > I am just completely lost here. > > I need to integrate the Facebook SDK directly with Keycloak - Facebook is > threatening to remove the ability to login entirely from my client's app. > > I am, however, absolutely and completely lost with how to do this in > Keycloak. > > Here's my original post: > > http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html > > And I am wondering a similar question - is there a way to use native > Facebook access token to authenticate with Keycloak? > > Facebook is saying that they want my client to update their app to use the > Facebook SDK for login as opposed to non-standard SDK (i.e. > AeroGear/Keycloak) > > I am trying to use the token provided by Facebook on successful login, with > absolutely no luck. > > What is the recommended way (or is there a guide) on how to do this? > > Is there absolutely any compliant way to integrate the iOS Facebook SDK > with Keycloak? Anything at all? I've been working on this for two weeks and > I'm completely lost and have no idea how to do it.

From hariprasad.n at ramyamlab.com Wed Feb 13 02:06:02 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Wed, 13 Feb 2019 12:36:02 +0530
Subject: [keycloak-user] Disable Default clients Edit and Delete options in Admin Console
Hi All, Is there any possible way I can disable the Edit and Delete options in the clients screen of each realm for default clients including account, admin-cli, broker etc.? The problem is that our admins sometimes delete the admin-cli client by mistake; then the entire keycloak doesn't work, and we clear the database and start fresh with new realms.
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
Ramyam Intelligence Lab Pvt. Ltd., Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road, Bangalore - 560001, Karnataka, India.
Phone: +91 80 67269266 Mobile: +91 7022156319 E-Mail: hariprasad.n at ramyamlab.com www.ramyamlab.com

From ssilvert at redhat.com Wed Feb 13 08:17:44 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 13 Feb 2019 08:17:44 -0500
Subject: [keycloak-user] Initialize keycloak with locale in i18n
References: <1549993352874-0.post@n6.nabble.com> <3a7569b9-e7b2-07e7-2ad1-97b124c70c79@redhat.com>
Message-ID: <6dca5b7b-d8fe-eb76-3e95-91232dfb809b@redhat.com>
If I remember correctly, the redirection loop is due to the fact that Keycloak wants to be initialized first. You could set the KEYCLOAK_LOCALE cookie.
If there is no kc_locale query parameter then the DefaultLocaleSelectorProvider will use the cookie to set the locale for login.
On 2/13/2019 4:00 AM, Al Mahdi Chihaoui wrote: > Hi Stan, > Thanks for your reply, > We are using Express js to serve our React application, so we > initialize i18next before initializing Keycloak or React. > For the locale selectors, i didn't find how to set kc_local, it worked > with the login method but as i mentioned before, that method caused a > redirection loop. > Regards. > > On Tue, Feb 12, 2019 at 9:03 PM Stan Silvert wrote: > > This might help: > https://www.keycloak.org/docs/4.8/server_development/#_locale_selector > > But one problem is that you should be initializing Keycloak before > you > initialize React. That means you won't have a chance for i18next to > detect the locale before the login screen is shown. > > If the default LocaleSelectionProvider is not what you want then I > suggest that you find out the algorithm i18next is using and build > that > into your own LocaleSelectionProvider. > > Stan > > On 2/12/2019 12:42 PM, Al_Mahdi wrote: > > In our application (React application) we have a business > requirement to show > > the login page with the default language detected by i18next, I > didn't find > > how to set the locale in keycloak init method, however, i used > login method > > where the locale can be set. but, using the login method, i had > redirection > > loop issue. > > - Is there any difference between logging in using init or login > methods? > > - Are there clear or clean ways where i can send the locale to > keycloak in > > order to show the page in the appropriate language? > > > > Thanks.
> > -- > > Sent from: http://keycloak-user.88327.x6.nabble.com/ > > -- > Al Mahdi Chihaoui > Software Engineer

From vagelis.savvas at gmail.com Wed Feb 13 10:24:49 2019
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Wed, 13 Feb 2019 17:24:49 +0200
Subject: [keycloak-user] Logout user
Message-ID: <99ed7518-f9f8-d9a5-0982-e8acd9eb6b4f@gmail.com>
Hello, at the moment I use an EventListenerProvider to listen for the EventType.LOGOUT event. I noticed that if a realm admin logs a user out from the Web GUI my event listener isn't invoked. Am I overlooking something? Thanx! Vagelis

From mposolda at redhat.com Wed Feb 13 10:28:55 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 13 Feb 2019 16:28:55 +0100
Subject: [keycloak-user] Keycloak + Infinispan Passivation Failure
On 12/02/2019 22:02, Coe, Matthew wrote: > Hello! > > I'm attempting to configure a cluster of standalone Keycloak 4.7.0.Final instances to have their Infinispan data persisted. I'm using JDBCPING to create the cluster, and our user load is great enough that we don't want to keep all our sessions in memory. > > I've configured the "sessions" cache as follows: > > > > The object-memory size is selected purely for testing purposes, so that I can quickly hit a point where data will need to be evicted from Infinispan. > > The problem I'm running into is that data is only persisted to MySQL if passivation is on, where it exhibits the predictable passivation behaviour. When I turn passivation to false, instead of acting as a write-through cache, with all data persisted, no data is persisted at all. Once I fill the object-memory size, sessions start getting dropped behind the scenes. > > Is this pilot error? Or have I found a bug in Infinispan? DEBUG-level logging doesn't reveal any complaints from the underlying systems.
We're programmatically adding the flag to skip cacheStore/cacheLoad to many operations on userSession. The reason is that for the cross-DC scenario, we're programmatically invoking execution of some operations on remote caches (JDG servers). In other words, no other infinispan stores besides remote-store will properly work. Feel free to create a JIRA (or add yourself as a vote to the existing JIRA, as it may already exist).
Marek
> > Thanks! > > Matthew G P Coe > > Platform Software Developer > > T 416.969.2365 > > M 416.427.7315 > > E mcoe at ebay.com > > A 500 King Street West, Unit 200, M5V 1L8, Toronto, ON

From marco.vecchietti at telecomitalia.it Thu Feb 14 05:02:22 2019
From: marco.vecchietti at telecomitalia.it (Vecchietti Marco)
Date: Thu, 14 Feb 2019 10:02:22 +0000
Subject: [keycloak-user] How to add roles to acquired LDAP user
Message-ID: <1550138542841.80457@telecomitalia.it>
Hi, I know it's possible to map roles from LDAP to keycloak roles; I found documentation and samples on it. Unfortunately I need, or I'd like, to do the reverse work: map keycloak roles to LDAP users.
Is there a way, for instance by extension or callback, to intercept the login phase and enrich the user with a specific set of roles? The goal is to obtain as a response a token (JWT token) with the added roles. Otherwise I should use keycloak as an authentication server and a separate application server as an authorization server?
Best regards
Marco Vecchietti
This e-mail and any attachments are confidential and may contain privileged information intended for the addressee(s) only. Dissemination, copying, printing or use by anybody else is unauthorised. If you are not the intended recipient, please delete this message and any attachments and advise the sender by return e-mail. Thanks. Respect the environment. Do not print this e-mail unless necessary.

From psilva at redhat.com Thu Feb 14 08:44:48 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 14 Feb 2019 11:44:48 -0200
Subject: [keycloak-user] UMA specs submitted to IETF
Hi, The UMA work group made an important move this week by contributing [1] the UMA 2.0 specs to the IETF. As an OAuth2 extension, UMA aims to leverage OAuth2 in order to support asynchronous authorization, loosely coupled AS, clients and resource servers (in regards to authorization to protected resources) as well as give resource owners more control over the permissions that govern access to their protected resources. Regards.
Pedro Igor
[1] https://mailarchive.ietf.org/arch/msg/oauth/r1mFPzQaXy322wSR3my5i1uCdXQ

From bruno at abstractj.org Thu Feb 14 08:58:13 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 14 Feb 2019 11:58:13 -0200
Subject: [keycloak-user] UMA specs submitted to IETF
That's great news!
On Thu, Feb 14, 2019 at 11:49 AM Pedro Igor Silva wrote: > > Hi, > > The UMA work group did an important move this week by contributing [1] UMA > 2.0 specs to IETF. > > As an OAuth2 extension, UMA aims to leverage OAuth2 in order to support > asynchronous authorization, loosely coupled AS, clients and resource > servers (in regards to authorization to protected resources) as well as > give to resource owners more control over the permissions that govern > access to their protected resources. > > Regards. > Pedro Igor > > [1] https://mailarchive.ietf.org/arch/msg/oauth/r1mFPzQaXy322wSR3my5i1uCdXQ
-- - abstractj

From kapilkumarjoshi001 at gmail.com Thu Feb 14 13:49:22 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Fri, 15 Feb 2019 00:19:22 +0530
Subject: [keycloak-user] Configuring SMTP settings via rest API
Hi all, I wanted one small example of configuring SMTP settings via the REST API. We are planning to create a similar UI to keycloak's, but use the REST API to set it.
Also, how to test the saved settings, i.e. whether they are saved or not?
Thanks
Kapil

From s.babych at dataclaritycorp.com Thu Feb 14 14:03:15 2019
From: s.babych at dataclaritycorp.com (Svyatoslav Babych)
Date: Thu, 14 Feb 2019 19:03:15 +0000
Subject: [keycloak-user] Docker and Invalid token issuer
Good morning everyone, Could you please help me with this, I believe, common problem: I set up keycloak in a Docker container, and have a second container that communicates with Keycloak through a private IP. I acquire the access token through the public IP and then send a request to this second container. As a result: an "Invalid token issuer" exception. Unfortunately the second container cannot use the public IP. Appreciate any help with this.
Thank you, Best regards, Svyat
Svyatoslav Babych | Senior Solution Architect, Technical team Lead
s.babych at dataclaritycorp.com
DataClarity Corporation | www.dataclaritycorp.com
Confidentiality Notice: The information in this email and any attachments is confidential or proprietary and should be treated and marked as "Confidential" DataClarity communication. If you are not the intended recipient of this email, any review, disclosure, copying, or distribution of it including any attachments is strictly prohibited and may be unlawful. If you have received this email in error, please notify the sender and immediately and permanently delete it and destroy any copies. Any information contained in this email is subject to the terms and conditions expressed in any applicable agreement.

From andrew.j.alexander at gmail.com Thu Feb 14 14:23:06 2019
From: andrew.j.alexander at gmail.com (Andrew J. Alexander)
Date: Thu, 14 Feb 2019 14:23:06 -0500
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
I'll take a look at this
On Wed, Feb 13, 2019 at 1:52 AM Sebastien Blanc wrote: > Hi Andrew, > > Have you tried the token exchange service?
> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange > > On Wed, Feb 13, 2019 at 4:40 AM Andrew J. Alexander < > andrew.j.alexander at gmail.com> wrote: > >> I am just completely lost here. >> >> I need to integrate the Facebook SDK directly with Keycloak - Facebook is >> threatening to remove the ability to login entirely from my client's app. >> >> I am, however, absolutely and completely lost with how to do this in >> Keycloak. >> >> Here's my original post: >> >> http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html >> >> And I am wondering a similar question - is there a way to use native >> Facebook access token to authenticate with Keycloak? >> >> Facebook is saying that they want my client to update their app to use the >> Facebook SDK for login as opposed to non-standard SDK (i.e. >> AeroGear/Keycloak) >> >> I am trying to use the token provided by Facebook on successful login, >> with >> absolutely no luck. >> >> What is the recommended way (or is there a guide) on how to do this? >> >> Is there absolutely any compliant way to integrate the iOS Facebook SDK >> with Keycloak? Anything at all? I've been working on this for two weeks >> and >> I'm completely lost and have no idea how to do it.

From kapilkumarjoshi001 at gmail.com Thu Feb 14 22:08:57 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Fri, 15 Feb 2019 08:38:57 +0530
Subject: [keycloak-user] Fwd: Configuring SMTP settings via rest API
Hi all, I wanted one small example of configuring SMTP settings via the REST API. We are planning to create a similar UI to keycloak's, but use the REST API to set it.
Also, how to test the saved settings, i.e. whether they are saved or not?
Thanks
Kapil

From andrew.j.alexander at gmail.com Thu Feb 14 23:19:53 2019
From: andrew.j.alexander at gmail.com (Andrew J. Alexander)
Date: Thu, 14 Feb 2019 23:19:53 -0500
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
I'm not seeing a permissions tab, and I'm not finding where I should enable it: https://www.keycloak.org/docs/latest/securing_apps/keycloak-images/exchange-idp-permission-set.png
On Thu, Feb 14, 2019 at 2:23 PM Andrew J. Alexander < andrew.j.alexander at gmail.com> wrote: > I'll take a look at this > > On Wed, Feb 13, 2019 at 1:52 AM Sebastien Blanc wrote: > >> Hi Andrew, >> >> Have you tried the token exchange service? >> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange >> >> On Wed, Feb 13, 2019 at 4:40 AM Andrew J. Alexander < >> andrew.j.alexander at gmail.com> wrote: >> >>> I am just completely lost here. >>> >>> I need to integrate the Facebook SDK directly with Keycloak - Facebook is >>> threatening to remove the ability to login entirely from my client's app. >>> >>> I am, however, absolutely and completely lost with how to do this in >>> Keycloak. >>> >>> Here's my original post: >>> >>> http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html >>> >>> And I am wondering a similar question - is there a way to use native >>> Facebook access token to authenticate with Keycloak? >>> >>> Facebook is saying that they want my client to update their app to use >>> the >>> Facebook SDK for login as opposed to non-standard SDK (i.e. >>> AeroGear/Keycloak) >>> >>> I am trying to use the token provided by Facebook on successful login, >>> with >>> absolutely no luck. >>> >>> What is the recommended way (or is there a guide) on how to do this? >>> >>> Is there absolutely any compliant way to integrate the iOS Facebook SDK >>> with Keycloak?
Anything at all? I've been working on this for two weeks >>> and >>> I'm completely lost and have no idea how to do it.

From Shweta.Shetty at Teradata.com Fri Feb 15 02:05:51 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Fri, 15 Feb 2019 07:05:51 +0000
Subject: [keycloak-user] Offline Token Issue
I am using an offline token to refresh and using the following API:
auth/realms/uda/protocol/openid-connect/token
grant_type=refresh_token
refresh_token=AAAA
Basic Auth with the client credentials
I am getting the following error. What does it mean to not have a session? I do see active sessions in the admin dashboard on the client. What should I do to avoid getting this error?
{ "error": "invalid_grant", "error_description": "Session doesn't have required client" }

From Shweta.Shetty at Teradata.com Fri Feb 15 02:07:03 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Fri, 15 Feb 2019 07:07:03 +0000
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
You need to enable it using the following args:
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
-Dkeycloak.profile.feature.token_exchange=enabled
https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
On 2/14/19, 8:19 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Andrew J. Alexander" wrote: I'm not seeing a permissions tab, and I'm not finding where I should enable it: https://www.keycloak.org/docs/latest/securing_apps/keycloak-images/exchange-idp-permission-set.png On Thu, Feb 14, 2019 at 2:23 PM Andrew J.
Alexander < andrew.j.alexander at gmail.com> wrote: > I'll take a look at this > > On Wed, Feb 13, 2019 at 1:52 AM Sebastien Blanc wrote: > >> Hi Andrew, >> >> Have you tried the token exchange service? >> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange >> >> On Wed, Feb 13, 2019 at 4:40 AM Andrew J. Alexander < >> andrew.j.alexander at gmail.com> wrote: >> >>> I am just completely lost here. >>> >>> I need to integrate the Facebook SDK directly with Keycloak - Facebook is >>> threatening to remove the ability to login entirely from my client's app. >>> >>> I am, however, absolutely and completely lost with how to do this in >>> Keycloak. >>> >>> Here's my original post: >>> >>> http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html >>> >>> And I am wondering a similar question - is there a way to use native >>> Facebook access token to authenticate with Keycloak? >>> >>> Facebook is saying that they want my client to update their app to use >>> the >>> Facebook SDK for login as opposed to non-standard SDK (i.e. >>> AeroGear/Keycloak) >>> >>> I am trying to use the token provided by Facebook on successful login, >>> with >>> absolutely no luck. >>> >>> What is the recommended way (or is there a guide) on how to do this? >>> >>> Is there absolutely any compliant way to integrate the iOS Facebook SDK >>> with Keycloak? Anything at all? I've been working on this for two weeks >>> and >>> I'm completely lost and have no idea how to do it.

From andrew.j.alexander at gmail.com Fri Feb 15 02:10:49 2019
From: andrew.j.alexander at gmail.com (Andy)
Date: Fri, 15 Feb 2019 02:10:49 -0500
Subject: [keycloak-user] Still no luck with native iOS Facebook auth
Message-ID: <5EF71EA4-6E49-4BC7-A43C-6464471A53D5@gmail.com>
I actually just figured this out about 15 minutes ago. Thank you for all your help so far. I'm pretty sure this is the solution I need!
> On Feb 15, 2019, at 2:07 AM, Shetty, Shweta wrote: > > You need to enable it using the following args > -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled > -Dkeycloak.profile.feature.token_exchange=enabled > https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final > > On 2/14/19, 8:19 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Andrew J. Alexander" wrote: > > I'm not seeing a permissions tab, and I'm not finding where I should enable > it: > > https://www.keycloak.org/docs/latest/securing_apps/keycloak-images/exchange-idp-permission-set.png > > On Thu, Feb 14, 2019 at 2:23 PM Andrew J. Alexander < > andrew.j.alexander at gmail.com> wrote: > >> I'll take a look at this >> >>> On Wed, Feb 13, 2019 at 1:52 AM Sebastien Blanc wrote: >>> >>> Hi Andrew, >>> >>> Have you tried the token exchange service? >>> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange >>> >>> On Wed, Feb 13, 2019 at 4:40 AM Andrew J. Alexander < >>> andrew.j.alexander at gmail.com> wrote: >>> >>>> I am just completely lost here.
>>>> >>>> I need to integrate the Facebook SDK directly with Keycloak - Facebook is >>>> threatening to remove the ability to login entirely from my client's app. >>>> >>>> I am, however, absolutely and completely lost with how to do this in >>>> Keycloak. >>>> >>>> Here's my original post: >>>> >>>> http://lists.jboss.org/pipermail/keycloak-user/2017-February/009592.html >>>> >>>> And I am wondering a similar question - is there a way to use native >>>> Facebook access token to authenticate with Keycloak? >>>> >>>> Facebook is saying that they want my client to update their app to use >>>> the >>>> Facebook SDK for login as opposed to non-standard SDK (i.e. >>>> AeroGear/Keycloak) >>>> >>>> I am trying to use the token provided by Facebook on successful login, >>>> with >>>> absolutely no luck. >>>> >>>> What is the recommended way (or is there a guide) on how to do this? >>>> >>>> Is there absolutely any compliant way to integrate the iOS Facebook SDK >>>> with Keycloak? Anything at all? I've been working on this for two weeks >>>> and >>>> I'm completely lost and have no idea how to do it.

From sthorger at redhat.com Fri Feb 15 02:31:45 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 15 Feb 2019 08:31:45 +0100
Subject: [keycloak-user] Node.js admin client project
The old Node.js admin client (https://github.com/keycloak/keycloak-admin-client) has for a long time not been maintained. As there is a limit to how many projects the core Keycloak team can maintain, we needed some help here.
Thanks to developers from Canner and InfuseAI we now have a new Node.js admin client project that also has an active group to maintain the library. Take a look at https://github.com/keycloak/keycloak-nodejs-admin-client.

From luca.stancapiano at vige.it Fri Feb 15 04:49:33 2019
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Fri, 15 Feb 2019 10:49:33 +0100 (CET)
Subject: [keycloak-user] Filtered users according the logged role
In-Reply-To: <1318146878.512808.1546532105901@pim.register.it>
References: <1318146878.512808.1546532105901@pim.register.it>
Message-ID: <547124583.913105.1550224174500@pim.register.it>
In a realm, can I filter the list of users according to my covered role? I would like only a few users to come back from the search.

From kapilkumarjoshi001 at gmail.com Fri Feb 15 07:21:32 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Fri, 15 Feb 2019 17:51:32 +0530
Subject: [keycloak-user] Configuring SMTP settings via rest API
Thanks Felix, but I was looking more from the REST API end, as I'm using the javascript adapter of keycloak. Can someone point to the REST API way of saving SMTP settings?
Thanks
Kapil
On Fri, Feb 15, 2019 at 5:50 PM kapil joshi wrote: > Thanks Felix, but i was looking more from rest api end, as im using > javascript adapter of keycloak. > > Can someone point to the rest API way of saving SMTP settings.
> > Thanks & regards > Kapil > > On Fri, Feb 15, 2019 at 3:42 PM Felix Knecht > wrote: > >> Hi Kapil >> >> I use something like >> >> Keycloak keycloak = KeycloakBuilder.builder() >> .serverUrl(serverUrl) >> .realm(realm) >> .clientId(clientId) >> .clientSecret(clientSecret) >> .username(username) >> .password(password) >> .build(); >> RealmRepresentation smtpRealm = new RealmRepresentation(); >> Map smtpServer = new HashMap<>(); >> smtpServer.put("host", myHost); >> smtpServer.put("port", myPort); >> smtpServer.put("from", myFrom); >> smtpServer.put("auth", "true"); >> smtpServer.put("user", mySmtpUser); >> smtpServer.put("password", mySmtpPassword); >> smtpRealm.setSmtpServer(smtpServer); >> keycloak.realms().realm(myRealm).update(smtpRealm); >> >> Regards >> Felix >> >> >> > -----Urspr?ngliche Nachricht----- >> > Von: keycloak-user-bounces at lists.jboss.org > > bounces at lists.jboss.org> Im Auftrag von kapil joshi >> > Gesendet: Donnerstag, 14. Februar 2019 19:49 >> > An: keycloak-user at lists.jboss.org >> > Betreff: [keycloak-user] Configuring SMTP settings via rest API >> > >> > Hi all, >> > >> > I wanted one small example of configuring SMTP settings via rest API. >> > >> > We are planning to create one similar UI as like keycloak. But use rest >> API to set it. >> > >> > Also how to test the saved settings, like is it saved or not >> > >> > Thanks >> > Kapil >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From ronald.demneri at amdtia.com Fri Feb 15 07:41:14 2019 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Fri, 15 Feb 2019 12:41:14 +0000 Subject: [keycloak-user] Keycloak gatekeeper issue Message-ID: Hi all, I am trying to create an idea on Gatekeeper and have a very simple setup consisting of an upstream server with Apache and PHP. 
I run the keycloak-gatekeeper as follows:

./keycloak-gatekeeper --config keycloak-gatekeeper.json --verbose=true --resources="uri=/*|white-listed=true"

The config file is as follows:

discovery-url: https://keycloak/auth/realms/master
client-id: gatekeeper
client-secret: 94779832-40d7-4342-90d6-12ab52eab831
listen: 10.253.6.41:80
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
enable-login-handler: true
enable-token-header: true
enable-metrics: true
enable-default-deny: false
redirection-url: http://gatekeeper:80
//redirection-url: http://10.253.6.41:3000
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
secure-cookie: false
upstream-url: http://127.0.0.1:80
resources:
- uri: /user/test.php
- uri: /admin/*.php
  roles:
  - admin

In the logs I receive the following upon a successful login:

{"level":"error","ts":1550234109.9775908,"caller":"keycloak-gatekeeper/middleware.go:108","msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1550234109.9777544,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0002176,"status":307,"bytes":95,"client_ip":"10.253.6.24:60575","method":"GET","path":"/user/test.php"}
{"level":"debug","ts":1550234110.0099785,"caller":"keycloak-gatekeeper/handlers.go:88","msg":"incoming authorization request from client address","access_type":"","auth_url":"https://keycloak/auth/realms/master/protocol/openid-connect/auth?client_id=gatekeeper&redirect_uri=http%3A%2F%2Fgatekeeper%3A80%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=0b8a5bf8-e75c-452e-a650-d644c70e7fea","client_ip":"10.253.6.24:60575"}
{"level":"info","ts":1550234110.010026,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.0000993,"status":307,"bytes":331,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1550234127.0692794,"caller":"keycloak-gatekeeper/handlers.go:152","msg":"unable to verify the id token","error":"the access token has expired"}
{"level":"info","ts":1550234127.069323,"caller":"keycloak-gatekeeper/middleware.go:90","msg":"client request","latency":0.1995038,"status":403,"bytes":0,"client_ip":"10.253.6.24:60575","method":"GET","path":"/oauth/callback"}

And of course, I am not redirected back to the requested URL. I have configured the gatekeeper as a confidential client in Keycloak, and have added the redirect_uri http://gatekeeper:80/oauth/callback

Any hints?

Thanks in advance,
Ronald

From ronald.demneri at amdtia.com Fri Feb 15 07:58:40 2019
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Fri, 15 Feb 2019 12:58:40 +0000
Subject: [keycloak-user] Keycloak gatekeeper issue

I forgot to mention that I am using Keycloak version 4.5 in my test environment, so if it is a compatibility issue, please let me know so that I upgrade Keycloak.

Thanks in advance,
Ronald

From jayblanc at gmail.com Fri Feb 15 11:37:32 2019
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Fri, 15 Feb 2019 17:37:32 +0100
Subject: [keycloak-user] How to set the user login in registration process.

Hi all,

I would like to know if it is possible to start the registration process by fixing the username (a specific email) in some cases (by giving a URL param or something like that). In my app I send invitations to members' emails and I'd like the user to use the same email during the Keycloak registration process, so I want my app to redirect to the registration form with this particular email as a read-only form param. I imagine I can provide a dedicated template allowing the username email to be read-only in some cases, but I can't figure out how to access URL-specific parameters in this template?

Thanks for your help, best regards,
Jérôme.
From enguerrandd at gmail.com Fri Feb 15 15:31:29 2019
From: enguerrandd at gmail.com (Enguerrand Dibanda)
Date: Fri, 15 Feb 2019 15:31:29 -0500
Subject: [keycloak-user] Session idle timeout and KeycloakSecurityContextRequestFilter

Hello community,

I'm using Keycloak to secure an application with the keycloak-spring-security-adapter version 4.8.3.Final. This is not a spring-boot application.

I want to display a popup to the user, say 5 minutes before the session timeout, to give him/her a chance to save his/her work. To do that I use the refreshToken expiration date, which matches the "session idle timeout" config in Keycloak, to compute how long the session is still valid.

The issue I'm facing however is that all requests go through the KeycloakSecurityContextRequestFilter, which refreshes the access token when it expires but will also get a new refresh token, prolonging the session automatically.

My workaround was to insert a filter before the KeycloakSecurityContextRequestFilter which puts the same FILTER_APPLIED variable in the request that the KeycloakSecurityContextRequestFilter sets when applied, to be able to skip that filter for the session check URL. This works but I'm not very happy with that solution because it is not very elegant and relies on private data of the KeycloakSecurityContextRequestFilter.

Is there maybe a better way to configure excludedUrls for the KeycloakSecurityContextRequestFilter? Shouldn't the keycloak-spring-security-adapter make that filter automatically skip unsecured URLs, i.e. URLs declared as .antMatcher("/unsecured").permitAll()? Or maybe I'm not taking the right approach to solve this issue?

best regards,

From quoct at hotmail.com Fri Feb 15 19:11:41 2019
From: quoct at hotmail.com (Quoc Truong)
Date: Sat, 16 Feb 2019 00:11:41 +0000
Subject: [keycloak-user] Does Keycloak support WebSphere 8.5.x?

Hello,

My enterprise application supports both JBoss EAP 7.x and WebSphere 8.5.x. I'm currently using JAAS for both application servers. I'd like to change my enterprise application to also support Keycloak, but I couldn't find the Keycloak adapter for WebSphere.

I'd like to know if there is WebSphere support for Keycloak? If WAS is supported, where can I acquire documentation as well as where to download the Keycloak adapter for WAS?

Thanks,
Quoc

From Pavel.Micka at zoomint.com Sat Feb 16 14:17:03 2019
From: Pavel.Micka at zoomint.com (Pavel Micka)
Date: Sat, 16 Feb 2019 19:17:03 +0000
Subject: [keycloak-user] Extending "Add User UI"
Message-ID: <9e3de709545447c6b92b3ded98d58c37@zoomint.com>

Hi,

what is the easiest way to extend the Keycloak UI? In our scenario the user may have a privilege to manage resources belonging to some group, but not be a member of this group. Our idea of how to implement this is to have a group selector on the "Add User" page, which would either store the data into a user attribute or into a new JPA entity created for this.

The question is, what is the easiest way to extend the Keycloak JavaScript? I found in the docs how to change the templates, but this is definitely much more in depth.

Thanks,
Pavel

From mart.abel at finestmedia.ee Mon Feb 18 05:11:07 2019
From: mart.abel at finestmedia.ee (Mart Abel)
Date: Mon, 18 Feb 2019 10:11:07 +0000
Subject: [keycloak-user] How to ignore access token from external IDP and only look for ID_TOKEN?

Hi,

I need to integrate an external identity provider with Keycloak, and in that external identity provider all the info about the user is forwarded in the identity token.
This is what I get back from the /oidc/token endpoint:

{
  "access_token": "AT-40-aswvpV85wez9xpZTNsmKnaFlkafmHPe7",
  "token_type": "bearer",
  "expires_in": 28800,
  "id_token": "JWTIDENTITYTOKEN"
}

JWTIDENTITYTOKEN payload:

{
  "jti": "XXXX",
  "iss": "XXXX",
  "aud": "XXXX",
  "exp": 1550511120,
  "iat": 1550482320,
  "nbf": 1550482020,
  "sub": "ZZZZZ",
  "profile_attributes": {
    "date_of_birth": "ZZZ",
    "family_name": "ZZZ",
    "given_name": "ZZZ"
  },
  "amr": [ "ZZZ" ],
  "state": "hkMVY7vjuN7xyLl5",
  "nonce": "",
  "at_hash": "ndHD+z4/M/If7NGFUEOOig=="
}

1) So as you can see, the access_token is not in JWT format, so that is problem number 1, because Keycloak will give me an error when it gets it in that format. How to disable it or change it somehow?

"Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint."

2) So then I mocked the IDP just to test it and changed the access_token to some JWT-formatted token, and then it told me "Invalid paramater, username is missing".

How to configure Keycloak so that I could get all the data from the ID token, and having the access token in that format would not break the flow?

Thanks!
From vramik at redhat.com Mon Feb 18 06:13:23 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Mon, 18 Feb 2019 12:13:23 +0100
Subject: [keycloak-user] Does Keycloak support WebSphere 8.5.x?

Hello Quoc,

there is no specific WebSphere adapter available for Keycloak. You can try to look at the Servlet Filter Adapter: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter

V.

From Ondrej.Scerba at zoomint.com Mon Feb 18 06:48:28 2019
From: Ondrej.Scerba at zoomint.com (Ondrej Scerba)
Date: Mon, 18 Feb 2019 11:48:28 +0000
Subject: [keycloak-user] Invalid code error
Message-ID: <4306db94674f46cab4927b79cda5d70a@zoomint.com>

Hi,

I'm trying to integrate Grafana and Keycloak. I'm getting the following error when trying to authenticate against Keycloak:

type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.80.10.25, error=invalid_code

Any idea what could be wrong, or what the error message is indicating?
Thanks,
Ondrej

From luca.stancapiano at vige.it Mon Feb 18 10:51:46 2019
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Mon, 18 Feb 2019 16:51:46 +0100 (CET)
Subject: [keycloak-user] Filtered users according the logged role
In-Reply-To: <547124583.913105.1550224174500@pim.register.it>
References: <1318146878.512808.1546532105901@pim.register.it> <547124583.913105.1550224174500@pim.register.it>
Message-ID: <1940968104.982135.1550505106715@pim.register.it>

Depending on the user used, I would like to return a restricted list of users by calling the REST /auth/admin/${domain}/users service. Some idea?

> On 15 February 2019 at 10:49 Luca Stancapiano wrote:
>
> In a realm, can I filter the list of users according to my covered role? I would like only a few users to come back from the search.

From tim.ward at origamienergy.com Mon Feb 18 10:57:38 2019
From: tim.ward at origamienergy.com (Tim Ward)
Date: Mon, 18 Feb 2019 15:57:38 +0000
Subject: [keycloak-user] Changing logging format?

We're using Keycloak in Kubernetes using the jboss/keycloak Docker image.

We want to import the logs into Elasticsearch, but the default logging format is not useful because the date is missing (only the time is included).

How can I change the logging format to include the date? Preferably without having to build a custom Docker image, so by passing command line parameters and/or mounting files into the container?

(It would be nice to get rid of the colour codes from the log messages as well, but that's not a big deal because I can strip them off later.)

Tim Ward
From ronald.demneri at amdtia.com Mon Feb 18 13:44:56 2019
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Mon, 18 Feb 2019 18:44:56 +0000
Subject: [keycloak-user] Keycloak gatekeeper issue

Hello everyone!

Any feedback on the matter? Does anyone use Gatekeeper at the moment?

Regards,
Ronald

From karsten.honsack at zurich.com Tue Feb 19 02:36:22 2019
From: karsten.honsack at zurich.com (Karsten Honsack)
Date: Tue, 19 Feb 2019 07:36:22 +0000
Subject: [keycloak-user] Does Keycloak support WebSphere 8.5.x?

Hi Quoc,

there is no official adapter, but the OIDC implementation in WebSphere 8.5.5.13 works with Keycloak, at least for authentication. There is documentation at IBM on how to configure the OIDC module. You also have to configure a hard-coded claim in the attribute section of the client in Keycloak that puts a claim called 'scope' in every token for the WebSphere application that should be protected by OIDC.

Viele Grüße/Best regards
Karsten Honsack

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Vlasta Ramik
Sent: Monday, 18 February 2019 12:13
To: Quoc Truong
Cc: keycloak-user
Subject: [EXTERNAL] Re: [keycloak-user] Does Keycloak support WebSphere 8.5.x?

From testoauth55 at gmail.com Tue Feb 19 03:06:36 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Tue, 19 Feb 2019 13:36:36 +0530
Subject: [keycloak-user] Mapping multiple ldap to groups to existing keycloak group

By following the Keycloak documentation: https://www.keycloak.org/docs/4.5/server_admin/index.html#_ldap_mappers I created a group mapper like this:

[image: enter image description here]

But I don't see an option to give the name of the Keycloak group so that the imported LDAP group can be mapped to this group. Instead, when I "Sync LDAP Groups to Keycloak Groups", a new group with the name of the LDAP group is created.

Any idea how to map existing LDAP groups to a single Keycloak group?

Related stackoverflow question: https://stackoverflow.com/questions/54761376/mapping-ldap-groups-to-existing-keycloak-groups

From lorenzo.luconi at iit.cnr.it Tue Feb 19 04:52:44 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Tue, 19 Feb 2019 10:52:44 +0100
Subject: [keycloak-user] Docker and Invalid token issuer
Message-ID: <8B0CCE71-BA86-4B90-A8B2-5440104604E2@iit.cnr.it>

Hi,

I think it is a hostname problem, not an IP problem. The IP can be private, but you should reference your Keycloak server always using the same hostname, when you get the token and when you check it (your applications do the check). I had a similar problem inside a Docker Swarm cluster because some applications referenced the Keycloak server with an internal name and others with a different or external name.

I hope this helps.

Lorenzo

> On 14 Feb 2019, at 20:03, Svyatoslav Babych wrote:
>
> Good morning everyone,
>
> Could you please help me with this, I believe, common problem:
> I set up Keycloak in a Docker container, and have a second container which communicates with Keycloak through a private IP.
> I acquire the access token through the public IP and then send a request to this second container. As a result: "Invalid token issuer" exception.
> Unfortunately the second container cannot use the public IP.
> Appreciate any help with this.
>
> Thank you,
> Best regards,
> Svyat
>
> Svyatoslav Babych | Senior Solution Architect, Technical team Lead
> s.babych at dataclaritycorp.com
> DataClarity Corporation | www.dataclaritycorp.com

From chris.smith at cmfirstgroup.com Tue Feb 19 08:21:08 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Tue, 19 Feb 2019 13:21:08 +0000
Subject: [keycloak-user] Keycloak as OpenID Connect provider for Liferay Portal 6.2

Liferay Portal has an OpenID Connect plugin, configured by a property file with these properties:

openidconnect.enableOpenIDConnect=true
openidconnect.token-location=https:///auth/realms/CMFIRST/protocol/openid-connect/token
openidconnect.authorization-location=https:///auth/realms/CMFIRST/protocol/openid-connect/auth
openidconnect.profile-uri=https:///auth/realms/CMFIRST/protocol/openid-connect/userinfo
openidconnect.issuer=https:///auth/realms/CMFIRST/protocol/openid-connect/certs
openidconnect.client-id=Portal
openidconnect.secret=
openidconnect.scope=openid profile email

Property docs at end of email

My Keycloak client is an out-of-the-box setup.

Here are the realm keys.
Algorithm  Type  Priority  Provider
AES        OCT   100       aes-generated
HS256      OCT   100       hmac-generated
RS256      RSA   100       rsa-generated

Public key
Certificate

Liferay does not like the JWT signature:

13:09:39,833 WARN [http-bio-8080-exec-10][Liferay62Adapter:46] The token was not valid: -- JWT --
Raw String: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0....APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}
Claims Set: {"iss": "https:///auth/realms/CMFIRST", "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp": 1550582079, "nbf": "0", "iat": 1550581779, "jti": "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }
Signature: APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
---------
[Sanitized]

I don't have these problems in my web apps; they use the Tomcat adapter and there is no issue with the JWT signature.

Any suggestions?

Property docs

Portal properties

The following portal properties can be set. They are required unless specified as optional.

openidconnect.enableOpenIDConnect
    Whether to enable the plugin (effectively allowing you to disable the plugin without uninstalling it). Boolean, either 'true' or 'false'. Default is false.
openidconnect.authorization-location
    Complete URL to the OpenID Connect Provider's authorization location. Example for Google: https://accounts.google.com/o/oauth2/v2/auth

openidconnect.token-location
    Complete URL to the OpenID Connect Provider's token location. Example for Google: https://www.googleapis.com/oauth2/v4/token

openidconnect.profile-uri
    Complete URL to the 'user info' endpoint. Example for Google: https://www.googleapis.com/plus/v1/people/me/openIdConnect

openidconnect.sso-logout-uri (Optional)
openidconnect.sso-logout-param (Optional)
openidconnect.sso-logout-value (Optional)
    Complete URL to the 'SSO logout' endpoint. Ignored if empty. After redirection to the given URL, the OpenID Connect Provider should redirect to the Liferay Portal home page (or another public after-logout-resource). This target may be included in this URL as a URL parameter or may be configured for the OpenID Connect Provider.

openidconnect.issuer
    The information retrieved from the user info endpoint has to be verified against a preconfigured string, according to the OpenID Connect spec. This 'issuer' claim is used for that. Example for Google: https://accounts.google.com

openidconnect.client-id
    Register your Liferay portal as a 'client app' with the Google developer console, and the resulting client id is the OpenID Connect client id. Non-working example for Google: 7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com

openidconnect.secret
    Secret of the client, after registration of the Liferay portal, just like the client-id.

openidconnect.scope
    Scope(s) of the access token (space separated), should be the same (or a subset) of the scopes allowed by the provider to the client. Default value: openid profile email

openidconnect.provider (Optional)
    Type of OpenID Connect provider. Supported values: generic (default), azure. For most Provider implementations, the generic provider works. For Azure, use the value azure as this makes slight changes to the fields sent as UserInfo.
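The issuer check that the property docs above describe, as an added example (Python; not Liferay's or Keycloak's code): it decodes the ID token printed in the Liferay log, compares its `iss` claim exactly against the configured `openidconnect.issuer` string, and also checks aud, exp, nbf and Keycloak's `typ=ID` marker. The claims are the ones from the log; the hostname `keycloak.example` and the dummy signature are assumptions, so the sample token is for claim checks only and cannot be signature-verified.

```python
import base64
import json

# Constructed sample: header and claims as printed in the Liferay log above,
# with a placeholder hostname for the elided one. The signature is a dummy.
SAMPLE_ISSUER = "https://keycloak.example/auth/realms/CMFIRST"
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256",
                 "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a",
    "aud": ["Portal"],
    "exp": 1550582079,
    "nbf": "0",          # printed as a string in the log; handled below
    "iat": 1550581779,
    "jti": "fef435f1-0924-491e-8941-d21a0daececa",
    "typ": "ID",
}


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as JWS uses it (RFC 7515 appendix C)."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token() -> str:
    """Assemble header.payload.signature with a dummy (unverifiable) signature."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (SAMPLE_HEADER, SAMPLE_CLAIMS)]
    parts.append(b64url_encode(b"dummy-signature-not-verifiable"))
    return ".".join(parts)


def decode_unverified(token: str):
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    try:
        header_b64, payload_b64, _signature = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def realm_issuer_from_endpoint(url: str) -> str:
    """Keycloak's issuer is the realm base URL: everything before '/protocol/'.
    A certs, token or userinfo URL therefore never equals the iss claim."""
    return url.split("/protocol/", 1)[0].rstrip("/")


def validate_id_token_claims(token, expected_issuer, client_id, now, leeway=0):
    """Return a list of problems (empty list means the claims are acceptable).

    These are the ID Token checks of OpenID Connect Core 3.1.3.7 that need no
    key material: exact-string issuer match, audience containing the client
    id, exp/nbf against the clock, and Keycloak's typ=ID marker. Verifying
    the RS256 signature against the realm's JWKS is a separate, required step.
    """
    problems = []
    header, claims = decode_unverified(token)
    if header.get("alg") == "none":
        problems.append("alg=none is not acceptable")
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch: token iss=%r, configured=%r"
                        % (claims.get("iss"), expected_issuer))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append("audience %r does not contain client id %r" % (aud, client_id))
    if int(claims.get("exp", 0)) <= now - leeway:
        problems.append("token expired")
    if int(claims.get("nbf", 0)) > now + leeway:
        problems.append("token not yet valid")
    if claims.get("typ") not in (None, "ID"):
        problems.append("unexpected token type %r" % claims.get("typ"))
    return problems


if __name__ == "__main__":
    token = build_sample_token()
    certs_url = SAMPLE_ISSUER + "/protocol/openid-connect/certs"
    for configured in (certs_url, realm_issuer_from_endpoint(certs_url)):
        result = validate_id_token_claims(token, configured, "Portal", now=1550581800)
        print(configured, "->", result or "OK")
```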
From sblanc at redhat.com Tue Feb 19 09:00:01 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 19 Feb 2019 15:00:01 +0100 Subject: [keycloak-user] Keycloak as OpenID Connect provider for Liferay Portal 6.2 In-Reply-To: References: Message-ID: I'm not 100% sure, but I think your openidconnect.issuer=https:///auth/realms/CMFIRST/protocol/openid-connect/certs is not correct. Did you try to point it just to your realm? https:///auth/realms/CMFIRST Also maybe this blog post could help you: https://community.liferay.com/blogs/-/blogs/liferay-keycloak-integration On Tue, Feb 19, 2019 at 2:46 PM Chris Smith wrote:
> Liferay Portal has an OpenID Connect plugin, configured by a property file with these properties
>
> openidconnect.enableOpenIDConnect=true
> openidconnect.token-location=https://<host:port>/auth/realms/CMFIRST/protocol/openid-connect/token
> openidconnect.authorization-location=https://<host:port>/auth/realms/CMFIRST/protocol/openid-connect/auth
> openidconnect.profile-uri=https://<host:port>/auth/realms/CMFIRST/protocol/openid-connect/userinfo
> openidconnect.issuer=https://<host:port>/auth/realms/CMFIRST/protocol/openid-connect/certs
> openidconnect.client-id=Portal
> openidconnect.secret=
> openidconnect.scope=openid profile email
>
> Property docs at end of email
>
> My keycloak Client is an out of the box setup
> Here are the realm keys.
> Algorithm  Type  Priority  Provider
> AES        OCT   100       aes-generated   https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/aes-generated/b00f30ba-49da-4dfb-8f21-c256b069ec5b
> HS256      OCT   100       hmac-generated  https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/hmac-generated/c2362731-7a65-416f-918e-1b8c67ac7cb1
> RS256      RSA   100       rsa-generated   https://mobileportal.cmfirsttech.com:9280/auth/admin/master/console/#/realms/CMFIRST/keys/providers/rsa-generated/e57385c6-e6eb-421c-945e-725a30f189b5  (Public key, Certificate)
>
> Liferay does not like the jwt signature
>
> 13:09:39,833 WARN [http-bio-8080-exec-10][Liferay62Adapter:46] The token was not valid: -- JWT --
> Raw String: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJWTUtfTHpWbDY0T2plZW9NVkppajRTLTFNYTZ3aDU5b1dkWHpycXZ5MDJBIn0.[...].APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
> Header: {"typ": "JWT", "alg": "RS256", "cty": "null" , "kid": "VMK_LzVl64OjeeoMVJij4S-1Ma6wh59oWdXzrqvy02A"}
> Claims Set: {"iss": "https:///auth/realms/CMFIRST", "sub": "ff0bf51e-9af9-43bd-a454-dd3d39938f1a", "aud": ["Portal"], "exp": 1550582079, "nbf": "0", "iat": 1550581779, "jti": "fef435f1-0924-491e-8941-d21a0daececa", "typ": "ID" }
> Signature: APuz2MZkEbk3ADgPw2F4BxaS5ETkIMDeGerMZqmLPEYI-I04l0f8iOBFyxcVDV4C-dGginNcyqgL7Ep459B8kkm8mDwCWj2QqUo3VQF9QyTCRnz22vpqYEaJqsjmgQ5d7Bby6wCYshXECSuSNIUJ3N9ZMQVa_yq1qUM9JWg00FRs41ed4fJGhV1EWNFZGF5hKrJXfXQoICkdB61AjsjCE6Fi84P22hM_3AgDwvuS140USWweG0JA72EL3mdpQtXKB_5GAvG6XLEHGQu7QUGJPSxvyQ94Vr8Z74TobnPFsBamy7uzgNji5SJRnTxOjNsWlxYFIzp4bYHtUgmYoelxLg
> ---------
> [Sanitized]
>
> I don't have these problems in my web apps, they use the Tomcat adapter and no issue with the JWT sig.
> Any suggestions?
>
> Property docs
> Portal properties
> The following portal properties can be set. They are required unless specified as optional.
>
> openidconnect.enableOpenIDConnect
> Whether to enable the plugin (effectively allowing you to disable the plugin without uninstalling it). Boolean, either 'true' or 'false'. Default is false.
>
> openidconnect.authorization-location
> Complete url to the OpenID Connect Provider's authorization location. Example for Google: https://accounts.google.com/o/oauth2/v2/auth
>
> openidconnect.token-location
> Complete url to the OpenID Connect Provider's token location. Example for Google: https://www.googleapis.com/oauth2/v4/token
>
> openidconnect.profile-uri
> Complete URL to the 'user info' endpoint. Example for Google: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>
> openidconnect.sso-logout-uri (Optional)
> openidconnect.sso-logout-param (Optional)
> openidconnect.sso-logout-value (Optional)
> Complete URL to the 'SSO logout' endpoint. Ignored if empty.
> After redirection to the given URL, the OpenID Connect Provider should redirect to the Liferay Portal home page (or another public after-logout-resource). This target may be included in this URL as a URL parameter or may be configured for the OpenID Connect Provider.
>
> openidconnect.issuer
> The information retrieved from the user info endpoint has to be verified against a preconfigured string, according to the OpenID Connect spec. This 'issuer' claim is used for that. Example for Google: https://accounts.google.com
>
> openidconnect.client-id
> Register your Liferay portal as a 'client app' with the Google developer console, and the resulting client id is the openid connect client id. Non-working example for Google: 7kasuf1-123123adfaafdsflni7me2kr.apps.googleusercontent.com
>
> openidconnect.secret
> Secret of the client, after registration of the Liferay portal, just like the client-id.
>
> openidconnect.scope
> Scope(s) of the access token (space separated), should be the same (or a subset) of the scopes allowed by the provider to the client. Default value: openid profile email
>
> openidconnect.provider (Optional)
> Type of OpenID Connect provider. Supported values: generic (default), azure. For most Provider implementations, the generic provider works. For Azure, use the value azure as this makes slight changes to the fields sent as UserInfo.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kapilkumarjoshi001 at gmail.com Tue Feb 19 09:58:33 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Tue, 19 Feb 2019 20:28:33 +0530 Subject: [keycloak-user] Configuring SMTP settings via rest API In-Reply-To: References: Message-ID: Hi all, Just rechecking, if there is a solution to this issue, please let us know.
Kapil On Fri, 15 Feb 2019, 17:51 kapil joshi, wrote: > Thanks Felix, but I was looking more from the rest api end, as I'm using the > javascript adapter of keycloak. > > Can someone point to the rest API way of saving SMTP settings. > > Thanks > Kapil > > > On Fri, Feb 15, 2019 at 5:50 PM kapil joshi > wrote: > >> Thanks Felix, but I was looking more from the rest api end, as I'm using the >> javascript adapter of keycloak. >> >> Can someone point to the rest API way of saving SMTP settings. >> >> Thanks & regards >> Kapil >> >> On Fri, Feb 15, 2019 at 3:42 PM Felix Knecht >> wrote: >> >>> Hi Kapil >>> >>> I use something like >>>
>>> Keycloak keycloak = KeycloakBuilder.builder()
>>>     .serverUrl(serverUrl)
>>>     .realm(realm)
>>>     .clientId(clientId)
>>>     .clientSecret(clientSecret)
>>>     .username(username)
>>>     .password(password)
>>>     .build();
>>> RealmRepresentation smtpRealm = new RealmRepresentation();
>>> Map<String, String> smtpServer = new HashMap<>();
>>> smtpServer.put("host", myHost);
>>> smtpServer.put("port", myPort);
>>> smtpServer.put("from", myFrom);
>>> smtpServer.put("auth", "true");
>>> smtpServer.put("user", mySmtpUser);
>>> smtpServer.put("password", mySmtpPassword);
>>> smtpRealm.setSmtpServer(smtpServer);
>>> keycloak.realms().realm(myRealm).update(smtpRealm);
>>>
>>> Regards >>> Felix >>> >>> >>> > -----Original Message----- >>> > From: keycloak-user-bounces at lists.jboss.org On Behalf Of kapil joshi >>> > Sent: Thursday, 14 February 2019 19:49 >>> > To: keycloak-user at lists.jboss.org >>> > Subject: [keycloak-user] Configuring SMTP settings via rest API >>> > >>> > Hi all, >>> > >>> > I wanted one small example of configuring SMTP settings via rest API. >>> > >>> > We are planning to create one similar UI as like keycloak. But use >>> rest API to set it.
>>> > >>> > Also how to test the saved settings, like is it saved or not >>> > >>> > Thanks >>> > Kapil >>> >> From Rajib.Mitra at bedag.ch Tue Feb 19 10:16:18 2019 From: Rajib.Mitra at bedag.ch (Mitra Rajib, Bedag) Date: Tue, 19 Feb 2019 15:16:18 +0000 Subject: [keycloak-user] User registration with eMail-address already in use shows internalServerError Message-ID: <6fa04035089e441b895807645d8adf4b@bedag.ch> Dear keycloak-users, I'm not sure if I'm doing something wrong or if it is by design, but I get an 'internalServerError' message when I'm trying to register a new user with an email address that is already in use by another Keycloak user. -Realm-Settings: Email as username: Off Verify email: On Login with email: Off Duplicate email: Off -Keycloak version: 4.8.3.Final -Database: Postgres With Keycloak 3.4.3.Final I was faced with the same issue, but received a different error message. Any pointers would be greatly appreciated! Best, Rajib From s.babych at dataclaritycorp.com Tue Feb 19 11:43:49 2019 From: s.babych at dataclaritycorp.com (Svyatoslav Babych) Date: Tue, 19 Feb 2019 16:43:49 +0000 Subject: [keycloak-user] Docker and Invalid token issuer In-Reply-To: <8B0CCE71-BA86-4B90-A8B2-5440104604E2@iit.cnr.it> References: <8B0CCE71-BA86-4B90-A8B2-5440104604E2@iit.cnr.it> Message-ID: Hi, Thank you very much, I resolved this with an nginx proxy, but the overall idea is the same. Svyatoslav Babych | Senior Solution Architect, Technical team Lead s.babych at dataclaritycorp.com DataClarity Corporation | www.dataclaritycorp.com Facebook | Twitter | LinkedIn Confidentiality Notice: The information in this email and any attachments is confidential or proprietary and should be treated and marked as "Confidential" DataClarity communication.
If you are not the intended recipient of this email, any review, disclosure, copying, or distribution of it including any attachments is strictly prohibited and may be unlawful. If you have received this email in error, please notify the sender and immediately and permanently delete it and destroy any copies. Any information contained in this email is subject to the terms and conditions expressed in any applicable agreement. -----Original Message----- From: Lorenzo Luconi Trombacchi Sent: Tuesday, February 19, 2019 11:53 AM To: Svyatoslav Babych Cc: keycloak-user Subject: Re: [keycloak-user] Docker and Invalid token issuer Hi, I think it is a hostname problem, not an IP problem. The IP can be private, but you should always reference your Keycloak server using the same hostname, both when you get the token and when you check it (your applications do the check). I had a similar problem inside a Docker Swarm cluster because some applications referenced the Keycloak server with an internal name and others with a different or external name. I hope this helps. Lorenzo > On 14 Feb 2019, at 20:03, Svyatoslav Babych wrote: > > Good morning everyone, > > Could you please help me with this, I believe, common problem: > I set up Keycloak in a Docker container, and have a second container that communicates with Keycloak through a private IP. > I acquire the access token through the public IP and then send a request to this second container. As a result - "Invalid token issuer" exception. > Unfortunately the second container cannot use the public IP. > Appreciate any help with this.
> > Thank you, > Best regards, > Svyat > > Svyatoslav Babych | Senior Solution Architect, Technical team Lead > s.babych at dataclaritycorp.com DataClarity Corporation | http://www.dataclaritycorp.com > Facebook | Twitter | LinkedIn From andrew.j.alexander at gmail.com Tue Feb 19 12:29:34 2019 From: andrew.j.alexander at gmail.com (Andrew J.
Alexander) Date: Tue, 19 Feb 2019 12:29:34 -0500 Subject: [keycloak-user] Client not allowed to exchange Message-ID: I am getting a returned value of "client not allowed to exchange" Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]: 17:20:39,754 WARN [org.keycloak.events] (default task-21) type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here, userId=null, ipAddress=192.168.1.13, error=not_allowed, reason='client not allowed to exchange subject_issuer', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=facebookdev, client_auth_method=client-secret What's the problem here? Is it due to an issue with my client-secret (I am guessing this as I'm not currently passing in a value)? Is it due to some setting on the client itself? I've set Access Type to public, direct grants are enabled and the protocol is openid-connect Does anyone have any experience with this? I am attempting to do a token exchange From Shweta.Shetty at Teradata.com Tue Feb 19 14:48:35 2019 From: Shweta.Shetty at Teradata.com (Shetty, Shweta) Date: Tue, 19 Feb 2019 19:48:35 +0000 Subject: [keycloak-user] Client not allowed to exchange In-Reply-To: References: Message-ID: <482EA50A-6EB3-4B48-86FA-8107BFE2672C@teradata.com> You need to set permissions for the client in Keycloak in order to do the exchange. You can follow the instructions here: https://www.keycloak.org/docs/latest/securing_apps/index.html On 2/19/19, 9:29 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Andrew J.
Alexander" wrote: I am getting a returned value of "client not allowed to exchange" Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]: 17:20:39,754 WARN [org.keycloak.events] (default task-21) type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here, userId=null, ipAddress=192.168.1.13, error=not_allowed, reason='client not allowed to exchange subject_issuer', auth_method=token_exchange, grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_issuer=facebookdev, client_auth_method=client-secret What's the problem here? Is it due to an issue with my client-secret (I am guessing this as I'm not currently passing in a value)? Is it due to some setting on the client itself? I've set Access Type to public, direct grants are enabled and the protocol is openid-connect Does anyone have any experience with this? I am attempting to do a token exchange From david.everson at state.mn.us Tue Feb 19 16:59:58 2019 From: david.everson at state.mn.us (Everson, David (MNIT)) Date: Tue, 19 Feb 2019 21:59:58 +0000 Subject: [keycloak-user] Angular 7 / Keycloak Programmatic Session Timeouts Message-ID: Hello, We are designing an Angular 7 application with Keycloak IDM. What sets this application apart from other Angular/Keycloak applications we designed is this application has a use case for users of a certain group (e.g. support desk users) to have a session timeout of 8 hours while "normal" users have a 30 minute timeout. Any guidance on implementing such a use case? Thanks! Dave Dave Everson Application Architect | Custom Applications Minnesota IT Services | Partners in Minnesota Department of Health 625 Robert Street North St.
Paul, MN 55155 O: 651-201-5216 Information Technology for Minnesota Government | mn.gov/mnit [Minnesota IT Services Logo] [Facebook logo][LinkedIn logo][Twitter logo] -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 17451 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190219/42bc652b/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 349 bytes Desc: image002.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190219/42bc652b/attachment-0005.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 829 bytes Desc: image003.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190219/42bc652b/attachment-0006.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image004.png Type: image/png Size: 455 bytes Desc: image004.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190219/42bc652b/attachment-0007.png From lorenzo.luconi at iit.cnr.it Wed Feb 20 03:21:22 2019 From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi) Date: Wed, 20 Feb 2019 09:21:22 +0100 Subject: [keycloak-user] Angular 7 / Keycloak Programmatic Session Timeouts In-Reply-To: References: Message-ID: <0A360F3C-C6D4-401F-9D5C-10300AB8BFF7@iit.cnr.it> Token lifespan is a per-realm setting and you can use multiple realms for different types of users and settings. In a multi-realm scenario you may need OAuth2 multi-tenant applications or you have to replicate them to work with multiple realms. It's not easy. You can probably play with the refresh token to keep your access token fresh (in your Angular app).
Lorenzo > On 19 Feb 2019, at 22:59, Everson, David (MNIT) wrote: > > Hello, > > We are designing an Angular 7 application with Keycloak IDM. What sets this application apart from other Angular/Keycloak applications we designed is this application has a use case for users of a certain group (e.g. support desk users) to have a session timeout of 8 hours while "normal" users have a 30 minute timeout. > > Any guidance on implementing such a use case? > > Thanks! > Dave > > Dave Everson > Application Architect | Custom Applications > Minnesota IT Services | Partners in Minnesota Department of Health > 625 Robert Street North > St. Paul, MN 55155 > O: 651-201-5216 > Information Technology for Minnesota Government | mn.gov/mnit > [Minnesota IT Services Logo] > [Facebook logo][LinkedIn logo][Twitter logo] From khaendel at ehotel.de Wed Feb 20 05:11:01 2019 From: khaendel at ehotel.de (Ken Haendel) Date: Wed, 20 Feb 2019 11:11:01 +0100 Subject: [keycloak-user] Tomcat session timeout using spring-security adapter Message-ID: Hello Keycloak users, I want to secure a web app using Tomcat and the spring-security adapter. Since the token timeout values are configured in Keycloak, 1. to which value should I set the Tomcat session timeout so as not to interfere with the Keycloak token timeouts? Currently my settings in web.xml are: -1 true true COOKIE and 2. is there a disadvantage to using indefinite sessions? Thank you in advance and kind regards, Ken -------------- next part -------------- A non-text attachment was scrubbed...
Name: khaendel.vcf Type: text/x-vcard Size: 185 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190220/02dc3516/attachment.vcf From sthorger at redhat.com Wed Feb 20 05:36:47 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 20 Feb 2019 11:36:47 +0100 Subject: [keycloak-user] Angular 7 / Keycloak Programmatic Session Timeouts In-Reply-To: <0A360F3C-C6D4-401F-9D5C-10300AB8BFF7@iit.cnr.it> References: <0A360F3C-C6D4-401F-9D5C-10300AB8BFF7@iit.cnr.it> Message-ID: There's also support for requiring re-authentication in apps that shouldn't support long sessions. On Wed, 20 Feb 2019, 09:23 Lorenzo Luconi Trombacchi, < lorenzo.luconi at iit.cnr.it> wrote: > Token lifespan is a per-realm setting and you can use multiple realms for > different types of users and settings. In a multi-realm scenario you may > need OAuth2 multi-tenant applications or you have to replicate them to work > with multiple realms. It's not easy. > You can probably play with the refresh token to keep your access token fresh > (in your Angular app). > > Lorenzo > > > > On 19 Feb 2019, at 22:59, Everson, David (MNIT) < > david.everson at state.mn.us> wrote: > > > > Hello, > > > > We are designing an Angular 7 application with Keycloak IDM. What sets > this application apart from other Angular/Keycloak applications we designed > is this application has a use case for users of a certain group (e.g. > support desk users) to have a session timeout of 8 hours while "normal" > users have a 30 minute timeout. > > > > Any guidance on implementing such a use case? > > > > Thanks! > > Dave > > > > Dave Everson > > Application Architect | Custom Applications > > Minnesota IT Services | Partners in Minnesota Department of Health > > 625 Robert Street North > > St.
Paul, MN 55155 > > O: 651-201-5216 > > Information Technology for Minnesota Government | mn.gov/mnit <http://mn.gov/mnit> > > [Minnesota IT Services Logo] > > [Facebook logo] [LinkedIn logo] <https://www.linkedin.com/company/mn-it-services> [Twitter logo] <https://twitter.com/mnit_services> From mohsen.computerscience at gmail.com Wed Feb 20 08:38:49 2019 From: mohsen.computerscience at gmail.com (mohsen fatahi) Date: Wed, 20 Feb 2019 17:08:49 +0330 Subject: [keycloak-user] list all permissions using "keycloak-admin-client" Message-ID: Hi, I am using "keycloak-admin-client" for managing roles and users. I want to get all permissions that are in a client, but there is no API to handle this. There are APIs for create or getByName or getById separately for scope- and resource-based permissions. I want to list all permissions (scope & resource) and show them to the admin. best regards. mohsen From mposolda at redhat.com Thu Feb 21 04:20:44 2019 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 21 Feb 2019 10:20:44 +0100 Subject: [keycloak-user] Removing JaxrsBearerTokenFilter Message-ID: The Keycloak team is thinking about removing JaxrsBearerTokenFilter. Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows you to "secure" a JAX-RS application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts for it. Hence it is not considered an officially supported Keycloak feature.
And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters). Anyway, if someone is aware of any reason not to remove this filter from Keycloak, please let me know, ideally by Monday, Feb 25th. See some details in the keycloak-dev thread "Removing JaxrsBearerTokenFilter". Thanks, Marek From alistair.doswald at elca.ch Thu Feb 21 04:47:30 2019 From: alistair.doswald at elca.ch (Doswald Alistair) Date: Thu, 21 Feb 2019 09:47:30 +0000 Subject: [keycloak-user] Getting a user's CredentialRepresentation via the REST API Message-ID: <3d68ad5224fc4690a81736fff935c443@elca.ch> Hello, I've been looking to get a user's CredentialRepresentation(s) via the REST API but it doesn't seem possible. Getting the UserRepresentation doesn't get the user's credentials and I haven't found another function (this is with Keycloak 4.8.3.Final). Am I missing something? Or if not, is this a bug (credentials should be sent with the UserRepresentation) or a design decision (sending credentials over the REST API would be a security flaw)? Best regards, Alistair Doswald From kapilkumarjoshi001 at gmail.com Thu Feb 21 05:30:33 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Thu, 21 Feb 2019 16:00:33 +0530 Subject: [keycloak-user] Is Keycloak ONLY for securing URL based Calls Message-ID: Hi All, Is Keycloak ONLY for securing URL based calls? Can we secure a CLI login to a box via Keycloak? I may sound goofy, but is it possible to authenticate a user login to a Linux box which has Keycloak installed on it, against Keycloak?
Thanks & regards Kapil From kapilkumarjoshi001 at gmail.com Thu Feb 21 06:22:31 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Thu, 21 Feb 2019 16:52:31 +0530 Subject: [keycloak-user] Configuring SMTP settings via rest API In-Reply-To: <4aa839177c88432ca59646203a5fe7e9@SL1ACSEXCMB03.acsresource.com> References: <4aa839177c88432ca59646203a5fe7e9@SL1ACSEXCMB03.acsresource.com> Message-ID: Hi Tony, Thanks for this idea, I'm able to save the SMTP settings alone via this API. But I realised that I should have a user with the client role of realm-management with the manage-realms privilege. I was hoping to avoid assigning this role. Please let me know if you have any solutions to this situation. Thanks again for your help Kapil On Wed, Feb 20, 2019 at 12:18 AM Tony Harris wrote: > There is a GET method GET /admin/realms/{realm} that returns the > RealmRepresentation as a JSON object and a PUT method that takes the > RealmRepresentation and should allow you to update the SMTP settings. > > See > https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_realms_admin_resource > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto: > keycloak-user-bounces at lists.jboss.org] On Behalf Of kapil joshi > Sent: 19 February 2019 14:59 > To: Felix Knecht ; > keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Configuring SMTP settings via rest API > > Hi all, > > Just rechecking, if there is a solution to this issue, please let us know. > > Kapil > > On Fri, 15 Feb 2019, 17:51 kapil joshi, > wrote: > > > Thanks Felix, but I was looking more from the rest api end, as I'm using the > > javascript adapter of keycloak. > > > > Can someone point to the rest API way of saving SMTP settings. > > > > Thanks > > Kapil > > > > > > On Fri, Feb 15, 2019 at 5:50 PM kapil joshi > > > > wrote: > > > >> Thanks Felix, but I was looking more from the rest api end, as I'm using the > >> javascript adapter of keycloak.
> >> > >> Can someone point to the rest API way of saving SMTP settings. > >> > >> Thanks & regards > >> Kapil > >> > >> On Fri, Feb 15, 2019 at 3:42 PM Felix Knecht > >> > >> wrote: > >> > >>> Hi Kapil > >>> > >>> I use something like > >>>
> >>> Keycloak keycloak = KeycloakBuilder.builder()
> >>>     .serverUrl(serverUrl)
> >>>     .realm(realm)
> >>>     .clientId(clientId)
> >>>     .clientSecret(clientSecret)
> >>>     .username(username)
> >>>     .password(password)
> >>>     .build();
> >>> RealmRepresentation smtpRealm = new RealmRepresentation();
> >>> Map<String, String> smtpServer = new HashMap<>();
> >>> smtpServer.put("host", myHost);
> >>> smtpServer.put("port", myPort);
> >>> smtpServer.put("from", myFrom);
> >>> smtpServer.put("auth", "true");
> >>> smtpServer.put("user", mySmtpUser);
> >>> smtpServer.put("password", mySmtpPassword);
> >>> smtpRealm.setSmtpServer(smtpServer);
> >>> keycloak.realms().realm(myRealm).update(smtpRealm);
> >>>
> >>> Regards > >>> Felix > >>> > >>> > >>> > -----Original Message----- > >>> > From: keycloak-user-bounces at lists.jboss.org On Behalf Of kapil joshi > >>> > Sent: Thursday, 14 February 2019 19:49 > >>> > To: keycloak-user at lists.jboss.org > >>> > Subject: [keycloak-user] Configuring SMTP settings via rest API > >>> > > >>> > Hi all, > >>> > > >>> > I wanted one small example of configuring SMTP settings via rest API. > >>> > > >>> > We are planning to create one similar UI as like keycloak. But use > >>> rest API to set it.
> >>> > > >>> > Also how to test the saved settings, like is it saved or not > >>> > > >>> > Thanks > >>> > Kapil From bruno at abstractj.org Thu Feb 21 06:49:54 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 21 Feb 2019 08:49:54 -0300 Subject: [keycloak-user] Is Keycloak ONLY for securing URL based Calls In-Reply-To: References: Message-ID: <20190221114954.GA16035@abstractj.org> I believe you could accomplish this by setting up FreeIPA[1] and later configuring it as User Federation inside Keycloak[2]. I hope it helps. [1] - https://help.gnome.org/admin/system-admin-guide/stable/login-enterprise.html.en [2] - https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd On 2019-02-21, kapil joshi wrote: > Hi All, > > Is Keycloak ONLY for securing URL based calls? Can we secure a CLI login > to a box via Keycloak? I may sound goofy, but is it possible to authenticate > a user login to a Linux box which has Keycloak installed on it, against > Keycloak?
> > Thanks & regards > Kapil -- abstractj From l.lech at ringler.ch Thu Feb 21 08:23:35 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Thu, 21 Feb 2019 13:23:35 +0000 Subject: [keycloak-user] Removing JaxrsBearerTokenFilter In-Reply-To: References: Message-ID: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> Hello, I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented; for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from the Keycloak server with every request to our REST channel... If nobody has the time and will to document it and fix bugs, what about moving it to a separate project instead of deleting it? I haven't seen any alternative for securing JAX-RS channels other than writing everything from scratch... Is there any alternative usable project? Best regards, Lukasz Lech -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda Sent: Donnerstag, 21. Februar 2019 10:21 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Removing JaxrsBearerTokenFilter The Keycloak team is thinking about removing JaxrsBearerTokenFilter. Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows you to "secure" a JAX-RS application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts for it. Hence it is not considered an officially supported Keycloak feature.
And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).

Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by the Monday Feb 25th.

See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter".

Thanks,
Marek
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From luca.stancapiano at vige.it Thu Feb 21 10:02:38 2019
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Thu, 21 Feb 2019 16:02:38 +0100 (CET)
Subject: [keycloak-user] Add a new entry in the menu to the left of the admin console
Message-ID: <1033044693.1092626.1550761358236@pim.register.it>

I would like to add a new entry in the menu to the left of the admin console. The item information is on the html templates / menu.html page. I cannot, however, overwrite the templates placed in the templates directory, but only the pages in the resources folder. Is it something wanted? How do I need to overwrite that page or add a new entry?

From vikram.eswar at fleetroute.com Thu Feb 21 11:40:53 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Thu, 21 Feb 2019 17:40:53 +0100
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
Message-ID: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>

Hi all,

OS: Ubuntu 18.04

I am running an https secured apache server as a reverse proxy. Let's say at https://example.com

Now, I have a keycloak server running on the same machine, let's say at http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to http://localhost:1234

Now, I have a javascript application which is trying to authenticate with Keycloak using a javascript adapter.
In the keycloak.json configuration file, I have the url set up as:

url : 'https://example.com/keycloak/auth'

This does not work. In order to access keycloak for authentication from the outside world, I need this to connect.

Anything on this?

I have already looked at this link: https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

I have tried setting the certificate lookup but I am not sure if I am doing it right. I set it within the virtualhost block in the default-ssl.conf file through RequestHeader.

Regards,
Vikram

From firozpalapra at outlook.com Thu Feb 21 12:48:11 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Thu, 21 Feb 2019 17:48:11 +0000
Subject: [keycloak-user] Getting a user's CredentialRepresentation via the REST API
In-Reply-To: <3d68ad5224fc4690a81736fff935c443@elca.ch>
References: <3d68ad5224fc4690a81736fff935c443@elca.ch>
Message-ID:

Hi,

I believe the credentials are stored one-way hashed in the keycloak DB and cannot be decrypted.

Are you trying to get the hashed credential? I believe the user representation does not return this in the GET calls.

Regards,
Firoz

Sent from Mail for Windows 10

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Doswald Alistair
Sent: Thursday, February 21, 2019 3:17:30 PM
To: keycloak-user
Subject: [keycloak-user] Getting a user's CredentialRepresentation via the REST API

Hello,

I've been looking to get a user's CredentialRepresentation(s) via the REST API but it doesn't seem possible. Getting the UserRepresentation doesn't get the user's credentials and I haven't found another function (this is with Keycloak 4.8.3.Final).

Am I missing something? Or if not, is this a bug (credentials should be sent with the UserRepresentation) or a design decision (sending credentials over the REST API would be a security flaw)?
Best regards,
Alistair Doswald
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From pnalyvayko at agi.com Thu Feb 21 16:11:49 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 21 Feb 2019 21:11:49 +0000
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>
Message-ID:

Vikram,

>> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

The instructions above only apply if you are trying to set up mutual SSL.

Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up keycloak behind a load balancer; there are a few changes to the keycloak configuration you'll need to make.

Hope this helps
Regards
--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
Sent: Thursday, February 21, 2019 11:40 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi all,

OS: Ubuntu 18.04

I am running an https secured apache server as a reverse proxy. Let's say at https://example.com

Now, I have a keycloak server running on the same machine, let's say at http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to http://localhost:1234

Now, I have a javascript application which is trying to authenticate with Keycloak using a javascript adapter. In the keycloak.json configuration file, I have the url set up as:

url : 'https://example.com/keycloak/auth'

This does not work. In order to access keycloak for authentication from the outside world, I need this to connect.

Anything on this?
I have already looked at this link: https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

I have tried setting the certificate lookup but I am not sure if I am doing it right. I set it within the virtualhost block in the default-ssl.conf file through RequestHeader.

Regards,
Vikram
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From pnalyvayko at agi.com Thu Feb 21 16:13:33 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 21 Feb 2019 21:13:33 +0000
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To:
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>,
Message-ID:

Here is a link to more recent docs:

https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy

________________________________________
From: Nalyvayko, Peter
Sent: Thursday, February 21, 2019 4:11 PM
To: Vikram; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Vikram,

>> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

The instructions above only apply if you are trying to set up mutual SSL.
Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up keycloak behind a load balancer; there are a few changes to the keycloak configuration you'll need to make.

Hope this helps
Regards
--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
Sent: Thursday, February 21, 2019 11:40 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi all,

OS: Ubuntu 18.04

I am running an https secured apache server as a reverse proxy. Let's say at https://example.com

Now, I have a keycloak server running on the same machine, let's say at http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to http://localhost:1234

Now, I have a javascript application which is trying to authenticate with Keycloak using a javascript adapter. In the keycloak.json configuration file, I have the url set up as:

url : 'https://example.com/keycloak/auth'

This does not work. In order to access keycloak for authentication from the outside world, I need this to connect.

Anything on this?

I have already looked at this link: https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

I have tried setting the certificate lookup but I am not sure if I am doing it right. I set it within the virtualhost block in the default-ssl.conf file through RequestHeader.
Regards,
Vikram
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From noah at helios.ai Thu Feb 21 22:27:45 2019
From: noah at helios.ai (Noah Silverman)
Date: Fri, 22 Feb 2019 03:27:45 +0000
Subject: [keycloak-user] Help with non-browser authentication flow
Message-ID: <0DYOioHzkjJz-5fugmeyRsskMA0tJjonM9OPBuTVRJrrcVgdSVgixNG8X37u7_Y00Da4ml2cJ468on23QGW0m8VYOfxzOHzzXipeYyvefBo=@helios.ai>

Hello,

I'm building a REST based API for users to access things on our server. The Keycloak browser based authentication workflow is great, and I'd like to offer something similar to someone writing a REST client. i.e.:

1) POST your username and password to the Keycloak server
2) Receive an authorization_code back from Keycloak
3) Call OUR REST endpoint with the Keycloak authorization_code
4) Our software does a "back channel" call to Keycloak server to exchange the authorization_code for access token.
5) We then reply to the user with the JIT as a unique token for access our REST API

This is super easy using the browser to visit the Keycloak login page (the standard workflow covers steps 1-3 above). How can I configure Keycloak to allow the same flow without a browser?

Thank You!

--
Noah
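Step 4 of the flow in the post above, the back-channel exchange of the authorization_code for tokens, is the part that runs server-side and never touches the caller. The example below is added here; it is not Keycloak's code and not the poster's. The token endpoint path follows Keycloak's standard realm layout (/realms/{realm}/protocol/openid-connect/token under the /auth root); the base URL, realm, client id, client secret, code and redirect URI are made-up values, and the `fake_keycloak` transport is a constructed stand-in for the server so the exchange can be run offline.

```python
"""Back-channel authorization_code exchange against a Keycloak realm.

Example code added here, not Keycloak's own. Assumed values: the /auth base
URL, realm "demo", client "rest-api" and its secret, and the placeholder
code and redirect URI. Only the transport is swappable; the request and
response handling are what a real deployment would run."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    """Keycloak's OIDC token endpoint for a realm (base_url is the /auth root)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_code_exchange(base_url, realm, client_id, client_secret, code, redirect_uri):
    """Return (url, form_body, headers) for the authorization_code grant.

    The client secret travels in an HTTP Basic header on this server-to-server
    call, so it never reaches the REST client that presented the code."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        # Must equal the redirect_uri used when the code was issued;
        # the server rejects the grant otherwise.
        "redirect_uri": redirect_uri,
    }).encode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_endpoint(base_url, realm), body, headers


def parse_token_response(status, raw):
    """Return only what the API caller needs; the refresh token stays server-side."""
    payload = json.loads(raw)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(
            f"token request failed: {payload.get('error', status)} "
            f"{payload.get('error_description', '')}".strip()
        )
    return {
        "access_token": payload["access_token"],
        "token_type": payload.get("token_type"),
        "expires_in": int(payload.get("expires_in", 0)),
    }


def _post(url, body, headers):
    """Real transport: POST the form and return (status, raw_body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def exchange_code(base_url, realm, client_id, client_secret, code, redirect_uri, transport=_post):
    """Run the back-channel exchange; `transport` is injectable for offline use."""
    url, body, headers = build_code_exchange(base_url, realm, client_id, client_secret, code, redirect_uri)
    status, raw = transport(url, body, headers)
    return parse_token_response(status, raw)


# Constructed stand-in for the Keycloak token endpoint (not a real server).
EXPECTED_AUTH = "Basic " + base64.b64encode(b"rest-api:s3cr3t-placeholder").decode()


def fake_keycloak(url, body, headers):
    form = dict(urllib.parse.parse_qsl(body.decode()))
    if headers.get("Authorization") != EXPECTED_AUTH:
        return 401, json.dumps({"error": "unauthorized_client",
                                "error_description": "Invalid client secret"}).encode()
    if form.get("grant_type") == "authorization_code" and form.get("code") == "code-placeholder":
        return 200, json.dumps({"access_token": "access-token-placeholder", "token_type": "bearer",
                                "expires_in": 300, "refresh_token": "refresh-token-placeholder"}).encode()
    return 400, json.dumps({"error": "invalid_grant", "error_description": "Code not valid"}).encode()


if __name__ == "__main__":
    print(exchange_code("https://example.com/keycloak/auth", "demo", "rest-api", "s3cr3t-placeholder",
                        "code-placeholder", "https://api.example.com/callback", transport=fake_keycloak))
```

Replacing `transport=fake_keycloak` with the default sends the same request to a real realm. The response filter is deliberate: the refresh token issued to the confidential client is kept on the server, and the REST client only ever receives the short-lived access token.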
From sthorger at redhat.com Fri Feb 22 01:36:18 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 22 Feb 2019 07:36:18 +0100
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch>
Message-ID:

Why not use one of the proper adapters for the container you are deploying to?

On Thu, 21 Feb 2019, 14:51 Lukasz Lech, wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It
> is indeed poorly documented; for example, I've found no mention that
> org.keycloak.adapters.KeycloakConfigResolver must cache
> org.keycloak.adapters.KeycloakDeployment, which resulted in public keys
> being downloaded from Keycloak Server with every request to our REST
> channel...
>
> If nobody has the time and will to document it and fix bugs, what about
> moving it to a separate project instead of deleting it? I haven't seen any
> alternative for securing jaxrs channels other than writing everything from
> scratch... Is there any alternative usable project?
>
> Best regards,
> Lukasz Lech
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Donnerstag, 21. Februar 2019 10:21
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Keycloak team thinks about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter",
> which we have in the codebase and which allows to "secure" the JaxRS
> Application by adding the JaxrsFilter, which implements our OIDC
> adapter. This filter is not documented and we don't have any
> examples/quickstarts of it. Hence it is not considered as officially
> supported Keycloak feature. And you can probably always secure your
> application through some other officially supported way (HTTP Servlet
> filter or any of our other built-in adapters).
>
> Anyway, if someone is aware of any reason why to not remove this filter
> from Keycloak, please let me know, ideally by the Monday Feb 25th.
>
> See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter".
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Feb 22 01:38:28 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 22 Feb 2019 07:38:28 +0100
Subject: [keycloak-user] Getting a user's CredentialRepresentation via the REST API
In-Reply-To:
References: <3d68ad5224fc4690a81736fff935c443@elca.ch>
Message-ID:

Yes, no credentials are ever returned over the rest api

On Thu, 21 Feb 2019, 19:12 Firoz Ahamed, wrote:
> Hi,
>
> I believe the credentials are stored one-way hashed in the keycloak DB and
> cannot be decrypted.
>
> Are you trying to get the hashed credential? I believe the user
> representation does not return this in the GET calls.
>
> Regards,
>
> Firoz
>
> Sent from Mail for Windows 10
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Doswald Alistair <alistair.doswald at elca.ch>
> Sent: Thursday, February 21, 2019 3:17:30 PM
> To: keycloak-user
> Subject: [keycloak-user] Getting a user's CredentialRepresentation via the REST API
>
> Hello,
>
> I've been looking to get a user's CredentialRepresentation(s) via the REST
> API but it doesn't seem possible. Getting the UserRepresentation doesn't
> get the user's credentials and I haven't found another function (this is
> with Keycloak 4.8.3.Final).
>
> Am I missing something? Or if not, is this a bug (credentials should be
> sent with the UserRepresentation) or a design decision (sending credentials
> over the REST API would be a security flaw)?
>
> Best regards,
>
> Alistair Doswald
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From l.lech at ringler.ch Fri Feb 22 02:24:01 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Fri, 22 Feb 2019 07:24:01 +0000
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To:
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch>
Message-ID: <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch>

Hmm, which is a proper adapter for JaxRS then? I've found only that one...

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Freitag, 22. Februar 2019 07:36
To: Lukasz Lech
Cc: keycloak-user
Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter

Why not use one of the proper adapters for the container you are deploying to?
On Thu, 21 Feb 2019, 14:51 Lukasz Lech, wrote:

Hello,

I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented; for example, I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from Keycloak Server with every request to our REST channel...

If nobody has the time and will to document it and fix bugs, what about moving it to a separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?

Best regards,
Lukasz Lech

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Donnerstag, 21. Februar 2019 10:21
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter

Keycloak team thinks about removing JaxrsBearerTokenFilter.

Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).

Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by the Monday Feb 25th.

See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter".
Thanks,
Marek

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mariusz at info.nl Fri Feb 22 04:56:25 2019
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Fri, 22 Feb 2019 09:56:25 +0000
Subject: [keycloak-user] How to configure limited user account, that can only manage users
Message-ID:

Hi.

We were using Keycloak 3.4.3 and we had an account for customer service that can manage users. Client roles (for selected realms): impersonation, manage-users, view-users

After upgrade to KC 4.8.2, the user can log in, but when he selects a realm, a Forbidden message is shown. After assigning the 'view-realm' role, it works, but the user sees more in the menu than we want him to.

Left menu contains:
Configure (Realm Settings, Roles, User Federation, Authentication)
Manage (Users, Groups, Sessions)

Isn't there any way to hide the 'Configure' part of the menu, and show only 'Manage'?

Regards
Mariusz

From thesofiane at gmail.com Fri Feb 22 06:07:23 2019
From: thesofiane at gmail.com (So Be)
Date: Fri, 22 Feb 2019 12:07:23 +0100
Subject: [keycloak-user] Add terms of use to required actions
Message-ID:

Hi,

I want to add text containing the terms of use. At the moment the page is empty. Which file (.ftl) should I modify?
I am using Keycloak 3.4.0

Thank you.

Sofiane.
From vramik at redhat.com Fri Feb 22 06:31:28 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Fri, 22 Feb 2019 12:31:28 +0100
Subject: [keycloak-user] Add terms of use to required actions
In-Reply-To:
References:
Message-ID:

Hello Sofiane,

The default text is located at
https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/messages/messages_en.properties#L44-L46

There is documentation on how to create your own theme based on the default one:
https://www.keycloak.org/docs/latest/server_development/index.html#_themes

V.

On 2/22/19 12:07 PM, So Be wrote:
> Hi,
>
> I want to add text containing the terms of use. At the moment the page is
> empty. Which file (.ftl) should I modify?
> I am using Keycloak 3.4.0
>
> Thank you.
>
> Sofiane.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vikram.eswar at fleetroute.com Fri Feb 22 06:33:57 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Fri, 22 Feb 2019 12:33:57 +0100
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To:
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>
Message-ID: <80e0e3c9-c476-0d06-aa9d-e12732c88e58@fleetroute.com>

Hi Peter,

thanks a lot for your reply. I have followed this link already with no luck. I have set X-Forwarded headers in my default-ssl.conf file as:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS
RequestHeader set X-Forwarded-Port "443"
RemoteIPHeader X-Forwarded-For

Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1, because everything is running on the same machine? Or should I add all of this in the security.conf file?

Where am I going wrong? I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration.
Regards,
Vikram

On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:
> Here is a link to more recent docs:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
> ________________________________________
> From: Nalyvayko, Peter
> Sent: Thursday, February 21, 2019 4:11 PM
> To: Vikram; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Vikram,
>
>>> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
> The instructions above only apply if you are trying to set up mutual SSL.
>
> Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up keycloak behind a load balancer; there are a few changes to the keycloak configuration you'll need to make
>
> Hope this helps
> Regards
> --Peter
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
> Sent: Thursday, February 21, 2019 11:40 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Hi all,
>
> OS: Ubuntu 18.04
>
> I am running an https secured apache server as a reverse proxy. Let's say
> at https://example.com
>
> Now, I have a keycloak server running on the same machine, let's say at
> http://localhost:1234 (note: HTTP)
>
> I have set it up such that https://example.com/keycloak points to
> http://localhost:1234
>
> Now, I have a javascript application which is trying to authenticate
> with Keycloak using a javascript adapter. In the keycloak.json
> configuration file, I have the url set up as:
>
> url : 'https://example.com/keycloak/auth'
>
> This does not work. In order to access keycloak for authentication from
> the outside world, I need this to connect.
>
> Anything on this?
>
> I have already looked at this link:
>
> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>
> I have tried setting the certificate lookup but I am not sure if I am
> doing it right. I set it within the virtualhost block in the
> default-ssl.conf file through RequestHeader.
>
> Regards,
>
> Vikram
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thesofiane at gmail.com Fri Feb 22 08:06:57 2019
From: thesofiane at gmail.com (So Be)
Date: Fri, 22 Feb 2019 14:06:57 +0100
Subject: [keycloak-user] Add terms of use to required actions
In-Reply-To:
References:
Message-ID:

Thank you Vlasta, it did work. I already created a new theme, but didn't find the messages directory.
So, I modified messages_en.properties in "base" since it will be imported in the new theme.

On Fri, Feb 22, 2019 at 12:31 PM Vlasta Ramik wrote:
> Hello Sofiane,
>
> The default text is located at
> https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/messages/messages_en.properties#L44-L46
>
> There is documentation on how to create your own theme based on the default
> one:
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
>
> V.
>
> On 2/22/19 12:07 PM, So Be wrote:
> > Hi,
> >
> > I want to add text containing the terms of use. At the moment the page is
> > empty. Which file (.ftl) should I modify?
> > I am using Keycloak 3.4.0
> >
> > Thank you.
> >
> > Sofiane.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From vramik at redhat.com Fri Feb 22 08:28:16 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Fri, 22 Feb 2019 14:28:16 +0100
Subject: [keycloak-user] Add terms of use to required actions
In-Reply-To:
References:
Message-ID: <04d8fc1a-0477-c821-1631-cd8d46201d74@redhat.com>

It is possible to do that when you have the possibility to build your own customized keycloak-server, but if you don't want to (or can't) edit the code, the customized theme is the preferred way.

On 2/22/19 2:06 PM, So Be wrote:
> Thank you Vlasta, it did work. I already created a new theme, but
> didn't find the messages directory.
> So, I modified messages_en.properties in "base" since it will be
> imported in the new theme.
>
> On Fri, Feb 22, 2019 at 12:31 PM Vlasta Ramik wrote:
>
> Hello Sofiane,
>
> The default text is located at
> https://github.com/keycloak/keycloak/blob/master/themes/src/main/resources/theme/base/login/messages/messages_en.properties#L44-L46
>
> There is documentation on how to create your own theme based on the default one:
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
>
> V.
>
> On 2/22/19 12:07 PM, So Be wrote:
> > Hi,
> >
> > I want to add text containing the terms of use. At the moment the page is
> > empty. Which file (.ftl) should I modify?
> > I am using Keycloak 3.4.0
> >
> > Thank you.
> >
> > Sofiane.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From max.allan+keycloak at surevine.com Fri Feb 22 11:03:19 2019
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Fri, 22 Feb 2019 16:03:19 +0000
Subject: [keycloak-user] Requiring 2FA?
Message-ID:

Hello,

I have a client app, and have enabled 2FA (totp) as a required step in its browser auth flow.

What we find is that some new users have been able to get the "reset your password" link, reset their password and somehow access the client WITHOUT 2FA. Most reset their password and are then prompted to set up TOTP 2FA.

I assume this is because to reset your password, you gain a valid session, and if you then visit the client URL, keycloak does SSO via a different flow and lets you in. Except when I've tried to make that happen, it doesn't work like that! I have no idea how the users manage to break it...

Should I enable 2FA on the "account" client's browser auth flow as well? Will that allow people to reset their passwords normally? Or is there something else I can do to prevent password resets from also being "logins, without 2FA"?

I don't quite understand how some of the other flows are supposed to work; if I added TOTP to a flow the user doesn't normally interact with, would it cause confusion? It feels like the wrong thing to do.

Thanks,
Max

From pnalyvayko at agi.com Fri Feb 22 11:50:07 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Fri, 22 Feb 2019 16:50:07 +0000
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To: <80e0e3c9-c476-0d06-aa9d-e12732c88e58@fleetroute.com>
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com>, <80e0e3c9-c476-0d06-aa9d-e12732c88e58@fleetroute.com>
Message-ID:

Vikram,

Make sure your KC instance is internally accessible. I am posting the examples of the apache virtual host and the portion of the KC configuration relevant to the reverse proxy, where : is the IP address and port respectively your keycloak server is listening on.

=== .conf ===
...
ProxyPreserveHost On
ProxyRequests Off
RequestHeader add "X-forwarded-proto" "https"
RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
ProxyPass "/auth" "http://:/auth"
ProxyPassReverse "/auth" "http://:/auth"
...
==== standalone.xml ====
.....
.....

Hope this helps
Cheers,
--Peter

_____________________________________
From: Vikram [vikram.eswar at fleetroute.com]
Sent: Friday, February 22, 2019 6:33 AM
To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi Peter,

thanks a lot for your reply. I have followed this link already with no luck. I have set X-Forwarded headers in my default-ssl.conf file as:

RequestHeader set X-Forwarded-Proto "https" env=HTTPS
RequestHeader set X-Forwarded-Port "443"
RemoteIPHeader X-Forwarded-For

Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1, because everything is running on the same machine? Or should I add all of this in the security.conf file?

Where am I going wrong? I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration.

Regards,
Vikram

On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:
Here is a link to more recent docs:
https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
________________________________________
From: Nalyvayko, Peter
Sent: Thursday, February 21, 2019 4:11 PM
To: Vikram; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Vikram,

https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
The instructions above only apply if you are trying to set up mutual SSL.
Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up keycloak behind a load balancer; there are a few changes to the keycloak configuration you'll need to make

Hope this helps
Regards
--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
Sent: Thursday, February 21, 2019 11:40 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy

Hi all,

OS: Ubuntu 18.04

I am running an https secured apache server as a reverse proxy. Let's say at https://example.com

Now, I have a keycloak server running on the same machine, let's say at http://localhost:1234 (note: HTTP)

I have set it up such that https://example.com/keycloak points to http://localhost:1234

Now, I have a javascript application which is trying to authenticate with Keycloak using a javascript adapter. In the keycloak.json configuration file, I have the url set up as:

url : 'https://example.com/keycloak/auth'

This does not work. In order to access keycloak for authentication from the outside world, I need this to connect.

Anything on this?

I have already looked at this link: https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider

I have tried setting the certificate lookup but I am not sure if I am doing it right. I set it within the virtualhost block in the default-ssl.conf file through RequestHeader.
Regards,
Vikram
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ekemokai at gmail.com Fri Feb 22 12:34:02 2019
From: ekemokai at gmail.com (Edmond Kemokai)
Date: Fri, 22 Feb 2019 12:34:02 -0500
Subject: [keycloak-user] Error extracting SAML assertion
Message-ID:

Hi All,

I am getting the below exception when posting a saml response to the /saml consumer endpoint:

org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler - Error extracting SAML assertion: null

A snippet of the response, I have stripped out the signature information:

Portal Portal ek at gmail.com urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport ek at gmail.com developer sysadmin

From giannif.libero.it at gmail.com Sat Feb 23 11:46:07 2019
From: giannif.libero.it at gmail.com (Gianni)
Date: Sat, 23 Feb 2019 17:46:07 +0100
Subject: [keycloak-user] updating owner of a resource
Message-ID:

Hi,

I was trying to update the owner of an existing resource with

resource.setOwner(newOwnerId);
getAuthzClient().protection().resource().update(resource);

There is no Exception, but it seems that the resource still keeps the previous owner... is there a different way to achieve this? Is it possible at all?

thanks
gianni

PS: the server is keycloak 4.8.3Final

From s.babych at dataclaritycorp.com Mon Feb 25 04:54:07 2019
From: s.babych at dataclaritycorp.com (Svyatoslav Babych)
Date: Mon, 25 Feb 2019 09:54:07 +0000
Subject: [keycloak-user] Securing Microservices
Message-ID:

Good morning everyone,

I would like to ask about the pros and cons, or a best practice, for the following approach: in the case of a microservices architecture, using the same single bearer-only client for all services. Also, in this case, what should be in Admin URL?
Thank you in advance,
Best regards,
Svyat

Svyatoslav Babych | Senior Solution Architect, Technical team Lead
s.babych at dataclaritycorp.com
DataClarity Corporation | www.dataclaritycorp.com
Facebook | Twitter | LinkedIn

Confidentiality Notice: The information in this email and any attachments is confidential or proprietary and should be treated and marked as "Confidential" DataClarity communication. If you are not the intended recipient of this email, any review, disclosure, copying, or distribution of it including any attachments is strictly prohibited and may be unlawful. If you have received this email in error, please notify the sender and immediately and permanently delete it and destroy any copies. Any information contained in this email is subject to the terms and conditions expressed in any applicable agreement.

From uo67113 at gmail.com Mon Feb 25 05:13:50 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 25 Feb 2019 11:13:50 +0100
Subject: [keycloak-user] Error extracting SAML assertion
In-Reply-To:
References:
Message-ID:

Hello Ekemokai,

mmm, at first glance your saml response looks OK to me. Perhaps you could increase the level of logging in org.keycloak.adapters? Also, could you provide a bit more detail of your setup?

For me the below one works:

java version "1.8.0_162" --> Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
keycloak-saml-tomcat8-adapter-4.8.3.Final
Server version: Apache Tomcat/9.0.5
CentOS Linux release 7.5.1804 (Core)

If you use tomcat as well you can add

org.keycloak.adapters.level = FINE

Hope it helps,

Luis

El vie., 22 feb.
2019 a las 22:26, Edmond Kemokai () escribió:

> Hi All,
>
> I am getting below exception when posting a saml response to /saml
> consumer endpoint:
>
> org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler
> - Error extracting SAML assertion: null
>
> A snippet of the response, I have stripped out the signature information:
>
> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="SOLVENT_72186bc0-0724-439c-a4a4-d1768907d1a0"
> InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
> IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
> Portal
> Value="urn:oasis:names:tc:SAML:2.0:status:Success">
> ID="SOLVENT_93f7919c-c92a-45ab-8d79-380e072b235b"
> IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
> Portal
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ek at gmail.com
> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
> NotOnOrAfter="2019-02-22T17:20:46Z">
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> ek at gmail.com
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> xsi:type="xs:string">developer
> xsi:type="xs:string">sysadmin

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From vikram.eswar at fleetroute.com Mon Feb 25 06:47:08 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Mon, 25 Feb 2019 12:47:08 +0100
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To:
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com> <80e0e3c9-c476-0d06-aa9d-e12732c88e58@fleetroute.com>
Message-ID: <10321646-d4fd-4ebb-5e2e-eaeb6242c454@fleetroute.com>

Hi Peter,

Thanks a lot again! It works now. However, there was only one change that did the trick. I changed this:

ProxyPass "/xyz" "http://:/"
ProxyPassReverse "/xyz" "http://:/"

to:

ProxyPass "/xyz" "http://:/auth"
ProxyPassReverse "/xyz" "http://:/auth"

I did not have "auth" at the end of the url in the reverse proxy settings. Instead, I had it in my keycloak.json file as 'https://example.com/xyz/auth'. I am not sure, but I think keycloak redirects any request going to http://:/ to http://:/auth automatically... or maybe not. I would appreciate a clarification on this if possible.

Nevertheless, thanks a lot for your time!

Regards,
Vikram

On 2/22/2019 5:50 PM, Nalyvayko, Peter wrote:
> Vikram,
>
> Make sure your KC instance is internally accessible. I am posting the examples of apache virtual host and the portion of KC configuration relevant to reverse proxy, where : is the IP address and port respectively your keycloak server is listening on.
>
> === .conf ===
>
> ...
> ProxyPreserveHost On
> ProxyRequests Off
> RequestHeader add "X-forwarded-proto" "https"
>
> RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
>
> ProxyPass "/auth" "http://:/auth"
> ProxyPassReverse "/auth" "http://:/auth"
> ...
>
> ==== standalone.xml ====
>
> .....
>
> .....
>
> Hope this helps
> Cheers,
> --Peter
> _____________________________________
> From: Vikram [vikram.eswar at fleetroute.com]
> Sent: Friday, February 22, 2019 6:33 AM
> To: Nalyvayko, Peter; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Hi Peter,
>
> thanks a lot for your reply.
>
> I have followed this link already with no luck.
>
> I have set X-forwarded headers in my default-ssl.conf file as:
>
> RequestHeader set X-Forwarded-Proto "https" env=HTTPS
> RequestHeader set X-Forwarded-Port "443"
> RemoteIPHeader X-Forwarded-For
>
> Should I also set RemoteIPTrustedProxy and RemoteIPInternalProxy to 127.0.0.1, because everything is running on the same machine? Or should I add all of this in the security.conf file?
>
> Where am I going wrong?
>
> I am not getting a json response when I test the configuration using /auth/realms/master/.well-known/openid-configuration.
>
> Regards,
>
> Vikram
>
> On 2/21/2019 10:13 PM, Nalyvayko, Peter wrote:
>
> Here is a link to more recent docs:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
> ________________________________________
> From: Nalyvayko, Peter
> Sent: Thursday, February 21, 2019 4:11 PM
> To: Vikram; keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Vikram,
>
> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>
> The instructions above only apply if you are trying to set up mutual SSL.
>
> Take a look at https://www.keycloak.org/docs/1.9/server_installation_guide/topics/clustering/load-balancer.html for how to set up keycloak behind a load balancer; there are a few changes to the keycloak configuration you'll need to make.
>
> Hope this helps
> Regards
> --Peter
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Vikram [vikram.eswar at fleetroute.com]
> Sent: Thursday, February 21, 2019 11:40 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
>
> Hi all,
>
> OS: Ubuntu 18.04
>
> I am running an https secured apache server as a reverse proxy. Let's say at https://example.com
>
> Now, I have a keycloak server running on the same machine, let's say at http://localhost:1234 (note: HTTP)
>
> I have set it up such that https://example.com/keycloak points to http://localhost:1234
>
> Now, I have a javascript application which is trying to authenticate with Keycloak using a javascript adapter. In the keycloak.json configuration file, I have the url set up as:
>
> url : 'https://example.com/keycloak/auth'
>
> This does not work. In order to access keycloak for authentication from the outside world, I need this to connect.
>
> Anything on this?
>
> I have already looked at this link:
>
> https://www.keycloak.org/docs/latest/server_admin/#apache-certificate-lookup-provider
>
> I have tried setting the certificate lookup but I am not sure if I am doing it right. I set it within the virtualhost block in the default-ssl.conf file through RequestHeader.
>
> Regards,
>
> Vikram

From max.allan+keycloak at surevine.com Mon Feb 25 07:16:23 2019
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Mon, 25 Feb 2019 12:16:23 +0000
Subject: [keycloak-user] Requiring 2FA?
In-Reply-To:
References:
Message-ID:

I have done some digging and if admin sends out a password reset, it works as I expect: the user resets their password and is then prompted to return to the login page, and they login normally. IF they use the self service reset function they reset their password and are logged in to the application, without a TOTP prompt.

I looked at the JWT in the reset email and can see that it says "reset-credentials" on self reset and "execute-actions" on a managed reset. So, I looked at the "Reset Credentials" flow. Added the OTP form. With the OTP form added, the user is requested to enter their OTP when they click the link. And the button says "Log In".

I can see this causing major confusion in the user community. "Log In? But I've not reset my password yet. Help, what do I do, is there a security breach that it lets me login without a password??"

The OTP form is first in the flow regardless of position in the "Copy of Reset Credentials" flow. I can see the logic behind requiring TOTP before resetting the password, it does validate that the user is who they claim to be; however, "Login" will cause confusion.

Raised: https://issues.jboss.org/browse/KEYCLOAK-9648 to cover it.

Max

On Fri, 22 Feb 2019 at 16:03, Max Allan wrote:
>> Hello,
>> I have a client app, and have enabled 2FA (totp) as a required step in
>> its browser auth flow.
>>
>> What we find is that some new users have been able to get the "reset your
>> password" link, reset their password and somehow access the client WITHOUT
>> 2FA.
>> Most reset their password and are then prompted to setup TOTP 2FA.

From psilva at redhat.com Mon Feb 25 08:40:50 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 25 Feb 2019 10:40:50 -0300
Subject: [keycloak-user] updating owner of a resource
In-Reply-To:
References:
Message-ID:

Hi,

You can't update the owner. Are you trying to change ownership? Couldn't you share or set permissions that allow access to some other user?

Regards.
Pedro Igor

From sthorger at redhat.com Mon Feb 25 09:32:39 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 25 Feb 2019 15:32:39 +0100
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To: <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch>
Message-ID:

Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc.

On Fri, 22 Feb 2019 at 08:26, Lukasz Lech wrote:
> Hmm, which is a proper adapter for JaxRS then? I've found only that one...
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Freitag, 22. Februar 2019 07:36
> To: Lukasz Lech
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Why not use one of the proper adapters for the container you are deploying to?
> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, l.lech at ringler.ch wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented; for example, I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from the Keycloak Server with every request to our REST channel...
>
> If nobody has the time and will to document it and fix bugs, what about moving it to a separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?
>
> Best regards,
> Lukasz Lech
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Donnerstag, 21. Februar 2019 10:21
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Keycloak team thinks about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as an officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).
>
> Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by Monday Feb 25th.
>
> See some details in keycloak-dev thread "Removing JaxrsBearerTokenFilter".
>
> Thanks,
> Marek

From vikram.eswar at fleetroute.com Mon Feb 25 09:39:31 2019
From: vikram.eswar at fleetroute.com (Vikram)
Date: Mon, 25 Feb 2019 15:39:31 +0100
Subject: [keycloak-user] Running Keycloak behind Apache Reverse Proxy
In-Reply-To: <10321646-d4fd-4ebb-5e2e-eaeb6242c454@fleetroute.com>
References: <02c64568-e021-d7df-a891-c57c39a8865e@fleetroute.com> <80e0e3c9-c476-0d06-aa9d-e12732c88e58@fleetroute.com> <10321646-d4fd-4ebb-5e2e-eaeb6242c454@fleetroute.com>
Message-ID: <204eb4ac-6d2f-aea3-0f25-04329672b2d2@fleetroute.com>

correction:

I changed this:

ProxyPass "/xyz" "http://:/"
ProxyPassReverse "/xyz" "http://:/"

to:

ProxyPass "/auth" "http://:/auth"
ProxyPassReverse "/auth" "http://:/auth"

--Vikram

From l.lech at ringler.ch Mon Feb 25 09:49:12 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 25 Feb 2019 14:49:12 +0000
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To:
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch>
Message-ID: <5E48B917000C984B86B77170F441903A1894796E@exch.ringler.ch>

I'm using the jax-rs connector implementation from the Eclipse team (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation injected in the jax-rs context, and AFAIK this library was the only implementation that provided that.

But never mind, I assume I can use the current version, if it wasn't maintained anyway?

Best regards,
Lukasz Lech
From keycloak-user at imber.wien Mon Feb 25 09:53:32 2019
From: keycloak-user at imber.wien (keycloak-user at imber.wien)
Date: Mon, 25 Feb 2019 15:53:32 +0100
Subject: [keycloak-user] Performance decrease after upgrade
Message-ID:

Hi,

we're running nightly stress tests against our keycloak dev environment, to monitor maximum throughput rates and average response times of selected endpoints.

After upgrading from KC 3.4.3 to 4.8.3, we noticed considerable dents in our curves.

For example:
Userinfo dropped from ~12k max. requests per sec to ~7k; response times increased from ~30ms to 45ms
Code flow (3 correlated requests): 1.5k -> 1k max. requests per sec; 100ms -> 150ms response time
Password Credentials Grant: 800 -> 600 max. requests per sec; 300ms -> 500ms response time

We have another system running KC 4.5.0, which does not seem to suffer from that performance decrease, so it was probably introduced with > 4.5.

Are there any known developments that might be the reason for our observations?

Thanks,
Mario.
From tkyjovsk at redhat.com Mon Feb 25 11:09:03 2019
From: tkyjovsk at redhat.com (Tomas Kyjovsky)
Date: Mon, 25 Feb 2019 11:09:03 -0500 (EST)
Subject: [keycloak-user] Performance decrease after upgrade
In-Reply-To:
References:
Message-ID: <5333974.5036509.1551110943096.JavaMail.zimbra@redhat.com>

Hello Mario,

Thanks for letting us know. I will try and have a look into it this week and try to isolate the cause of that regression.

Regards,
Tomas

From giannif.libero.it at gmail.com Tue Feb 26 01:58:26 2019
From: giannif.libero.it at gmail.com (Gianni)
Date: Tue, 26 Feb 2019 07:58:26 +0100
Subject: [keycloak-user] updating owner of a resource
In-Reply-To:
References:
Message-ID: <4D2CB9B7-571B-4140-AFA7-33CCC65D4ED8@gmail.com>

Thanks for the prompt feedback. Yes, I was trying to change ownership. Allowing access using a policy was my backup plan too :) but it doesn't fully fit all use-cases, in my view.
For example, in the case where an employee who is the owner of resources leaves the company (or changes department and is no longer in charge of those resources), one might want to change ownership. Just out of curiosity, is there any technical constraint not to allow change of ownership?

Thanks again and with best regards
gianni

From titorenko at dtg.technology Tue Feb 26 03:26:54 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Tue, 26 Feb 2019 11:26:54 +0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
Message-ID:

Hello guys.

I would like to ask your help with the following. I'm currently looking at the on-behalf-of scenario with Keycloak. In this case we have a "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2. The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.

First, in order to propagate the caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage.
Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call, in order to reduce the potential harm in case this token is intercepted by someone. And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the "scope" parameter is not supported for token exchange.

So, my questions are: Is token exchange the right tool for this task? Is it possible to downgrade the exchanged token? And how, if so?

Thank you,
Alexey

From tom at spicule.co.uk Tue Feb 26 04:51:54 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Tue, 26 Feb 2019 01:51:54 -0800
Subject: [keycloak-user] Node Adapter check logout
Message-ID:

Hi folks,

Trying to figure this one out...

If I login to my NodeJS based web app in a web browser I get prompted to login and do so, and the Keycloak adapter seems to initialise itself correctly etc. Then, for example, I go to bed but leave the browser window open; after a while, Keycloak will close down the session, as you'd expect.

But if you rerun kc.init:

    kc.init({ onLoad: 'check-sso', token, refreshToken })
      .success(authenticated => {
        if (authenticated) {
          debugger;
          SkinStore.kc = kc;
          store.getState().keycloak = kc;
          store.dispatch(setCurrentUser(kc));
          updateLocalStorage();
          ReactDOM.render(, document.getElementById('root'));
        } else {
          debugger;
          console.log('Error to authenticate');
          ReactDOM.render(, document.getElementById('root'));
        }
      })

It returns authenticated = true, yet I can look in the Keycloak server and see there are no active sessions for that client. Yet I can also see the iframe check to:

https://auth.testdomain.co.uk/auth/realms/skinparison/protocol/openid-connect/login-status-iframe.html/init?client_id=skin&origin=http%3A%2F%2Flocalhost%3A5000

returns a 204 and seems happy.

What am I missing here?
I'm testing in a private chrome window against a test Keycloak server and everything else seems okay, if I shut the tab and open a new one I get prompted to log back in etc

Thanks
Tom

--
Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891. All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.
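The post above conflates two different questions, and the following added example (it is not code from the original post, nor from the keycloak-js project) separates them. A cached access token that is still unexpired according to its own exp claim says nothing about whether the Keycloak SSO session behind it still exists; the server is the only authority on that, and the cheapest way to ask it is a refresh_token grant against the token endpoint, which Keycloak answers with HTTP 400 and error "invalid_grant" once the session is gone. The token URL, client id, refresh token and the injected fetchImpl are assumptions; makeUnsignedJwt and fakeFetchSessionGone only build constructed inputs so the code runs offline, and the unsigned token must never be used for anything real.

```javascript
// Added example; not code from the original post or from the keycloak-js
// project. Assumed inputs: a Keycloak token endpoint URL, a public client id,
// the refresh token the app already holds, and an injected fetch-compatible
// function (so the check can be exercised offline with a fake transport).

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('utf8');
}

function b64urlEncode(s) {
  const b64 = typeof btoa === 'function'
    ? btoa(s)
    : Buffer.from(s, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the payload of a compact JWS without verifying its signature.
// Fine for a UI hint (when to refresh); never an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Local check only: the access token's exp claim has not passed yet.
function isLocallyUnexpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  return Number.isInteger(exp) && exp > nowSeconds;
}

// Authoritative check: ask the server by attempting a refresh. A live SSO
// session yields a fresh token pair; a removed session yields HTTP 400 with
// error "invalid_grant", regardless of what the cached access token says.
async function verifySessionWithServer({ tokenUrl, clientId, refreshToken, fetchImpl }) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  const res = await fetchImpl(tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  const data = await res.json();
  if (res.ok && typeof data.access_token === 'string') {
    return { active: true, token: data.access_token, refreshToken: data.refresh_token };
  }
  if (res.status === 400 && data.error === 'invalid_grant') {
    return { active: false, reason: data.error_description || 'invalid_grant' };
  }
  throw new Error(`unexpected token endpoint response: HTTP ${res.status}`);
}

// Constructed, unsigned ("alg":"none") sample token for the offline run only.
// Real Keycloak tokens are signed; this exists so the local check can be
// exercised without a server and must never be used to mint real tokens.
function makeUnsignedJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.`;
}

// Constructed fake transport mimicking Keycloak after the SSO session is gone;
// the body shape matches what the token endpoint returns in that case.
function fakeFetchSessionGone() {
  return Promise.resolve({
    ok: false,
    status: 400,
    json: async () => ({ error: 'invalid_grant', error_description: 'Session not active' }),
  });
}
```

In the app, run verifySessionWithServer before rendering the authenticated view and, on active: false, drop the stored token pair and send the user back to login instead of trusting the tokens handed to init. keycloak.js has the equivalent built in: kc.updateToken(-1) forces a refresh and its error callback fires when the session no longer exists, so once the adapter is initialised it can stand in for the function above.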
From Johny.Dee at seznam.cz Tue Feb 26 05:11:52 2019
From: Johny.Dee at seznam.cz (Vaclav Havlik)
Date: Tue, 26 Feb 2019 11:11:52 +0100 (CET)
Subject: [keycloak-user] role-mappings.
Message-ID:

Hello,
can I ask you again?

I would like to assign some specific roles (view-realm, manage-users) on the client realm-management to a user.

Via REST API, I cannot, however, even display the role-mappings by doing HTTP GET on
/auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/realm-management

(Gives HTTP 404, xxx is my realm).

But, if I take my own client, whose name is web_app, then the request
/auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/web_app

works (HTTP 200), giving an empty array.

When doing this, I follow the instructions on
https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_client_role_mappings_resource

Can you tell me what the problem is?
Thank you, Venca.

From amityadavk2 at gmail.com Tue Feb 26 05:43:41 2019
From: amityadavk2 at gmail.com (Amit Yadav)
Date: Tue, 26 Feb 2019 16:13:41 +0530
Subject: [keycloak-user] How to generate JWT token in Keycloak?
Message-ID:

Hi all,

There is an endpoint on a backend server which gives a JSON response on pinging and is protected by an Apigee Edge proxy. Currently, this endpoint has no security and we want to implement bearer-only token authentication for all the clients making the request. Apigee Edge will be used to verify the JWT token given by the user when the end user makes a request to the API.

How do I use Keycloak to generate this JWT token?

Also, Apigee needs a "public key" of "the origin of the JWT token" (the server which signed the JWT token; in this case, I believe that is Keycloak). So my second doubt is, while I use Keycloak to generate the JWT token, how do I get the public key with which the server will verify that the token is valid?

Thank you all for your help in advance.
Kind regards,
Amit Yadav

From davidrodriguez1317 at gmail.com Tue Feb 26 06:27:53 2019
From: davidrodriguez1317 at gmail.com (David Rodriguez)
Date: Tue, 26 Feb 2019 12:27:53 +0100
Subject: [keycloak-user] Password in plain text
In-Reply-To:
References:
Message-ID:

Hi. I am just implementing keycloak, and taking a look at the calls, I see that the password is shown in plain text in the developer tools. Is that the expected behaviour?

[image: keycloak_bug.png]

Thanks in advance!
--
David Rodríguez Ortiz
--
David Rodríguez Ortiz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak_bug.png
Type: image/png
Size: 161590 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190226/e3990ec6/attachment-0001.png

From davidrodriguez1317 at gmail.com Tue Feb 26 06:56:03 2019
From: davidrodriguez1317 at gmail.com (David Rodriguez)
Date: Tue, 26 Feb 2019 12:56:03 +0100
Subject: [keycloak-user] Query string lost on redirection with keycloak as Broker and ADFS as IDP
Message-ID:

I have integrated keycloak with a web application using the java adapter (no changes on the Angular frontend, just backend). We have several clients in our application, and we have the option of choosing among them through a query string on the URL. For example:

https://localhost:8443/myapp/#/login?client=TEST-CLIENT

If I use Keycloak as an IDP, it works fine, as the query string is kept. But using ADFS as an IDP, the query string is lost, so I don't get to the correct client (TEST-CLIENT in this case) when redirected.

Any idea how to keep the whole url in order to make it work?

From mkanis at redhat.com Tue Feb 26 08:18:56 2019
From: mkanis at redhat.com (Martin Kanis)
Date: Tue, 26 Feb 2019 14:18:56 +0100
Subject: [keycloak-user] Password in plain text
In-Reply-To:
References:
Message-ID:

Hi,

it is pretty normal that a dev tool in the browser captures all the data.
See https://security.stackexchange.com/questions/51186/username-and-password-stored-under-form-data-in-chrome-dev-tools .

For a production environment you should always set up Keycloak using HTTPS/SSL. See the docs for more: https://www.keycloak.org/docs/latest/server_installation/index.html#setting-up-https-ssl. In that case all data will be sent over the network encrypted.

Martin

On Tue, Feb 26, 2019 at 12:34 PM David Rodriguez <davidrodriguez1317 at gmail.com> wrote:

> Hi. I am just implementing keycloak, and taking a look at the calls, I see
> that the password is shown in plain text in the developer tools. Is that
> the expected behaviour?
>
>
> [image: keycloak_bug.png]
>
> Thanks in advance!
> --
>
> David Rodríguez Ortiz
>
>
> --
>
> David Rodríguez Ortiz
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From martin.vietz at retest.de Tue Feb 26 08:21:30 2019
From: martin.vietz at retest.de (Martin Vietz)
Date: Tue, 26 Feb 2019 14:21:30 +0100
Subject: [keycloak-user] User teams?
Message-ID: <0449e22e-2baf-a024-16cf-5950c82a963e@retest.de>

Hi all,

we would like to implement a typical SaaS service, with keycloak for authentication. The services have users (self registration) and each user is assigned to a team/company (self created or existing joined). Inside of a team most of the data is shared. Some team members have special privileges (e.g. manage the team and update contract details).

What is the best way to implement this with keycloak?

Currently we would use a group for each team, but afaik we must implement several functions around keycloak so that this works well. And also implement in each service the user/team mapping logic.

Alternatively we think about a "technical" user for each team.

Thanks in advance.
Best Regards
Martin

--
Martin Vietz | Management | ReTest GmbH
https://retest.de/ | +49-721-72380106
Haid-und-Neu-Straße 7, 76131 Karlsruhe, Germany
Commercial register: Amtsgericht Mannheim, HRB 727558
Management board: Dr. Jeremias Rößler, Martin Vietz

From mkanis at redhat.com Tue Feb 26 09:15:57 2019
From: mkanis at redhat.com (Martin Kanis)
Date: Tue, 26 Feb 2019 15:15:57 +0100
Subject: [keycloak-user] role-mappings.
In-Reply-To:
References:
Message-ID:

Hi,

first of all, the last part of your path should be the client's id, not its name. This can sometimes be confusing. Here is an example of a valid path:

http://localhost:8080/auth/admin/realms/master/users/be1b9781-336a-4e60-9694-c5be74eac7b3/role-mappings/clients/c9cb881f-4e21-4e4b-8de1-f39897088b61

Second, you have to provide a valid authorization with your request, for example using a bearer token:

    curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer " "correct/path/from/above"

To obtain an access token using the grant_type password (there are other alternatives as well) you can use:

    curl -X POST --data "grant_type=password&client_id=admin-cli&username=admin&password=admin" -H "Content-Type: application/x-www-form-urlencoded" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

Hope this helps,
Martin

On Tue, Feb 26, 2019 at 11:15 AM Vaclav Havlik wrote:

> Hello,
> can I ask you again?
>
> I would like to assign some specific roles (view-realm, manage-users) on
> the
> client realm-management to a user.
>
> Via REST API, I cannot, however, even display the role-mappings by doing
> HTTP GET on
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/realm-management
>
> (Gives HTTP 404, xxx is my realm).
>
> But, if I take my own client, whose name is web_app, then the request
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/web_app
>
> works (HTTP 200), giving an empty array.
>
> When doing this, I follow the instructions on
> https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_client_role_mappings_resource
>
> Can you tell me what the problem is?
> Thank you, Venca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Tue Feb 26 09:22:01 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Feb 2019 15:22:01 +0100
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To: <5E48B917000C984B86B77170F441903A1894796E@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch> <5E48B917000C984B86B77170F441903A1894796E@exch.ringler.ch>
Message-ID: <11099e08-b271-9ca4-fdbb-c80b1bec0fa6@redhat.com>

It seems we have 3 options:

1) Keep the jaxrs filter adapter in the keycloak codebase and start to officially support it. In this case, we will need some better docs and maybe a quickstart?

2) Deprecate it in the keycloak codebase and remove it in the next version (Keycloak 6.X probably?)

3) Remove it directly from the keycloak codebase

In case (2) or (3), it would be nice if you, Lukasz (or someone else from the community), maintained the Jaxrs filter as an extension. In this case, it can be listed on the extensions page https://www.keycloak.org/extensions.html .

Your use-case looks ok, but it seems that we didn't have many other requirements to maintain a separate adapter for the JAX-RS filter. From quickly looking at the osgi-jax-rs-connector documentation, it seems that the connector still needs to be deployed on top of a servlet container or Http Servlet filter, which Keycloak has an adapter for, so you can always secure at that level though.

I don't think that we want (1). My order of preference is 3, 2, 1. Thoughts?
Marek

On 25/02/2019 15:49, Lukasz Lech wrote:
> I'm using the jax-rs connector implementation from the Eclipse team (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation injected in the jax-rs context, and AFAIK this library was the only implementation that provided that.
>
> But never mind, I assume I can use the current version, if it wasn't maintained anyway?
>
> Best regards,
> Lukasz Lech
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, 25 February 2019 15:33
> To: Lukasz Lech
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc..
>
> On Fri, 22 Feb 2019 at 08:26, Lukasz Lech wrote:
> Hmm which is a proper adapter for JaxRS then? I've found only that one?
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Friday, 22 February 2019 07:36
> To: Lukasz Lech
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Why not use one of the proper adapters for the container you are deploying to?
> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented, for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from the Keycloak Server with every request to our REST channel...
>
> If nobody has the time and will to document it and fix bugs, what about moving it to a separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?
>
>
> Best regards,
> Lukasz Lech
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Thursday, 21 February 2019 10:21
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> The Keycloak team thinks about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts of it. Hence it is not considered as an officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).
>
> Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by Monday Feb 25th.
>
> See some details in the keycloak-dev thread "Removing JaxrsBearerTokenFilter".
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Feb 26 09:24:19 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Feb 2019 15:24:19 +0100
Subject: [keycloak-user] Password in plain text
In-Reply-To:
References:
Message-ID: <5733370d-ff09-5a96-a466-7282c717d9b0@redhat.com>

Yes, with the HTTP protocol, the password is sent in plain text to the server in the HTTP POST request. Hence it is shown in plain text. Not sure if there is any nice way to avoid this?

Marek

On 26/02/2019 12:27, David Rodriguez wrote:
> Hi. I am just implementing keycloak, and taking a look at the calls, I see
> that the password is shown in plain text in the developer tools. Is that
> the expected behaviour?
>
>
> [image: keycloak_bug.png]
>
> Thanks in advance!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Feb 26 09:28:41 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 Feb 2019 15:28:41 +0100
Subject: [keycloak-user] Query string lost on redirection with keycloak as Broker and ADFS as IDP
In-Reply-To:
References:
Message-ID: <9d9ff091-d15e-4fdf-20bb-eb24eae90946@redhat.com>

Do I understand correctly that you always use the keycloak.js adapter and you always redirect to Keycloak, but in case (1) you login directly in Keycloak (username + password screen on the KC side) and in case (2) Keycloak redirects to the ADFS IdP with the usage of identity brokering?

Marek

On 26/02/2019 12:56, David Rodriguez wrote:
> I have integrated keycloak with a web application using the java adapter
> (no changes on the Angular frontend, just backend) We have several clients
> in our application, and we have the option of choosing among them through a
> query string on the URL. For example:
>
> https://localhost:8443/myapp/#/login?client=TEST-CLIENT
>
> If I use Keycloak as an IDP, it works fine, as the query string is kept.
> But using ADFS as an IDP, the query string is lost, so I don't get to the
> correct client (TEST-CLIENT in this case) when redirected.
>
> Any idea how to keep the whole url in order to make it work?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From davidrodriguez1317 at gmail.com Tue Feb 26 09:42:50 2019
From: davidrodriguez1317 at gmail.com (David Rodriguez)
Date: Tue, 26 Feb 2019 15:42:50 +0100
Subject: [keycloak-user] Query string lost on redirection with keycloak as Broker and ADFS as IDP
In-Reply-To: <9d9ff091-d15e-4fdf-20bb-eb24eae90946@redhat.com>
References: <9d9ff091-d15e-4fdf-20bb-eb24eae90946@redhat.com>
Message-ID:

No, sorry. There was an error in doing it. It didn't work with Keycloak as an IDP either (it seemed to work but it was due to some configuration in my application that messed things up).

I have been doing more tests and the problem seems to be with the '#'.

Regarding the adapter, I am using the java adapter, the front end does not know about keycloak. So in the backend it seems I cannot fix this, because the parsing of the url will consider only https://localhost:8443/myapp/ and discard the rest of the URL.

I see only one solution if keycloak cannot handle anything after '#': getting the front-end guys to get rid of that '#', although maybe angular js cannot work without it.

On Tue, 26 Feb 2019 at 15:28, Marek Posolda () wrote:

> Do I understand correctly that you always use the keycloak.js adapter and
> you always redirect to Keycloak, but in case (1) you login directly
> in Keycloak (username + password screen on the KC side) and in case (2)
> Keycloak redirects to the ADFS IdP with the usage of identity brokering?
>
> Marek
>
> On 26/02/2019 12:56, David Rodriguez wrote:
> > I have integrated keycloak with a web application using the java adapter
> > (no changes on the Angular frontend, just backend) We have several
> clients
> > in our application, and we have the option of choosing among them through a
> > query string on the URL.
> For example:
> >
> > https://localhost:8443/myapp/#/login?client=TEST-CLIENT
> >
> > If I use Keycloak as an IDP, it works fine, as the query string is kept.
> > But using ADFS as an IDP, the query string is lost, so I don't get to the
> > correct client (TEST-CLIENT in this case) when redirected.
> >
> > Any idea how to keep the whole url in order to make it work?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

--
David Rodríguez Ortiz

From l.lech at ringler.ch Tue Feb 26 10:38:23 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Tue, 26 Feb 2019 15:38:23 +0000
Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
In-Reply-To: <11099e08-b271-9ca4-fdbb-c80b1bec0fa6@redhat.com>
References: <5E48B917000C984B86B77170F441903A189475DF@exch.ringler.ch> <5E48B917000C984B86B77170F441903A189476C6@exch.ringler.ch> <5E48B917000C984B86B77170F441903A1894796E@exch.ringler.ch> <11099e08-b271-9ca4-fdbb-c80b1bec0fa6@redhat.com>
Message-ID: <5E48B917000C984B86B77170F441903A18947B49@exch.ringler.ch>

Hello,

The problem with handling security in an external layer is that the Principal will not be available in the SecurityContext of JAX-RS, and the services registered by JAX-RS don't have access to this external context, only to the JAX-RS context.

The best solution would probably be to push the project to a separate community-owned repository. It could be marked as deprecated or not officially supported, but it will still be possible to find via a search engine, in case someone needs it.

OSGi is a bit of a niche technology because of the hard learning curve and unsatisfactory documentation, and it will likely be even more niche in the future because of the growth of containerization, which allows achieving the same goal as OSGi with other means...
Best regards,
Lukasz Lech

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, 26 February 2019 15:22
To: Lukasz Lech ; stian at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter

It seems we have 3 options:

1) Keep the jaxrs filter adapter in the keycloak codebase and start to officially support it. In this case, we will need some better docs and maybe a quickstart?

2) Deprecate it in the keycloak codebase and remove it in the next version (Keycloak 6.X probably?)

3) Remove it directly from the keycloak codebase

In case (2) or (3), it would be nice if you, Lukasz (or someone else from the community), maintained the Jaxrs filter as an extension. In this case, it can be listed on the extensions page https://www.keycloak.org/extensions.html .

Your use-case looks ok, but it seems that we didn't have many other requirements to maintain a separate adapter for the JAX-RS filter. From quickly looking at the osgi-jax-rs-connector documentation, it seems that the connector still needs to be deployed on top of a servlet container or Http Servlet filter, which Keycloak has an adapter for, so you can always secure at that level though.

I don't think that we want (1). My order of preference is 3, 2, 1. Thoughts?

Marek

On 25/02/2019 15:49, Lukasz Lech wrote:
> I'm using the jax-rs connector implementation from the Eclipse team (https://github.com/hstaudacher/osgi-jax-rs-connector) and it needs to have validation injected in the jax-rs context, and AFAIK this library was the only implementation that provided that.
>
> But never mind, I assume I can use the current version, if it wasn't
> maintained anyway?
>
> Best regards,
> Lukasz Lech
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, 25 February 2019 15:33
> To: Lukasz Lech
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Tomcat if you're using Tomcat, WildFly if you're using WildFly, etc..
>
> On Fri, 22 Feb 2019 at 08:26, Lukasz Lech wrote:
> Hmm which is a proper adapter for JaxRS then? I've found only that
> one?
>
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Friday, 22 February 2019 07:36
> To: Lukasz Lech
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> Why not use one of the proper adapters for the container you are deploying to?
> On Thu, 21 Feb 2019, 14:51 Lukasz Lech, wrote:
> Hello,
>
> I'm one of the users of org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl. It is indeed poorly documented, for example I've found no mention that org.keycloak.adapters.KeycloakConfigResolver must cache org.keycloak.adapters.KeycloakDeployment, which resulted in public keys being downloaded from the Keycloak Server with every request to our REST channel...
>
> If nobody has the time and will to document it and fix bugs, what about moving it to a separate project instead of deleting it? I haven't seen any alternative for securing jaxrs channels other than writing everything from scratch... Is there any alternative usable project?
>
>
> Best regards,
> Lukasz Lech
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Thursday, 21 February 2019 10:21
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Removing JaxrsBearerTokenFilter
>
> The Keycloak team thinks about removing JaxrsBearerTokenFilter.
>
> Just to add some context, the JaxrsBearerTokenFilter is the "adapter", which we have in the codebase and which allows to "secure" the JaxRS Application by adding the JaxrsFilter, which implements our OIDC adapter. This filter is not documented and we don't have any examples/quickstarts of it.
> Hence it is not considered as an officially supported Keycloak feature. And you can probably always secure your application through some other officially supported way (HTTP Servlet filter or any of our other built-in adapters).
>
> Anyway, if someone is aware of any reason why to not remove this filter from Keycloak, please let me know, ideally by Monday Feb 25th.
>
> See some details in the keycloak-dev thread "Removing JaxrsBearerTokenFilter".
>
> Thanks,
> Marek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From eric.rath at dbfuhrpark.com Tue Feb 26 10:42:17 2019
From: eric.rath at dbfuhrpark.com (Eric Rath)
Date: Tue, 26 Feb 2019 16:42:17 +0100
Subject: [keycloak-user] Call Custom Restendpoint
Message-ID:

Hello,

Implementing a custom rest endpoint in keycloak I used this example:
https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension/src/main/java/org/keycloak/examples/domainextension/rest

After embedding the provider in keycloak it's loaded during keycloak startup. Guess that's fine. In server info I can see the endpoint as well.

Problem: How may I call that endpoint? Do I need to register the endpoint or mount it on a client? (If so, which settings does the client need (admin rights etc...)
What is the URL for calling the endpoint?

Thanks,
Eric

Deutsche Bahn Connect GmbH
DB FuhrparkService GmbH
Mainzer Landstrasse 169-175, 60327 Frankfurt am Main
-----------------------------------------------------------------------------------------------------
Website of DB Fuhrparkservice >> http://www.dbfuhrpark.de
Registered office: Frankfurt am Main
Court of registration: Frankfurt am Main, HRB 52 180
VAT ID: DE 813214880
Managing directors: Juergen Gudd (Chairman), Moritz Rohrschneider
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 1749 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190226/7da3bdce/attachment.bin

From andyyar66 at gmail.com Tue Feb 26 11:00:47 2019
From: andyyar66 at gmail.com (Andy Yar)
Date: Tue, 26 Feb 2019 17:00:47 +0100
Subject: [keycloak-user] User Groups/Roles in an Identity Brokering scheme
Message-ID:

Hello,

I'm not sure how to approach the following scheme of identity brokering via OpenID Connect/OAuth2. The idea is having the following scheme:

* Running a bunch of different applications built with RBAC in mind, each having its own Keycloak instance
* Employing a hosted central Identity Provider (AWS Cognito, Auth0, etc.) which manages and keeps the user base + user groups
* The application Keycloaks being configured to use the central IdP in a federation.
* Each application Keycloak keeping a definition of application specific roles and group -> role mappings

The auth flow would go like this:

* When accessing an app, the user would be redirected to and authenticated by the federated central IdP
* The central IdP would somehow (???, custom OAuth2 claims?) provide a list of the user's groups
* Keycloak would map these groups to its local groups and transitively to its roles
* The app would perform RBAC authorization based on the mapped roles.

So far I haven't managed to pass and map the IdP's groups to Keycloak's ones...
We want to simply keep and manage the user base + groups in a centralized manner. But use application specific Keycloaks for the role handling.

===============

Is this scheme viable?
Is there a better approach?
Would a pure LDAP solution fit better?
Would a SAML-based approach provide benefits?

Thanks in advance

From Edgar at info.nl Tue Feb 26 11:03:53 2019
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 26 Feb 2019 16:03:53 +0000
Subject: [keycloak-user] Setting custom redirect URI in SAML Identity Provider
Message-ID: <3B70702E-520F-40DC-9307-CA97C4A7D354@info.nl>

Hi,

We use a SAML Identity Provider configuration in Keycloak to broker identities to an external SAML-based Identity Provider. This works fine but now we have the requirement that after authentication the user needs to be redirected first to a reverse-proxy and only then back to us (as in: Keycloak). I.e. we need to configure a custom redirect URI in our SAML Identity Provider in Keycloak. However this redirect URI seems to be generated on-the-fly in Keycloak and the hostname part always seems to be set to the host that Keycloak runs on?

Our question is: is this redirect URI configurable at all and if not, how could we go about setting it ourselves (the hostname part at least)? I guess that we would need to create our own custom Identity Provider (e.g. an extension of the SAMLIdentityProvider and related Java classes) and install this in Keycloak?

From mwaki011 at gmail.com Tue Feb 26 11:46:00 2019
From: mwaki011 at gmail.com (Mike Wakim)
Date: Tue, 26 Feb 2019 11:46:00 -0500
Subject: [keycloak-user] Controlling Admin Role in Keycloak
Message-ID:

Hello,

We have a use case whereby we would like to create an admin user in keycloak, and we want this admin user to be able to create new users with a specific role. We want this admin user to only be able to manage users that were created by him; we do not want the admin user to be able to manage any other users in the realm.
Is this something that can be managed on the keycloak side? Essentially, we'd like to have a more fine-grained version of the manage-users role, limiting which users an admin can manage.

Any feedback / guidance on this would be much appreciated!

Thanks,
Mike

From ian.rodgers at digital.ncsc.gov.uk Tue Feb 26 11:48:02 2019
From: ian.rodgers at digital.ncsc.gov.uk (Ian Rodgers)
Date: Tue, 26 Feb 2019 16:48:02 +0000
Subject: [keycloak-user] Encouraging users to set up OTP, without enforcing it.
Message-ID:

In the Keycloak UI/UX is there a recommended way of prompting and regularly reminding users that they should set up OTP on their account?

We don't want to remind users on every single log-in, just occasionally. We don't want to remind users who have already set it up.

Thanks,
Ian R.

From Betty.Louie at leidos.com Tue Feb 26 19:28:42 2019
From: Betty.Louie at leidos.com (Louie, Betty)
Date: Wed, 27 Feb 2019 00:28:42 +0000
Subject: [keycloak-user] 'User not found' for existing users on login
Message-ID:

Hello,

We're encountering a weird issue for one of our users where they're unable to login even though their account exists. We're able to see their account through the admin console and we're able to impersonate the user to access our application, but when we attempt to login through the login forms, we get the following error/warning:

WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=demoRealm, clientId=demoClient, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://mydomain.com/demoRealm/#/, code_id=485242e7-bddf-4381-b33d-0e0ab9f56922, username=demoUser

Our users are stored in a postgres db and we're not doing anything special with our authentication flow. So far, this issue is specific to one user and we'd like to understand why this is happening. Has anyone else encountered this issue and was able to resolve it short of deleting their account?
Or if anyone has any ideas and could point us in a possible direction, that'd be great! We're unsure of how a user could even get into a state like this in the first place.

Thanks,
Betty

From pa at pauloangelo.com Tue Feb 26 20:12:32 2019
From: pa at pauloangelo.com (Paulo Angelo)
Date: Tue, 26 Feb 2019 22:12:32 -0300
Subject: [keycloak-user] Announce of the GuardianKey extension
Message-ID:

Hi all,

We are glad to announce the first release of the GuardianKey extension for KeyCloak.

We would also like to take this opportunity to acknowledge that the KeyCloak community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.

GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts. We have cloud and product versions. We note that there is a free service for small environments. More info at [1].

The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.

We appreciate any suggestion or comment.

[1] https://guardiankey.io
[2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
[3] https://youtu.be/R5QFcH4bXuA

Once again, thank you!
Best regards,

Paulo Angelo
https://www.linkedin.com/in/reddhatt/

From ekemokai at gmail.com Tue Feb 26 20:37:23 2019
From: ekemokai at gmail.com (Edmond Kemokai)
Date: Tue, 26 Feb 2019 20:37:23 -0500
Subject: [keycloak-user] Error extracting SAML assertion
In-Reply-To:
References:
Message-ID:

Thanks Luis, I just ended up working from one of the sample responses in the keycloak repo, that solved my problem.

On Mon, Feb 25, 2019 at 5:16 AM Luis Rodríguez Fernández wrote:

> Hello Ekemokai,
>
> mmm, at first glance your saml response looks OK to me. Perhaps you could increase the level of logging in org.keycloak.adapters? Also could you provide a bit more details of your setup? For me the below one works:
>
> java version "1.8.0_162" --> Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
> keycloak-saml-tomcat8-adapter-4.8.3.Final
> Server version: Apache Tomcat/9.0.5
> CentOS Linux release 7.5.1804 (Core)
>
> If you use tomcat as well you can add org.keycloak.adapters.level = FINE
>
> Hope it helps,
>
> Luis
>
> On Fri., 22 Feb. 2019 at 22:26, Edmond Kemokai () wrote:
>
> > Hi All,
> >
> > I am getting below exception when posting a saml response to /saml consumer endpoint:
> >
> > org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler - Error extracting SAML assertion: null
> >
> > A snippet of the response, I have stripped out the signature information:
> >
> > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
> > ID="SOLVENT_72186bc0-0724-439c-a4a4-d1768907d1a0"
> > InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
> > IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
> > Portal
> > Value="urn:oasis:names:tc:SAML:2.0:status:Success">
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > ID="SOLVENT_93f7919c-c92a-45ab-8d79-380e072b235b"
> > IssueInstant="2019-02-22T17:19:46Z" Version="2.0">
> > Portal
> > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
> > ek at gmail.com
> > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
> > InResponseTo="ID_9c0491da-5a6f-465a-8b66-a9b7784e0eef"
> > NotOnOrAfter="2019-02-22T17:20:46Z">
> > urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > ek at gmail.com
> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
> > xsi:type="xs:string">developer
> > xsi:type="xs:string">sysadmin
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett

From sthorger at redhat.com Wed Feb 27 03:05:23 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 27 Feb 2019 09:05:23 +0100
Subject: [keycloak-user] Announce of the GuardianKey extension
In-Reply-To:
References:
Message-ID:

This is really nice. Congrats.

One small improvement I spotted that you can apply to the extension is that you can now include theme resources in the JAR itself. Take a look at https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource. With that users won't have to install the FTL template separately.

On Wed, 27 Feb 2019 at 02:18, Paulo Angelo wrote:

> Hi all,
>
> We are glad to announce the first release of the GuardianKey extension for KeyCloak.
>
> We would also like to take this opportunity to acknowledge that the KeyCloak community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
>
> GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts. We have cloud and product versions. We note that there is a free service for small environments. More info at [1].
>
> The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.
>
> We appreciate any suggestion or comment.
>
> [1] https://guardiankey.io
> [2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
> [3] https://youtu.be/R5QFcH4bXuA
>
> Once again, thank you!
>
> Best regards,
>
> Paulo Angelo
> https://www.linkedin.com/in/reddhatt/

From uo67113 at gmail.com Wed Feb 27 03:19:26 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 27 Feb 2019 09:19:26 +0100
Subject: [keycloak-user] Setting custom redirect URI in SAML Identity Provider
In-Reply-To: <3B70702E-520F-40DC-9307-CA97C4A7D354@info.nl>
References: <3B70702E-520F-40DC-9307-CA97C4A7D354@info.nl>
Message-ID:

Hello Edgar,

mmm, perhaps you can specify a different bind address [1]

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/server_installation/index.html#_network

On Tue., 26 Feb. 2019 at 17:04, Edgar Vonk - Info.nl () wrote:

> Hi,
>
> We use a SAML Identity Provider configuration in Keycloak to broker identities to an external SAML-based Identity Provider. This works fine but now we have the requirement that after authentication the user needs to be redirected first to a reverse-proxy and only then back to us (as in: Keycloak). I.e. we need to configure a custom redirect URI in our SAML Identity Provider in Keycloak.
>
> However this redirect URI seems to be generated on-the-fly in Keycloak and the hostname part seems always set to the host where Keycloak runs on?
>
> Our question is: is this redirect URI configurable at all and if not, how could we go about setting it ourselves (the hostname part at least)? I guess that we would need to create our own custom Identity Provider (e.g. extension of the SAMLIdentityProvider and related Java classes) and install this in Keycloak?
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From Edgar at info.nl Wed Feb 27 05:25:17 2019
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 27 Feb 2019 10:25:17 +0000
Subject: [keycloak-user] Setting custom redirect URI in SAML Identity Provider
In-Reply-To:
References: <3B70702E-520F-40DC-9307-CA97C4A7D354@info.nl>
Message-ID:

Thanks! I now realise that the host name in the redirect URI is simply set using the current request (i.e. the URL in the browser) so it should just work in our reverse-proxy setup without having to change any of the bind addresses. We hope.. ;-)

On 27 Feb 2019, at 09:19, Luis Rodríguez Fernández wrote:

Hello Edgar,

mmm, perhaps you can specify a different bind address [1]

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/server_installation/index.html#_network

On Tue., 26 Feb. 2019 at 17:04, Edgar Vonk - Info.nl () wrote:

Hi,

We use a SAML Identity Provider configuration in Keycloak to broker identities to an external SAML-based Identity Provider. This works fine but now we have the requirement that after authentication the user needs to be redirected first to a reverse-proxy and only then back to us (as in: Keycloak). I.e. we need to configure a custom redirect URI in our SAML Identity Provider in Keycloak.

However this redirect URI seems to be generated on-the-fly in Keycloak and the hostname part seems always set to the host where Keycloak runs on?

Our question is: is this redirect URI configurable at all and if not, how could we go about setting it ourselves (the hostname part at least)? I guess that we would need to create our own custom Identity Provider (e.g. extension of the SAMLIdentityProvider and related Java classes) and install this in Keycloak?
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From mart.abel at finestmedia.ee Wed Feb 27 06:17:12 2019
From: mart.abel at finestmedia.ee (Mart Abel)
Date: Wed, 27 Feb 2019 11:17:12 +0000
Subject: [keycloak-user] Is it possible to get user info from external OIDC provider and then match it against LDAP provider and get rights from there when using Keycloak?
Message-ID:

Does anybody know if this is possible?

I have set up an external OIDC provider and I have set up an external LDAP provider. I want the flow to be like this:

1. User logs in using the OIDC provider
2. Get a token from the OIDC provider and check the "sub" field against the LDAP provider
3. If it exists there, then log in the user and add the rights from LDAP
4. If no LDAP user exists with that sub then login fails.

This OIDC contains no rights or anything, just plain info about the person. Is it possible to do with Keycloak? Or is it easier to do something custom myself.
From Johny.Dee at seznam.cz Wed Feb 27 09:06:32 2019
From: Johny.Dee at seznam.cz (Vaclav Havlik)
Date: Wed, 27 Feb 2019 15:06:32 +0100 (CET)
Subject: [keycloak-user] role-mappings.
References:
Message-ID:

Thank you. It helped to put clientID instead of clientName. So this helped for HTTP GET.

But when I do HTTP POST to assign roles to a user on the client realm-management (id = 6c168708-18bd-4453-8b1e-8dc36223d5bd), then I get HTTP 404.

I am attaching Wireshark communication with first GET (200) and then POST (404). Could you pls tell me again?

Venca.

---------- Original e-mail ----------
From: Martin Kanis
To: Vaclav Havlik
Date: 26. 2. 2019 15:31:45
Subject: Re: [keycloak-user] role-mappings.

"Hi,

first of all the last part of your path should be client's id not name. This might be sometimes confusing. Here is the example of valid path:

http://localhost:8080/auth/admin/realms/master/users/be1b9781-336a-4e60-9694-c5be74eac7b3/role-mappings/clients/c9cb881f-4e21-4e4b-8de1-f39897088b61

Second you have to provide a valid authorization to your request. For example using a bearer token.

curl -X GET -H "Content-Type:application/json" -H "Authorization: Bearer " "correct/path/from/above".

To obtain an access token using the grant_type password (there are other alternatives as well) you can use:

curl -X POST --data "grant_type=password&client_id=admin-cli&username=admin&password=admin" -H "Content-Type: application/x-www-form-urlencoded" "http://localhost:8080/auth/realms/master/protocol/openid-connect/token"

Hope this helps,

Martin

On Tue, Feb 26, 2019 at 11:15 AM Vaclav Havlik wrote:

> Hello,
> can I ask you again?
>
> I would like to assign some specific roles (view-realm, manage-users) on the client realm-management to a user.
>
> Via REST API, I cannot, however, even display the role-mappings by doing HTTP GET on
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/realm-management
>
> (Gives HTTP 404, xxx is my realm).
>
> But, if I take my own client, whose name is web_app, then the request
> /auth/admin/realms/xxx/users/4c0f445a-53e9-45c2-a9c9-a8ac69bb5b48/role-mappings/clients/web_app
>
> works (HTTP 200), giving empty array.
>
> When doing this, I follow instructions on
> https://www.keycloak.org/docs-api/4.0/rest-api/index.html#_client_role_mappings_resource
>
> Can you tell me, what the problem is?
> Thank you, Venca.
"

-------------- next part --------------
GET /auth/admin/realms/xxxrealm/users/6d117250-e8eb-4b84-a046-4eede0f03698/role-mappings/clients/6c168708-18bd-4453-8b1e-8dc36223d5bd HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Bearer eyJhbGciOiJSUzI1NiIsI............
Host: 10.0.206.31:18080
User-Agent: libwww-perl/6.08

HTTP/1.1 200 OK
Connection: keep-alive
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 385
Date: Wed, 27 Feb 2019 13:47:24 GMT

[]

POST /auth/admin/realms/xxxrealm/users/6d117250-e8eb-4b84-a046-4eede0f03698/role-mappings/clients/6c168708-18bd-4453-8b1e-8dc36223d5bd HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Authorization: Bearer eyJhbGciOiJSUzI1NiIsI.......
Host: 10.0.206.31:18080
User-Agent: libwww-perl/6.08
Content-Length: 71
Content-Type: application/json

[ { "clientRole" : "true", "name" : "view-realm" } ]

HTTP/1.1 404 Not Found
Connection: keep-alive
Content-Length: 0
Date: Wed, 27 Feb 2019 13:47:24 GMT

From mehdi.chaabouni at gmail.com Wed Feb 27 09:35:02 2019
From: mehdi.chaabouni at gmail.com (MEHDi CHAABOUNi)
Date: Wed, 27 Feb 2019 09:35:02 -0500
Subject: [keycloak-user] Logged user losing roles after adding a new identity provider mapper
Message-ID:

I have Keycloak (4.8.3 FINAL) setup with Azure Active Directory with groups being mapped to roles.

I used to have:
GROUP1 mapped to ROLE1
GROUP2 mapped to ROLE2

Everything was working fine until I added a third identity provider mapper:
GROUP3 mapped to ROLE2

Now, a logged user will lose their roles after a while. I still haven't figured out when it happens, I enabled events logging in the web console of keycloak but I can't see anything out of the ordinary.

Whenever this happens, I have to manually delete the user from keycloak and reload the application.

Any ideas?

Thanks!

From francois.gourrier at libre-logic.fr Wed Feb 27 09:59:33 2019
From: francois.gourrier at libre-logic.fr (François Gourrier)
Date: Wed, 27 Feb 2019 15:59:33 +0100 (CET)
Subject: [keycloak-user] Give access to his account to a client
Message-ID: <1290766556.136901.1551279572997.JavaMail.zimbra@librelogic.fr>

Hello everyone,

we are currently using keycloak. We created several clients on a realm. To simplify the management of URIs, we would like to give the management of his account to each client.

The REST API allows to modify the account but it is not necessary that a customer can go to see the configuration of the other customers, which is nevertheless possible if he has the rights of access to the service (unless one can restrict access to a client).

Another track would be that a customer connects to his account via the back office.

A track to meet the need?
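Added example for the role-mappings exchange above (Vaclav Havlik / Martin Kanis); this is not code from either message and not part of Keycloak. It walks the whole procedure Martin describes with the standard library only: obtain an admin token with the password grant on admin-cli, look up the client role by name to get its id, POST the mapping to the client's UUID path, and read the mappings back. The POST body is a list of RoleRepresentation objects; the admin API resolves each entry by name and then checks that the id matches, so a body with only "name" is answered with 404, which is why the role is fetched first. Hostname, realm, UUIDs and credentials are placeholders.

```python
# Added example (not from the thread): assign a client role such as
# realm-management/view-realm to a user through the Keycloak admin REST API.
# Assumptions: Keycloak 4.x under the /auth context path, an admin user in
# the master realm, Python standard library only. Hostnames, UUIDs and
# credentials below are placeholders.
import json
import os
from urllib import parse, request


def token_request(base_url, username, password, realm="master", client_id="admin-cli"):
    """Password-grant request for an admin access token: (URL, form body)."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    body = parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    return url, body


def client_role_url(base_url, realm, client_uuid, role_name):
    """GET returns the RoleRepresentation (with its id) of one client role."""
    return (f"{base_url}/auth/admin/realms/{realm}/clients/{client_uuid}"
            f"/roles/{parse.quote(role_name)}")


def client_role_mapping_url(base_url, realm, user_id, client_uuid):
    """Role mappings of one user for one client. The last segment is the
    client's internal UUID, not its clientId (the first point in the thread)."""
    return (f"{base_url}/auth/admin/realms/{realm}/users/{user_id}"
            f"/role-mappings/clients/{client_uuid}")


def role_mapping_body(role):
    """POST body: a list of RoleRepresentation. The server resolves each entry
    by name and then checks that its id matches, so both fields are required;
    a body carrying only "name" is answered with 404 (Role not found)."""
    return json.dumps([{"id": role["id"], "name": role["name"]}]).encode()


def _call(url, token=None, data=None, method="GET",
          content_type="application/json"):
    """Minimal JSON HTTP helper; raises urllib.error.HTTPError on 4xx/5xx."""
    headers = {"Content-Type": content_type}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = request.Request(url, data=data, headers=headers, method=method)
    with request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def assign_client_role(base_url, admin_user, admin_pass, realm, user_id,
                       client_uuid, role_name):
    """Token -> look up the role's id -> POST the mapping -> read mappings back."""
    url, body = token_request(base_url, admin_user, admin_pass)
    _, tok = _call(url, data=body, method="POST",
                   content_type="application/x-www-form-urlencoded")
    access = tok["access_token"]
    _, role = _call(client_role_url(base_url, realm, client_uuid, role_name), access)
    mapping_url = client_role_mapping_url(base_url, realm, user_id, client_uuid)
    status, _ = _call(mapping_url, access, data=role_mapping_body(role), method="POST")
    _, mapped = _call(mapping_url, access)
    return status, sorted(r["name"] for r in mapped)


if __name__ == "__main__":
    # Placeholder values: set KC_BASE_URL and replace the UUIDs with the user's
    # id and the realm-management client's id from your admin console.
    base = os.environ.get("KC_BASE_URL", "http://localhost:8080")
    print(assign_client_role(base, "admin", "admin", "xxxrealm",
                             "00000000-0000-0000-0000-000000000000",
                             "11111111-1111-1111-1111-111111111111", "view-realm"))
```

A successful POST returns 204 with an empty body, and the follow-up GET on the same path should list view-realm. Keep the admin-cli password grant to scripted administration on a trusted host; the token it returns carries the full admin role set.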
Thank you in advance.

François GOURRIER

From muratfair at gmail.com Wed Feb 27 10:27:59 2019
From: muratfair at gmail.com (Murat Doner)
Date: Wed, 27 Feb 2019 16:27:59 +0100
Subject: [keycloak-user] Interesting MySQL error creating a Keycloak project on Openshift
Message-ID:

Hello,

I just want to create a Keycloak app on Openshift which is using MySQL.

1- I have created an Openshift project.
2- I created a MySQL instance (as I am not sure if this template automatically creates one) with these credentials:
   user: keycloak
   password: password
   db: keycloak
3- Then I have copied this Openshift template: https://github.com/jboss-dockerfiles/keycloak/blob/master/openshift-examples/keycloak-https.json

But I just changed the Keycloak image: "image": "jboss/keycloak:4.8.1.Final" (as the keycloak-openshift image is deprecated.)

And I am getting this error:

Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "tcp:"'.
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
	at com.mysql.jdbc.Util.getInstance(Util.java:408)
	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:898)
	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:887)
	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:861)
	at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:338)
	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
	... 55 more
Caused by: java.lang.NumberFormatException: For input string: "tcp:"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
	at java.lang.Integer.parseInt(Integer.java:580)
	at java.lang.Integer.parseInt(Integer.java:615)
	at com.mysql.jdbc.NonRegisteringDriver.port(NonRegisteringDriver.java:825)
	at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
	... 56 more

(Note: S.o.f link: https://stackoverflow.com/questions/54907901/interesting-mysql-error-creating-a-keycloak-project-on-openshift )

From psilva at redhat.com Wed Feb 27 10:50:51 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Feb 2019 12:50:51 -0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To:
References:
Message-ID:

Hi,

The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2 ?

Regards.
Pedro Igor

On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko wrote:

> Hello guys.
>
> I would like to ask you help with the following. I'm currently looking at the on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>
> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>
> First, in order to propagate caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call in order to reduce potential harm in case this token is intercepted by someone.
>
> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in documentation, the "scope" parameter is not supported for token exchange.
>
> So, my questions are:
> Is token exchange the right tool for this task?
> Is it possible to downgrade the exchanged token? And how, if so?
>
> Thank you,
> Alexey

From titorenko at dtg.technology Wed Feb 27 10:59:37 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Wed, 27 Feb 2019 18:59:37 +0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To:
References:
Message-ID: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>

Hi Pedro!

Thank you for the answer!

I would like to be able to control all aspects: audience, scope and roles.

Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.

Alexey.

> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>
> Hi,
>
> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2 ?
>
> Regards.
> Pedro Igor
>
> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko wrote:
> Hello guys.
>
> I would like to ask you help with the following. I'm currently looking at the on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>
> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>
> First, in order to propagate caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2"
> call in order to reduce potential harm in case this token is intercepted by someone.
>
> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in documentation, the "scope" parameter is not supported for token exchange.
>
> So, my questions are:
> Is token exchange the right tool for this task?
> Is it possible to downgrade the exchanged token? And how, if so?
>
> Thank you,
> Alexey

From ieugen at netdava.com Wed Feb 27 11:15:06 2019
From: ieugen at netdava.com (Eugen Stan)
Date: Wed, 27 Feb 2019 18:15:06 +0200
Subject: [keycloak-user] keycloak authorization services (enforcer) with RPC API - GraphQL or GRPC
Message-ID:

Hello,

I'm trying to figure out how to work with the Authorization Services and an RPC style API.

For reference, I'm using spring boot, graphql-java and graphql-java-tools and the keycloak spring security adapter.

I wish to know how I can call the enforcer programmatically in my graphql resolvers.

Since I am not using http paths I need to build the authorization request depending on which resolver is called.

Some of the API requests are public - they don't require user authentication.
Some are private and require user authentication and authorization.

*Background*

We have a GraphQL based API that we would like to expose. It's also multi-tenant and a User (in Keycloak) can be a member of multiple tenants.

What I am trying to achieve is to secure access to resources like /{org_id}/project/{id} (complex version) or /account/{org_id} - (simple version)

I would like to call the enforcer at the beginning of each resolver and build the authorization request there - also providing the tenant id for authorization.
*Example*

I managed to make the integration work and I can get the AccessToken:

How can I make the authorization call and provide the tenant ID to the policy as a claim?

I know about [cip-spi], just not clear how to make things happen.

I imagine I have to build a resource like /{org_id}/project/{id} and provide the tenant_id and id values.

public class QueryResolver implements GraphQLQueryResolver {

  public CompletableFuture getProject(Long id, Long tenanID, DataFetchingEnvironment dfe) {
    HttpServletRequest req =
        ((GraphQLContext) dfe.getExecutionContext().getContext())
            .getHttpServletRequest()
            .orElseThrow(() -> new IllegalStateException("Request object is missing"));
    KeycloakAuthenticationToken authToken = (KeycloakAuthenticationToken) req.getUserPrincipal();
    if (authToken != null) {
      // we have an authenticated user
      KeycloakPrincipal principal = (KeycloakPrincipal) authToken.getPrincipal();
      AccessToken accessToken = principal.getKeycloakSecurityContext().getToken();
      log.info("Authenticated with {}", accessToken.getEmail());
    } else {
      log.info("User not authenticated ");
    }
  }
}

Thanks,

Eugen

[1] https://www.keycloak.org/docs/4.8/authorization_services/#claim-information-provider-spi

From psilva at redhat.com Wed Feb 27 11:22:26 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Feb 2019 13:22:26 -0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>
References: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>
Message-ID:

IIRC, you can use a scope parameter when doing a token exchange.
Other aspects could be managed by setting up client scopes for your client applications, did you try that ?

On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko wrote:

> Hi Pedro!
>
> Thank you for the answer!
>
> I would like to be able to control all aspects: audience, scope and roles.
>
> Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.
>
> Alexey.
>
> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>
> Hi,
>
> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2 ?
>
> Regards.
> Pedro Igor
>
> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko wrote:
>
>> Hello guys.
>>
>> I would like to ask you help with the following. I'm currently looking at the on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>>
>> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>>
>> First, in order to propagate caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call in order to reduce potential harm in case this token is intercepted by someone.
>>
>> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in documentation, the "scope" parameter is not supported for token exchange.
>>
>> So, my questions are:
>> Is token exchange the right tool for this task?
>> Is it possible to downgrade the exchanged token?
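Added example for the token exchange thread above (Pedro's note that a scope parameter can be sent with the exchange, and Alexey's observation that the exchanged token still carried roles beyond what svc-1 needs). This is not code from the thread and not Keycloak's own API: it builds the RFC 8693-style exchange request that svc-1 would send to the token endpoint with audience=svc-2 and an optional scope, and then inspects the returned token for client roles and audiences outside svc-2, so a service can refuse to forward a token that was not actually downgraded. Token exchange is assumed to be enabled on the server (a preview feature in Keycloak 4.x); client ids, secrets and the tokens in the test are constructed placeholders.

```python
# Added example (not from the thread): on-behalf-of token exchange from svc-1
# to svc-2 with a narrowed scope, plus a check that the exchanged token was
# actually downgraded. Assumes Keycloak with token exchange enabled (a preview
# feature in 4.x) under /auth; client ids and secrets are placeholders and the
# tokens used for checking are constructed, unsigned test data.
import base64
import json
from urllib import parse, request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def token_exchange_form(client_id, client_secret, subject_token, audience, scope=None):
    """Form svc-1 posts to the token endpoint: the caller's token goes in as
    subject_token, 'audience' asks for a token minted for svc-2 and the
    optional 'scope' limits the client scopes applied to the new token."""
    fields = {
        "grant_type": TOKEN_EXCHANGE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    if scope:
        fields["scope"] = scope
    return fields


def exchange(base_url, realm, fields):
    """POST the form and return the token response (access_token, ...)."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    req = request.Request(url, data=parse.urlencode(fields).encode(), method="POST",
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    with request.urlopen(req) as resp:
        return json.load(resp)


def jwt_payload(token):
    """Decode the payload segment without checking the signature. Fine for
    inspecting a token just received from the issuer over TLS; never use it
    to trust a token presented by a caller."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def excess_grants(payload, audience, allowed=()):
    """Grants svc-2 does not need: client roles of clients other than the
    audience (and any explicitly allowed ones, e.g. "account") and extra
    audiences. An empty dict means the exchange produced a minimal token."""
    keep = {audience, *allowed}
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    extra = {}
    for client, access in payload.get("resource_access", {}).items():
        if client not in keep and access.get("roles"):
            extra[client] = sorted(access["roles"])
    other_aud = sorted(a for a in aud if a not in keep)
    if other_aud:
        extra["aud"] = other_aud
    return extra


def encode_unsigned(payload):
    """JWT-shaped string with an empty signature, for offline tests only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(payload)}."


def exchange_for(base_url, realm, client_id, client_secret, caller_token,
                 audience, scope=None, allowed=()):
    """svc-1 side: exchange, then refuse to forward a token that still carries
    grants outside the target service (constructed wrapper, not Keycloak API)."""
    rsp = exchange(base_url, realm,
                   token_exchange_form(client_id, client_secret, caller_token, audience, scope))
    new_token = rsp["access_token"]
    extra = excess_grants(jwt_payload(new_token), audience, allowed)
    if extra:
        raise PermissionError(f"exchanged token not downgraded: {extra}")
    return new_token
```

The check is deliberately strict: every client listed under resource_access other than the audience counts as excess, so pass allowed=("account",) if svc-2 legitimately needs the account client's roles. Whether scope actually narrows the roles depends on how the realm's client scopes and the svc-2 client's scope mappings are configured, which is the second point in Pedro's reply.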
>> And how, if so?
>>
>> Thank you,
>> Alexey

From psilva at redhat.com Wed Feb 27 11:26:58 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Feb 2019 13:26:58 -0300
Subject: [keycloak-user] keycloak authorization services (enforcer) with RPC API - GraphQL or GRPC
In-Reply-To:
References:
Message-ID:

This looks interesting. Have you checked this part of the docs [1] ?

In a nutshell, in order to push arbitrary claims to your policies, you use a specific request parameter when sending an authorization request to the token endpoint. The value of this parameter is a JSON in Base64 format.

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_pushing_claims

On Wed, Feb 27, 2019 at 1:17 PM Eugen Stan wrote:

> Hello,
>
> I'm trying to figure out how to work with the Authorization Services and an RPC style API.
>
> For reference, I'm using spring boot, graphql-java and graphql-java-tools and the keycloak spring security adapter.
>
> I wish to know how I can call the enforcer programmatically in my graphql resolvers.
>
> Since I am not using http paths I need to build the authorization request depending on which resolver is called.
>
> Some of the API requests are public - they don't require user authentication.
>
> Some are private and require user authentication and authorization.
>
> *Background*
>
> We have a GraphQL based API that we would like to expose. It's also multi-tenant and a User (in Keycloak) can be a member of multiple tenants.
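Added example for Pedro's pointer above to pushing claims with the authorization request (the GraphQL/enforcer thread). This is not code from either message and not Keycloak's own client library: it shows what a resolver such as getProject() can do before touching data, namely send a UMA authorization request to the token endpoint for one resource and scope, carry the tenant id in the claim_token parameter (Base64 of a JSON object whose values are lists), and then check the granted permissions inside the returned RPT. The resource server client name "api", the resource naming scheme /{org_id}/project/{id}, the scope name "view" and a policy that reads the pushed tenant_id claim are assumptions; the RPT payloads in the test are constructed.

```python
# Added example (not from the thread): gate a GraphQL resolver on a Keycloak
# authorization decision, pushing the tenant id as a claim. Assumptions: a
# resource server client named "api" whose resources are named like the
# thread's /{org_id}/project/{id}, a policy that reads the pushed tenant_id
# claim, Keycloak under /auth. Tokens in the test are constructed.
import base64
import json
from urllib import parse, request

UMA_TICKET = "urn:ietf:params:oauth:grant-type:uma-ticket"


def claim_token(claims):
    """Value of the claim_token parameter: Base64 of a JSON object whose
    values are lists of strings, e.g. {"tenant_id": ["42"]}."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def decode_claim_token(value):
    """Inverse of claim_token, useful when debugging what the policy will see."""
    return json.loads(base64.b64decode(value))


def authorization_form(audience, resource, scope, claims):
    """Form fields for the UMA grant. permission is 'resource#scope'; without a
    claim_token_format the server reads claim_token as plain Base64 JSON."""
    return {
        "grant_type": UMA_TICKET,
        "audience": audience,
        "permission": f"{resource}#{scope}",
        "claim_token": claim_token(claims),
    }


def request_rpt(base_url, realm, access_token, fields):
    """Send the authorization request to the token endpoint, authenticated
    with the caller's access token, and return the RPT (an access token).
    Keycloak answers a denied request with HTTP 403, which urlopen raises."""
    url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
    req = request.Request(url, data=parse.urlencode(fields).encode(), method="POST",
                          headers={"Authorization": f"Bearer {access_token}",
                                   "Content-Type": "application/x-www-form-urlencoded"})
    with request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def jwt_payload(token):
    """Payload of a JWT we just obtained from the issuer (signature not checked
    here; verify it before trusting tokens that arrive from callers)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def permission_granted(rpt_payload, resource, scope):
    """RPTs list granted permissions under authorization.permissions, each with
    rsname and (optionally) scopes; an entry without scopes grants them all."""
    for perm in rpt_payload.get("authorization", {}).get("permissions", []):
        if perm.get("rsname") == resource:
            scopes = perm.get("scopes")
            if not scopes or scope in scopes:
                return True
    return False


def authorize_project_view(base_url, realm, access_token, tenant_id, project_id):
    """Resolver-side gate: True only if the RPT grants 'view' on this project.
    tenant_id is pushed as a claim so the policy can compare it with the
    caller's memberships instead of trusting a GraphQL argument."""
    resource = f"/{tenant_id}/project/{project_id}"
    fields = authorization_form("api", resource, "view", {"tenant_id": [str(tenant_id)]})
    rpt = request_rpt(base_url, realm, access_token, fields)
    return permission_granted(jwt_payload(rpt), resource, "view")
```

Pushed claims are inputs the caller's side supplies, so a policy should treat tenant_id as the requested tenant and still decide from server-side facts (group membership, role, resource owner) whether that request is allowed; the claim only routes the evaluation, it does not prove membership.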
> > What I am trying to achieve is to secure access to resource like > /{org_id}/project/{id} (complex version) or /account/{org_id} - (simple > version) > > I would like to call the enforcer at the begining of each resolver and > build the authorization request there - also providing the tenant id for > authorization. > > *Example* > > I managed to make the integration work and I can get the AccessToken : > > How can I make the authorization call and provide the tenant ID to the > policy as a claim? > > I know about [cip-spi], just not clear how to make things happen. > > I imagine I have to build a resource like /{org_id}/project/{id} and > provide the tenant_id and id values. > > > public class QueryResolver implements GraphQLQueryResolver { > > public CompletableFuture getProject(Long id, Long tenanID, > DataFetchingEnvironment dfe) { > HttpServletRequest req = > ((GraphQLContext) dfe.getExecutionContext().getContext()) > .getHttpServletRequest() > .orElseThrow(() -> new IllegalStateException("Request object > is missing")); > KeycloakAuthenticationToken authToken = > (KeycloakAuthenticationToken) req.getUserPrincipal(); > if (authToken != null) { > // we have authenticated user > KeycloakPrincipal principal = (KeycloakPrincipal) > authToken.getPrincipal(); > AccessToken accessToken = > principal.getKeycloakSecurityContext().getToken(); > log.info("Authenticated with {}", accessToken.getEmail()); > } else { > log.info("User not authenticated "); > } > } > > > Thanks, > > Eugen > > > [1] > > https://www.keycloak.org/docs/4.8/authorization_services/#claim-information-provider-spi > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From max.allan+keycloak at surevine.com Wed Feb 27 11:46:33 2019 From: max.allan+keycloak at surevine.com (Max Allan) Date: Wed, 27 Feb 2019 16:46:33 +0000 Subject: [keycloak-user] Can I query for users with "Reset 
password" action outstanding
Message-ID:

Hello,

Is there a way to query for users with "password reset" actions against their accounts? We would like to send people a nudge that they need to reset before the link expires. (I'm guessing I'll need a SQL query?)

Thanks,
Max

From pa at pauloangelo.com Wed Feb 27 13:54:24 2019
From: pa at pauloangelo.com (Paulo Angelo)
Date: Wed, 27 Feb 2019 15:54:24 -0300
Subject: [keycloak-user] Announce of the GuardianKey extension
In-Reply-To:
References:
Message-ID:

Hi Stian,

Thank you for the tip. We are going to include this in our roadmap.

[]'s

Paulo Angelo

On Wed, Feb 27, 2019 at 5:05 AM Stian Thorgersen wrote:
> This is really nice. Congrats.
>
> One small improvement I spotted that you can apply to the extension is that you can now include theme resources in the JAR itself. Take a look at https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource. With that users won't have to install the FTL template separately.
>
> On Wed, 27 Feb 2019 at 02:18, Paulo Angelo wrote:
>
>> Hi all,
>>
>>
>> We are glad to announce the first release of the GuardianKey extension for KeyCloak.
>>
>> On this occasion, we would like to acknowledge that the KeyCloak's community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
>>
>> GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts.
>> We have cloud and product versions. We note that there is a free service for small environments. More info at [1].
>>
>> The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.
>>
>> We appreciate any suggestion or comment.
>>
>> [1] https://guardiankey.io
>>
>> [2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
>>
>> [3] https://youtu.be/R5QFcH4bXuA
>>
>> Once again, thank you!
>>
>> Best regards,
>>
>> Paulo Angelo
>>
>> https://www.linkedin.com/in/reddhatt/
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

--
Att,
Paulo Angelo

From psilva at redhat.com Wed Feb 27 13:02:44 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Feb 2019 15:02:44 -0300
Subject: [keycloak-user] Announce of the GuardianKey extension
In-Reply-To:
References:
Message-ID:

Do you have any plans to also take into account authorization events?

Regards.
Pedro Igor

On Wed, Feb 27, 2019 at 2:57 PM Paulo Angelo wrote:
> Hi Stian,
>
> Thank you for the tip. We are going to include this in our roadmap.
>
> []'s
>
> Paulo Angelo
>
> On Wed, Feb 27, 2019 at 5:05 AM Stian Thorgersen wrote:
>
> > This is really nice. Congrats.
> >
> > One small improvement I spotted that you can apply to the extension is that you can now include theme resources in the JAR itself. Take a look at https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource. With that users won't have to install the FTL template separately.
> >
> > On Wed, 27 Feb 2019 at 02:18, Paulo Angelo wrote:
> >
> >> Hi all,
> >>
> >>
> >> We are glad to announce the first release of the GuardianKey extension for KeyCloak.
> >>
> >> On this occasion, we would like to acknowledge that the KeyCloak's community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
> >>
> >> GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts. We have cloud and product versions. We note that there is a free service for small environments. More info at [1].
> >>
> >> The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.
> >>
> >> We appreciate any suggestion or comment.
> >>
> >> [1] https://guardiankey.io
> >>
> >> [2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
> >>
> >> [3] https://youtu.be/R5QFcH4bXuA
> >>
> >> Once again, thank you!
> >>
> >> Best regards,
> >>
> >> Paulo Angelo
> >>
> >> https://www.linkedin.com/in/reddhatt/
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > --
> > Att,
> > Paulo Angelo
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pa at pauloangelo.com Wed Feb 27 15:04:26 2019
From: pa at pauloangelo.com (Paulo Angelo)
Date: Wed, 27 Feb 2019 17:04:26 -0300
Subject: [keycloak-user] Announce of the GuardianKey extension
In-Reply-To:
References:
Message-ID:

Hi Pedro Igor,

Currently, GuardianKey supports Authentication and Registration events. We have in our roadmap the Authorization and Profile Changing events. We can also do customized events, depending on the project.

In the KeyCloak's extension, we implemented only the Authentication events. But I believe that the other events will be useful too. I'm going to add them to the extension's roadmap.

Thank you.

[]'s

Paulo Angelo

On Wed, Feb 27, 2019 at 3:02 PM Pedro Igor Silva wrote:
> Do you have any plans to also take into account authorization events?
>
> Regards.
> Pedro Igor
>
> On Wed, Feb 27, 2019 at 2:57 PM Paulo Angelo wrote:
>
>> Hi Stian,
>>
>> Thank you for the tip. We are going to include this in our roadmap.
>>
>> []'s
>>
>> Paulo Angelo
>>
>> On Wed, Feb 27, 2019 at 5:05 AM Stian Thorgersen wrote:
>>
>> > This is really nice. Congrats.
>> >
>> > One small improvement I spotted that you can apply to the extension is that you can now include theme resources in the JAR itself. Take a look at https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource. With that users won't have to install the FTL template separately.
>> >
>> > On Wed, 27 Feb 2019 at 02:18, Paulo Angelo wrote:
>> >
>> >> Hi all,
>> >>
>> >>
>> >> We are glad to announce the first release of the GuardianKey extension for KeyCloak.
>> >>
>> >> On this occasion, we would like to acknowledge that the KeyCloak's community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
>> >>
>> >> GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts. We have cloud and product versions. We note that there is a free service for small environments. More info at [1].
>> >>
>> >> The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.
>> >>
>> >> We appreciate any suggestion or comment.
>> >>
>> >> [1] https://guardiankey.io
>> >>
>> >> [2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
>> >>
>> >> [3] https://youtu.be/R5QFcH4bXuA
>> >>
>> >> Once again, thank you!
>> >>
>> >> Best regards,
>> >>
>> >> Paulo Angelo
>> >>
>> >> https://www.linkedin.com/in/reddhatt/
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>>
>> --
>> Att,
>> Paulo Angelo
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
> Att,
> Paulo Angelo

From psilva at redhat.com Wed Feb 27 19:27:58 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 27 Feb 2019 21:27:58 -0300
Subject: [keycloak-user] Announce of the GuardianKey extension
In-Reply-To:
References:
Message-ID:

Nice and congrats for your work.

On Wed, Feb 27, 2019 at 4:04 PM Paulo Angelo wrote:
> Hi Pedro Igor,
>
> Currently, GuardianKey supports Authentication and Registration events. We have in our roadmap the Authorization and Profile Changing events. We can also do customized events, depending on the project.
>
> In the KeyCloak's extension, we implemented only the Authentication events. But I believe that the other events will be useful too. I'm going to add them to the extension's roadmap.
>
>
> Thank you.
>
> []'s
>
> Paulo Angelo
>
> On Wed, Feb 27, 2019 at 3:02 PM Pedro Igor Silva wrote:
>
>> Do you have any plans to also take into account authorization events?
>>
>> Regards.
>> Pedro Igor
>>
>> On Wed, Feb 27, 2019 at 2:57 PM Paulo Angelo wrote:
>>
>>> Hi Stian,
>>>
>>> Thank you for the tip. We are going to include this in our roadmap.
>>>
>>> []'s
>>>
>>> Paulo Angelo
>>>
>>> On Wed, Feb 27, 2019 at 5:05 AM Stian Thorgersen wrote:
>>>
>>> > This is really nice. Congrats.
>>> >
>>> > One small improvement I spotted that you can apply to the extension is that you can now include theme resources in the JAR itself. Take a look at https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource. With that users won't have to install the FTL template separately.
>>> >
>>> > On Wed, 27 Feb 2019 at 02:18, Paulo Angelo wrote:
>>> >
>>> >> Hi all,
>>> >>
>>> >>
>>> >> We are glad to announce the first release of the GuardianKey extension for KeyCloak.
>>> >>
>>> >> On this occasion, we would like to acknowledge that the KeyCloak's community is very active and contributed a lot by providing directions for the problems faced by us in this foray. We give a special thank you to Aléxis Almeida, Dmitry Telegin, Stian Thorgersen, and Thomas Darimont.
>>> >>
>>> >> GuardianKey is a solution to protect systems against authentication attacks. We use Machine Learning to analyze the user's behavior, threat intelligence, and psychometrics (or behavioral biometrics) and provide an attack risk in real-time. The protected system (in the concrete case, KeyCloak, via the extension) sends the events via REST to GuardianKey on each login attempt and can notify users or even block the high-risk events. Also, there is a panel that presents dashboards about login attempts. We have cloud and product versions. We note that there is a free service for small environments. More info at [1].
>>> >>
>>> >> The extension is available at [2], in which we also included documentation (docs and video [3]) for its installation, configuration, and use.
>>> >>
>>> >> We appreciate any suggestion or comment.
>>> >>
>>> >> [1] https://guardiankey.io
>>> >>
>>> >> [2] https://github.com/pauloangelo/guardiankey-plugin-keycloak
>>> >>
>>> >> [3] https://youtu.be/R5QFcH4bXuA
>>> >>
>>> >> Once again, thank you!
>>> >>
>>> >> Best regards,
>>> >>
>>> >> Paulo Angelo
>>> >>
>>> >> https://www.linkedin.com/in/reddhatt/
>>> >> _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> >
>>>
>>> --
>>> Att,
>>> Paulo Angelo
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
> --
> Att,
> Paulo Angelo
>

From r.neziri at sdplus.ch Thu Feb 28 04:11:56 2019
From: r.neziri at sdplus.ch (Neziri Rexhi)
Date: Thu, 28 Feb 2019 09:11:56 +0000
Subject: [keycloak-user] IDX10501: Signature validation failed. Unable to match 'kid'
Message-ID:

Hi,

I have posted my question here: https://stackoverflow.com/questions/54909343/idx10501-signature-validation-failed-unable-to-match-kid

Can someone give me some help please?

Best regards

Rexhi Neziri
Technical associate
sittel consulting sa
Rue de Lausanne 15
1950 Sion
Tel: +41 27 205 44 27
www.sittel.ch
A company of the sdplus group
Follow us on Linkedin, Twitter and Instagram

From titorenko at dtg.technology Thu Feb 28 04:21:01 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Thu, 28 Feb 2019 12:21:01 +0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To:
References: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>
Message-ID:

Yes, I tried. It seems that the scope parameter is ignored and this is also said in the documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange):

scope
NOT IMPLEMENTED. This parameter represents the target set of OAuth and OpenID Connect scopes the client is requesting. It is not implemented at this time but will be once Keycloak has better support for scopes in general.

Other settings for client applications do not work.
Below are tokens which I got for the calling client and after token exchange in my test application. It has a bit more complex structure than I described before. It is:

user -> jsp-web-app -> docs-svc
                    -> facade-svc -> svc-1
                                  -> svc-2

Token exchange happens when facade-svc calls svc-2. Below are two tokens:

1. First is a token which is used to call from jsp-web-app to facade-svc
2. Second is a token which I have after token exchange in facade-svc to call svc-2.

For this test I configured facade-svc so that it cannot call "svc-2" at all (svc-2 is absent in Scope and Client Scope tabs). But after token exchange "svc-2" is successfully called. Note how wide the scope, roles and audience of the exchanged token are. facade-svc is only allowed to call "svc-1". Also, in the exchanged token I see audiences and scopes which were not present in the original caller's token.

{
  "jti": "863d8801-dd28-4314-8b50-4ddefe97c380",
  "exp": 1551344900,
  "nbf": 0,
  "iat": 1551344600,
  "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
  "aud": ["facade-svc", "docs-svc"],
  "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
  "typ": "Bearer",
  "azp": "jsp-web-app",
  "auth_time": 1551343339,
  "session_state": "3606845e-9f85-4dc7-8edb-41ce3ab67268",
  "acr": "0",
  "allowed-origins": ["http://localhost:8080"],
  "resource_access": {
    "facade-svc": { "roles": ["user"] },
    "docs-svc": { "roles": ["user"] }
  },
  "scope": "openid profile email",
  "email_verified": false,
  "organization": "Org-1",
  "preferred_username": "user"
}

{
  "jti": "cef6ae27-0e98-491d-9ef2-69850b664766",
  "exp": 1551341466,
  "nbf": 0,
  "iat": 1551341166,
  "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
  "aud": ["facade-svc", "docs-svc", "account", "svc-2"],
  "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
  "typ": "Bearer",
  "azp": "facade-svc",
  "auth_time": 1551341150,
  "session_state": "dcfa21cc-57a2-4302-a459-d772b5f79f13",
  "acr": "1",
  "realm_access": { "roles": ["offline_access", "uma_authorization", "user"] },
  "resource_access": {
    "facade-svc": { "roles": ["user"] },
    "docs-svc": { "roles": ["user"] },
    "account": { "roles": ["manage-account", "manage-account-links", "view-profile"] },
    "svc-2": { "roles": ["user"] }
  },
  "scope": "openid profile email",
  "email_verified": false,
  "preferred_username": "user"
}

> On 27 Feb 2019, at 19:22, Pedro Igor Silva wrote:
>
> IIRC, you can use a scope parameter when doing a token exchange. Other aspects could be managed by setting up client scopes to your client applications, did you try that?
>
> On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko wrote:
> Hi Pedro!
>
> Thank you for the answer!
>
> I would like to be able to control all aspects: audience, scope and roles.
>
> Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.
>
>
> Alexey.
>
>> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>>
>> Hi,
>>
>> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2?
>>
>> Regards.
>> Pedro Igor
>>
>> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko wrote:
>> Hello guys.
>>
>> I would like to ask your help with the following. I'm currently looking at an on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>>
>> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>>
>> First, in order to propagate the caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2"
call in order to reduce potential harm in case this token is intercepted by someone.
>>
>> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the "scope" parameter is not supported for token exchange.
>>
>>
>> So, my questions are:
>> Is token exchange the right tool for this task?
>> Is it possible to downgrade the exchanged token? And how, if so?
>>
>>
>> Thank you,
>> Alexey
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Thu Feb 28 08:16:51 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 28 Feb 2019 10:16:51 -0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To:
References: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>
Message-ID:

The wider scope may be related to how the protocol mappers are being run, especially those associated with the client scopes you are using by default (or for a particular client). For instance, you have all those audiences because your user is granted roles to those clients and the mapper just includes any of these clients in the audience.

I need to look at this in more detail. I will not say that you are using a wrong setting because even if you are, I don't think the documentation is clear enough to get it right.

Do you mind creating a JIRA to track this?

Regards.
Pedro Igor

On Thu, Feb 28, 2019 at 6:21 AM Alexey Titorenko wrote:
> Yes, I tried. It seems that the scope parameter is ignored and this is also said in the documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange):
>
> scope
> NOT IMPLEMENTED. This parameter represents the target set of OAuth and OpenID Connect scopes the client is requesting. It is not implemented at this time but will be once Keycloak has better support for scopes in general.
>
>
> Other settings for client applications do not work. Below are tokens which I got for the calling client and after token exchange in my test application. It has a bit more complex structure than I described before. It is:
>
> user -> jsp-web-app -> docs-svc
>                     -> facade-svc -> svc-1
>                                   -> svc-2
>
> Token exchange happens when facade-svc calls svc-2. Below are two tokens:
>
> 1. First is a token which is used to call from jsp-web-app to facade-svc
> 2. Second is a token which I have after token exchange in facade-svc to call svc-2.
>
>
> For this test I configured facade-svc so that it cannot call "svc-2" at all (svc-2 is absent in Scope and Client Scope tabs). But after token exchange "svc-2" is successfully called. Note how wide the scope, roles and audience of the exchanged token are. facade-svc is only allowed to call "svc-1". Also, in the exchanged token I see audiences and scopes which were not present in the original caller's token.
>
> {
>   "jti": "863d8801-dd28-4314-8b50-4ddefe97c380",
>   "exp": 1551344900,
>   "nbf": 0,
>   "iat": 1551344600,
>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>   "aud": ["facade-svc", "docs-svc"],
>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>   "typ": "Bearer",
>   "azp": "jsp-web-app",
>   "auth_time": 1551343339,
>   "session_state": "3606845e-9f85-4dc7-8edb-41ce3ab67268",
>   "acr": "0",
>   "allowed-origins": ["http://localhost:8080"],
>   "resource_access": {
>     "facade-svc": { "roles": ["user"] },
>     "docs-svc": { "roles": ["user"] }
>   },
>   "scope": "openid profile email",
>   "email_verified": false,
>   "organization": "Org-1",
>   "preferred_username": "user"
> }
>
>
> {
>   "jti": "cef6ae27-0e98-491d-9ef2-69850b664766",
>   "exp": 1551341466,
>   "nbf": 0,
>   "iat": 1551341166,
>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>   "aud": ["facade-svc", "docs-svc", "account", "svc-2"],
>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>   "typ": "Bearer",
>   "azp": "facade-svc",
>   "auth_time": 1551341150,
>   "session_state": "dcfa21cc-57a2-4302-a459-d772b5f79f13",
>   "acr": "1",
>   "realm_access": { "roles": ["offline_access", "uma_authorization", "user"] },
>   "resource_access": {
>     "facade-svc": { "roles": ["user"] },
>     "docs-svc": { "roles": ["user"] },
>     "account": { "roles": ["manage-account", "manage-account-links", "view-profile"] },
>     "svc-2": { "roles": ["user"] }
>   },
>   "scope": "openid profile email",
>   "email_verified": false,
>   "preferred_username": "user"
> }
>
>
>
>
>
> On 27 Feb 2019, at 19:22, Pedro Igor Silva wrote:
>
> IIRC, you can use a scope parameter when doing a token exchange. Other aspects could be managed by setting up client scopes to your client applications, did you try that?
>
> On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko <titorenko at dtg.technology> wrote:
>
>> Hi Pedro!
>>
>> Thank you for the answer!
>>
>> I would like to be able to control all aspects: audience, scope and roles.
>>
>> Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.
>>
>>
>> Alexey.
>>
>> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>>
>> Hi,
>>
>> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2?
>>
>> Regards.
>> Pedro Igor
>>
>> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko <titorenko at dtg.technology> wrote:
>>
>>> Hello guys.
>>>
>>> I would like to ask your help with the following. I'm currently looking at an on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>>>
>>> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>>>
>>> First, in order to propagate the caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call in order to reduce potential harm in case this token is intercepted by someone.
>>>
>>> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the "scope" parameter is not supported for token exchange.
>>>
>>>
>>> So, my questions are:
>>> Is token exchange the right tool for this task?
>>> Is it possible to downgrade the exchanged token? And how, if so?
>>>
>>>
>>> Thank you,
>>> Alexey
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>

From titorenko at dtg.technology Thu Feb 28 08:23:34 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Thu, 28 Feb 2019 16:23:34 +0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To:
References: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology>
Message-ID: <11EA4F8A-EEA0-41C2-8162-56FD434E5E58@dtg.technology>

Hi!

I will look more carefully at how mappers work in this case.

I can create a JIRA case if this can help. I'm not sure that this is a bug. I'm just trying to understand how much flexibility I have in this case. Do you think it makes sense? Creating a JIRA?

> On 28 Feb 2019, at 16:16, Pedro Igor Silva wrote:
>
> The wider scope may be related to how the protocol mappers are being run, especially those associated with the client scopes you are using by default (or for a particular client).
> For instance, you have all those audiences because your user is granted roles to those clients and the mapper just includes any of these clients in the audience.
>
> I need to look at this in more detail. I will not say that you are using a wrong setting because even if you are, I don't think the documentation is clear enough to get it right.
>
> Do you mind creating a JIRA to track this?
>
> Regards.
> Pedro Igor
>
> On Thu, Feb 28, 2019 at 6:21 AM Alexey Titorenko wrote:
> Yes, I tried. It seems that the scope parameter is ignored and this is also said in the documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange):
>
> scope
> NOT IMPLEMENTED. This parameter represents the target set of OAuth and OpenID Connect scopes the client is requesting. It is not implemented at this time but will be once Keycloak has better support for scopes in general.
>
>
> Other settings for client applications do not work. Below are tokens which I got for the calling client and after token exchange in my test application. It has a bit more complex structure than I described before. It is:
>
> user -> jsp-web-app -> docs-svc
>                     -> facade-svc -> svc-1
>                                   -> svc-2
>
>
> Token exchange happens when facade-svc calls svc-2. Below are two tokens:
> First is a token which is used to call from jsp-web-app to facade-svc
> Second is a token which I have after token exchange in facade-svc to call svc-2.
>
> For this test I configured facade-svc so that it cannot call "svc-2" at all (svc-2 is absent in Scope and Client Scope tabs). But after token exchange "svc-2" is successfully called. Note how wide the scope, roles and audience of the exchanged token are. facade-svc is only allowed to call "svc-1". Also, in the exchanged token I see audiences and scopes which were not present in the original caller's token.
> {
>   "jti": "863d8801-dd28-4314-8b50-4ddefe97c380",
>   "exp": 1551344900,
>   "nbf": 0,
>   "iat": 1551344600,
>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>   "aud": ["facade-svc", "docs-svc"],
>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>   "typ": "Bearer",
>   "azp": "jsp-web-app",
>   "auth_time": 1551343339,
>   "session_state": "3606845e-9f85-4dc7-8edb-41ce3ab67268",
>   "acr": "0",
>   "allowed-origins": ["http://localhost:8080"],
>   "resource_access": {
>     "facade-svc": { "roles": ["user"] },
>     "docs-svc": { "roles": ["user"] }
>   },
>   "scope": "openid profile email",
>   "email_verified": false,
>   "organization": "Org-1",
>   "preferred_username": "user"
> }
>
> {
>   "jti": "cef6ae27-0e98-491d-9ef2-69850b664766",
>   "exp": 1551341466,
>   "nbf": 0,
>   "iat": 1551341166,
>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>   "aud": ["facade-svc", "docs-svc", "account", "svc-2"],
>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>   "typ": "Bearer",
>   "azp": "facade-svc",
>   "auth_time": 1551341150,
>   "session_state": "dcfa21cc-57a2-4302-a459-d772b5f79f13",
>   "acr": "1",
>   "realm_access": { "roles": ["offline_access", "uma_authorization", "user"] },
>   "resource_access": {
>     "facade-svc": { "roles": ["user"] },
>     "docs-svc": { "roles": ["user"] },
>     "account": { "roles": ["manage-account", "manage-account-links", "view-profile"] },
>     "svc-2": { "roles": ["user"] }
>   },
>   "scope": "openid profile email",
>   "email_verified": false,
>   "preferred_username": "user"
> }
>
>
>
>
>
>> On 27 Feb 2019, at 19:22, Pedro Igor Silva wrote:
>>
>> IIRC, you can use a scope parameter when doing a token exchange. Other aspects could be managed by setting up client scopes to your client applications, did you try that?
>>
>> On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko wrote:
>> Hi Pedro!
>>
>> Thank you for the answer!
>>
>> I would like to be able to control all aspects: audience, scope and roles.
>>
>> Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.
>>
>>
>> Alexey.
>>
>>> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>>>
>>> Hi,
>>>
>>> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko wrote:
>>> Hello guys.
>>>
>>> I would like to ask your help with the following. I'm currently looking at an on-behalf-of scenario with Keycloak. In this case we have "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>>>
>>> The idea is to let svc-2 know who is the actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak.
>>>
>>> First, in order to propagate the caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call in order to reduce potential harm in case this token is intercepted by someone.
>>>
>>> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the "scope" parameter is not supported for token exchange.
>>>
>>>
>>> So, my questions are:
>>> Is token exchange the right tool for this task?
>>> Is it possible to downgrade the exchanged token? And how, if so?
>>>
>>>
>>> Thank you,
>>> Alexey
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Thu Feb 28 08:29:12 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 28 Feb 2019 10:29:12 -0300
Subject: [keycloak-user] Token exchange: on-behalf-of + downgrade
In-Reply-To: <11EA4F8A-EEA0-41C2-8162-56FD434E5E58@dtg.technology>
References: <45CAC7A6-2E97-49E9-B24F-B600DF2E3B52@dtg.technology> <11EA4F8A-EEA0-41C2-8162-56FD434E5E58@dtg.technology>
Message-ID:

It has been a while since I've been trying to look more closely at how we are doing the token exchange. Considering that this thread started a good discussion with a good example of how people are using it, I would say that a JIRA will help us to not forget about this. There are things in the specs that we don't yet support, as well as new functionality such as client scopes that I'm not sure are fully integrated with the token exchange.

If you want to investigate by yourself and share your findings with the community, I appreciate it. So we don't need a JIRA.

Thanks.
Pedro Igor

On Thu, Feb 28, 2019 at 10:23 AM Alexey Titorenko wrote:
> Hi!
>
> I will look more carefully at how mappers work in this case.
>
> I can create a JIRA case if this can help. I'm not sure that this is a bug. I'm just trying to understand how much flexibility I have in this case. Do you think it makes sense? Creating a JIRA?
>
>
> On 28 Feb 2019, at 16:16, Pedro Igor Silva wrote:
>
> The wider scope may be related to how the protocol mappers are being run, especially those associated with the client scopes you are using by default (or for a particular client). For instance, you have all those audiences because your user is granted roles to those clients and the mapper just includes any of these clients in the audience.
>
> I need to look at this in more detail.
> I will not say that you are using a wrong setting because even if you are, I don't think the documentation is clear enough to get it right.
>
> Do you mind creating a JIRA to track this?
>
> Regards.
> Pedro Igor
>
> On Thu, Feb 28, 2019 at 6:21 AM Alexey Titorenko wrote:
>
>> Yes, I tried. It seems that the scope parameter is ignored and this is also said in the documentation (https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange):
>>
>> scope
>> NOT IMPLEMENTED. This parameter represents the target set of OAuth and OpenID Connect scopes the client is requesting. It is not implemented at this time but will be once Keycloak has better support for scopes in general.
>>
>>
>> Other settings for client applications do not work. Below are tokens which I got for the calling client and after token exchange in my test application. It has a bit more complex structure than I described before. It is:
>>
>> user -> jsp-web-app -> docs-svc
>>                     -> facade-svc -> svc-1
>>                                   -> svc-2
>>
>> Token exchange happens when facade-svc calls svc-2. Below are two tokens:
>>
>> 1. First is a token which is used to call from jsp-web-app to facade-svc
>> 2. Second is a token which I have after token exchange in facade-svc to call svc-2.
>>
>>
>> For this test I configured facade-svc so that it cannot call "svc-2" at all (svc-2 is absent in the Scope and Client Scope tabs). But after token exchange "svc-2" is successfully called. Note how wide the scope, roles and audience of the exchanged token are. facade-svc is only allowed to call "svc-1". Also, in the exchanged token I see audiences and scopes which were not present in the original caller's token.
>>
>> {
>>   "jti": "863d8801-dd28-4314-8b50-4ddefe97c380",
>>   "exp": 1551344900,
>>   "nbf": 0,
>>   "iat": 1551344600,
>>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>>   "aud": ["facade-svc", "docs-svc"],
>>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>>   "typ": "Bearer",
>>   "azp": "jsp-web-app",
>>   "auth_time": 1551343339,
>>   "session_state": "3606845e-9f85-4dc7-8edb-41ce3ab67268",
>>   "acr": "0",
>>   "allowed-origins": ["http://localhost:8080"],
>>   "resource_access": {
>>     "facade-svc": {"roles": ["user"]},
>>     "docs-svc": {"roles": ["user"]}
>>   },
>>   "scope": "openid profile email",
>>   "email_verified": false,
>>   "organization": "Org-1",
>>   "preferred_username": "user"
>> }
>>
>>
>> {
>>   "jti": "cef6ae27-0e98-491d-9ef2-69850b664766",
>>   "exp": 1551341466,
>>   "nbf": 0,
>>   "iat": 1551341166,
>>   "iss": "http://localhost:8180/auth/realms/DTGOpenIDDemoApp",
>>   "aud": ["facade-svc", "docs-svc", "account", "svc-2"],
>>   "sub": "6d312ba3-aa9e-4646-af57-95a9e965b8a9",
>>   "typ": "Bearer",
>>   "azp": "facade-svc",
>>   "auth_time": 1551341150,
>>   "session_state": "dcfa21cc-57a2-4302-a459-d772b5f79f13",
>>   "acr": "1",
>>   "realm_access": {
>>     "roles": ["offline_access", "uma_authorization", "user"]
>>   },
>>   "resource_access": {
>>     "facade-svc": {"roles": ["user"]},
>>     "docs-svc": {"roles": ["user"]},
>>     "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
>>     "svc-2": {"roles": ["user"]}
>>   },
>>   "scope": "openid profile email",
>>   "email_verified": false,
>>   "preferred_username": "user"
>> }
>>
>>
>> On 27 Feb 2019, at 19:22, Pedro Igor Silva wrote:
>>
>> IIRC, you can use a scope parameter when doing a token exchange. Other aspects could be managed by setting up client scopes for your client applications, did you try that?
>>
>> On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko <titorenko at dtg.technology> wrote:
>>
>>> Hi Pedro!
>>>
>>> Thank you for the answer!
>>>
>>> I would like to be able to control all aspects: audience, scope and roles.
>>>
>>> Today I also found that the exchanged token may contain more roles than are defined on the Scope tab for svc-1, if the caller has some additional roles. So, after token exchange svc-1 can have more rights than would be possible without token exchange.
>>>
>>>
>>> Alexey.
>>>
>>> On 27 Feb 2019, at 18:50, Pedro Igor Silva wrote:
>>>
>>> Hi,
>>>
>>> The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko <titorenko at dtg.technology> wrote:
>>>
>>>> Hello guys.
>>>>
>>>> I would like to ask for your help with the following. I'm currently looking at an on-behalf-of scenario with Keycloak. In this case we have a "web app" calling "svc-1", which in turn calls another service "svc-2". That is, we have: web -> svc-1 -> svc-2.
>>>>
>>>> The idea is to let svc-2 know who the actual initiator of the call chain is (end-to-end identity propagation). The question is about how to do that with Keycloak.
>>>>
>>>> First, in order to propagate the caller identity we could exchange tokens in "svc-1". In this case we can have the correct audience and, thus, control token usage. Second, we need to remove any excessive permissions (client roles) that are not related to the "svc-2" call in order to reduce potential harm in case this token is intercepted by someone.
>>>>
>>>> And while I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in the documentation, the "scope" parameter is not supported for token exchange.
>>>>
>>>>
>>>> So, my questions are:
>>>> Is token exchange the right tool for this task?
>>>> Is it possible to downgrade the exchanged token? And how, if so?
>>>>
>>>>
>>>> Thank you,
>>>> Alexey
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>

From manuel.waltschek at prisma-solutions.at Thu Feb 28 12:53:49 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Thu, 28 Feb 2019 17:53:49 +0000
Subject: [keycloak-user] Stuck configuring IdP broker
Message-ID:

Dear KC Community,

my team and I have been stuck configuring a simple SAML service provider with Keycloak for at least half a year now. Our use case is a simple SP-initiated login and both IdP- and SP-initiated logout.

We deploy on WildFly 10 and we tried to use the wildfly-saml-adapter only, since the Keycloak server as a broker forces a first login flow, which we tried to skip. Unfortunately we couldn't get the Keycloak login module to get triggered and therefore we cannot obtain a login on the EJB tier. We made a workaround for this and managed to finally log in. After that, we found out that the logout does not work as expected. HttpRequest.logout() and setting the request param ?GLO=true do not work alone, since we have to combine them to get the logout request sent to the external IdP, but then we keep the session cookie in the SP alive and we cannot process the success message from the IdP.

So we finally decided to try out the Keycloak server, since we might be missing something. Unfortunately we just can't get it to work.
We are using nginx as a reverse proxy and configured the following:

    location ^~ /auth/ {
        proxy_pass http://127.0.0.1:8180/auth;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

We also configured standalone.xml of Keycloak as follows:

But we are stuck, since we cannot access the management/admin console of Keycloak over the nginx, since it redirects to localhost:8180/auth/admin (we are using a port offset). Why does it do this? It might be the auth-server-url configuration of the master realm:

    {"realm":"master","auth-server-url":"http://localhost:8180/auth","ssl-required":"external","resource":"security-admin-console","public-client":true,"confidential-port":0}

When I access the console over an SSH tunnel, the redirect works as expected (to localhost:8181). But how could we change that confusing behaviour? We really need to log in over the proxy, since we need to configure an IdP whose redirect URI binds to the URI of the request in the browser (which is really confusing too).

Please help us, we decided to use Keycloak and we really had a lot of trouble with it.

Regards,

Manuel Waltschek BSc.
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
From Niranjan.Tungatkar at arris.com Thu Feb 28 13:30:54 2019
From: Niranjan.Tungatkar at arris.com (Tungatkar, Niranjan)
Date: Thu, 28 Feb 2019 18:30:54 +0000
Subject: [keycloak-user] Admin rest api - PUT - client update 500 internal server error
Message-ID:

Hi,

I am trying to update my client through the following curl request. I am trying to enable implicit flow. I also tried updating webOrigins and redirectUris but every time I get 500 Internal Server Error.

    curl -ivk -X PUT -H "Authorization: bearer $access_token" -H "Content-Type: application/json" https://$KC_FQDN:$KC_PORT/auth/admin/realms/TEST/clients/$client_id -d '{ "implicitFlowEnabled": true }'

Error in Keycloak logs:

    00:41:53,557 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
        at org.keycloak.services.resources.admin.ClientResource.updateClientFromRep(ClientResource.java:584)
        at org.keycloak.services.resources.admin.ClientResource.update(ClientResource.java:152)

I checked the Admin REST API PUT request spec here: https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_clients_resource
The client representation from here: https://www.keycloak.org/docs-api/3.4/rest-api/index.html#_clientrepresentation
The representation suggests all attributes are optional.

Keycloak version: 3.4.3.Final
Keycloak image: docker.io/jboss/keycloak-openshift:3.4.3.Final

How can I update the client through the admin REST API?
--
Niranjan

From janik-keycloak at familie-krallmann.de Thu Feb 28 14:53:01 2019
From: janik-keycloak at familie-krallmann.de (Janik)
Date: Thu, 28 Feb 2019 20:53:01 +0100
Subject: [keycloak-user] Authentication with Kerberos and login screen fallback
Message-ID: <886a1380-8a9f-cdfb-1382-6bfb8cd82791@familie-krallmann.de>

Hello guys,

I have a web application where I'd like to use Keycloak for authentication. If possible the user should log in via Kerberos. If not, use the login screen.

On my computer I have a valid Kerberos ticket and the login works fine. If I try to log in, for example, from another device I always get the error code 401. I expected to get the login screen instead. If I configure the trusted-uris on this device the login screen appears.

I successfully configured an LDAP User Federation provider with Kerberos integration. I used these instructions (https://www.keycloak.org/docs/2.5/server_admin/topics/authentication/kerberos.html) to create the authentication flows.

Is it possible to use Kerberos authentication from known devices and use the login screen from unknown devices where I can't configure trusted-uris? One example could be my mobile phone where I'm not able to configure something.

Thanks in advance.

From fabulous.rag at googlemail.com Thu Feb 28 15:20:37 2019
From: fabulous.rag at googlemail.com (Raggy Fab)
Date: Thu, 28 Feb 2019 21:20:37 +0100
Subject: [keycloak-user] User Propagation (on behalf of flow) in REST/OIDC+OAuth2
Message-ID:

Hi Keycloak users!

At my old company, when using SOAP, we were using standards like WS-Trust including a Security Token Service to authenticate SAML tokens for our users (incl. audience-URI-specific claims/roles). We used the WS-Federation standard to let users authenticate and used WS-Trust to propagate the user's SAML token across multiple application/web service hops (onBehalfOf flow). We did use SAML tokens issued from service accounts for backend-to-backend communication.
Now my question is: which of these use cases are supported (out of the box or partly supported), based on which protocol/flows, in the Keycloak REST/OIDC/OAuth2/JWT world? I had trouble finding input online specifically on how to implement an onBehalfOf flow.

We also have a use case where an external provider sends us a JWT token signed by his STS (which are valid users in our world that we can map) which we would like to "federate" (sign by our STS and translate his claims), and I was wondering what the best way would be to achieve such a token "translation" and if there is a standard for that.

If you can point me to a specific flow which is supported by Keycloak, or give me hints on how to achieve a similar use case (or let me know if there is no standard for a certain use case), that would be awesome!

Greetings
Raggy

From Kevin.Fox at pnnl.gov Thu Feb 28 15:42:17 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 28 Feb 2019 20:42:17 +0000
Subject: [keycloak-user] Authentication with Kerberos and login screen fallback
In-Reply-To: <886a1380-8a9f-cdfb-1382-6bfb8cd82791@familie-krallmann.de>
References: <886a1380-8a9f-cdfb-1382-6bfb8cd82791@familie-krallmann.de>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C2BAF5E@EX10MBOX03.pnnl.gov>

It's unfortunately part of the SPNEGO protocol:
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_spnego.html

The server responds with a 401 and then the browser tries authenticating with Kerberos. The server has no idea if the client trusts it for Kerberos or not until after the 401, and then a negotiation is started.

The best bet would be to somehow configure it as one possible login button that a user could choose.
Thanks,
Kevin
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Janik [janik-keycloak at familie-krallmann.de]
Sent: Thursday, February 28, 2019 11:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authentication with Kerberos and login screen fallback

Hello guys,

I have a web application where I'd like to use Keycloak for authentication. If possible the user should log in via Kerberos. If not, use the login screen.

On my computer I have a valid Kerberos ticket and the login works fine. If I try to log in, for example, from another device I always get the error code 401. I expected to get the login screen instead. If I configure the trusted-uris on this device the login screen appears.

I successfully configured an LDAP User Federation provider with Kerberos integration. I used these instructions (https://www.keycloak.org/docs/2.5/server_admin/topics/authentication/kerberos.html) to create the authentication flows.

Is it possible to use Kerberos authentication from known devices and use the login screen from unknown devices where I can't configure trusted-uris? One example could be my mobile phone where I'm not able to configure something.

Thanks in advance.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From khaendel at ehotel.de Tue Feb 19 12:19:58 2019
From: khaendel at ehotel.de (Ken Haendel)
Date: Tue, 19 Feb 2019 17:19:58 -0000
Subject: [keycloak-user] Tomcat session timeout using spring-security adapter
Message-ID: <4279da27-457b-e231-d7bd-889027f11684@ehotel.de>

Hello Keycloak users,

I want to secure a web app using Tomcat and the spring-security adapter. Since the token timeout values are configured in Keycloak,

1. to which value should I set the Tomcat session timeout so as not to interfere with the Keycloak token timeouts?
Currently my settings in web.xml are:

    <session-config>
        <session-timeout>-1</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

and

2. is there a disadvantage to using indefinite sessions?

Thank you in advance and kind regards,
Ken
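The token-exchange thread earlier in this digest shows the exchanged token gaining audiences and roles the caller never held, where a downgrade was expected. As an added example, not code from the thread or from Keycloak, the following Python flattens both payloads into grant tags and lists every grant that widened or was not dropped; the two payload dicts are constructed from the tokens Alexey posted (trimmed to the relevant claims) and `svc-2` is assumed to be the intended target of the exchange.

```python
"""Added example (not from the thread or from Keycloak): flatten the grants in a
caller's access token and in the token returned by token exchange, then report
every grant that widened where the thread expected a downgrade. Only decode JWT
payloads after verifying their signatures; the dicts below are constructed."""
from typing import Set

# Constructed from the thread: token jsp-web-app used to call facade-svc.
ORIGINAL = {
    "aud": ["facade-svc", "docs-svc"],
    "azp": "jsp-web-app",
    "resource_access": {"facade-svc": {"roles": ["user"]},
                        "docs-svc": {"roles": ["user"]}},
    "scope": "openid profile email",
}

# Constructed from the thread: token facade-svc held after the exchange.
EXCHANGED = {
    "aud": ["facade-svc", "docs-svc", "account", "svc-2"],
    "azp": "facade-svc",
    "realm_access": {"roles": ["offline_access", "uma_authorization", "user"]},
    "resource_access": {
        "facade-svc": {"roles": ["user"]},
        "docs-svc": {"roles": ["user"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
        "svc-2": {"roles": ["user"]},
    },
    "scope": "openid profile email",
}

def _as_set(value) -> Set[str]:
    """'aud' may be a string or a list; 'scope' is a space-separated string."""
    if value is None:
        return set()
    return set(value.split()) if isinstance(value, str) else set(value)

def grants(token: dict) -> Set[str]:
    """Every audience, scope, realm role and client role as a 'kind:value' tag."""
    tags = {f"aud:{a}" for a in _as_set(token.get("aud"))}
    tags |= {f"scope:{s}" for s in _as_set(token.get("scope"))}
    tags |= {f"realm_role:{r}" for r in token.get("realm_access", {}).get("roles", [])}
    for client, entry in token.get("resource_access", {}).items():
        tags |= {f"client_role:{client}:{r}" for r in entry.get("roles", [])}
    return tags

def exchange_violations(original: dict, exchanged: dict, target: str) -> Set[str]:
    """Grants breaking the 'an exchange only narrows' expectation: anything the
    caller never held except the target audience and the user's roles on the
    target, plus audiences other than the target that should have been dropped."""
    allowed_new = {f"aud:{target}"} | {
        t for t in grants(exchanged) if t.startswith(f"client_role:{target}:")}
    widened = grants(exchanged) - grants(original) - allowed_new
    stale_aud = {f"aud:{a}" for a in _as_set(exchanged.get("aud")) if a != target}
    return widened | stale_aud

if __name__ == "__main__":
    for tag in sorted(exchange_violations(ORIGINAL, EXCHANGED, "svc-2")):
        print("exchanged token widened or kept:", tag)
```

The same check is what svc-2 itself should apply at the door: reject any token whose `aud` does not name it, regardless of what the exchange produced.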