From uo67113 at gmail.com  Tue Jan  1 06:42:56 2019
From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=)
Date: Tue, 1 Jan 2019 12:42:56 +0100
Subject: [keycloak-user] SSL connection to Keycloak Server
In-Reply-To: <CAE5MKW95S_DND-xo-o7rDwZSoLX3GkHkC4YSrvfFm7qb8e9kGw@mail.gmail.com>
References: <CAE5MKW95S_DND-xo-o7rDwZSoLX3GkHkC4YSrvfFm7qb8e9kGw@mail.gmail.com>
Message-ID: <CACp70Mm8vtpfbyP0tb9VmjQuNDq_mpZoY1rJDHNP7YXMn6tWxA@mail.gmail.com>

Hello Kunal,

Both sides, keycloak server and application need SSL.

The SSL configuration depends on your setup. May I ask you to provide more
details about it?

Cheers,

Luis









El jue., 27 dic. 2018 a las 12:25, Kunal Kumar (<wolfbro92 at gmail.com>)
escribi?:

> Hi guys,
>
> I have 5 web apps that use Keycloak for authentication. But none of them
> are using SSL yet. How is the practice done? Do i need to set SSL on the
> Keycloak server for the Keycloak authentication page to have the secured
> lock symbol? Or is setting SSL to my web apps enough?
> I am not very clear about Keycloak and its SSL implementation, I hope
> someone can help explain to me.
>
> Regards,
> Kunal
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From david_christian.herrmann at daimler.com  Wed Jan  2 04:25:24 2019
From: david_christian.herrmann at daimler.com (david_christian.herrmann at daimler.com)
Date: Wed, 02 Jan 2019 09:25:24 +0000
Subject: [keycloak-user] Cross Realm authorization
In-Reply-To: <1545908863.4245.1.camel@acutus.pro>
References: <e1769d883ecf4963931cf3f6100685d0@DE36S004EXC0R.wp.corpintra.net>
	<1545019731.12250.12.camel@acutus.pro>
	<26fbf1d833364509a912caf8aa5a2e04@DE36S004EXC0R.wp.corpintra.net>
	<18fdc6499b1140678e5ef2a73aa2338d@DE36S004EXC0R.wp.corpintra.net>
	<1545095418.13723.1.camel@acutus.pro>
	<60c6b91504684c73920c4432b85a1af7@DE36S004EXC0R.wp.corpintra.net>
	<7e3e119126e5493a93cb57cd51902e3d@DE36S004EXC0R.wp.corpintra.net>
	<1545908863.4245.1.camel@acutus.pro>
Message-ID: <b7b1670c54b744d385414cbd78701314@DE36S004EXC0R.wp.corpintra.net>

Hi Dmitry,

I set the realm in session to the issuer in the access token and then it works. Thanks!

Hope you had a pleasant Christmas and a good start in the new year. : )

Mit freundlichen Gr??en / With kind regards

David Herrmann
RD/UIA
Team Rising Stars


Daimler AG
HPC G464
70546 Stuttgart
Mobil: +49 176 309 369 87

What3Words Address:
entfalten.j?ngste.nehmen
choppy.impact.moisture
E-Mail: david_christian.herrmann at daimler.com


Daimler AG
Sitz und Registergericht / Domicile and Court of Registry: Stuttgart; HRB-Nr. / Commercial Register No. 19360
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
Vorstand / Board of Management: Dieter Zetsche (Vorsitzender / Chairman),
Wolfgang Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber

-----Urspr?ngliche Nachricht-----
Von: Dmitry Telegin [mailto:dt at acutus.pro]
Gesendet: Donnerstag, 27. Dezember 2018 12:08
An: Herrmann, David Christian (059) <david_christian.herrmann at daimler.com>; keycloak-user at lists.jboss.org
Cc: fabian.loewner at freiheit.com; Scheuermann, Marco (059) <marco.scheuermann at daimler.com>
Betreff: Re: AW: [keycloak-user] Cross Realm authorization

Hello David,

Thanks a lot for your extensive research! Indeed, in recent Keycloak the internal authentication logic has changed. Particularly, session.context.realm has to be set to user's realm in order for authentication to succeed. As a consequence, custom REST resources can no longer rely on session.getContext().getRealm() for realm resolution.

I've updated BeerCloak in GitHub, so please test it and let me know of the results. As the next major update (hopefully January) I'm planning to make the code more aligned to what we have in Keycloak (particularly org.keycloak.services.resources.admin.AdminRoot) and maybe implement fine-grained permissions.

Merry Christmas and a Happy New Year to you and all the Keycloakers :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-12-19 at 10:57 +0000, david_christian.herrmann at daimler.com wrote:
> Hi Dmitry,
>
> I setup remote debugging for Keycloak and had a look what happens in Keycloak 4.8.0 Final.
>
> authenticateBearerToken(session, realm) (or to be more precise verifyIdentiyToken( ....)) returns null in my testing because:
>
> -  at
> https://github.com/keycloak/keycloak/blob/master/services/src/main/jav
> a/org/keycloak/services/managers/AuthenticationManager.java  :1153
> there is an exception in verifier(kid)
>
> - this happens because in
> https://github.com/keycloak/keycloak/blob/master/services/src/main/jav
> a/org/keycloak/keys/DefaultKeyManager.java  :106 the first part of the
> if-statement in method getKey(RealmModel realm, String kid, KeyUse
> use, String algorithm) does not become true
>
> - I think this happens because here getKey(...) is called with session.getContext().getRealm() --> The realm from the session --> The realm where the requested resource is. But kid is taken from token which is created for the realm where the technical user is.
>         - Call to getKey() is in
> https://github.com/keycloak/keycloak/blob/master/services/src/main/jav
> a/org/keycloak/crypto/ServerAsymmetricSignatureVerifierContext.java
> :29
>         - kid is taken in
> https://github.com/keycloak/keycloak/blob/master/services/src/main/jav
> a/org/keycloak/services/managers/AuthenticationManager.java :1145-1150
>
> I hope this information is useful for you.
>
> Mit freundlichen Gr??en / With kind regards David HerrmannRD/UIA Team
> Rising Stars Daimler AG HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> entfalten.j?ngste.nehmen
> choppy.impact.moistureE-Mail: david_christian.herrmann at daimler.com
>
>
> Daimler AG
> Sitz und Registergericht / Domicile and Court of Registry: Stuttgart;
> HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats
> / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board
> of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang
> Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta
> Seeger, Hubertus Troska, Bodo Uebber
>
>
> -----Urspr?ngliche Nachricht-----
> > Von: keycloak-user-bounces at lists.jboss.org
> > [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von
> > david_christian.herrmann at daimler.com
> Gesendet: Mittwoch, 19. Dezember 2018 08:24
> > An: dt at acutus.pro; keycloak-user at lists.jboss.org
> Betreff: Re: [keycloak-user] Cross Realm authorization
>
> Hi Dmitry,
>
> in the meanwhile I tested with Keycloak 3.4.3 Final. Here I do not have the problem with the unauthorized.
>
> Mit freundlichen Gr??en / With kind regards
>
> David Herrmann
> RD/UIA
> Team Rising Stars
>
>
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> entfalten.j?ngste.nehmen
> choppy.impact.moisture
> E-Mail: david_christian.herrmann at daimler.com
>
>
> Daimler AG
> Sitz und Registergericht / Domicile and Court of Registry: Stuttgart;
> HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats
> / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board
> of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang
> Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta
> Seeger, Hubertus Troska, Bodo Uebber
>
> -----Urspr?ngliche Nachricht-----
> Von: Herrmann, David Christian (059)
> Gesendet: Dienstag, 18. Dezember 2018 09:24
> > An: 'Dmitry Telegin' <dt at acutus.pro>; keycloak-user at lists.jboss.org
> Betreff: AW: AW: [keycloak-user] Cross Realm authorization
>
> Hi Dmitry,
>
> I used Keycloak 4.5.0.Final to test the implementation.
>
> Mit freundlichen Gr??en / With kind regards
>
> David Herrmann
> RD/UIA
> Team Rising Stars
>
>
> Daimler AG
> HPC G464
> 70546 Stuttgart
> Mobil: +49 176 309 369 87
>
> What3Words Address:
> entfalten.j?ngste.nehmen
> choppy.impact.moisture
> E-Mail: david_christian.herrmann at daimler.com
>
>
> Daimler AG
> Sitz und Registergericht / Domicile and Court of Registry: Stuttgart;
> HRB-Nr. / Commercial Register No. 19360 Vorsitzender des Aufsichtsrats
> / Chairman of the Supervisory Board: Manfred Bischoff Vorstand / Board
> of Management: Dieter Zetsche (Vorsitzender / Chairman), Wolfgang
> Bernhard, Renata Jungo Br?ngger, Ola K?llenius, Wilfried Porth, Britta
> Seeger, Hubertus Troska, Bodo Uebber
>
>
> -----Urspr?ngliche Nachricht-----
> > Von: Dmitry Telegin [mailto:dt at acutus.pro]
> Gesendet: Dienstag, 18. Dezember 2018 02:10
> An: Herrmann, David Christian (059)
> <david_christian.herrmann at daimler.com>; keycloak-user at lists.jboss.org
> Betreff: Re: AW: [keycloak-user] Cross Realm authorization
>
> David,
>
> Which version of Keycloak are you using?
>
> The authorization subsystem undergoes changes from release to release, so I'm going to double check the BeerCloak works with the recent Keycloak versions and update it if necessary.
>
> Cheers,
> Dmitry
>
> On Mon, 2018-12-17 at 13:09 +0000, david_christian.herrmann at daimler.com wrote:
> > Hi Dmitry,
> >
> > I implemented it based on beercloak.
> >
> > Here in AbstractAdminRessource.java:
> > AuthenticationManager.AuthResult authResult =
> > authManager.authenticateBearerToken(session, realm);
> >
> > if (authResult == null) {
> >     throw new NotAuthorizedException("Bearer"); }
> >
> > Still results in Unauthorized.
> >
> > I tried it with an user in master realm, that has "view-users" for the user realm and an admin user from the master realm. Both resulted in an 401 at the mentioned code point.
> >
> > The realm is set to master realm and the session seems to be injected ... Any ideas?
> >
> > Mit freundlichen Gr??en / With kind regards
> >
> > David Herrmann
> > RD/UIA
> > Team Rising Stars
> >
> >
> > Daimler AG
> > HPC G464
> > 70546 Stuttgart
> > Mobil: +49 176 309 369 87
> >
> > What3Words Address:
> > entfalten.j?ngste.nehmen
> > choppy.impact.moisture
> > E-Mail: david_christian.herrmann at daimler.com
> >
> >
> > Daimler AG
> > Sitz und Registergericht / Domicile and Court of Registry:
> > Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender des
> > Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
> > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender /
> > Chairman), Wolfgang Bernhard, Renata Jungo Br?ngger, Ola K?llenius,
> > Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber
> >
> >
> > -----Urspr?ngliche Nachricht-----
> > > Von: keycloak-user-bounces at lists.jboss.org
> > > > [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von
> > > david_christian.herrmann at daimler.com
> > Gesendet: Montag, 17. Dezember 2018 08:29
> > > > An: dt at acutus.pro; keycloak-user at lists.jboss.org
> > Betreff: Re: [keycloak-user] Cross Realm authorization
> >
> > Hi Dmitry,
> >
> > thanks for your answer and the link to your project! I will try this out.
> >
> > Mit freundlichen Gr??en / With kind regards
> >
> > David Herrmann
> > RD/UIA
> > Team Rising Stars
> >
> >
> > Daimler AG
> > HPC G464
> > 70546 Stuttgart
> > Mobil: +49 176 309 369 87
> >
> > What3Words Address:
> > entfalten.j?ngste.nehmen
> > choppy.impact.moisture
> > E-Mail: david_christian.herrmann at daimler.com
> >
> >
> > Daimler AG
> > Sitz und Registergericht / Domicile and Court of Registry:
> > Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender des
> > Aufsichtsrats / Chairman of the Supervisory Board: Manfred Bischoff
> > Vorstand / Board of Management: Dieter Zetsche (Vorsitzender /
> > Chairman), Wolfgang Bernhard, Renata Jungo Br?ngger, Ola K?llenius,
> > Wilfried Porth, Britta Seeger, Hubertus Troska, Bodo Uebber
> >
> >
> > -----Urspr?ngliche Nachricht-----
> > > > Von: Dmitry Telegin [mailto:dt at acutus.pro]
> > Gesendet: Montag, 17. Dezember 2018 05:09
> > An: Herrmann, David Christian (059)
> > > <david_christian.herrmann at daimler.com>;
> > > keycloak-user at lists.jboss.org
> > Betreff: Re: [keycloak-user] Cross Realm authorization
> >
> > Hello David,
> >
> > Please take a look at how it is done in BeerCloak:
> > https://github.com/dteleguin/beercloak/tree/master/beercloak-module/
> > sr
> > c/main/java/beercloak/resources
> >
> > All the heavy lifting is done in AbstractAdminResource, and you can use it in your project verbatim (you should only provide your own AdminAuth implementation). The whole purpose of this is to allow master realm users to administer objects in non-master realms.
> >
> > (Some musings: I dream of having AdminRealmResourceProvider with all
> > that stuff OOTB; the idea has been around for years, but I'm afraid
> > we won't have it in Keycloak anytime soon. Luckily, this can be done
> > at a low price of introducing some boilerplate code into your
> > project.)
> >
> > Good luck,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Fri, 2018-12-14 at 07:32 +0000, david_christian.herrmann at daimler.com wrote:
> > > Hello,
> > >
> > > we implemented a custom REST endpoint using RealmResourceProvider to search for users by their attributes. We then secured the endpoint by using:
> > >
> > > AuthenticationManager.AuthResult authResult =
> > >       authManager.authenticateBearerToken(session);
> > >
> > > if (authResult == null) {
> > >    throw new NotAuthorizedException("Bearer token required"); }
> > >
> > > And
> > >
> > >
> > > if(!auth.hasClientRole(client,"view-users")){
> > >    throw new NotAuthorizedException("Necessary permission not
> > >available"); }
> > >
> > > We now have the problem, that we want to access the endpoint with technical users which are in the master realm to separate them from the real end-users.
> > >
> > > So the technical users get their access token from the master realm (which contains the necessary resource permissions for the user realm) and then access the endpoint in the user realm.
> > >
> > > Here
> > >
> > > AuthenticationManager.AuthResult authResult =
> > >       authManager.authenticateBearerToken(session);
> > >
> > > if (authResult == null) {
> > >    throw new NotAuthorizedException("Bearer token required"); }
> > >
> > > Always results in unauthorized.
> > >
> > > Looking at the code and testing I think with authenticateBearerToken() cross realm authentication is not possible. Correct? Do you have a suggestion how to achieve our goal?
> > >
> > > Mit freundlichen Gr??en / With kind regards
> > >
> > >
> > >
> > > David Herrmann
> > >
> > > RD/UIA
> > > Team Rising Stars
> > > [Computergenerierter Alternativtext: RDIU]
> > >
> > > Daimler AG
> > > HPC G464
> > > 70546 Stuttgart
> > > Mobil: +49 176 309 369 87
> > >
> > > What3Words Address:
> > > ellbogen.spr?che.anf?nge
> > >
> > > > E-Mail:
> > > > > david_christian.herrmann at daimler.com<mailto:david_christian.he
> > > > > rrma
> > > > nn
> > > > @daimler.com>
> > >
> > >
> > > Daimler AG
> > > Sitz und Registergericht / Domicile and Court of Registry:
> > > Stuttgart; HRB-Nr. / Commercial Register No. 19360 Vorsitzender
> > > des Aufsichtsrats / Chairman of the Supervisory Board: Manfred
> > > Bischoff Vorstand / Board of Management: Dieter Zetsche
> > > (Vorsitzender / Chairman), Wolfgang Bernhard, Renata Jungo
> > > Br?ngger, Ola K?llenius, Wilfried Porth, Britta Seeger, Hubertus
> > > Troska, Bodo Uebber
> > >
> > >
> > > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
> >
>
> If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
>

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.



From sthorger at redhat.com  Wed Jan  2 05:13:25 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Jan 2019 11:13:25 +0100
Subject: [keycloak-user] Keycloak 4.8.0.Final released
In-Reply-To: <CAHzT=q86VGa=2Q2XOnaswPiQ4dh7y==8PwvPyE4sCR5d1-8XKg@mail.gmail.com>
References: <CAJgngAeOAQMEO32P8aUfjX3rN1QovhcY0VMqcfQQU3N_M2c7+Q@mail.gmail.com>
	<CAHzT=q86VGa=2Q2XOnaswPiQ4dh7y==8PwvPyE4sCR5d1-8XKg@mail.gmail.com>
Message-ID: <CAJgngAfa9ZXcB2gXrKXWApjNxohVyUUvJrSHbJ8GNF8SY_LbcQ@mail.gmail.com>

In the past we didn't disable preview features (or make it obvious that
they where preview) in the Keycloak releases. In RH-SSO releases we did
make all these preview. To make it consistent and also to better
communicate with the community what may not be fully production ready we
decided to make it consistent.

Preview doesn't mean it is buggy, but rather that the feature may be
incomplete and may be drastically changed in the future (even completely
removed) and that there are no guarantees for a seamless upgrade between
releases if you use tech preview features.

On Mon, 17 Dec 2018 at 13:21, Geoffrey Cleaves <geoff at opticks.io> wrote:

> Thanks for the update. I see more and more features being labeled as tech
> preview and disabled by default. I guess that this means the features have
> bugs or negatively impact performance? Any further insight would be
> appreciated.
>
> On Mon, 17 Dec 2018 at 12:59, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> To download the release go to the Keycloak homepage
>> <http://www.keycloak.org/downloads>.
>>
>> For details on what is included in the release check out the Release notes
>> <https://www.keycloak.org/docs/latest/release_notes/index.html>
>>
>> The full list of resolved issues is available in JIRA
>> <
>> https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fixVersion%20%3D%204.8.0.Final
>> >
>> .
>>
>> Before you upgrade remember to backup your database and check the upgrade
>> guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
>> anything that may have changed.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
>
> Regards,
> Geoffrey Cleaves
>
>
>
>
>
>

From erlend at hamnaberg.net  Wed Jan  2 05:21:01 2019
From: erlend at hamnaberg.net (Erlend Hamnaberg)
Date: Wed, 2 Jan 2019 11:21:01 +0100
Subject: [keycloak-user] Keycloak logout API not working properly
In-Reply-To: <CAN2cN6cpfBX69jqCME47HEnEzLpWP2=L4QDAuPxOH_uk=hzdkg@mail.gmail.com>
References: <CAN2cN6cpfBX69jqCME47HEnEzLpWP2=L4QDAuPxOH_uk=hzdkg@mail.gmail.com>
Message-ID: <CAGuwm8W7rroRsynzswcKuRBjt8vsN9pZPZopR0XbBOTX7bobuw@mail.gmail.com>

You can't revoke access tokens. Make sure they have a sufficiently short
timeout.

/Erlend

On Mon, Dec 24, 2018 at 2:11 PM Shubham Akodiya <sakodiya at grepruby.com>
wrote:

> Hi,
>
> I'm using the log out API(
>
> https://localhost:8080/auth/realms/my-realm-name/protocol/openid-connect/logout
> )
> and sending all the required parameters i.r refresh_token, client_id and
> client_secret. The API working properly but the user can still able to use
> the access_token to access the APIs. How to revoke that access_token?
>
> Thanks,
> Shubham Akodiya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From francois.gourrier at libre-logic.fr  Wed Jan  2 05:57:47 2019
From: francois.gourrier at libre-logic.fr (=?utf-8?Q?Fran=C3=A7ois?= Gourrier)
Date: Wed, 2 Jan 2019 11:57:47 +0100 (CET)
Subject: [keycloak-user] account creation process with email verification :
 problem or normal behavior ?
Message-ID: <945022280.45531.1546426667402.JavaMail.zimbra@librelogic.fr>

hello to everyone and very happy new year, 

I am faced with the following problem: 

I want to enable email verification when creating an account 

I ticked the "default action" box for "Verify Email" in "authentication". 
the observed behavior is as follows: 
- when a user creates an account via a public form, he receives an email with a link with the following structure: 
HOST /realms/connect/login-actions/action-token? = XXXXXXclient_id = XXXX XXXX = & tab_id 
- when he clicks on the link, it is sent back to his account (HOST / realms / connect / account /) and is therefore connected 

That's not at all the behavior I was expecting 

Another scenario: 
- when a user creates an account, he receives an email with a link with the following structure: 
HOST /realms/connect/login-actions/action-token?Key = XXXXXXclient_id = XXXX XXXX = & tab_id 
- when he takes this link and the copy in another browser than the one used to create the account, it is sent to a page with the message "Confirm the validity of the email address XXXX" with a button "Click here" 
- if the user clicks on the button, the account is created and he has to authenticate to connect 

This second scenario is the one expected. 

Have I forgotten something in understanding the features? Obviously, a cookie is created and associated with the account during its creation which explains that it is already identified when it is returned to its account 

Thank you in advance for your lights. 

I'am using Keyclaok 4.5.0 


FGOURRIER 



	
	


From psilva at redhat.com  Wed Jan  2 08:22:07 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 2 Jan 2019 11:22:07 -0200
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To: <360F7E39-62E0-429B-A19A-A9432E69A274@sap.com>
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
	<CAHzT=q-jyuVAAafDru6_O9mtd=Oqp9FbJHBGW1sHqSKKg9-_dg@mail.gmail.com>
	<CAHzT=q_6EWeLvDnMhn_Wb72yWMBsAMFgEawhm8qxqjw6KzLaNw@mail.gmail.com>
	<13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>
	<CAHzT=q_9xV4jQYo-hN3PyaAZ_809-Lnkk4TPbiXMKUB-CTxYSw@mail.gmail.com>
	<360F7E39-62E0-429B-A19A-A9432E69A274@sap.com>
Message-ID: <CAJrcDBcNRtRhjZnBk-u=nt_BCJNab8MHCTDCG4BB6Gvpprj=6g@mail.gmail.com>

Hi Marco,

For user-managed resources and permissions, we are currently returning any
permission granted regardless the scopes being requested. What is causing
this unexpected response when using the "decision" permission mode.

To align the behaviour when not using UMA resources/permissions I've
changed the policy engine to only return the requested scopes, as you
pointed out.

Regarding docs, created https://issues.jboss.org/browse/KEYCLOAK-9186.

Regards.
Pedro Igor

On Thu, Dec 13, 2018 at 5:20 PM Lamina, Marco <marco.lamina at sap.com> wrote:

> I?ve used regular policies / permissions at first, but found that the way
> they are evaluated showed inconsistencies. Unfortunately, neither the
> documentation nor the community were able to give an explanation as to how
> the policy evaluation actually works. I switched to using only UMA
> policies, hoping that this would simplify things. This approach seemed to
> work fine at first, but the results are just as confusing and unpredictable
> as everything I?ve tried before.
>
> The documentation does a good job at explaining how to use Keycloak?s
> authorization services, but the evaluation engine seems to be a magic black
> box. It would be great to have a piece of documentation that explains in
> more detail how the evaluation results I see can be traced back to the
> permissions that I create in Keycloak.
>
>
> From: Geoffrey Cleaves <geoff at opticks.io>
> Date: Thursday, December 13, 2018 at 10:29 AM
> To: "Lamina, Marco" <marco.lamina at sap.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
> Perhaps it's a bug introduced in the release that came out a few days ago.
> Not that many people use it, and I get the impression that not many people
> use Uma policy evaluation.
>
> On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina at sap.com<mailto:
> marco.lamina at sap.com> wrote:
> Just to be 100% certain, I created a test resource with its own resource
> type and tried again. It shows the same behavior. Keycloak?s policy
> enforcement mode is set to ?enforcing?.
> I will create a ticket. However, if it ends up being a bug, wouldn?t that
> be a fairly substantial flaw in the policy evaluation engine that should be
> causing problems all over the place in Keycloak systems out there? I?m a
> bit puzzled.
>
>
> From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io>>
> Date: Wednesday, December 12, 2018 at 11:32 PM
> To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com>>
> Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:
> keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation
>
> Also, if you have a resource level permission which grants access, I think
> that includes all scopes, so look into that.
>
> On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io<mailto:
> geoff at opticks.io> wrote:
> From your description it sounds like a bug. I believe there's a setting
> where you instruct KC to enforce permissions or not and if you don't select
> enforce, the default is to grant permission. Make sure you've got the
> correct.
>
> You'll need to open a bug report on Jira with clear steps to reproduce the
> problem.
>
> On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com<mailto:
> marco.lamina at sap.com> wrote:
> Hi,
> I?m using the protection API to manage UMA policies for my Keycloak
> resources. However, I get false-positive results when requesting
> permissions for a resource via the token endpoint.
>
> Example:
> I have a resource with ID ?dataset-42? and two scopes ?view? and ?delete?.
> I create a UMA policy granting my user ?view? access to this resource. If I
> now call the token endpoint (as suggested in [1]) to obtain permissions for
> the ?delete? scope by setting:
>
> response_mode=permissions
> permission=dataset-42#delete
>
> , I get the following (confusing) result:
>
> [{
>         "scopes": ["view"],
>         "rsid": "dataset-42",
>         "rsname": "urn:atlas-api:resources:dataset:42"
>     }]
>
> When setting ?response_mode=decision?, I get:
>
> {
>     "result": true
> }
>
> There is no policy that gives my user access to the ?delete? scope
> anywhere, so shouldn?t I get a negative result here?
>
> Links:
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>
> Thanks,
> Marco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org  Wed Jan  2 08:34:07 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 2 Jan 2019 11:34:07 -0200
Subject: [keycloak-user] kcinit status
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
Message-ID: <20190102133407.GA22163@abstractj.org>

Hi Kevin, did you file Jiras for the bugs you mentioned? If not please
do, and also make sure to add all the details needed to reproduce the
issue.


On 2018-12-21, Fox, Kevin M wrote:
> Not much has happened with kcinit in a long time and it has a few outstanding bugs in the way of working for us. What is the status of the project?
> 
> Thanks,
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 

abstractj

From sthorger at redhat.com  Wed Jan  2 09:18:26 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Jan 2019 15:18:26 +0100
Subject: [keycloak-user] kcinit status
In-Reply-To: <20190102133407.GA22163@abstractj.org>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
	<20190102133407.GA22163@abstractj.org>
Message-ID: <CAJgngAcZQPNcGFE7UyquaYV84o16JPRHfSaQc+2SkkPkWOmjYA@mail.gmail.com>

kcinit is in a prototype stage and is not released or documented as it's
not ready for use. From our priorities lists it's doubtful that much will
happen with this tool this year.

On Wed, 2 Jan 2019 at 14:41, Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Kevin, did you file Jiras for the bugs you mentioned? If not please
> do, and also make sure to add all the details needed to reproduce the
> issue.
>
>
> On 2018-12-21, Fox, Kevin M wrote:
> > Not much has happened with kcinit in a long time and it has a few
> outstanding bugs in the way of working for us. What is the status of the
> project?
> >
> > Thanks,
> > Kevin
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Kevin.Fox at pnnl.gov  Wed Jan  2 12:19:00 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Wed, 2 Jan 2019 17:19:00 +0000
Subject: [keycloak-user] kcinit status
In-Reply-To: <CAJgngAcZQPNcGFE7UyquaYV84o16JPRHfSaQc+2SkkPkWOmjYA@mail.gmail.com>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
	<20190102133407.GA22163@abstractj.org>,
	<CAJgngAcZQPNcGFE7UyquaYV84o16JPRHfSaQc+2SkkPkWOmjYA@mail.gmail.com>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C26EB64@EX10MBOX03.pnnl.gov>

Yes I filed jira tickets. they have been sitting around for a while.

kcinit does seem quite important if you want to use keycloak for kubernetes authentication and want to support the command line. It is troubling to hear it is not going to be a focus for a year. Maybe its because openshift would use it in a slightly different way then vanilla k8s would. But since keycloak is trying to become part of the cncf, that would be an important thing to support I think. I am trying to use keycloak with a vanilla kubernetes and support both the cli and the web ui securely.

I might be willing to contribute to it too if that would help move things along. Its been unclear though that such contributions would be welcome?

Thanks,
Kevin

________________________________
From: Stian Thorgersen [sthorger at redhat.com]
Sent: Wednesday, January 02, 2019 6:18 AM
To: Bruno Oliveira
Cc: Fox, Kevin M; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] kcinit status

kcinit is in a prototype stage and is not released or documented as it's not ready for use. From our priorities lists it's doubtful that much will happen with this tool this year.

On Wed, 2 Jan 2019 at 14:41, Bruno Oliveira <bruno at abstractj.org<mailto:bruno at abstractj.org>> wrote:
Hi Kevin, did you file Jiras for the bugs you mentioned? If not please
do, and also make sure to add all the details needed to reproduce the
issue.


On 2018-12-21, Fox, Kevin M wrote:
> Not much has happened with kcinit in a long time and it has a few outstanding bugs in the way of working for us. What is the status of the project?
>
> Thanks,
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

From uabhstest2 at gmail.com  Wed Jan  2 12:20:48 2019
From: uabhstest2 at gmail.com (work test)
Date: Wed, 2 Jan 2019 11:20:48 -0600
Subject: [keycloak-user] Keycloak with ADFS
Message-ID: <CAKpYy-hOaJ_rk2gV8f3cLPc2W1gNbN8wZstJr8vG3ZcgijtyYg@mail.gmail.com>

Hi folks,

I set up my keycloak instance with ADFS using the article
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html

After configuring my confidential client application using oidc protocol, I
get to the login page and login using my ADFS credentials, but after login,
I get redirected back to the Keycloak login page and not to my application.
I don't see any errors even using the Chrome saml tools.
What am I missing?

My goal is to have several applications using the single signon realm
configured with ADFS and have Keycloak be the broker so that the
applications only have to deal with Oauth2 + OIDC and not the saml.

Thanks for your help.

Hskc

From marco.lamina at sap.com  Wed Jan  2 15:39:25 2019
From: marco.lamina at sap.com (Lamina, Marco)
Date: Wed, 2 Jan 2019 20:39:25 +0000
Subject: [keycloak-user] Incorrect UMA Policy Evaluation
In-Reply-To: <CAJrcDBcNRtRhjZnBk-u=nt_BCJNab8MHCTDCG4BB6Gvpprj=6g@mail.gmail.com>
References: <29412C74-5B6C-46B4-9E5F-220653EBFB2E@sap.com>
	<CAHzT=q-jyuVAAafDru6_O9mtd=Oqp9FbJHBGW1sHqSKKg9-_dg@mail.gmail.com>
	<CAHzT=q_6EWeLvDnMhn_Wb72yWMBsAMFgEawhm8qxqjw6KzLaNw@mail.gmail.com>
	<13D64F2F-4665-41ED-92DA-A744FBB4C8A8@sap.com>
	<CAHzT=q_9xV4jQYo-hN3PyaAZ_809-Lnkk4TPbiXMKUB-CTxYSw@mail.gmail.com>
	<360F7E39-62E0-429B-A19A-A9432E69A274@sap.com>
	<CAJrcDBcNRtRhjZnBk-u=nt_BCJNab8MHCTDCG4BB6Gvpprj=6g@mail.gmail.com>
Message-ID: <6303B0CC-C753-4A82-8C7F-22DEA9E3B50F@sap.com>

Awesome, thanks Pedro!


From: Pedro Igor Silva <psilva at redhat.com>
Date: Wednesday, January 2, 2019 at 5:23 AM
To: "Lamina, Marco" <marco.lamina at sap.com>
Cc: Geoffrey Cleaves <geoff at opticks.io>, keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Hi Marco,

For user-managed resources and permissions, we are currently returning any permission granted regardless the scopes being requested. What is causing this unexpected response when using the "decision" permission mode.

To align the behaviour when not using UMA resources/permissions I've changed the policy engine to only return the requested scopes, as you pointed out.

Regarding docs, created https://issues.jboss.org/browse/KEYCLOAK-9186.

Regards.
Pedro Igor

On Thu, Dec 13, 2018 at 5:20 PM Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
I?ve used regular policies / permissions at first, but found that the way they are evaluated showed inconsistencies. Unfortunately, neither the documentation nor the community were able to give an explanation as to how the policy evaluation actually works. I switched to using only UMA policies, hoping that this would simplify things. This approach seemed to work fine at first, but the results are just as confusing and unpredictable as everything I?ve tried before.

The documentation does a good job at explaining how to use Keycloak?s authorization services, but the evaluation engine seems to be a magic black box. It would be great to have a piece of documentation that explains in more detail how the evaluation results I see can be traced back to the permissions that I create in Keycloak.


From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io>>
Date: Thursday, December 13, 2018 at 10:29 AM
To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com>>
Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Perhaps it's a bug introduced in the release that came out a few days ago. Not that many people use it, and I get the impression that not many people use Uma policy evaluation.

On Thu, Dec 13, 2018, 18:36 Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
Just to be 100% certain, I created a test resource with its own resource type and tried again. It shows the same behavior. Keycloak?s policy enforcement mode is set to ?enforcing?.
I will create a ticket. However, if it ends up being a bug, wouldn?t that be a fairly substantial flaw in the policy evaluation engine that should be causing problems all over the place in Keycloak systems out there? I?m a bit puzzled.


From: Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io><mailto:geoff at opticks.io<mailto:geoff at opticks.io>>>
Date: Wednesday, December 12, 2018 at 11:32 PM
To: "Lamina, Marco" <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>>>
Cc: keycloak-user <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>>
Subject: Re: [keycloak-user] Incorrect UMA Policy Evaluation

Also, if you have a resource level permission which grants access, I think that includes all scopes, so look into that.

On Thu, Dec 13, 2018, 08:29 Geoffrey Cleaves <geoff at opticks.io<mailto:geoff at opticks.io><mailto:geoff at opticks.io<mailto:geoff at opticks.io>> wrote:
From your description it sounds like a bug. I believe there's a setting where you instruct KC to enforce permissions or not and if you don't select enforce, the default is to grant permission. Make sure you've got the correct.

You'll need to open a bug report on Jira with clear steps to reproduce the problem.

On Thu, Dec 13, 2018, 01:26 Lamina, Marco <marco.lamina at sap.com<mailto:marco.lamina at sap.com><mailto:marco.lamina at sap.com<mailto:marco.lamina at sap.com>> wrote:
Hi,
I?m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint.

Example:
I have a resource with ID ?dataset-42? and two scopes ?view? and ?delete?. I create a UMA policy granting my user ?view? access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the ?delete? scope by setting:

response_mode=permissions
permission=dataset-42#delete

, I get the following (confusing) result:

[{
        "scopes": ["view"],
        "rsid": "dataset-42",
        "rsname": "urn:atlas-api:resources:dataset:42"
    }]

When setting ?response_mode=decision?, I get:

{
    "result": true
}

There is no policy that gives my user access to the ?delete? scope anywhere, so shouldn?t I get a negative result here?

Links:
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

Thanks,
Marco

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ntle at castortech.com  Wed Jan  2 16:05:08 2019
From: ntle at castortech.com (Nhut Thai Le)
Date: Wed, 2 Jan 2019 16:05:08 -0500
Subject: [keycloak-user] Keycloak Admin Client: Unrecognized field
	"access_token"
Message-ID: <CAJVRZt9wGhH_mPgcWsFr6jwSJQDEXJdG0poq18Mf_vkrKotZAQ@mail.gmail.com>

Hello,

I'm using keycloak admin-client 4.6.0.Final to manage keycloak server. I'm
getting this error when trying to remove a session:

javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException: java.io.IOException:
java.security.PrivilegedActionException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])

Here is my code (similar to
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java
)
SSLContext ssl = null;
File trustore = new File("pathToKS.keystore");
ssl = getSSLContextWithTrustore(trustore, "ksPassword");
System.setProperty("javax.net.ssl.trustStore", trustore.getAbsolutePath());

ResteasyJackson2Provider jacksonProvider = null;
jacksonProvider = new ResteasyJackson2Provider() {};
ObjectMapper objectMapper = new ObjectMapper();
jacksonProvider.setMapper(objectMapper);

Keycloak connection = Keycloak.getInstance("https://kc.com:8543/auth",
"master", "admin", "admin", "admin-cli", null, ssl, jacksonProvider);
RealmResource realm = connection.realm(realmName);
realm.deleteSession(kcSessionId);

I did some search on google and mostly found that the issue is related to
resteasy-jackson-provider being used instead of resteasy-jackson2-provider
but as you can see from my code, i'm already using
resteasy-jackson2-provider so i'm not sure what else could cause this. Here
is the full stacktrace:
javax.ws.rs.WebApplicationException: Cannot logout user wuth session
cede2747-424c-405f-a4a2-c4d804ef5883
at
com.castortech.util.keycloak.KeycloakAdminBroker.lambda$129(KeycloakAdminBroker.java:3729)
at
com.castortech.util.keycloak.KeycloakAdminBroker.ensureCL(KeycloakAdminBroker.java:3136)
at
com.castortech.util.keycloak.KeycloakAdminBroker.logout(KeycloakAdminBroker.java:3732)
at
com.castortech.iris.ba.webviewer.richlet.AppRichletHelper.service(AppRichletHelper.java:137)
at
com.castortech.iris.ba.webviewer.richlet.AppRichlet.service(AppRichlet.java:13)
at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage0(UiEngineImpl.java:514)
at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage(UiEngineImpl.java:365)
at
org.zkoss.zk.ui.http.DHtmlLayoutServlet.process(DHtmlLayoutServlet.java:205)
at
org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:140)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
com.castortech.iris.ba.webviewer.internal.ZkLayoutServlet.lambda$1(ZkLayoutServlet.java:59)
at
com.castortech.util.threading.ThreadingUtils.runWithContextClassLoader(ThreadingUtils.java:72)
at
com.castortech.iris.ba.webviewer.internal.ZkLayoutServlet.service(ZkLayoutServlet.java:58)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:857)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
at
com.castortech.iris.ba.webviewer.servletfilter.HeadersFilter.doFilter(HeadersFilter.java:67)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at
com.castortech.iris.ba.web.filters.KeycloakSessionFilter.doFilter(KeycloakSessionFilter.java:78)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at
org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:206)
at
com.castortech.iris.ba.web.filters.AuthenticationFilterForWebViewer.doFilter(AuthenticationFilterForWebViewer.java:61)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
at
org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
at
org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:293)
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at
org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:503)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
at
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException: java.io.IOException:
java.security.PrivilegedActionException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:150)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy46.grantToken(Unknown Source)
at
org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
at
org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
at
org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
at
org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.filterRequest(ClientInvocation.java:587)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invokeSync(ClientInvoker.java:148)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:112)
at
org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
at com.sun.proxy.$Proxy51.deleteSession(Unknown Source)
at
com.castortech.util.keycloak.KeycloakAdminBroker.lambda$129(KeycloakAdminBroker.java:3724)
... 58 more
Caused by: javax.ws.rs.ProcessingException: java.io.IOException:
java.security.PrivilegedActionException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
at
org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:368)
at
org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:261)
at
org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:231)
at
org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120)
... 74 more
Caused by: java.io.IOException: java.security.PrivilegedActionException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:145)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
at
org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:334)
... 77 more
Caused by: java.security.PrivilegedActionException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
at java.security.AccessController.doPrivileged(Native Method)
at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:137)
... 80 more
Caused by:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access_token" (class
org.keycloak.representations.AccessTokenResponse), not marked as ignorable
(10 known properties: "tokenType", "notBeforePolicy", "otherClaims",
"token", "sessionState", "refreshExpiresIn", "scope", "expiresIn",
"refreshToken", "idToken"])
 at [Source:
(org.jboss.resteasy.client.jaxrs.internal.ClientResponse$InputStreamWrapper);
line: 1, column: 18] (through reference chain:
org.keycloak.representations.AccessTokenResponse["access_token"])
at
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
at
com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:822)
at
com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:1152)
at
com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1582)
at
com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1560)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:294)
at
com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:151)
at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1574)
at
com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:965)
at
org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider$1.run(ResteasyJackson2Provider.java:140)
... 82 more

Hope to get some hint.

Thai Le

From keycloak-user at mattevans.email  Wed Jan  2 19:26:12 2019
From: keycloak-user at mattevans.email (Matt Evans)
Date: Thu, 3 Jan 2019 11:26:12 +1100
Subject: [keycloak-user] Version endpoint removal
Message-ID: <CAEBpjQZ0LJT7ikxOFjH9hzQJ1oOUbqC5gNeK8Ar83sVQsiYtvA@mail.gmail.com>

Hi

I was wondering why the /auth/version endpoint was removed in 4.0.0?

Thanks

Matt

From hariprasad.n at ramyamlab.com  Thu Jan  3 01:53:10 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Thu, 3 Jan 2019 12:23:10 +0530
Subject: [keycloak-user] Authorization in Angular
Message-ID: <CAAx=Gt9mNPvZS2sLrM3x62xw0LrtkYoEnWkK-vUWNf_u+FB8nQ@mail.gmail.com>

Hi All,

I am using keycloak-angular to integrate our Angular App to keycloak.
Authentication is working fine but authorization not working with angular.
Authorization working fine with spring boot and normal java webapps.
Please help to resolve authorization problem with angular.


Regards
Hari Prasad N

-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From hariprasad.n at ramyamlab.com  Thu Jan  3 07:38:43 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Thu, 3 Jan 2019 18:08:43 +0530
Subject: [keycloak-user] Get Authorization Permissions with Bearer Token
Message-ID: <CAAx=Gt-Topi4C+vhptXRp-dyo_kK48sy=D=8RhqsfJ8Y0hK7pQ@mail.gmail.com>

Hi All,

I have a client with authorization enabled. I am able to get Bearer token.
My requirement is how can i get all authorization permissions with Java or
JS or Angular.
Is there any endpoint to get authorization permissions with  Bearer token.


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From hariprasad.n at ramyamlab.com  Thu Jan  3 07:43:38 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Thu, 3 Jan 2019 18:13:38 +0530
Subject: [keycloak-user] Realm Custom Attributes
Message-ID: <CAAx=Gt-8tba_ErJ5qjW6KWxUW78ARLkPDBFMC-1H+WSogSRFKA@mail.gmail.com>

Hi All,

Can we add realm level custom attributes.

-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From Chris.Brandhorst at topicus.nl  Thu Jan  3 09:35:35 2019
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Thu, 3 Jan 2019 14:35:35 +0000
Subject: [keycloak-user] Java 11 (Docker container base)
Message-ID: <A2769845-42BF-4E72-B253-B4156519FD63@topicus.nl>

Sebastian,

The link [1] only shows support on RHEL and Windows environments. Do you mean to say the 2023 date is also valid for OpenJDK running in the Docker-version of Keycloak, regardless of underlying architecture?

[1] https://access.redhat.com/articles/1299013

Chris

> >From the support perspective, Red Hat offers extended support till June
> 2023 [1].
> 
> Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess we
> still have plenty of time to do the switch, so I wouldn't rush things too
> much.
> 
> BTW, why do you need JDK11, especially in the container?
> 
> [1] https://access.redhat.com/articles/1299013
> 
>> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>> 
>> Sorry, end of january (my fault):
>> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java
>> and OpenJDK will most probably start to diverge, as OpenJDK will not have
>> access to Oracle repos (afaik). So the speed of security fixes will depend
>> on willigness of community to fix the upcomming issues.
>> 
>> Pavel
>> 
>> 
>> From: Meissa M'baye Sakho <msakho at redhat.com>
>> Sent: Tuesday, October 23, 2018 11:04 AM
>> To: Pavel Micka <Pavel.Micka at zoomint.com>
>> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>> 
>> Hello,
>> Pavel, where did you get the information that the official Java 8 support
>> will cease at the end of december?
>> https://access.redhat.com/articles/1299013
>> https://www.oracle.com/technetwork/java/javase/eol-135779.html
>> Meissa
>> 
>> Le lun. 22 oct. 2018 ? 16:33, Pavel Micka <Pavel.Micka at zoomint.com<mailto:
>> Pavel.Micka at zoomint.com>> a ?crit :
>> Hello everyone,
>> 
>> What is the plan for Java 11 support? The point is that current versions
>> of Docker containers are based on OpenJDK 8, but the official Java 8
>> support will cease at the end of December. Will Keycloak use Java 11 by
>> that time or will it rely on updates provided by the community.
>> 
>> This is important to us, as Keycloak is important part of our app security.
>> 
>> Thanks,
>> 
>> Pavel
>> 
>> // I have found this ticket in Jira, but it does not provide too many
>> details: https://issues.jboss.org/browse/KEYCLOAK-7811
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user



From sthorger at redhat.com  Thu Jan  3 10:51:24 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Jan 2019 16:51:24 +0100
Subject: [keycloak-user] Java 11 (Docker container base)
In-Reply-To: <A2769845-42BF-4E72-B253-B4156519FD63@topicus.nl>
References: <A2769845-42BF-4E72-B253-B4156519FD63@topicus.nl>
Message-ID: <CAJgngAe5906K8-EjaFT4S=58xLaCvMOw8OAoJge-3W5rQe1Bhw@mail.gmail.com>

Keycloak server is only tested and supported on JDK8 today, we are planning
to move to JDK11 soon. That will probably be shortly after we upgrade to
WildFly 15. I can't say exactly when, but it will be relatively soon.

On Thu, 3 Jan 2019 at 15:38, Chris Brandhorst <Chris.Brandhorst at topicus.nl>
wrote:

> Sebastian,
>
> The link [1] only shows support on RHEL and Windows environments. Do you
> mean to say the 2023 date is also valid for OpenJDK running in the
> Docker-version of Keycloak, regardless of underlying architecture?
>
> [1] https://access.redhat.com/articles/1299013
>
> Chris
>
> > >From the support perspective, Red Hat offers extended support till June
> > 2023 [1].
> >
> > Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess
> we
> > still have plenty of time to do the switch, so I wouldn't rush things too
> > much.
> >
> > BTW, why do you need JDK11, especially in the container?
> >
> > [1] https://access.redhat.com/articles/1299013
> >
> >> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com>
> wrote:
> >>
> >> Sorry, end of january (my fault):
> >> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle
> Java
> >> and OpenJDK will most probably start to diverge, as OpenJDK will not
> have
> >> access to Oracle repos (afaik). So the speed of security fixes will
> depend
> >> on willigness of community to fix the upcomming issues.
> >>
> >> Pavel
> >>
> >>
> >> From: Meissa M'baye Sakho <msakho at redhat.com>
> >> Sent: Tuesday, October 23, 2018 11:04 AM
> >> To: Pavel Micka <Pavel.Micka at zoomint.com>
> >> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> >> Subject: Re: [keycloak-user] Java 11 (Docker container base)
> >>
> >> Hello,
> >> Pavel, where did you get the information that the official Java 8
> support
> >> will cease at the end of december?
> >> https://access.redhat.com/articles/1299013
> >> https://www.oracle.com/technetwork/java/javase/eol-135779.html
> >> Meissa
> >>
> >> Le lun. 22 oct. 2018 ? 16:33, Pavel Micka <Pavel.Micka at zoomint.com
> <mailto:
> >> Pavel.Micka at zoomint.com>> a ?crit :
> >> Hello everyone,
> >>
> >> What is the plan for Java 11 support? The point is that current versions
> >> of Docker containers are based on OpenJDK 8, but the official Java 8
> >> support will cease at the end of December. Will Keycloak use Java 11 by
> >> that time or will it rely on updates provided by the community.
> >>
> >> This is important to us, as Keycloak is important part of our app
> security.
> >>
> >> Thanks,
> >>
> >> Pavel
> >>
> >> // I have found this ticket in Jira, but it does not provide too many
> >> details: https://issues.jboss.org/browse/KEYCLOAK-7811
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org<mailto:keycloak-user at
> lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com  Thu Jan  3 10:57:58 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Jan 2019 16:57:58 +0100
Subject: [keycloak-user] kcinit status
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C26EB64@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
	<20190102133407.GA22163@abstractj.org>
	<CAJgngAcZQPNcGFE7UyquaYV84o16JPRHfSaQc+2SkkPkWOmjYA@mail.gmail.com>
	<1A3C52DFCD06494D8528644858247BF01C26EB64@EX10MBOX03.pnnl.gov>
Message-ID: <CAJgngAdzFzNMBpxbZ9fTwMrOVjBS3Ks6cekiCrSy-O7Lq=SF3g@mail.gmail.com>

It's not a priority due to it not being a useful tool, but rather other
higher priority tasks.

The engineer that developed the kcinit prototype has left the team and we
are now in a situation where no one knows it well. Further, there are
design issues in it that I'm not convinced about.

For it to become a supported tool there are at least a few things that
needs to be done:

* Remove Java based testing from keycloak/keycloak and add testing to Go
repo itself. As well as review test coverage
* Review design and consider if anything needs to change
  - Storage of tokens
  - How its used by multiple clients. I'm far from keen on it using token
exchange as it does today
* Review and resolve outstanding bugs
* Review code
* Documentation

Contributions would be more than welcome. Bug fixes including tests are
obvious candidates, design/functionality changes should be discussed on the
dev mailing list first ideally.


On Wed, 2 Jan 2019 at 18:19, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:

> Yes I filed jira tickets. they have been sitting around for a while.
>
> kcinit does seem quite important if you want to use keycloak for
> kubernetes authentication and want to support the command line. It is
> troubling to hear it is not going to be a focus for a year. Maybe its
> because openshift would use it in a slightly different way then vanilla k8s
> would. But since keycloak is trying to become part of the cncf, that would
> be an important thing to support I think. I am trying to use keycloak with
> a vanilla kubernetes and support both the cli and the web ui securely.
>
> I might be willing to contribute to it too if that would help move things
> along. Its been unclear though that such contributions would be welcome?
>
> Thanks,
> Kevin
>
> ------------------------------
> *From:* Stian Thorgersen [sthorger at redhat.com]
> *Sent:* Wednesday, January 02, 2019 6:18 AM
> *To:* Bruno Oliveira
> *Cc:* Fox, Kevin M; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] kcinit status
>
> kcinit is in a prototype stage and is not released or documented as it's
> not ready for use. From our priorities lists it's doubtful that much will
> happen with this tool this year.
>
> On Wed, 2 Jan 2019 at 14:41, Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> Hi Kevin, did you file Jiras for the bugs you mentioned? If not please
>> do, and also make sure to add all the details needed to reproduce the
>> issue.
>>
>>
>> On 2018-12-21, Fox, Kevin M wrote:
>> > Not much has happened with kcinit in a long time and it has a few
>> outstanding bugs in the way of working for us. What is the status of the
>> project?
>> >
>> > Thanks,
>> > Kevin
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>>
>> abstractj
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From sthorger at redhat.com  Thu Jan  3 10:58:26 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Jan 2019 16:58:26 +0100
Subject: [keycloak-user] kcinit status
In-Reply-To: <CAJgngAdzFzNMBpxbZ9fTwMrOVjBS3Ks6cekiCrSy-O7Lq=SF3g@mail.gmail.com>
References: <1A3C52DFCD06494D8528644858247BF01C26A178@EX10MBOX03.pnnl.gov>
	<20190102133407.GA22163@abstractj.org>
	<CAJgngAcZQPNcGFE7UyquaYV84o16JPRHfSaQc+2SkkPkWOmjYA@mail.gmail.com>
	<1A3C52DFCD06494D8528644858247BF01C26EB64@EX10MBOX03.pnnl.gov>
	<CAJgngAdzFzNMBpxbZ9fTwMrOVjBS3Ks6cekiCrSy-O7Lq=SF3g@mail.gmail.com>
Message-ID: <CAJgngAf1jC4J2Mk_wwZ6U-z8ANV=s8DJp9gJPZ79bSxnE2Vqhg@mail.gmail.com>

On Thu, 3 Jan 2019 at 16:57, Stian Thorgersen <sthorger at redhat.com> wrote:

> It's not a priority due to it not being a useful tool, but rather other
> higher priority tasks.
>

... not because it's not a useful tool...


>
> The engineer that developed the kcinit prototype has left the team and we
> are now in a situation where no one knows it well. Further, there are
> design issues in it that I'm not convinced about.
>
> For it to become a supported tool there are at least a few things that
> needs to be done:
>
> * Remove Java based testing from keycloak/keycloak and add testing to Go
> repo itself. As well as review test coverage
> * Review design and consider if anything needs to change
>   - Storage of tokens
>   - How its used by multiple clients. I'm far from keen on it using token
> exchange as it does today
> * Review and resolve outstanding bugs
> * Review code
> * Documentation
>
> Contributions would be more than welcome. Bug fixes including tests are
> obvious candidates, design/functionality changes should be discussed on the
> dev mailing list first ideally.
>
>
> On Wed, 2 Jan 2019 at 18:19, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
>
>> Yes I filed jira tickets. they have been sitting around for a while.
>>
>> kcinit does seem quite important if you want to use keycloak for
>> kubernetes authentication and want to support the command line. It is
>> troubling to hear it is not going to be a focus for a year. Maybe its
>> because openshift would use it in a slightly different way then vanilla k8s
>> would. But since keycloak is trying to become part of the cncf, that would
>> be an important thing to support I think. I am trying to use keycloak with
>> a vanilla kubernetes and support both the cli and the web ui securely.
>>
>> I might be willing to contribute to it too if that would help move things
>> along. Its been unclear though that such contributions would be welcome?
>>
>> Thanks,
>> Kevin
>>
>> ------------------------------
>> *From:* Stian Thorgersen [sthorger at redhat.com]
>> *Sent:* Wednesday, January 02, 2019 6:18 AM
>> *To:* Bruno Oliveira
>> *Cc:* Fox, Kevin M; keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] kcinit status
>>
>> kcinit is in a prototype stage and is not released or documented as it's
>> not ready for use. From our priorities lists it's doubtful that much will
>> happen with this tool this year.
>>
>> On Wed, 2 Jan 2019 at 14:41, Bruno Oliveira <bruno at abstractj.org> wrote:
>>
>>> Hi Kevin, did you file Jiras for the bugs you mentioned? If not please
>>> do, and also make sure to add all the details needed to reproduce the
>>> issue.
>>>
>>>
>>> On 2018-12-21, Fox, Kevin M wrote:
>>> > Not much has happened with kcinit in a long time and it has a few
>>> outstanding bugs in the way of working for us. What is the status of the
>>> project?
>>> >
>>> > Thanks,
>>> > Kevin
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>>
>>> abstractj
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From sthorger at redhat.com  Thu Jan  3 11:01:35 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Jan 2019 17:01:35 +0100
Subject: [keycloak-user] Version endpoint removal
In-Reply-To: <CAEBpjQZ0LJT7ikxOFjH9hzQJ1oOUbqC5gNeK8Ar83sVQsiYtvA@mail.gmail.com>
References: <CAEBpjQZ0LJT7ikxOFjH9hzQJ1oOUbqC5gNeK8Ar83sVQsiYtvA@mail.gmail.com>
Message-ID: <CAJgngAd0agJa_hWfUqieRETNw_qcW-0F5y2mWz6XpXu6C7DQ6g@mail.gmail.com>

It should never have been there in the first place. It is not good practice
to make the version of a software public available.

On Thu, 3 Jan 2019 at 01:30, Matt Evans <keycloak-user at mattevans.email>
wrote:

> Hi
>
> I was wondering why the /auth/version endpoint was removed in 4.0.0?
>
> Thanks
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From luca.stancapiano at vige.it  Thu Jan  3 11:15:05 2019
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Thu, 3 Jan 2019 17:15:05 +0100 (CET)
Subject: [keycloak-user] Filtered users according the logged role
In-Reply-To: <CAJgngAd0agJa_hWfUqieRETNw_qcW-0F5y2mWz6XpXu6C7DQ6g@mail.gmail.com>
References: <CAEBpjQZ0LJT7ikxOFjH9hzQJ1oOUbqC5gNeK8Ar83sVQsiYtvA@mail.gmail.com>
	<CAJgngAd0agJa_hWfUqieRETNw_qcW-0F5y2mWz6XpXu6C7DQ6g@mail.gmail.com>
Message-ID: <1318146878.512808.1546532105901@pim.register.it>

In a realm can I filter the list of users according to my role covered? I would like only a few users to come back from the search

From or at myobligo.com  Thu Jan  3 11:24:10 2019
From: or at myobligo.com (Or Harary)
Date: Thu, 3 Jan 2019 18:24:10 +0200
Subject: [keycloak-user] Can't request resource permissions by resource name
 by service account client and not user
Message-ID: <CAJ=iV3pyo-b+AXOAjWFvbRFt384xKER1t-RNSR6gLuRqD7v6Qw@mail.gmail.com>

Hey,

I'm using version 4.8.1 and i'm trying to check resource permissions on
another client with the token endpoint, by the resource name, with a
client's access token, and i'm getting "Resource with id [{resourceId}]
does not exist".

I have a service account client "foobarservice". I want this service
account client, to check his permissions on a "foobaresource" resource from
another client "otherservice".

myrealm
-- "foobarservice" Service Account Client
-- -- foobar resource (with always grant policy and permission)
-- "otherservice" Service Account Client

I did "client_credentials" login with the "foobarservice" and got an
access_token. With that token, I tried:

curl -X POST
http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token \
-H "Authorization: Bearer {foobarservice_access_token}" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"

And got 400 bad request with the not found error.

When i'm doing the same request with some user's token, it works well.

I looked into the code (my knowledge of JAVA is very basic) and it seems to
be because of this:
https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278f9ac1e163/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L421

Is this the expected behavior? or a bug? Because when I used version 3.4 it
did work

Thanks,
Or

From pulkitsrivastavajd at gmail.com  Thu Jan  3 13:29:07 2019
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Thu, 3 Jan 2019 23:59:07 +0530
Subject: [keycloak-user] Request parameter in idp url
Message-ID: <CAA-7KZ_0Z6KNRSmk_KCTrukq9587Ug9S-n4CBJpjQeZbWOjskg@mail.gmail.com>

Need your help for some issue.
I have configured an IDP in keycloak, i am sending a request parameter in
single sign on url field in IDP as:

url?ab=cd

Issue i am facing is sometimes keycloak appends this parameter to the
redirect url but sometimes it does not. Any idea as to why this is
happening?

Any help would be appreciated. Thanks in advance.

Thanks,
Pulkit

From alex.chatziparaskewas at trapezegroup.com  Fri Jan  4 01:22:44 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Fri, 4 Jan 2019 06:22:44 +0000
Subject: [keycloak-user] How to update a 'remember me' session?
Message-ID: <9177b8d05968423e9f5fc2daf72ac85c@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi All,

We are using the keycloak javascript adapter. In the same way as the token and refresh token can be updated gracefully in the background using its updateToken method, is there any means by which the same can be done to a 'remember me' session?

Thanks & Regards,
Alex



From hariprasad.n at ramyamlab.com  Fri Jan  4 01:30:55 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Fri, 4 Jan 2019 12:00:55 +0530
Subject: [keycloak-user] Authorization with javascript adapter
Message-ID: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>

Hi Alex Chatziparaskewas,

*i know you are using javascript adapter for authentication(for login), can
we use javascript adapter for authorization also like resource protection.*


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From alex.chatziparaskewas at trapezegroup.com  Fri Jan  4 01:48:09 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Fri, 4 Jan 2019 06:48:09 +0000
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
Message-ID: <32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi Hari,

On the server side the resources are protected by a keycloak gatekeeper proxy instance, e.g. our server (at this time) is unaware of security aspects. On the client side the login process goes past keycloak?s login and registration pages, i.e. the javascript adapter initialises, attempts authentication (redirects to login page if unsuccessful) and then does a periodic updateToken.

Thanks & Regards,
Alex



Hi Alex Chatziparaskewas,

i know you are using javascript adapter for authentication(for login), can we use javascript adapter for authorization also like resource protection.


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>

From hariprasad.n at ramyamlab.com  Fri Jan  4 02:06:01 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Fri, 4 Jan 2019 12:36:01 +0530
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
	<32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
Message-ID: <CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>

Hi Alex Chatziparaskewas,

Thanks for your reply.
I am not asking about authentication part, in am asking about authorization
part.
*For example i want to enable access for a URI(mypoject/test-resource**) to
users who have ROLE 'TEST' ,in the keycloak i can do that in Authorization
tab*
*of a myclient.*

That means when a user is logged in he can access URI '
*mypoject/test-resource*' only if he has ROLE 'TEST' other wise will be
given error saying access denied.

This settings working fine with backend applications like java
webapps/springboot apps, but not working with javascript/Angular apps. If
you know how to make it work or have sample project let me know.


On Fri, Jan 4, 2019 at 12:18 PM Alex Chatziparaskewas <
alex.chatziparaskewas at trapezegroup.com> wrote:

> Hi Hari,
>
>
>
> On the server side the resources are protected by a keycloak gatekeeper
> proxy instance, e.g. our server (at this time) is unaware of security
> aspects. On the client side the login process goes past keycloak?s login
> and registration pages, i.e. the javascript adapter initialises, attempts
> authentication (redirects to login page if unsuccessful) and then does a
> periodic updateToken.
>
>
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> Hi *Alex Chatziparaskewas,*
>
>
>
> *i know you are using javascript adapter for authentication(for login),
> can we use javascript adapter for authorization also like resource
> protection.*
>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From alex.chatziparaskewas at trapezegroup.com  Fri Jan  4 04:05:39 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Fri, 4 Jan 2019 09:05:39 +0000
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
	<32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>
Message-ID: <1a141d08df0349e88fe21373043eaef1@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi Hari,

Nope, we are not using roles. Once a user is authenticated he is as well fully authorised. Anyhow, although we have not gone down that path yet, check the ?tokenParsed? attribute of the keycloak instance object (just log them for starters). It shows some information about access/resource roles associated with the current user.

Question from my side: has this anything to do with my original question about updating the ?remember me? session?

Thanks & Regards,
Alex



Hi Alex Chatziparaskewas,

Thanks for your reply.
I am not asking about authentication part, in am asking about authorization part.
For example i want to enable access for a URI(mypoject/test-resource) to users who have ROLE 'TEST' ,in the keycloak i can do that in Authorization tab
of a myclient.

That means when a user is logged in he can access URI 'mypoject/test-resource' only if he has ROLE 'TEST' other wise will be given error saying access denied.

This settings working fine with backend applications like java webapps/springboot apps, but not working with javascript/Angular apps. If you know how to make it work or have sample project let me know.


On Fri, Jan 4, 2019 at 12:18 PM Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com<mailto:alex.chatziparaskewas at trapezegroup.com>> wrote:
Hi Hari,

On the server side the resources are protected by a keycloak gatekeeper proxy instance, e.g. our server (at this time) is unaware of security aspects. On the client side the login process goes past keycloak?s login and registration pages, i.e. the javascript adapter initialises, attempts authentication (redirects to login page if unsuccessful) and then does a periodic updateToken.

Thanks & Regards,
Alex



Hi Alex Chatziparaskewas,

i know you are using javascript adapter for authentication(for login), can we use javascript adapter for authorization also like resource protection.


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>

From hariprasad.n at ramyamlab.com  Fri Jan  4 04:15:16 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Fri, 4 Jan 2019 14:45:16 +0530
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <1a141d08df0349e88fe21373043eaef1@VOL-SLO-EXCH3.vgnet.volgrp.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
	<32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>
	<1a141d08df0349e88fe21373043eaef1@VOL-SLO-EXCH3.vgnet.volgrp.com>
Message-ID: <CAAx=Gt8w7p0iLuNm5f6kn++UQbhSEHW8Sd=Rk72nnKBZBCjCiQ@mail.gmail.com>

No, it is not related to  remember me.
When i saw you question I thought you already working on javascript adapter
and can help me.

On Fri, Jan 4, 2019 at 2:35 PM Alex Chatziparaskewas <
alex.chatziparaskewas at trapezegroup.com> wrote:

> Hi Hari,
>
>
>
> Nope, we are not using roles. Once a user is authenticated he is as well
> fully authorised. Anyhow, although we have not gone down that path yet,
> check the ?tokenParsed? attribute of the keycloak instance object (just log
> them for starters). It shows some information about access/resource roles
> associated with the current user.
>
>
>
> Question from my side: has this anything to do with my original question
> about updating the ?remember me? session?
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> Hi *Alex Chatziparaskewas,*
>
>
>
> *Thanks for your reply.*
>
> *I am not asking about authentication part, in am asking about
> authorization part.*
>
> *For example i want to enable access for a URI(mypoject/test-resource) to
> users who have ROLE 'TEST' ,in the keycloak i can do that in Authorization
> tab*
>
> *of a myclient.*
>
>
>
> That means when a user is logged in he can access URI '
> *mypoject/test-resource*' only if he has ROLE 'TEST' other wise will be
> given error saying access denied.
>
>
>
> This settings working fine with backend applications like java
> webapps/springboot apps, but not working with javascript/Angular apps. If
> you know how to make it work or have sample project let me know.
>
>
>
>
>
> On Fri, Jan 4, 2019 at 12:18 PM Alex Chatziparaskewas <
> alex.chatziparaskewas at trapezegroup.com> wrote:
>
> Hi Hari,
>
>
>
> On the server side the resources are protected by a keycloak gatekeeper
> proxy instance, e.g. our server (at this time) is unaware of security
> aspects. On the client side the login process goes past keycloak?s login
> and registration pages, i.e. the javascript adapter initialises, attempts
> authentication (redirects to login page if unsuccessful) and then does a
> periodic updateToken.
>
>
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> Hi *Alex Chatziparaskewas,*
>
>
>
> *i know you are using javascript adapter for authentication(for login),
> can we use javascript adapter for authorization also like resource
> protection.*
>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From alex.chatziparaskewas at trapezegroup.com  Fri Jan  4 04:23:37 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Fri, 4 Jan 2019 09:23:37 +0000
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <CAAx=Gt8w7p0iLuNm5f6kn++UQbhSEHW8Sd=Rk72nnKBZBCjCiQ@mail.gmail.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
	<32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>
	<1a141d08df0349e88fe21373043eaef1@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt8w7p0iLuNm5f6kn++UQbhSEHW8Sd=Rk72nnKBZBCjCiQ@mail.gmail.com>
Message-ID: <72dddf9c25f74e75b5ca9e663de1c35b@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi Hari,

So, have a look into the ?tokenParsed? attribute and let me know if it helped you (we might need the same at some point in time).

Thanks & Regards,
Alex



No, it is not related to  remember me.
When i saw you question I thought you already working on javascript adapter and can help me.

On Fri, Jan 4, 2019 at 2:35 PM Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com<mailto:alex.chatziparaskewas at trapezegroup.com>> wrote:
Hi Hari,

Nope, we are not using roles. Once a user is authenticated he is as well fully authorised. Anyhow, although we have not gone down that path yet, check the ?tokenParsed? attribute of the keycloak instance object (just log them for starters). It shows some information about access/resource roles associated with the current user.

Question from my side: has this anything to do with my original question about updating the ?remember me? session?

Thanks & Regards,
Alex



Hi Alex Chatziparaskewas,

Thanks for your reply.
I am not asking about authentication part, in am asking about authorization part.
For example i want to enable access for a URI(mypoject/test-resource) to users who have ROLE 'TEST' ,in the keycloak i can do that in Authorization tab
of a myclient.

That means when a user is logged in he can access URI 'mypoject/test-resource' only if he has ROLE 'TEST' other wise will be given error saying access denied.

This settings working fine with backend applications like java webapps/springboot apps, but not working with javascript/Angular apps. If you know how to make it work or have sample project let me know.


On Fri, Jan 4, 2019 at 12:18 PM Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com<mailto:alex.chatziparaskewas at trapezegroup.com>> wrote:
Hi Hari,

On the server side the resources are protected by a keycloak gatekeeper proxy instance, e.g. our server (at this time) is unaware of security aspects. On the client side the login process goes past keycloak?s login and registration pages, i.e. the javascript adapter initialises, attempts authentication (redirects to login page if unsuccessful) and then does a periodic updateToken.

Thanks & Regards,
Alex



Hi Alex Chatziparaskewas,

i know you are using javascript adapter for authentication(for login), can we use javascript adapter for authorization also like resource protection.


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>


--
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.co<http://ramyamlab.co>m
www.ramyamlab.com<http://www.ramyamlab.com/>

From hariprasad.n at ramyamlab.com  Fri Jan  4 05:04:19 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Fri, 4 Jan 2019 15:34:19 +0530
Subject: [keycloak-user] Authorization with javascript adapter
In-Reply-To: <72dddf9c25f74e75b5ca9e663de1c35b@VOL-SLO-EXCH3.vgnet.volgrp.com>
References: <CAAx=Gt_d6_g34=3ZzfrLJ+w8SAT-GnUykqm=Vt+TQBA057OBLQ@mail.gmail.com>
	<32ae2da0c47f4774ba02153beea7baa9@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt_2QPvR2r-aU6EwX5z2_3VYzG6UxHic3hJyXoWfN4c-Zg@mail.gmail.com>
	<1a141d08df0349e88fe21373043eaef1@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAAx=Gt8w7p0iLuNm5f6kn++UQbhSEHW8Sd=Rk72nnKBZBCjCiQ@mail.gmail.com>
	<72dddf9c25f74e75b5ca9e663de1c35b@VOL-SLO-EXCH3.vgnet.volgrp.com>
Message-ID: <CAAx=Gt_ZKGhc-84zRqjEWago6HDUJu1Kj0g=7tdijSkfnihD5A@mail.gmail.com>

tokenParsed can help upto some extent, but in keycloak autorization we can
create different kind of policies like Role,Javascript, Client, Time, User,
Aggregated, Group. A policy is a condition if it evaluates to true access
allowed. If we implement this conditions at client side it requires lot of
efforts and
these conditions are hard coded, if i want to change the condition again i
need to do code change and deploy again. but in keycloak I can go to admin
console and change the rule, so whenever token is refreshed new condition
can be applied.

On Fri, Jan 4, 2019 at 2:53 PM Alex Chatziparaskewas <
alex.chatziparaskewas at trapezegroup.com> wrote:

> Hi Hari,
>
>
>
> So, have a look into the ?tokenParsed? attribute and let me know if it
> helped you (we might need the same at some point in time).
>
>
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> No, it is not related to  remember me.
>
> When i saw you question I thought you already working on javascript
> adapter and can help me.
>
>
>
> On Fri, Jan 4, 2019 at 2:35 PM Alex Chatziparaskewas <
> alex.chatziparaskewas at trapezegroup.com> wrote:
>
> Hi Hari,
>
>
>
> Nope, we are not using roles. Once a user is authenticated he is as well
> fully authorised. Anyhow, although we have not gone down that path yet,
> check the ?tokenParsed? attribute of the keycloak instance object (just log
> them for starters). It shows some information about access/resource roles
> associated with the current user.
>
>
>
> Question from my side: has this anything to do with my original question
> about updating the ?remember me? session?
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> Hi *Alex Chatziparaskewas,*
>
>
>
> *Thanks for your reply.*
>
> *I am not asking about authentication part, in am asking about
> authorization part.*
>
> *For example i want to enable access for a URI(mypoject/test-resource) to
> users who have ROLE 'TEST' ,in the keycloak i can do that in Authorization
> tab*
>
> *of a myclient.*
>
>
>
> That means when a user is logged in he can access URI '
> *mypoject/test-resource*' only if he has ROLE 'TEST' other wise will be
> given error saying access denied.
>
>
>
> This settings working fine with backend applications like java
> webapps/springboot apps, but not working with javascript/Angular apps. If
> you know how to make it work or have sample project let me know.
>
>
>
>
>
> On Fri, Jan 4, 2019 at 12:18 PM Alex Chatziparaskewas <
> alex.chatziparaskewas at trapezegroup.com> wrote:
>
> Hi Hari,
>
>
>
> On the server side the resources are protected by a keycloak gatekeeper
> proxy instance, e.g. our server (at this time) is unaware of security
> aspects. On the client side the login process goes past keycloak?s login
> and registration pages, i.e. the javascript adapter initialises, attempts
> authentication (redirects to login page if unsuccessful) and then does a
> periodic updateToken.
>
>
>
> Thanks & Regards,
>
> Alex
>
>
>
>
>
>
>
> Hi *Alex Chatziparaskewas,*
>
>
>
> *i know you are using javascript adapter for authentication(for login),
> can we use javascript adapter for authorization also like resource
> protection.*
>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>
>
>
>
> --
>
> Thanks & Regards,
>
>
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore ? 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n**@ramyamlab.co <http://ramyamlab.co>m*
>
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From sthorger at redhat.com  Fri Jan  4 05:55:05 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Jan 2019 11:55:05 +0100
Subject: [keycloak-user] How to update a 'remember me' session?
In-Reply-To: <9177b8d05968423e9f5fc2daf72ac85c@VOL-SLO-EXCH3.vgnet.volgrp.com>
References: <9177b8d05968423e9f5fc2daf72ac85c@VOL-SLO-EXCH3.vgnet.volgrp.com>
Message-ID: <CAJgngAeKSwAohGRgbfSo0piQ=ahJu18DzZrmGFRjko0OUvDsCQ@mail.gmail.com>

I wouldn't recommend on having a background keep alive using the update
token. Rather, just rely on the user performing actions to keep the session
alive and configure the SSO idle timeout accordingly to your needs.

With regards to remember me I don't understand your question as there is no
difference here. Remember me only sets a persisted cookie so session
survives a browser restart as well as recently we've introduce options to
have different SSO idle and max for remember me sessions.

On Fri, 4 Jan 2019 at 07:24, Alex Chatziparaskewas <
alex.chatziparaskewas at trapezegroup.com> wrote:

> Hi All,
>
> We are using the keycloak javascript adapter. In the same way as the token
> and refresh token can be updated gracefully in the background using its
> updateToken method, is there any means by which the same can be done to a
> 'remember me' session?
>
> Thanks & Regards,
> Alex
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From totheocean0402 at gmail.com  Fri Jan  4 06:49:16 2019
From: totheocean0402 at gmail.com (Andreas Lau)
Date: Fri, 4 Jan 2019 12:49:16 +0100
Subject: [keycloak-user] Realm.toRepresentation results in
	com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException
In-Reply-To: <CABQD8sjk8bQ+qFJKD-bNwVZg5jifSRgjmOMYvrHmA_Vd=yJPQA@mail.gmail.com>
References: <CABQD8sgfqQnV+=yJhB9q=Aepkang89cPbe1rW1aqQBcP1N8-Wg@mail.gmail.com>
	<CABQD8sjk8bQ+qFJKD-bNwVZg5jifSRgjmOMYvrHmA_Vd=yJPQA@mail.gmail.com>
Message-ID: <CABQD8sgrOH5=vrYdcou5AFr3W-=G=eHJUQfYp4A2t-ZJJD5GMA@mail.gmail.com>

Hey me again, since nobody seams to be able to help me, I thought, maybe
it's due to the fact I didn't explain well enough what I try to do?
So I try to clarify a bit more in deep what I like achieve.
I'm using the keycloak client API to update some parts of the realm. To do
this I followed the test
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java

There is a simple example "public void renameRealmTest()"  that retrieves a
realm, transforms it to its representation and finally renames and updates
it.  This describes the work flow I try to follow. But doing this I results
in the mentioned exception "UnrecognizedPropertyException" from jackson.

At this point I ask for help because I think the test will be executed
before shipping keycloak by the way I'm using the 4.5 version.

So can you please help me to find the error or give me some hints that help
me to understand why the exception appears?

Thanks

Am Do., 27. Dez. 2018, 12:40 hat Andreas Lau <totheocean0402 at gmail.com>
geschrieben:

> Sorry for bouncing this up again. But I'm a bit stuck Ed on the problem.
> Can anyone help me out? Is this the right list for this?
>
> Thanks
>
> Am Mi., 19. Dez. 2018, 18:04 hat Frank Franz <totheocean0402 at gmail.com>
> geschrieben:
>
>> Hello,
>> I'm using the java admin client to create a realm and some other setting.
>> In this process I like to update the realm (set authentication bindings for
>> registration flow and credential flow) therefore I from my actual knowledge
>> have to transfer the realm to the realm representation.
>>
>> Doing this calling realm.toRepresentation() results in the following
>> error:
>> javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.
>> ProcessingException: com.fasterxml.jackson.databind.exc.
>> UnrecognizedPropertyException: Unrecognized field "
>> offlineSessionMaxLifespanEnabled" (class org.keycloak.representations.idm
>> .RealmRepresentation), not marked as ignorable (101 known properties: "
>> directGrantFlow", "otpPolicyDigits", "identityProviderMappers", "
>> revokeRefreshToken", "identityProviders", "userFederationMappers", "
>> rememberMe", "duplicateEmailsAllowed", "dockerAuthenticationFlow", "
>> otpSupportedApplications", "adminEventsDetailsEnabled", "registrationFlow",
>> "editUsernameAllowed", "clients", "users", "emailTheme", "realm", "
>> actionTokenGeneratedByAdminLifespan", "authenticatorConfig",
>> "components", "certificate", "updateProfileOnInitialSocialLogin", "
>> otpPolicyType", "accessCodeLifespanUserAction", "protocolMappers", "id",
>> "accountTheme", "maxDeltaTimeSeconds", "enabledEventTypes", "verifyEmail",
>> "applications", "waitIncrementSeconds", "eventsListeners", "
>> eventsExpiration", "defaultDefaultClientScopes", "
>> defaultOptionalClientScopes", "passwordPolicy", "clientTemplates", "
>> registrationAllowed", "userManagedAccessAllowed", "notBefore", "
>> otpPolicyAlgorithm", "actionTokenGeneratedByUserLifespan", "
>> permanentLockout", "socialProviders", "otpPolicyInitialCounter"
>> [truncated]])
>>
>> Can you pleas give me a hint how to resolve this?
>> Thanks in advance.
>> Andreas
>>
>

From alex.chatziparaskewas at trapezegroup.com  Fri Jan  4 07:06:41 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Fri, 4 Jan 2019 12:06:41 +0000
Subject: [keycloak-user] How to update a 'remember me' session?
In-Reply-To: <CAJgngAeKSwAohGRgbfSo0piQ=ahJu18DzZrmGFRjko0OUvDsCQ@mail.gmail.com>
References: <9177b8d05968423e9f5fc2daf72ac85c@VOL-SLO-EXCH3.vgnet.volgrp.com>
	<CAJgngAeKSwAohGRgbfSo0piQ=ahJu18DzZrmGFRjko0OUvDsCQ@mail.gmail.com>
Message-ID: <cd76fcfe9aec461ca74c53ca935f8207@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi Stian,

Thanks for your reply. It is already spawning some now thoughts. I will try to explain the underlying problem a bit more.

Unfortunately, this is a single page web app, which additionally is mostly ?watched? or simply ?looked at? most of the time (can be hours). Of course the idle timeouts (still defaults) could be increased, but somehow it felt strange putting the idle time to something like a day or two (or more). Additionally, the web app opens a websocket to the backend (standard Javascript web socket). Opening the websocket works fine as long as the tokens are valid, however, once the tokens are invalid opening the websocket fails due to security (which in itself is good!). Finally, the web app runs on mobile devices. Switching the app context (in particular on IOS) for even a second triggers a reload of the application (bad enough), but also triggers re-authentication, which without the ?remember me? functionality always goes past the login page.

What a user expects: as long as the web app is running the login page should not be shown; if a network problem occurs (they are running around with their mobile devices) the app has to recover (i.e. re-establish the websocket without the login page); if a user quickly changes the app context the app should basically continue (at least without the login page).

One possible solution I think: increase the idle timeouts for the sessions (normal and remember me) to some very high value (days; which we have tried to avoid so far).

Initially, we tried to use the Keycloak gatekeeper?s ?enable-refresh-tokens? feature to get the token and refresh token updated on the fly with each request (that is our understanding of this feature), however, it did not work. Tokens were never updated (maybe we were doing something wrong or there is a bug; this is another open issue on our side to be followed up). To avoid increasing the idle times to something very long, we are for moment periodically using the updateToken method to explicitly update the tokens, but even then, funny as it is, we have to rewrite the kc-access and kc-state cookies (used by the keycloak gatekeeper) ourselves (not nice as well). Anyhow, in the same way as we found means to programmatically extend the ?lifetime? of the token/updateToken we were thinking on how to programmatically extend the lifetime of the remember me session.

Thanks  & Regards,
Alex


From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 04 January 2019 11:55
To: Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to update a 'remember me' session?

I wouldn't recommend on having a background keep alive using the update token. Rather, just rely on the user performing actions to keep the session alive and configure the SSO idle timeout accordingly to your needs.

With regards to remember me I don't understand your question as there is no difference here. Remember me only sets a persisted cookie so session survives a browser restart as well as recently we've introduce options to have different SSO idle and max for remember me sessions.

On Fri, 4 Jan 2019 at 07:24, Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com<mailto:alex.chatziparaskewas at trapezegroup.com>> wrote:
Hi All,

We are using the keycloak javascript adapter. In the same way as the token and refresh token can be updated gracefully in the background using its updateToken method, is there any means by which the same can be done to a 'remember me' session?

Thanks & Regards,
Alex


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Fri Jan  4 09:25:38 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 17:25:38 +0300
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: <CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
References: <CAMnwzSQsQxLB8CTtjm2xXz-8-H1wCHUzZrxPAVSumQKUOCxLYw@mail.gmail.com>
	<CAMnwzST6-ZvukY+67wYrZwzMmB+D=hekubcik-M6KmUXy-zXbQ@mail.gmail.com>
	<CAJrcDBe4dGVYX5mJv1uhBskeKAFEb33RDwUGbrh9kJ6+nJoPYQ@mail.gmail.com>
	<CAMnwzSTZXhUMxUTD0JUiuofjdyAxzVSpi4WpBo16rZcBXUzH1A@mail.gmail.com>
	<CAMnwzSSt-MNXZJytDRFGoG3q=-EdUdezOXFB5R2QC02zfxh2RQ@mail.gmail.com>
	<CAJrcDBdxo2Kn+wFgGGX08a_w0MztGGiiZRBbOzYWBeSMOunt0g@mail.gmail.com>
	<CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
Message-ID: <1546611938.3690.3.camel@acutus.pro>

Hi Warren,

Have you ever thought of implementing stores on the Keycloak side?

Off the top of my head, I can suggest implementing them?either as (hierarchical) groups, or using custom JPA entity [1].

It is not clear if you already have a database with stores or only planning to create and populate it. In the former case you will need to set up proper synchronization of store data to Keycloak; in the latter case the need for an external DB will be eliminated.
In both cases you will have to implement Admin Console GUI additions [2] to manage user-store-scope associations.

The benefits of this approach:
- improved manageability - you manage everything in one place, i.e. Keycloak Admin Console;
- performance - this will eliminate the need to perform calls to an external system per each incoming HTTP request, which might have significant performance impact. Keycloak will already have all the necessary info to evaluate policies.

You can take a look at BeerCloak [3], a complete all-in-one example that contains custom JPA entity, Admin Console customizations and the necessary wiring. I'm already thinking about adding an example authorization policy that would involve custom JPA entities.

To Pedro: I'd also much appreciate your opinion on this approach, so please let me know what you think.

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[3] https://github.com/dteleguin/beercloak

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> Yeah, I made my original example very simple as I was trying to point out
> the multi-tiered permission issue rather than getting bogged down in the
> myriad of scopes. Users can have 1-to-many scopes across several stores.
> It's not as simple as "if primary store grant this scope set, else grant
> that scope set". Life would be a lot easier if it was :)
> It sounds like a CIP service accessing an external DB is the 'correct'
> answer for this scenario. I see no other clean way to tie
> users->stores->scopes.
> Thanks for your help!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From speechkey at gmail.com  Fri Jan  4 09:37:50 2019
From: speechkey at gmail.com (Artem Grebenkin)
Date: Fri, 4 Jan 2019 15:37:50 +0100
Subject: [keycloak-user] Run keycloak at root "/" context, not "/auth"
Message-ID: <CAAcYninUPxZ+x7C1iGzN3=XsfviRQmraJQY3r5PS86cM58qdZQ@mail.gmail.com>

Hi folks,

is it possible to run keycloak at root "/" context, not "/auth"

Kind regards
Artem

From dt at acutus.pro  Fri Jan  4 09:40:51 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 17:40:51 +0300
Subject: [keycloak-user] Realm.toRepresentation results in
 com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException
In-Reply-To: <CABQD8sgrOH5=vrYdcou5AFr3W-=G=eHJUQfYp4A2t-ZJJD5GMA@mail.gmail.com>
References: <CABQD8sgfqQnV+=yJhB9q=Aepkang89cPbe1rW1aqQBcP1N8-Wg@mail.gmail.com>
	<CABQD8sjk8bQ+qFJKD-bNwVZg5jifSRgjmOMYvrHmA_Vd=yJPQA@mail.gmail.com>
	<CABQD8sgrOH5=vrYdcou5AFr3W-=G=eHJUQfYp4A2t-ZJJD5GMA@mail.gmail.com>
Message-ID: <1546612851.3690.5.camel@acutus.pro>

Hello Andreas,

Could it be that you're using older (pre-4.1.0) Java admin client against newer Keycloak? The field "offlineSessionMaxLifespanEnabled" has been introduced in Keycloak 4.1.0.

Please also try the same with kcadm.sh:

bin/kcadm.sh get realms/myrealm > myrealm.json
(edit myrealm.json)
bin/kcadm.sh update realms/myrealm -f myrealm.json

Does that work?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2019-01-04 at 12:49 +0100, Andreas Lau wrote:
> Hey me again, since nobody seams to be able to help me, I thought, maybe
> it's due to the fact I didn't explain well enough what I try to do?
> So I try to clarify a bit more in deep what I like achieve.
> I'm using the keycloak client API to update some parts of the realm. To do
> this I followed the test
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
> 
> There is a simple example "public void renameRealmTest()"??that retrieves a
> realm, transforms it to its representation and finally renames and updates
> it.??This describes the work flow I try to follow. But doing this I results
> in the mentioned exception "UnrecognizedPropertyException" from jackson.
> 
> At this point I ask for help because I think the test will be executed
> before shipping keycloak by the way I'm using the 4.5 version.
> 
> So can you please help me to find the error or give me some hints that help
> me to understand why the exception appears?
> 
> Thanks
> 
> Am Do., 27. Dez. 2018, 12:40 hat Andreas Lau <totheocean0402 at gmail.com>
> geschrieben:
> 
> > Sorry for bouncing this up again. But I'm a bit stuck Ed on the problem.
> > Can anyone help me out? Is this the right list for this?
> > 
> > Thanks
> > 
> > Am Mi., 19. Dez. 2018, 18:04 hat Frank Franz <totheocean0402 at gmail.com>
> > geschrieben:
> > 
> > > Hello,
> > > I'm using the java admin client to create a realm and some other setting.
> > > In this process I like to update the realm (set authentication bindings for
> > > registration flow and credential flow) therefore I from my actual knowledge
> > > have to transfer the realm to the realm representation.
> > > 
> > > Doing this calling realm.toRepresentation() results in the following
> > > error:
> > > javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.
> > > ProcessingException: com.fasterxml.jackson.databind.exc.
> > > UnrecognizedPropertyException: Unrecognized field "
> > > offlineSessionMaxLifespanEnabled" (class org.keycloak.representations.idm
> > > .RealmRepresentation), not marked as ignorable (101 known properties: "
> > > directGrantFlow", "otpPolicyDigits", "identityProviderMappers", "
> > > revokeRefreshToken", "identityProviders", "userFederationMappers", "
> > > rememberMe", "duplicateEmailsAllowed", "dockerAuthenticationFlow", "
> > > otpSupportedApplications", "adminEventsDetailsEnabled", "registrationFlow",
> > > "editUsernameAllowed", "clients", "users", "emailTheme", "realm", "
> > > actionTokenGeneratedByAdminLifespan", "authenticatorConfig",
> > > "components", "certificate", "updateProfileOnInitialSocialLogin", "
> > > otpPolicyType", "accessCodeLifespanUserAction", "protocolMappers", "id",
> > > "accountTheme", "maxDeltaTimeSeconds", "enabledEventTypes", "verifyEmail",
> > > "applications", "waitIncrementSeconds", "eventsListeners", "
> > > eventsExpiration", "defaultDefaultClientScopes", "
> > > defaultOptionalClientScopes", "passwordPolicy", "clientTemplates", "
> > > registrationAllowed", "userManagedAccessAllowed", "notBefore", "
> > > otpPolicyAlgorithm", "actionTokenGeneratedByUserLifespan", "
> > > permanentLockout", "socialProviders", "otpPolicyInitialCounter"
> > > [truncated]])
> > > 
> > > Can you pleas give me a hint how to resolve this?
> > > Thanks in advance.
> > > Andreas
> > > 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com  Fri Jan  4 09:48:56 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 4 Jan 2019 12:48:56 -0200
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: <1546611938.3690.3.camel@acutus.pro>
References: <CAMnwzSQsQxLB8CTtjm2xXz-8-H1wCHUzZrxPAVSumQKUOCxLYw@mail.gmail.com>
	<CAMnwzST6-ZvukY+67wYrZwzMmB+D=hekubcik-M6KmUXy-zXbQ@mail.gmail.com>
	<CAJrcDBe4dGVYX5mJv1uhBskeKAFEb33RDwUGbrh9kJ6+nJoPYQ@mail.gmail.com>
	<CAMnwzSTZXhUMxUTD0JUiuofjdyAxzVSpi4WpBo16rZcBXUzH1A@mail.gmail.com>
	<CAMnwzSSt-MNXZJytDRFGoG3q=-EdUdezOXFB5R2QC02zfxh2RQ@mail.gmail.com>
	<CAJrcDBdxo2Kn+wFgGGX08a_w0MztGGiiZRBbOzYWBeSMOunt0g@mail.gmail.com>
	<CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
	<1546611938.3690.3.camel@acutus.pro>
Message-ID: <CAJrcDBd-bzQ5YHbVTH0xSxHuTEVNn+itrG8ngNbreT_YuvpbwA@mail.gmail.com>

On Fri, Jan 4, 2019 at 12:25 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Warren,
>
> Have you ever thought of implementing stores on the Keycloak side?
>
> Off the top of my head, I can suggest implementing them either as
> (hierarchical) groups, or using custom JPA entity [1].
>
> It is not clear if you already have a database with stores or only
> planning to create and populate it. In the former case you will need to set
> up proper synchronization of store data to Keycloak; in the latter case the
> need for an external DB will be eliminated.
> In both cases you will have to implement Admin Console GUI additions [2]
> to manage user-store-scope associations.
>
> The benefits of this approach:
> - improved manageability - you manage everything in one place, i.e.
> Keycloak Admin Console;
> - performance - this will eliminate the need to perform calls to an
> external system per each incoming HTTP request, which might have
> significant performance impact. Keycloak will already have all the
> necessary info to evaluate policies.
>
> You can take a look at BeerCloak [3], a complete all-in-one example that
> contains custom JPA entity, Admin Console customizations and the necessary
> wiring. I'm already thinking about adding an example authorization policy
> that would involve custom JPA entities.
>
> To Pedro: I'd also much appreciate your opinion on this approach, so
> please let me know what you think.
>

That would be nice and maybe could help us with an RFE still open around a
"Resource SPI". Depending on what you are planning, your proposal could
even be much more powerful as it would imply access to claims not only
specific to resources but anything available from your database.


>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [2]
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [3] https://github.com/dteleguin/beercloak
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> > Yeah, I made my original example very simple as I was trying to point out
> > the multi-tiered permission issue rather than getting bogged down in the
> > myriad of scopes. Users can have 1-to-many scopes across several stores.
> > It's not as simple as "if primary store grant this scope set, else grant
> > that scope set". Life would be a lot easier if it was :)
> > It sounds like a CIP service accessing an external DB is the 'correct'
> > answer for this scenario. I see no other clean way to tie
> > users->stores->scopes.
> > Thanks for your help!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro  Fri Jan  4 10:08:43 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 18:08:43 +0300
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: <CAJrcDBd-bzQ5YHbVTH0xSxHuTEVNn+itrG8ngNbreT_YuvpbwA@mail.gmail.com>
References: <CAMnwzSQsQxLB8CTtjm2xXz-8-H1wCHUzZrxPAVSumQKUOCxLYw@mail.gmail.com>
	<CAMnwzST6-ZvukY+67wYrZwzMmB+D=hekubcik-M6KmUXy-zXbQ@mail.gmail.com>
	<CAJrcDBe4dGVYX5mJv1uhBskeKAFEb33RDwUGbrh9kJ6+nJoPYQ@mail.gmail.com>
	<CAMnwzSTZXhUMxUTD0JUiuofjdyAxzVSpi4WpBo16rZcBXUzH1A@mail.gmail.com>
	<CAMnwzSSt-MNXZJytDRFGoG3q=-EdUdezOXFB5R2QC02zfxh2RQ@mail.gmail.com>
	<CAJrcDBdxo2Kn+wFgGGX08a_w0MztGGiiZRBbOzYWBeSMOunt0g@mail.gmail.com>
	<CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
	<1546611938.3690.3.camel@acutus.pro>
	<CAJrcDBd-bzQ5YHbVTH0xSxHuTEVNn+itrG8ngNbreT_YuvpbwA@mail.gmail.com>
Message-ID: <1546614523.3690.7.camel@acutus.pro>

Hi Pedro, thanks for your input,

Is this issue related to the "Resource SPI" you've?mentioned? https://issues.jboss.org/browse/KEYCLOAK-4905

Dmitry

On Fri, 2019-01-04 at 12:48 -0200, Pedro Igor Silva wrote:
> 
> > On Fri, Jan 4, 2019 at 12:25 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Warren,
> > 
> > Have you ever thought of implementing stores on the Keycloak side?
> > 
> > Off the top of my head, I can suggest implementing them?either as (hierarchical) groups, or using custom JPA entity [1].
> > 
> > It is not clear if you already have a database with stores or only planning to create and populate it. In the former case you will need to set up proper synchronization of store data to Keycloak; in the latter case the need for an external DB will be eliminated.
> > In both cases you will have to implement Admin Console GUI additions [2] to manage user-store-scope associations.
> > 
> > The benefits of this approach:
> > - improved manageability - you manage everything in one place, i.e. Keycloak Admin Console;
> > - performance - this will eliminate the need to perform calls to an external system per each incoming HTTP request, which might have significant performance impact. Keycloak will already have all the necessary info to evaluate policies.
> > 
> > You can take a look at BeerCloak [3], a complete all-in-one example that contains custom JPA entity, Admin Console customizations and the necessary wiring. I'm already thinking about adding an example authorization policy that would involve custom JPA entities.
> > 
> > To Pedro: I'd also much appreciate your opinion on this approach, so please let me know what you think.
> 
> That would be nice and maybe could help us with an RFE still open around a "Resource SPI". Depending on what you are planning, your proposal could even be much more powerful as it would imply access to claims not only specific to resources but anything available from your database.
> ?
> > [1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> > [2] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> > [3] https://github.com/dteleguin/beercloak
> > 
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> > > Yeah, I made my original example very simple as I was trying to point out
> > > the multi-tiered permission issue rather than getting bogged down in the
> > > myriad of scopes. Users can have 1-to-many scopes across several stores.
> > > It's not as simple as "if primary store grant this scope set, else grant
> > > that scope set". Life would be a lot easier if it was :)
> > > It sounds like a CIP service accessing an external DB is the 'correct'
> > > answer for this scenario. I see no other clean way to tie
> > > users->stores->scopes.
> > > Thanks for your help!
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 

From dt at acutus.pro  Fri Jan  4 10:21:43 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 18:21:43 +0300
Subject: [keycloak-user] Run keycloak at root "/" context, not "/auth"
In-Reply-To: <CAAcYninUPxZ+x7C1iGzN3=XsfviRQmraJQY3r5PS86cM58qdZQ@mail.gmail.com>
References: <CAAcYninUPxZ+x7C1iGzN3=XsfviRQmraJQY3r5PS86cM58qdZQ@mail.gmail.com>
Message-ID: <1546615303.3690.9.camel@acutus.pro>

Hello Artem,

Changing context path to a non-empty value, i.e. "/foobar", is fully supported via standalone.xml (look for <web-context> tag under Keycloak subsystem).

However, setting it to "/" results in failure to load theme resources. I'm afraid that's not possible at the moment without the changes to Keycloak codebase (may Keycloak devs correct me if I'm wrong).

Regards,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2019-01-04 at 15:37 +0100, Artem Grebenkin wrote:
> Hi folks,
> 
> is it possible to run keycloak at root "/" context, not "/auth"
> 
> Kind regards
> Artem
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Fri Jan  4 10:28:01 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 18:28:01 +0300
Subject: [keycloak-user] Realm Custom Attributes
In-Reply-To: <CAAx=Gt-8tba_ErJ5qjW6KWxUW78ARLkPDBFMC-1H+WSogSRFKA@mail.gmail.com>
References: <CAAx=Gt-8tba_ErJ5qjW6KWxUW78ARLkPDBFMC-1H+WSogSRFKA@mail.gmail.com>
Message-ID: <1546615681.3690.11.camel@acutus.pro>

Hello Hariprasad,

Keycloak already supports custom realm attributes, it's only that they are not reflected in the GUI. However, you can access them via RealmModel::{get|set}Attribute() methods, or via the REALM_ATTRIBUTE database table.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-03 at 18:13 +0530, Hariprasad N wrote:
> Hi All,
> 
> Can we add realm level custom attributes.
> 

From swarren at sumglobal.com  Fri Jan  4 10:28:26 2019
From: swarren at sumglobal.com (Warren, Scott)
Date: Fri, 4 Jan 2019 10:28:26 -0500
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: <1546611938.3690.3.camel@acutus.pro>
References: <CAMnwzSQsQxLB8CTtjm2xXz-8-H1wCHUzZrxPAVSumQKUOCxLYw@mail.gmail.com>
	<CAMnwzST6-ZvukY+67wYrZwzMmB+D=hekubcik-M6KmUXy-zXbQ@mail.gmail.com>
	<CAJrcDBe4dGVYX5mJv1uhBskeKAFEb33RDwUGbrh9kJ6+nJoPYQ@mail.gmail.com>
	<CAMnwzSTZXhUMxUTD0JUiuofjdyAxzVSpi4WpBo16rZcBXUzH1A@mail.gmail.com>
	<CAMnwzSSt-MNXZJytDRFGoG3q=-EdUdezOXFB5R2QC02zfxh2RQ@mail.gmail.com>
	<CAJrcDBdxo2Kn+wFgGGX08a_w0MztGGiiZRBbOzYWBeSMOunt0g@mail.gmail.com>
	<CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
	<1546611938.3690.3.camel@acutus.pro>
Message-ID: <CAMnwzSRE7i1S+ALEOyRE7c+ZHTYVgRLYg+e6S9+CePn9qJ5OUw@mail.gmail.com>

Hi Dmitry,

I really like that idea. Thanks for the suggestion. I'll give it a try.

Thanks,
Scott

On Fri, Jan 4, 2019 at 9:25 AM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Warren,
>
> Have you ever thought of implementing stores on the Keycloak side?
>
> Off the top of my head, I can suggest implementing them either as
> (hierarchical) groups, or using custom JPA entity [1].
>
> It is not clear if you already have a database with stores or only
> planning to create and populate it. In the former case you will need to set
> up proper synchronization of store data to Keycloak; in the latter case the
> need for an external DB will be eliminated.
> In both cases you will have to implement Admin Console GUI additions [2]
> to manage user-store-scope associations.
>
> The benefits of this approach:
> - improved manageability - you manage everything in one place, i.e.
> Keycloak Admin Console;
> - performance - this will eliminate the need to perform calls to an
> external system per each incoming HTTP request, which might have
> significant performance impact. Keycloak will already have all the
> necessary info to evaluate policies.
>
> You can take a look at BeerCloak [3], a complete all-in-one example that
> contains custom JPA entity, Admin Console customizations and the necessary
> wiring. I'm already thinking about adding an example authorization policy
> that would involve custom JPA entities.
>
> To Pedro: I'd also much appreciate your opinion on this approach, so
> please let me know what you think.
>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [2]
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [3] https://github.com/dteleguin/beercloak
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> > Yeah, I made my original example very simple as I was trying to point out
> > the multi-tiered permission issue rather than getting bogged down in the
> > myriad of scopes. Users can have 1-to-many scopes across several stores.
> > It's not as simple as "if primary store grant this scope set, else grant
> > that scope set". Life would be a lot easier if it was :)
> > It sounds like a CIP service accessing an external DB is the 'correct'
> > answer for this scenario. I see no other clean way to tie
> > users->stores->scopes.
> > Thanks for your help!
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

Scott G. Warren

SUM Global Technology

swarren at sumglobal.com

678.469.3455

From psilva at redhat.com  Fri Jan  4 10:46:25 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 4 Jan 2019 13:46:25 -0200
Subject: [keycloak-user] Fwd: Multi-tiered Permissions
In-Reply-To: <1546614523.3690.7.camel@acutus.pro>
References: <CAMnwzSQsQxLB8CTtjm2xXz-8-H1wCHUzZrxPAVSumQKUOCxLYw@mail.gmail.com>
	<CAMnwzST6-ZvukY+67wYrZwzMmB+D=hekubcik-M6KmUXy-zXbQ@mail.gmail.com>
	<CAJrcDBe4dGVYX5mJv1uhBskeKAFEb33RDwUGbrh9kJ6+nJoPYQ@mail.gmail.com>
	<CAMnwzSTZXhUMxUTD0JUiuofjdyAxzVSpi4WpBo16rZcBXUzH1A@mail.gmail.com>
	<CAMnwzSSt-MNXZJytDRFGoG3q=-EdUdezOXFB5R2QC02zfxh2RQ@mail.gmail.com>
	<CAJrcDBdxo2Kn+wFgGGX08a_w0MztGGiiZRBbOzYWBeSMOunt0g@mail.gmail.com>
	<CAMnwzSRgXquvJp8UYUDtTmWAe9GgLqBu+KgCgK2MgiJqXLYiMQ@mail.gmail.com>
	<1546611938.3690.3.camel@acutus.pro>
	<CAJrcDBd-bzQ5YHbVTH0xSxHuTEVNn+itrG8ngNbreT_YuvpbwA@mail.gmail.com>
	<1546614523.3690.7.camel@acutus.pro>
Message-ID: <CAJrcDBebCYXZJ9nvNB1mmSofT3vJsAuVZsCsjEoBB682VZAy8Q@mail.gmail.com>

Yeah, it is.

On Fri, Jan 4, 2019 at 1:08 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Pedro, thanks for your input,
>
> Is this issue related to the "Resource SPI" you've mentioned?
> https://issues.jboss.org/browse/KEYCLOAK-4905
>
> Dmitry
>
> On Fri, 2019-01-04 at 12:48 -0200, Pedro Igor Silva wrote:
> >
> > > On Fri, Jan 4, 2019 at 12:25 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Warren,
> > >
> > > Have you ever thought of implementing stores on the Keycloak side?
> > >
> > > Off the top of my head, I can suggest implementing them either as
> (hierarchical) groups, or using custom JPA entity [1].
> > >
> > > It is not clear if you already have a database with stores or only
> planning to create and populate it. In the former case you will need to set
> up proper synchronization of store data to Keycloak; in the latter case the
> need for an external DB will be eliminated.
> > > In both cases you will have to implement Admin Console GUI additions
> [2] to manage user-store-scope associations.
> > >
> > > The benefits of this approach:
> > > - improved manageability - you manage everything in one place, i.e.
> Keycloak Admin Console;
> > > - performance - this will eliminate the need to perform calls to an
> external system per each incoming HTTP request, which might have
> significant performance impact. Keycloak will already have all the
> necessary info to evaluate policies.
> > >
> > > You can take a look at BeerCloak [3], a complete all-in-one example
> that contains custom JPA entity, Admin Console customizations and the
> necessary wiring. I'm already thinking about adding an example
> authorization policy that would involve custom JPA entities.
> > >
> > > To Pedro: I'd also much appreciate your opinion on this approach, so
> please let me know what you think.
> >
> > That would be nice and maybe could help us with an RFE still open around
> a "Resource SPI". Depending on what you are planning, your proposal could
> even be much more powerful as it would imply access to claims not only
> specific to resources but anything available from your database.
> >
> > > [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> > > [2]
> https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> > > [3] https://github.com/dteleguin/beercloak
> > >
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Fri, 2018-12-28 at 19:01 -0500, Warren, Scott wrote:
> > > > Yeah, I made my original example very simple as I was trying to
> point out
> > > > the multi-tiered permission issue rather than getting bogged down in
> the
> > > > myriad of scopes. Users can have 1-to-many scopes across several
> stores.
> > > > It's not as simple as "if primary store grant this scope set, else
> grant
> > > > that scope set". Life would be a lot easier if it was :)
> > > > It sounds like a CIP service accessing an external DB is the
> 'correct'
> > > > answer for this scenario. I see no other clean way to tie
> > > > users->stores->scopes.
> > > > Thanks for your help!
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>

From dt at acutus.pro  Fri Jan  4 10:49:59 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 04 Jan 2019 18:49:59 +0300
Subject: [keycloak-user] Registration page and comboboxes
In-Reply-To: <2137152622.449907.1546081736355@pim.register.it>
References: <2137152622.449907.1546081736355@pim.register.it>
Message-ID: <1546616999.3690.13.camel@acutus.pro>

Hello Luca,

What you're talking about is 100% feasible, but will require some coding.

You will need to implement the following:
- custom JPA entity [1] to store combobox values;
- custom REST resource [2] to enable management via Admin Console + provide the list to the registration page;
- Admin Console additions [3] to implement the management GUI;
- customized registration page (via custom login theme).

I'd also suggest that you take a look at BeerCloak [4], an all-in-one example where all of the above is implemented, except for the last item. I'm planning to do it it maybe in the second half of January. As I see it, the registration page will feature a drop-down with beers for a user to choose a favorite from.

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[3] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[4] https://github.com/dteleguin/beercloak

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-12-29 at 12:08 +0100, Luca Stancapiano wrote:
> I have a registration page in a Keycloak theme where the user has to choose from a list from a combobox. This list is dynamic, meaning it could be changed by an administrator at any time. What is the best way to manage this list with Keycloak? Can I use the administrative console to update this data? If you are on which component?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From or at myobligo.com  Fri Jan  4 11:09:20 2019
From: or at myobligo.com (Or Harary)
Date: Fri, 4 Jan 2019 18:09:20 +0200
Subject: [keycloak-user] Conflicting scopes in permissions always gets deny,
 maybe this should be configurable?
Message-ID: <CAJ=iV3oK4kGRGKebYcbaFuxcFgLfgMBbza79j80E+U=MsN07FQ@mail.gmail.com>

Hey,

Let's say I want to allow creating custom roles with custom permission on
scopes (to allow access to multiple resource types and actions). So per
role, I wanted to create a matching permission with the allowed scopes
(resource-type-foo-create/resource-type-bar-create/etc..) and policies
accordingly (role/client/user/group).

So if I have:
Role A
Allowed: foo-create, foo-read, bar-read
Role B
Allowed: foo-read, bar-read

Because they have conflicting scopes, foo-read always gets denied. So as I
see, it can't be done this way. Maybe there should be a Decision Strategy
to permissions evaluation like in a single permission with policies?

Thanks,
Or

From hariprasad.n at ramyamlab.com  Sat Jan  5 01:35:13 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Sat, 5 Jan 2019 12:05:13 +0530
Subject: [keycloak-user] Realm Custom Attributes
In-Reply-To: <1546615681.3690.11.camel@acutus.pro>
References: <CAAx=Gt-8tba_ErJ5qjW6KWxUW78ARLkPDBFMC-1H+WSogSRFKA@mail.gmail.com>
	<1546615681.3690.11.camel@acutus.pro>
Message-ID: <CAAx=Gt-a6eW2g=x=WYjp3Gwv6SShb2rfV-tXW+rvg7RRv2Bj6Q@mail.gmail.com>

Hi  Dmitry Telegin,

Thanks for reply.

I want to save some custom attributes against each realm in REALM_ATTRIBUTE
table.
I have added one custom attribute by modifying realm-detail.html refer
attached screenshot yellow hi-lighted one. for that custom attribute I
given id 'displayNameTest' but when I save getting response code from
server 400 (Bad request) with error msg '*Unrecognized field
"displayNameTest" (class
org.keycloak.representations.idm.RealmRepresentation), not marked as
ignorable**' *. I think some where you are validating the filednames/id.

As a developer i know about REALM_ATTRIBUTE table but our clients don't
know, they want to add some custom fields in admin console itself.
I we add new Tab(like General, Login, Keys ) say 'Attributes' it would be
better.

Please help me in this.


Regards
Hari Prasad N




On Fri, Jan 4, 2019 at 8:58 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Hariprasad,
>
> Keycloak already supports custom realm attributes, it's only that they are
> not reflected in the GUI. However, you can access them via
> RealmModel::{get|set}Attribute() methods, or via the REALM_ATTRIBUTE
> database table.
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2019-01-03 at 18:13 +0530, Hariprasad N wrote:
> > Hi All,
> >
> > Can we add realm level custom attributes.
> >
>


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.PNG
Type: image/png
Size: 51162 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190105/ac34bb7d/attachment-0001.png 

From tom at spicule.co.uk  Sat Jan  5 06:26:33 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Sat, 5 Jan 2019 03:26:33 -0800
Subject: [keycloak-user] Mapping in additional user roles
Message-ID: <CADibaRxjcWD4E8ZNebfumc_F0c-Ur+k6Xej2R102E6J243Rkkg@mail.gmail.com>

Hi folks,

This may have a simple answer in which case I apologise.

I?ve been tasked with fronting some web apps with Keycloak connected via
SAML to AD FS as the ID provider.

I found this
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html so
planned to do similar.

The next issue I face is that the AD FS service is hosted by a different
entity and we don?t have the ability to change yet we need to map roles in.

What extension points are there available to us in Keycloak that allows a
user to login but then have us assign roles by looking them up in a
*different* AD server and pulling their roles from there?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From tom at spicule.co.uk  Sat Jan  5 06:38:50 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Sat, 5 Jan 2019 03:38:50 -0800
Subject: [keycloak-user] Mapping in additional user roles
In-Reply-To: <CADibaRxjcWD4E8ZNebfumc_F0c-Ur+k6Xej2R102E6J243Rkkg@mail.gmail.com>
References: <CADibaRxjcWD4E8ZNebfumc_F0c-Ur+k6Xej2R102E6J243Rkkg@mail.gmail.com>
Message-ID: <CADibaRwRXYcJADDpxDvo_2A=n2bqE_TeDLit620QSiywO44SuQ@mail.gmail.com>

Actually,

Would creating a script mapper, doing an LDAP lookup on the other AD server
and processing the response into the roles work?

IE can you extend the users roles from within a script mapper?

Thanks

Tom


On 5 January 2019 at 11:26:33, Tom Barber (tom at spicule.co.uk) wrote:

Hi folks,

This may have a simple answer in which case I apologise.

I?ve been tasked with fronting some web apps with Keycloak connected via
SAML to AD FS as the ID provider.

I found this
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html so
planned to do similar.

The next issue I face is that the AD FS service is hosted by a different
entity and we don?t have the ability to change yet we need to map roles in.

What extension points are there available to us in Keycloak that allows a
user to login but then have us assign roles by looking them up in a
*different* AD server and pulling their roles from there?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From sursma at yahoo.com  Sat Jan  5 08:26:30 2019
From: sursma at yahoo.com (Suresh Mali)
Date: Sat, 5 Jan 2019 13:26:30 +0000 (UTC)
Subject: [keycloak-user] getting resource owner and loggedin (identity) user
 attributes in evaluation context
References: <540021160.6603690.1546694790823.ref@mail.yahoo.com>
Message-ID: <540021160.6603690.1546694790823@mail.yahoo.com>

Each user has one or more resource e.g. 'account'
Each user is assigned one or more? agents.? (agent is different user in the system with role agent)
I have added them in user attributes?e.g?let us say? there is user_a? ?who has account resource
there are users with agent roles? say? 'agent_a', 'agent_b', 'agent_c'
In user_a? is attribute? I have added attribute
allowed_agents =? [ 'agent_a' ,'agent_b']
in agent_a & agent_b? have attibutes?
allowed_users =? ['user_a']?Now in policy evaluation? ?I want to ensure when agent_a & agent_b? try to access resource owned by user_a? they are allowed while agent_c is not allowed
how do I access resource owners? attributes? and? or? identity ownes attributes
I want to write a evaluation like?something like this?
is it possible to get?$permission.resource.owner.attributes["allowed_agent"]to return ['agent_a','agent_b']or?$identity.attributes['allowed_users']??to return ['user_a']? ?so that I can evaluate the match
something like beowrule "Authorize Resource Owner"?
? ? dialect "mvel"?
? ? when?
? ? ? ?$evaluation : Evaluation(?
? ? ? ? ? ?$identity: context.identity,?
? ? ? ? ? ?$permission: permission,?
? ? ? ? ? ?$permission.resource.owner.attribute['allowed_agents'].indexOf($identity.id)
? ? ? ?)?
? ? then?
? ? ? ? $evaluation.grant();?
end?






From dt at acutus.pro  Sat Jan  5 10:28:21 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 05 Jan 2019 18:28:21 +0300
Subject: [keycloak-user] getting resource owner and loggedin (identity)
 user attributes in evaluation context
In-Reply-To: <540021160.6603690.1546694790823@mail.yahoo.com>
References: <540021160.6603690.1546694790823.ref@mail.yahoo.com>
	<540021160.6603690.1546694790823@mail.yahoo.com>
Message-ID: <1546702101.6385.1.camel@acutus.pro>

Hello Suresh,

I've experimented a bit with JavaScript policy, I hope with Drools things will be similar.

You can obtain a user's custom attributes using the following expression:

	var attrs = $evaluation.realm.getUserAttributes(id);

where id is either $evaluation.context.identity.id (the user being authorized) or $evaluation.permission.resource.owner (UMA resource owner).

Hope this helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2019-01-05 at 13:26 +0000, Suresh Mali wrote:
> Each user has one or more resource e.g. 'account'
> Each user is assigned one or more? agents.? (agent is different user in the system with role agent)
> I have added them in user attributes?e.g?let us say? there is user_a? ?who has account resource
> there are users with agent roles? say? 'agent_a', 'agent_b', 'agent_c'
> In user_a? is attribute? I have added attribute
> allowed_agents =? [ 'agent_a' ,'agent_b']
> in agent_a & agent_b? have attibutes?
> allowed_users =? ['user_a']?Now in policy evaluation? ?I want to ensure when agent_a & agent_b? try to access resource owned by user_a? they are allowed while agent_c is not allowed
> how do I access resource owners? attributes? and? or? identity ownes attributes
> I want to write a evaluation like?something like this?
> is it possible to get?$permission.resource.owner.attributes["allowed_agent"]to return ['agent_a','agent_b']or?$identity.attributes['allowed_users']??to return ['user_a']? ?so that I can evaluate the match
> something like beowrule "Authorize Resource Owner"?
> ? ? dialect "mvel"?
> ? ? when?
> ? ? ? ?$evaluation : Evaluation(?
> ? ? ? ? ? ?$identity: context.identity,?
> ? ? ? ? ? ?$permission: permission,?
> ? ? ? ? ? ?$permission.resource.owner.attribute['allowed_agents'].indexOf($identity.id)
> ? ? ? ?)?
> ? ? then?
> ? ? ? ? $evaluation.grant();?
> end?
> 
> 
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From or at myobligo.com  Sun Jan  6 08:12:39 2019
From: or at myobligo.com (Or Harary)
Date: Sun, 6 Jan 2019 15:12:39 +0200
Subject: [keycloak-user] Can't request resource permissions by resource
 name by service account client and not user
In-Reply-To: <CAJ=iV3pyo-b+AXOAjWFvbRFt384xKER1t-RNSR6gLuRqD7v6Qw@mail.gmail.com>
References: <CAJ=iV3pyo-b+AXOAjWFvbRFt384xKER1t-RNSR6gLuRqD7v6Qw@mail.gmail.com>
Message-ID: <CAJ=iV3o6VKSQriSuR-J2dOOpBoK8TDOad2EhorbHP3jPzYtcSQ@mail.gmail.com>

Please help anyone? Here is another example:

I have 2 clients - "ClientA" and "ClientB". Both of them are confidential
resource servers.
"ClientA" has "ResourceA", which is owned by "ClientA", and it has a
pemission to grant access to everyone. (script - $evaluation.grant())

I'm getting a bearer token for "ClientB" using client_credentials, and then
i'm trying to check if "ClientB" has permissions to access "ResourceA" in
"ClientA" like this:

curl -X POST
http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/token \
-H "Authorization: Bearer {access_token}" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d
"grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=ClientA&permission=ResourceA&response_mode=permissions"

This gives me a resource not found error.

But, if I search by the ID or the resource, in the "permission" param, like
this: "permission={RESOURCE_UUID}", it does work.

Shouldn't it be possible check by the name, if the check by id works?


On Thu, Jan 3, 2019 at 6:24 PM Or Harary <or at myobligo.com> wrote:

> Hey,
>
> I'm using version 4.8.1 and i'm trying to check resource permissions on
> another client with the token endpoint, by the resource name, with a
> client's access token, and i'm getting "Resource with id [{resourceId}]
> does not exist".
>
> I have a service account client "foobarservice". I want this service
> account client, to check his permissions on a "foobaresource" resource from
> another client "otherservice".
>
> myrealm
> -- "foobarservice" Service Account Client
> -- -- foobar resource (with always grant policy and permission)
> -- "otherservice" Service Account Client
>
> I did "client_credentials" login with the "foobarservice" and got an
> access_token. With that token, I tried:
>
> curl -X POST
> http://keyclok:8080/auth/realms/myrealm/protocol/openid-connect/token \
> -H "Authorization: Bearer {foobarservice_access_token}" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> --data
> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=otherservice&permission=foobaresource&response_mode=permissions"
>
> And got 400 bad request with the not found error.
>
> When i'm doing the same request with some user's token, it works well.
>
> I looked into the code (my knowledge of JAVA is very basic) and it seems
> to be because of this:
>
> https://github.com/keycloak/keycloak/blob/f4f68438870768ac6cc18012cfae278f9ac1e163/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L421
>
> Is this the expected behavior? or a bug? Because when I used version 3.4
> it did work
>
> Thanks,
> Or
>

From codelkirby at gmail.com  Sun Jan  6 18:15:35 2019
From: codelkirby at gmail.com (Cono D'Elia)
Date: Sun, 6 Jan 2019 18:15:35 -0500
Subject: [keycloak-user] No Default theme - Null Pointer Exception
Message-ID: <CAG0QeD0cuecgzpYsCi6Py0QGxiqesC20EJLPpfh1jbw+Y+rbwA@mail.gmail.com>

Hi All:

My use case was to automatically direct the user to a custom theme
depending on the device they are using e.g: native mobile vs other. The
theme selector will make a decision based on User Agent and direct the
end-user accordingly.

I created a theme selector based on the source code snippets provided from
https://www.keycloak.org/docs/latest/server_development/index.html#_providers.
I basically did a copy and paste. I was able to deploy the theme and it
appeared in the Provider's tab in the Admin console. I copied the base
theme as 'my-theme'. When I restart the Keycloak server it fails to start
throwing an NPE indicating that there is No Default theme.

I was wondering if I needed any other code or configuration that is not
stated in that particular section to get this going? I couldn't find a
working sample online, so if I can be directed to one that would be great.

Thanks a bunch!
Chuck.

From Leigh.Kennedy at qlik.com  Sun Jan  6 21:59:32 2019
From: Leigh.Kennedy at qlik.com (Leigh Kennedy)
Date: Mon, 7 Jan 2019 02:59:32 +0000
Subject: [keycloak-user] keycloak helm chart SSL configuration
Message-ID: <MWHPR1801MB2061C9989FF2679AF46703509D890@MWHPR1801MB2061.namprd18.prod.outlook.com>

Hi,

I have been using keycloak for a while via the helm chart.  IT has been working find using http.  However I am trying to get it to use a certificate.  I have struggled to find any clear documentation on how to do this.  This is what I have at the moment (you can see commented out a few things I have tried.

keycloak:
  username: test
  password: xxx
  service:
    nodePort: 32666
    type: NodePort
  persistence:
    deployPostgres: false
    dbVendor: postgres
    dbName: keycloak
    dbHost: qmi-minikube.local.net
    dbPort: 5432
    dbUser: test
    dbPassword: xxx
  #extraEnv: |
  #  - name: PROXY_ADDRESS_FORWARDING
  #    value: "true"
  ingress:
    enabled: true
  #  annotations:
      #kubernetes.io/ingress.global-static-ip-name: "keycloak-static-ip"
  #    kubernetes.io/ingress.allow-http: "false"
  #    ingress.kubernetes.io/ssl-redirect: "true"
    path: /auth
    hosts:
      - keycloak.elastic.example
    tls:
      - hosts:
        - keycloak.elastic.example
        secretName: elastic-example-tls


Can anyone see what I am doing wrong here?  I know my certificate is ok as I use it in another nginx ingress config (not running while this one is) and It works fine.

Thanks.

Leigh Kennedy



From gperier at gmail.com  Mon Jan  7 03:12:13 2019
From: gperier at gmail.com (Gwenael Perier)
Date: Mon, 7 Jan 2019 09:12:13 +0100
Subject: [keycloak-user] [Api][Configuration]Create user from API rest : 401
	Unauthorized
Message-ID: <CACdPbm+qvAcGfjLvSBrJAasBzYD5UCxnM=zEPKXc=F9HCirZfQ@mail.gmail.com>

Hi everybody,

I tried to create a user from the rest API :
I've got my token from my client :

curl -X POST "
https://mykeycloak.io/auth/realms/myrealkm/protocol/openid-connect/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "client_secret=xxxxxxxxxxxxxx" \
 -d 'grant_type=client_credentials' \
 -d 'client_id=myclient-openid'

and i tried to create an user :

curl -X POST
'https://mykeycloak.io/auth/admin/realms/site5.bayardev.com/users' -H
'Authorization: Bearer MYACCESSTOKEN" -H 'Content-Type: application/json'
-d
'{"username":"cjbarker5","enabled":true,"emailVerified":false,"firstName":"CJ","lastName":"Barker","credentials":{"type":"password","value":"newPas1*","temporary":false}}'
-v

And i get only :  HTTP/1.1 401 Unauthorized

I tried to configure my client with roles (manage-users) Full Scope is
Allowed.

I don't know what to do for add the possibility to my client to add user in
keycloak.

Thanks for any advice.

From slaskawi at redhat.com  Mon Jan  7 03:22:22 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 7 Jan 2019 09:22:22 +0100
Subject: [keycloak-user] Java 11 (Docker container base)
In-Reply-To: <A2769845-42BF-4E72-B253-B4156519FD63@topicus.nl>
References: <A2769845-42BF-4E72-B253-B4156519FD63@topicus.nl>
Message-ID: <CAA9R9O7dbya3XNRq1vhKwd48UHh5_9gq9pWg=KP5mBAtu2FnMQ@mail.gmail.com>

It depends what do you mean by saying "underlying architecture". I assume,
you are interested in a situation when you run a Keycloak container on Mac
or Windows and you're not referring to the CPU architecture for example. If
my understanding is correct, yes, everything should work till 2023 (but as
Stian said, it is very likely we will move to JDK11 faster than that).

Here's another link that might explain this thing a little bit:
https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/

On Thu, Jan 3, 2019 at 3:40 PM Chris Brandhorst <Chris.Brandhorst at topicus.nl>
wrote:

> Sebastian,
>
> The link [1] only shows support on RHEL and Windows environments. Do you
> mean to say the 2023 date is also valid for OpenJDK running in the
> Docker-version of Keycloak, regardless of underlying architecture?
>
> [1] https://access.redhat.com/articles/1299013
>
> Chris
>
> > >From the support perspective, Red Hat offers extended support till June
> > 2023 [1].
> >
> > Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess
> we
> > still have plenty of time to do the switch, so I wouldn't rush things too
> > much.
> >
> > BTW, why do you need JDK11, especially in the container?
> >
> > [1] https://access.redhat.com/articles/1299013
> >
> >> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com>
> wrote:
> >>
> >> Sorry, end of january (my fault):
> >> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle
> Java
> >> and OpenJDK will most probably start to diverge, as OpenJDK will not
> have
> >> access to Oracle repos (afaik). So the speed of security fixes will
> depend
> >> on willigness of community to fix the upcomming issues.
> >>
> >> Pavel
> >>
> >>
> >> From: Meissa M'baye Sakho <msakho at redhat.com>
> >> Sent: Tuesday, October 23, 2018 11:04 AM
> >> To: Pavel Micka <Pavel.Micka at zoomint.com>
> >> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> >> Subject: Re: [keycloak-user] Java 11 (Docker container base)
> >>
> >> Hello,
> >> Pavel, where did you get the information that the official Java 8
> support
> >> will cease at the end of december?
> >> https://access.redhat.com/articles/1299013
> >> https://www.oracle.com/technetwork/java/javase/eol-135779.html
> >> Meissa
> >>
> >> Le lun. 22 oct. 2018 ? 16:33, Pavel Micka <Pavel.Micka at zoomint.com
> <mailto:
> >> Pavel.Micka at zoomint.com>> a ?crit :
> >> Hello everyone,
> >>
> >> What is the plan for Java 11 support? The point is that current versions
> >> of Docker containers are based on OpenJDK 8, but the official Java 8
> >> support will cease at the end of December. Will Keycloak use Java 11 by
> >> that time or will it rely on updates provided by the community.
> >>
> >> This is important to us, as Keycloak is important part of our app
> security.
> >>
> >> Thanks,
> >>
> >> Pavel
> >>
> >> // I have found this ticket in Jira, but it does not provide too many
> >> details: https://issues.jboss.org/browse/KEYCLOAK-7811
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org<mailto:keycloak-user at
> lists.jboss.org>
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hariprasad.n at ramyamlab.com  Mon Jan  7 07:03:14 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Mon, 7 Jan 2019 17:33:14 +0530
Subject: [keycloak-user] Common Client among multiple Realm
Message-ID: <CAAx=Gt8NcGskLEQoFTBP6ROzwoT1BZJD4aG09un=AipST8EjvA@mail.gmail.com>

Hi All,

         Can I have common client among multiple realms.
As per our product requirement we have to maintain multiple Tenants hence
multiple Realms, each Realm should have client with id 'enliven-ui' and
same client configuration.
The problem with this approach is when ever there is change in client
config.
examples:
1. Root URL is changed,
2. Redirect URL changed,
3. In Authorization I want to add new Resource/Policy/Permission/Scope.

Then I have to go admin console, then go to each individual realm and
select client 'enliven-ui' do the require changes or using admin REST API
do changes in each Realm programatically. Instead of this can I have common
client.

-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From slaskawi at redhat.com  Mon Jan  7 09:13:45 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 7 Jan 2019 15:13:45 +0100
Subject: [keycloak-user] Using Self Signed Certificate for SSL with
 Keycloak as authenticator
In-Reply-To: <CAE5MKW97WrZVvcE9cOnEfL89D40OA69ZO3kkzZj2XmTjBeMCvQ@mail.gmail.com>
References: <CAE5MKW97WrZVvcE9cOnEfL89D40OA69ZO3kkzZj2XmTjBeMCvQ@mail.gmail.com>
Message-ID: <CAA9R9O53u=tWiYN2WKUHL=8Opa3NVPjCB9a4Amz_wzLAJcFrHQ@mail.gmail.com>

I'm not sure about your setup but oftentimes, it's the other way around. A
client browser (or an application) initiates a connection to Keycloak (in
order to obtain or verify a token).

This kind of setup requires setting up a Keycloak instance with a keystore.
This two links should show you how to configure it [1].

[1]
https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-EnableSSL
[2] https://www.keycloak.org/docs/latest/server_admin/index.html#_ssl_modes

On Wed, Dec 19, 2018 at 10:11 AM Kunal Kumar <wolfbro92 at gmail.com> wrote:

> Hi all,
>
> I'd like to know if Keycloak is able to be connected to my test web app,
> which is currently running on a self signed certificate instead of an
> officially signed one?
>
> Regards,
> Kunal Kumar
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From gperier at gmail.com  Mon Jan  7 09:37:24 2019
From: gperier at gmail.com (Gwenael Perier)
Date: Mon, 7 Jan 2019 15:37:24 +0100
Subject: [keycloak-user] [Api][Configuration]Create user from API rest :
 401 Unauthorized
In-Reply-To: <CACdPbm+qvAcGfjLvSBrJAasBzYD5UCxnM=zEPKXc=F9HCirZfQ@mail.gmail.com>
References: <CACdPbm+qvAcGfjLvSBrJAasBzYD5UCxnM=zEPKXc=F9HCirZfQ@mail.gmail.com>
Message-ID: <CACdPbmL2=ona-bYNJ3Y4TW5+n4V9-X7svAvTsv+au3aGJyVtPw@mail.gmail.com>

Hi,

I try the basics tutorial and multiple configuration from :
https://github.com/v-ladynev/keycloak-nodejs-example.

I can login into my clients with client_credentials without problems or
login into the admin account with admin-cli client but after i always have
a 401 Unauthorized.
I tried to list  (realms / users) , to create users , etc .....

It's how i intented to do it :

#!/bin/bash

## there are these needed properties:
export KEYCLOAK_ADMIN_USERNAME=admin
export KEYCLOAK_PASSWORD=password

## get admin TKN
echo "* Request for Admin authorization"
export TKN=$(curl -k -X POST
'https://my.keycloak.io/auth/realms/master/protocol/openid-connect/token'
\
-H "Content-Type: application/x-www-form-urlencoded"  \
-d "username=$KEYCLOAK_ADMIN_USERNAME"  \
-d "password=$KEYCLOAK_PASSWORD" \
-d 'grant_type=password'  -d 'client_id=admin-cli' | jq -r '.access_token')
echo $TKN;

realms=`curl -v https://my.keycloak.io/auth/admin/realms/ -H
"Content-Type: application/json" -H "Authorization: Bearer $TKN" | jq
-r ".[].realm"`
echo "* List Realms"
echo $realms


## create user - it won't take the password and IDP's into account
#curl -v -k -X POST 'https://my.keycloak.io/auth/admin/realms/master/users' \
#-H "Accept: application/json" \
#-H "Content-Type:application/json" \
#-H "Authorization: Bearer $TKN_CLIENT" -d '{"username" : "test",
"enabled": true, "email" : "test at test.com", "firstName": "John",
"lastName": "Doe", "realmRoles": [ "offline_access"  ] }' | jq .

## get user ID by username
#userId=$(curl -k -H "Authorization: Bearer $TKN"
'https://my.keycloak.io/auth/admin/realms/master/users' | jq -r '.[] |
select(.username=="admin") | .id')


thanks in advance for your advice.


On Mon, 7 Jan 2019 at 09:12, Gwenael Perier <gperier at gmail.com> wrote:

> Hi everybody,
>
> I tried to create a user from the rest API :
> I've got my token from my client :
>
> curl -X POST "
> https://mykeycloak.io/auth/realms/myrealkm/protocol/openid-connect/token"
> \
>  -H "Content-Type: application/x-www-form-urlencoded" \
>  -d "client_secret=xxxxxxxxxxxxxx" \
>  -d 'grant_type=client_credentials' \
>  -d 'client_id=myclient-openid'
>
> and i tried to create an user :
>
> curl -X POST
> 'https://mykeycloak.io/auth/admin/realms/site5.bayardev.com/users' -H
> 'Authorization: Bearer MYACCESSTOKEN" -H 'Content-Type: application/json'
> -d
> '{"username":"cjbarker5","enabled":true,"emailVerified":false,"firstName":"CJ","lastName":"Barker","credentials":{"type":"password","value":"newPas1*","temporary":false}}'
> -v
>
> And i get only :  HTTP/1.1 401 Unauthorized
>
> I tried to configure my client with roles (manage-users) Full Scope is
> Allowed.
>
> I don't know what to do for add the possibility to my client to add user
> in keycloak.
>
> Thanks for any advice.
>
>

From sursma at yahoo.com  Mon Jan  7 15:11:05 2019
From: sursma at yahoo.com (Suresh Mali)
Date: Mon, 7 Jan 2019 20:11:05 +0000 (UTC)
Subject: [keycloak-user] rest api to get resource permission evalauted
References: <1061957605.7583728.1546891865904.ref@mail.yahoo.com>
Message-ID: <1061957605.7583728.1546891865904@mail.yahoo.com>

I have created resources via api? for a users?{kc-host}:{kc-port}/auth/realms/{realm}/authz/protection/resource_set/

I have created policy which decides based on the relation between the resource owner and identity user
like thisvar identity_user = $evaluation.context.identity.id;var resource_owner = $evaluation.permission.resource.getOwner();
var identity_user_attrs = $evaluation.realm.getUserAttributes(resource_owner) ;var allowed_agents = identity_user_attrs.allowed_agents ;if ( resource_owner == identity_user ){? ? $evaluation.grant();? ??}else if (allowed_agents !== null && allowed_agents[0].indexOf(identity_user) > -1 ) {? ? $evaluation.grant();}
else {? ? $evaluation.deny();}

I am able to evaluate the permission for various users & (agent users) on keycloak admin console in realm->client->autherization->evaluation tab It is evaluating properly
How can I get same permission/ deny from a rest api so that I can call from my client on behalf of identity user with identity users access token as autherization (or other method or autherization)
either simple permitted/deny or ?"permissions": [? ? ? {? ? ? ? "scopes": [? ? ? ? ? "read"? ? ? ? ],? ? ? ? "rsid": "e1617f7c-dffe-42c9-b91f-476e8a810c4a",? ? ? ? "rsname": "kyc1"? ? ? }? ? ]
kind of output is required
I tried  {kc-host}:{kc-port}/auth/realms/{realm}//authz/protection/permission

I get opaque permission ticket, how can I decode this?
thank you Suresh





From uo67113 at gmail.com  Tue Jan  8 03:35:32 2019
From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=)
Date: Tue, 8 Jan 2019 09:35:32 +0100
Subject: [keycloak-user] SSL connection to Keycloak Server
In-Reply-To: <CAE5MKW8q8Vy1K2CAAUO0SP9TbsKb+4gsELs8LL8gjA1d0cu0+w@mail.gmail.com>
References: <CAE5MKW8q8Vy1K2CAAUO0SP9TbsKb+4gsELs8LL8gjA1d0cu0+w@mail.gmail.com>
Message-ID: <CACp70M=Uy6jcm+7pc+g6PpTBspXUR83wR4CptwiesAyacKqG+w@mail.gmail.com>

Hello Kunal,

It looks like you have to update the "Valid Redirect URIs" field in your
client application, see [1].

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_clients






El mi?., 2 ene. 2019 a las 11:28, Kunal Kumar (<wolfbro92 at gmail.com>)
escribi?:

> Hi Luis,
>
> I am trying to configure SSL for Keycloak. I have already followed all the
> steps, configurations in standalone.xml, and also creating and authorizing
> the necessary certificates as well. But when connecting to my web app, it
> has this particular error as in the attached file
>
> Are you familiar with this error?
>
> Regards,
> Kunal
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From nikola.malenic at netsetglobal.rs  Tue Jan  8 04:07:36 2019
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Tue, 8 Jan 2019 10:07:36 +0100
Subject: [keycloak-user] Authorization of action in application (client
	of KC)
In-Reply-To: <1545398995.2097.10.camel@acutus.pro>
References: <01e201d4987c$b8cd83b0$2a688b10$@netsetglobal.rs>	
	<1545398364.2097.8.camel@acutus.pro>
	<1545398995.2097.10.camel@acutus.pro>
Message-ID: <007301d4a731$98fc88b0$caf59a10$@netsetglobal.rs>

Thank you very much, Dmitry. 
It seems that there is no any progress on this still so I'll probably have to implement something myself.
Maybe I should start by defining custom endpoint where users would be redirected to enter the OTP, not leveraging authentication SPI at all, what do you think?

Best regards,
Nikola

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro] 
Sent: Friday, December 21, 2018 2:30 PM
To: Nikola Malenic <nikola.malenic at netsetglobal.rs>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authorization of action in application (client of KC)

Sorry, forgot the link:
https://www.keycloak.org/docs/latest/server_development/index.html#_action_token_spi

Dmitry

On Fri, 2018-12-21 at 16:19 +0300, Dmitry Telegin wrote:
> Hello Nikola,
> 
> On Thu, 2018-12-20 at 16:57 +0100, Nikola Malenic wrote:
> > I have an use case where I have to authorize an action in my 
> > application taken by the user. Here is how it should go:
> > 
> > The user is logged in at KC and using my application. Now, my 
> > application would need to authorize one user action by sending the 
> > user to KC, where he would enter his OTP, and then, my application 
> > would get some kind of proof that user authorized the action (I 
> > don't know what should that be, yet).
> 
> Seems like what you want is "step-up authentication". It's been on the 
> list since 2014, but AFAIK still no progress to the moment:
> https://issues.jboss.org/browse/KEYCLOAK-847
> https://issues.jboss.org/browse/KEYCLOAK-4182
> http://lists.jboss.org/pipermail/keycloak-dev/2017-April/009245.html
> 
> I'm also adding Thomas Darimont to CC: as probably no one knows this 
> topic better than he does.
>  
> > Do you have any idea how this could be achieved using KC? I guess 
> > action SPI would somehow be used.
> 
> If you're talking about Action Token SPI [1], I'm afraid this is not 
> much relevant here. Action tokens are issued by Keycloak and allow 
> users to perform special actions like password reset. OTOH, your case 
> is about conditionally executing a part of authentication flow on the 
> client's request.
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> > 
> >  
> > 
> > Thank you in advance,
> > 
> > Nikola
> > 
> >  
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From craig at baseventure.com  Tue Jan  8 09:27:34 2019
From: craig at baseventure.com (Craig Setera)
Date: Tue, 8 Jan 2019 08:27:34 -0600
Subject: [keycloak-user] Change target after password change?
Message-ID: <CAPVdwjqYwBQ3YxV7ESNxcN6O_3GGBbWKiEoVmR2Vzn-_8B9ccg@mail.gmail.com>

Our current application uses PWM for password management tasks.  We use
their activation flow to set a password and also the forgotten password
flow to change the password.  In each of those cases, it is possible to
specify the page to redirect to once the flow has been completed.  This is
used by us to redirect them back to our application.  Is there anything
similar for Keycloak?  Right now, it seems like all of these flows end up
in the account management interface.

Thanks,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*

From Christian.Sandmeier at vivai.de  Tue Jan  8 11:57:20 2019
From: Christian.Sandmeier at vivai.de (Christian Sandmeier)
Date: Tue, 8 Jan 2019 16:57:20 +0000
Subject: [keycloak-user] UMA Share Resource with a User via AuthZ Client
Message-ID: <409BDDA6-73AD-4D11-800E-E994D0FCD122@vivai.de>

Hi All,

first of all Thanks for the great work. I have been using Keycloak in a
Project for a couple of Months now and really like it.

I started to try out the UMA 2.0 Flow because it would be very nice to be able to share a resource with other Users.

Given the following 4 Steps, i don't understand why the Permissions are not in the RPT token

// Code for Steps 1 and 2 taken from here
// https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
// Code for Steps 3 and 4 taken from here
// https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-user-entitlements


1) Creating a Resource "Resource A" with Owner "demo"

ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("demo");
resource.addScope("Scope A");

resource = getAuthzClient().protection().resource().create(resource);


2) Creating the User Permission for User "test"
UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();

newPermission.setName("User-Managed Permission");
newPermission.setDescription("User is allowed to access");
newPermission.addScope("Scope A");
newPermission.addUser("test");

ProtectionResource protection = getAuthzClient().protection("demo", "demo");
UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);


3) get a RPT for the User "test" for all Resources

AuthzClient authzClient = AuthzClient.create();
AuthorizationRequest request = new AuthorizationRequest();
AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
String rpt = response.getToken();


4) Listing the Permissions
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");

for (Permission granted : requestingPartyToken.getPermissions()) {
   System.out.println(granted);
}


The Resource and Permission are saved correctly, i can correctly read them via the AuthZ Client
but now i would assume that the Permission is in the RPT of the User "test".

Is this Assumption maybe already incorrect and i got a bit lost? Or is there probably a
problem in my Code because the Permission should be listed there?
Btw. if i skip Step 2) and instead share the the Resource with the User in the "Keycloak -> My Account-> My Resources" Page, it works. But not
with the UmaPermissionRepresentation.

Thank you in Advance

Best regards,

Christian Sandmeier

From lahari.guntha at tcs.com  Wed Jan  9 01:00:09 2019
From: lahari.guntha at tcs.com (Lahari  Guntha)
Date: Wed, 9 Jan 2019 06:00:09 +0000
Subject: [keycloak-user] Keycloak with volume Mount
Message-ID: <63a5369243dc4e4eae1f41ba0c1422cd@tcs.com>

Hi All,


I have launched keycloak as a container in a Virtual Machine. I have created Realms and configured clients to have SSO enabled for them.

For some reason I got to restart the Docker in the VM in which  I have this keycloak container. When I restarted docker service all the Configuration that was made earlier like the clients that I have configured are lost.

Can we make it persistent? Can we have any mount point so that we can save the data onto host and then bring up the container with the mount point?


Thanks and Regards,

Lahari G
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you



From jernej.porenta at 3fs.si  Wed Jan  9 03:53:20 2019
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Wed, 9 Jan 2019 09:53:20 +0100
Subject: [keycloak-user] Keycloak with volume Mount
In-Reply-To: <63a5369243dc4e4eae1f41ba0c1422cd@tcs.com>
References: <63a5369243dc4e4eae1f41ba0c1422cd@tcs.com>
Message-ID: <784BE309-8B17-4B83-8F53-2C92353CD679@3fs.si>

Hey,

you should use one of the persistent database options, but if you insist on using h2:
https://github.com/jhipster/generator-jhipster/issues/7157#issuecomment-367813386 <https://github.com/jhipster/generator-jhipster/issues/7157#issuecomment-367813386>

br, Jernej

> On 9 Jan 2019, at 07:00, Lahari Guntha <lahari.guntha at tcs.com> wrote:
> 
> Hi All,
> 
> 
> I have launched keycloak as a container in a Virtual Machine. I have created Realms and configured clients to have SSO enabled for them.
> 
> For some reason I got to restart the Docker in the VM in which  I have this keycloak container. When I restarted docker service all the Configuration that was made earlier like the clients that I have configured are lost.
> 
> Can we make it persistent? Can we have any mount point so that we can save the data onto host and then bring up the container with the mount point?
> 
> 
> Thanks and Regards,
> 
> Lahari G
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain 
> confidential or privileged information. If you are 
> not the intended recipient, any dissemination, use, 
> review, distribution, printing or copying of the 
> information contained in this e-mail message 
> and/or attachments to it are strictly prohibited. If 
> you have received this communication in error, 
> please notify us by reply e-mail or telephone and 
> immediately and permanently delete the message 
> and any attachments. Thank you
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3802 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190109/e3fc822f/attachment-0001.bin 

From androidkernelhacker at gmail.com  Wed Jan  9 08:05:33 2019
From: androidkernelhacker at gmail.com (Olga Bon)
Date: Wed, 9 Jan 2019 15:05:33 +0200
Subject: [keycloak-user] Refreshing ID token and sliding session
Message-ID: <CAGDnvkcancp=-1rL-1uK3Y4_UA=VZzgEK9Fe8ark5a=3wvVV9Q@mail.gmail.com>

I am studying Keycloak and related protocols OpenID & OAuth2. Everything is
clear except one thing, how to maintain the sliding session for a logged in
user. Maybe I misunderstand something.

   1. Authorization Flow first of all redirects a user to the keycloak
   login page, after successful login the user is redirected to the redirect
   url with the authorization code.
   2. Using this authorization code, a server side application connects to
   the keycloak server and exchanges the code for the Access token (also
   including client id, secret, etc) and ID token.
   3. Access token is used by the server side application itself in order
   to retrieve details from the keycloak server, like user additional info,
   public key, etc. So the Access token is used by applications only.
   4. The server side applications set a cookie with the received ID token.
   Now user can access protected resources.

All in all we have

   1. Access token stored on the server side and used only by applications
   or services to retrieve additional info from Keycloak.
   2. Refresh token stored on the server side and used only by application
   or services to get new Access token
   3. ID token stored in the user's cookies and used to access protected
   resources of the system.

My question is, how can the ID token be refreshed. Consider the following
case, a user is logged in and doing some actions in the system, but
suddenly toke got expired. How this case should be handled? I have
implemented my own flow called the Sliding session, so the token gets
refreshed if any request is made, however I don't know how to handle this
case with Keycloak.

I would be grateful for any help regarding the matter.

From sursma at yahoo.com  Wed Jan  9 12:19:42 2019
From: sursma at yahoo.com (Suresh Mali)
Date: Wed, 9 Jan 2019 17:19:42 +0000 (UTC)
Subject: [keycloak-user] entitlement api & Authorization API Endpoint not
 working (as documented)
References: <2040604231.8824957.1547054382305.ref@mail.yahoo.com>
Message-ID: <2040604231.8824957.1547054382305@mail.yahoo.com>

Hi? I am trying to trying to get available permissions for a user
I tried? autherization end point? as per the document??
? curl -X POST
    -H "Authorization: Bearer ${AAT}" -d '{
    "ticket" : ${PERMISSION_TICKET}
}' "http://localhost:8080/auth/realms/moneysmart/authz/user_mgt"
I get error?HTTP/1.1 404 Not Found
where $AAT below is users access token, moneysmart is realm and user_mgt is client_id? $PERMISSION ticket obtained from??http://localhost:8080/auth/realms/moneysmart/authz/protection/permission
Not permission ticket api works, 
I tried entitilement API?
curl -X GET \
    -H "Authorization: Bearer ${access_token}" \
    "http://localhost:8080/auth/realms/moneysmart/authz/entitlement/user_mgt"
This also gives error HTTP/1.1 404 Not Found

Is there something else missing in setup or something else?
-Suresh

From testoauth55 at gmail.com  Wed Jan  9 22:34:48 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 10 Jan 2019 09:04:48 +0530
Subject: [keycloak-user] Authorization : Scope cannot be added to
	multiple permission
In-Reply-To: <CANAVTmNEufpW__Zqvi003tiuy_22Ew=Tcohk+os+Qo+UU263Hg@mail.gmail.com>
References: <CANAVTmNEufpW__Zqvi003tiuy_22Ew=Tcohk+os+Qo+UU263Hg@mail.gmail.com>
Message-ID: <CANAVTmNb2TSgT+kUVw6EgP8db3uhemcG3yuL2YRbv30u_T8ang@mail.gmail.com>

Has anyone else faced this issue?

Can someone form keycloak team confirm the behavior?

There is also a JIRA for the same:

https://issues.jboss.org/browse/KEYCLOAK-9176


On Wed, Dec 12, 2018 at 3:50 PM Bruce Wings <testoauth55 at gmail.com> wrote:

> (The configuration discussed below is done under the Authorization tab)
>
> I have created Authorization Scope. When I create 2 scope based
> permissions : *Perm1 and Perm2 *and add this scope to both, *no error is
> shown and scope is successfully added.*
>
> But when I look at the scopes at my client end, I see that only 1
> permission has that scope. (scope gets reflected in whichever permission is
> added at the end. It gets disappeared from previous permission). Is this
> the intended behavior?
>
> The way I checked the scopes is by intercepting request and obtaining
> permission list in my Java client.
>
> *KeycloakSecurityContext keycloakSecurityContext =
> (KeycloakSecurityContext)
> request.getAttribute(KeycloakSecurityContext.class.getName());*
> *AuthorizationContext authzContext =
> keycloakSecurityContext.getAuthorizationContext();*
> *List<Permission> permList = (authzContext==null) ? null :
> authzContext.getPermissions();*
> *for(Permission perm : permList) {*
> *    Set<String> scopeList = perm.getScopes();*
> *        // other stuff*
> *}*
>

From fluffymarkz at gmail.com  Wed Jan  9 23:36:06 2019
From: fluffymarkz at gmail.com (Fluffy Mark Garces)
Date: Thu, 10 Jan 2019 12:36:06 +0800
Subject: [keycloak-user] (no subject)
Message-ID: <CAL_G_Xmxo_ZkAfsErQsPmQayQUpOeZda3ZC0NbTDTaTcy7uQdA@mail.gmail.com>

I would like to have a confirmation and consultant for the usage of
keycloak platform, I am new to this field and I havd been assigned to
provide an SSO solution for our project, after a bunch of research, I
decided to go to this platform hoping to solve the wanted feature:

+ goal: provide SSO solution to various SPs and/or IDPs (like our app can
be plugged in any existing IDP with multiple SP)

+ our application: "App A" would like to be an SP only? and can be proved
to integrate to other IDPs or SPs.

+ protocol to be used: SAML

I just want to know if this can be done with this platform.. any advice or
recommendations can be helpful, I would also like if possible to consult to
some of you guys privately, I hope.

Please help, I am just new to this and need people like you to guide me,

Thanks in advance

From massimo.redaelli at celsiuspro.com  Thu Jan 10 10:08:07 2019
From: massimo.redaelli at celsiuspro.com (Massimo Redaelli)
Date: Thu, 10 Jan 2019 15:08:07 +0000
Subject: [keycloak-user] keycloak-js: token in cookie
Message-ID: <1547132867410.90427@celsiuspro.com>

I read here:

http://lists.jboss.org/pipermail/keycloak-user/2014-December/001389.html


that (if I understood correctly) at the time the javascript adapter didn't support returning the token in a cookie rather than in the response body.


Is that still the case?


I'm writing a SPA and I'm faced with the problem of where to store the token. Most tutorials just put it in local storage, or in a variable in memory, but I read around that it's very susceptible to XSS attacks, while using a secure, httponly cookie is much safer.

What would you recommend?


Thanks


M.

From gareth.western+listman at gmail.com  Thu Jan 10 12:10:16 2019
From: gareth.western+listman at gmail.com (Gareth Western)
Date: Thu, 10 Jan 2019 18:10:16 +0100
Subject: [keycloak-user] Disable HTTP2 in Keycloak 4.6 container?
In-Reply-To: <CADor0XJT2O=VEEKadJQ56Hz47BDFxQvNRhEOD=+9AwpS-bDW1g@mail.gmail.com>
References: <CADor0XJT2O=VEEKadJQ56Hz47BDFxQvNRhEOD=+9AwpS-bDW1g@mail.gmail.com>
Message-ID: <CADor0XKhUTvEmJKTij=PKUovWXUKiV31s=iE50ZP=qpVzKk43Q@mail.gmail.com>

Just to confirm: disabling http2 in the standalone xml did fix the issue
for us.

We were also able to do this with a running instance using the jboss cli.
Thanks to Dmitry T. for the help!

On Wed, 19 Dec 2018, 14:02 Gareth Western <gareth.western+listman at gmail.com
wrote:

> It looks like the wildfly server used for the Keycloak 4.6.0.Final image
> is configured to use HTTP2. Is there an easy way to disable this? I think
> it might be the cause of some strange behaviour in Chrome, similar to as
> described here: https://issues.jboss.org/browse/KEYCLOAK-2656.
>
> The related 'test http2' issue is pending for the Keycloak 5.x release, so
> i assume Keycloak 4.x does not officially support HTTP2, is that correct?
>
> Kind regards,
> Gareth
>

From tom at spicule.co.uk  Thu Jan 10 19:12:30 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Thu, 10 Jan 2019 18:12:30 -0600
Subject: [keycloak-user] Cross client authentication
Message-ID: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>

Hi folks

Trying to solve a question for one of my web developers.

We have 2 apps one which authenticates against Keycloak using SAML and then
a GUI that uses OIDC. When a user logs into the GUI it then performs a rest
call to the SAML based client app.

This causes a 401 currently, but as soon as I visit the SAML app and
Keycloak logs in then the rest calls work. What aren?t we passing or config
am I missing?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From tom at spicule.co.uk  Thu Jan 10 19:33:35 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Fri, 11 Jan 2019 01:33:35 +0100
Subject: [keycloak-user] Cross client authentication
In-Reply-To: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>
References: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>
Message-ID: <CADibaRyesS1Dp9VW68qE708n357oivE1jKP67=TiRxD0dwLf6Q@mail.gmail.com>

Scrap that! Filter misconfiguration.


On 11 January 2019 at 00:12:30, Tom Barber (tom at spicule.co.uk) wrote:

Hi folks

Trying to solve a question for one of my web developers.

We have 2 apps one which authenticates against Keycloak using SAML and then
a GUI that uses OIDC. When a user logs into the GUI it then performs a rest
call to the SAML based client app.

This causes a 401 currently, but as soon as I visit the SAML app and
Keycloak logs in then the rest calls work. What aren?t we passing or config
am I missing?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From nikola.malenic at netsetglobal.rs  Fri Jan 11 04:58:05 2019
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Fri, 11 Jan 2019 10:58:05 +0100
Subject: [keycloak-user] Dynamically assign roles to user for single session
Message-ID: <007901d4a994$25d113a0$71733ae0$@netsetglobal.rs>

I have implemented different authenticators which users can choose when they
login.

 

Now, I would like to assign various roles to the user based on
authentication method user has chosen. Those roles would be assigned to the
user only in current session.

 

Is this possible to achieve? I used a mapper to put user's decision on
authentication method in the tokens, but how to map this property (field) to
the specific role/roles?

 

Best regards,

Nikola


From uo67113 at gmail.com  Fri Jan 11 05:06:50 2019
From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=)
Date: Fri, 11 Jan 2019 11:06:50 +0100
Subject: [keycloak-user] Cross client authentication
In-Reply-To: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>
References: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>
Message-ID: <CACp70MnJAGfwrw7Pf=7U008f_m8zpYSBWY6FMKDscg16GAv5yg@mail.gmail.com>

Hello Tom,

Once you visit the SAML app the an user session is created in the app and a
JSESSIONID cookie is store in your browser, that's why it works.

You have different ways of workaround this:

1. You can embed the gui component that makes the request to the SAML app
into an <iframe>. Iframe element can deal the SAML requests and responses.

2. In the past I did develop a "horrible hack" based on a
javax.servlet.Filter and a html page. The idea would be that at the first
request of the OIDC app the filter would generate on the fly a html page
with a link to the SAML app. This triggered the SAML authentication,
creating the user session in the app and storing the JSESSIONID cookie in
the user browser.

3. I recently solved the same issue using
org.keycloak.adapters.saml.servlet.SamlFilter. The idea would be to create
a your custom cookie and using it to make the cross-context requests. You
can have a look at the code in this gist [1]

Keep in mind that all of the above are workarounds. The cleanest way would
be not to use SAML for protecting the resources/API of your second
application. Probably OAUTH2/OIDC would work better, but I imagine that you
are dealing with some legacy code and you do not have too many options :)

Hope it helps,

Luis

[1] https://gist.github.com/lurodrig/83319a623692f573c4d2f91e16176fca




















El vie., 11 ene. 2019 a las 9:47, Tom Barber (<tom at spicule.co.uk>) escribi?:

> Hi folks
>
> Trying to solve a question for one of my web developers.
>
> We have 2 apps one which authenticates against Keycloak using SAML and then
> a GUI that uses OIDC. When a user logs into the GUI it then performs a rest
> call to the SAML based client app.
>
> This causes a 401 currently, but as soon as I visit the SAML app and
> Keycloak logs in then the rest calls work. What aren?t we passing or config
> am I missing?
>
> Thanks
>
> Tom
>
> --
>
>
> Spicule Limited is registered in England & Wales. Company Number:
> 09954122. Registered office: First Floor, Telecom House, 125-135 Preston
> Road, Brighton, England, BN1 6AF. VAT No. 251478891.
>
>
>
>
> All engagements
> are subject to Spicule Terms and Conditions of Business. This email and
> its
> contents are intended solely for the individual to whom it is addressed
> and
> may contain information that is confidential, privileged or otherwise
> protected from disclosure, distributing or copying. Any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Spicule Limited. The company accepts no
> liability for any damage caused by any virus transmitted by this email. If
> you have received this message in error, please notify us immediately by
> reply email before deleting it from your system. Service of legal notice
> cannot be effected on Spicule Limited by email.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From hariprasad.n at ramyamlab.com  Fri Jan 11 05:25:30 2019
From: hariprasad.n at ramyamlab.com (Hariprasad N)
Date: Fri, 11 Jan 2019 15:55:30 +0530
Subject: [keycloak-user] Common Clients, Client scopes,
	Roles among multi Realm
Message-ID: <CAAx=Gt8KSXBOM6DmHGNi+cfKM9pjVKWjiv3zVMZGJvVWeQnSmQ@mail.gmail.com>

Hi All,

Please let me know is there any way to share Clients, Client Scopes, Roles
among multiple Realm.
Because I want use single Clients configurations and Role configurations
among multiple Realm.

-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore ? 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>

From nhariprasad2018.2 at gmail.com  Fri Jan 11 05:28:51 2019
From: nhariprasad2018.2 at gmail.com (Hari Prasad)
Date: Fri, 11 Jan 2019 15:58:51 +0530
Subject: [keycloak-user] Common Clients, Client scopes,
	Roles among multi Realm
Message-ID: <CAPtTC61E7=0r+22HOejJRL=e0owSdeBTDwAKKNX-hMp8dZj_Hw@mail.gmail.com>

Hi All,

Please let me know is there any way to share Clients, Client Scopes, Roles
among multiple Realm.
Because I want use single Clients configurations and Role configurations
among multiple Realm.

Regards
Hari Prasad

From Christian.Sandmeier at vivai.de  Fri Jan 11 05:55:03 2019
From: Christian.Sandmeier at vivai.de (Christian Sandmeier)
Date: Fri, 11 Jan 2019 10:55:03 +0000
Subject: [keycloak-user] UMA Share Resource with a User via AuthZ Client
In-Reply-To: <409BDDA6-73AD-4D11-800E-E994D0FCD122@vivai.de>
References: <409BDDA6-73AD-4D11-800E-E994D0FCD122@vivai.de>
Message-ID: <1B34BEEE-0CFC-4FCF-9B46-A3012A385FFC@vivai.de>

Hi all,

as soon as i add concrete Resources to the AuthorizationRequest it works.

So in Step 3 i added

AuthorizationRequest request = new AuthorizationRequest();
request.addPermission(?resource id x?)
request.addPermission(?resource id y?)

Then the Permission for these Resources are shown in the RPT.

Best regards,

Christian

Am 08.01.2019 um 17:57 schrieb Christian Sandmeier <Christian.Sandmeier at vivai.de<mailto:Christian.Sandmeier at vivai.de>>:

Hi All,

first of all Thanks for the great work. I have been using Keycloak in a
Project for a couple of Months now and really like it.

I started to try out the UMA 2.0 Flow because it would be very nice to be able to share a resource with other Users.

Given the following 4 Steps, i don't understand why the Permissions are not in the RPT token

// Code for Steps 1 and 2 taken from here
// https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
// Code for Steps 3 and 4 taken from here
// https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-user-entitlements


1) Creating a Resource "Resource A" with Owner "demo"

ResourceRepresentation resource = new ResourceRepresentation();
resource.setName("Resource A");
resource.setOwnerManagedAccess(true);
resource.setOwner("demo");
resource.addScope("Scope A");

resource = getAuthzClient().protection().resource().create(resource);


2) Creating the User Permission for User "test"
UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();

newPermission.setName("User-Managed Permission");
newPermission.setDescription("User is allowed to access");
newPermission.addScope("Scope A");
newPermission.addUser("test");

ProtectionResource protection = getAuthzClient().protection("demo", "demo");
UmaPermissionRepresentation permission = protection.policy(resource.getId()).create(newPermission);


3) get a RPT for the User "test" for all Resources

AuthzClient authzClient = AuthzClient.create();
AuthorizationRequest request = new AuthorizationRequest();
AuthorizationResponse response = authzClient.authorization("test", "test").authorize(request);
String rpt = response.getToken();


4) Listing the Permissions
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
System.out.println("Token status is: " + requestingPartyToken.getActive());
System.out.println("Permissions granted by the server: ");

for (Permission granted : requestingPartyToken.getPermissions()) {
  System.out.println(granted);
}


The Resource and Permission are saved correctly, i can correctly read them via the AuthZ Client
but now i would assume that the Permission is in the RPT of the User "test".

Is this Assumption maybe already incorrect and i got a bit lost? Or is there probably a
problem in my Code because the Permission should be listed there?
Btw. if i skip Step 2) and instead share the the Resource with the User in the "Keycloak -> My Account-> My Resources" Page, it works. But not
with the UmaPermissionRepresentation.

Thank you in Advance

Best regards,

Christian Sandmeier
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user


From psilva at redhat.com  Fri Jan 11 06:52:42 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 11 Jan 2019 09:52:42 -0200
Subject: [keycloak-user] UMA Share Resource with a User via AuthZ Client
In-Reply-To: <1B34BEEE-0CFC-4FCF-9B46-A3012A385FFC@vivai.de>
References: <409BDDA6-73AD-4D11-800E-E994D0FCD122@vivai.de>
	<1B34BEEE-0CFC-4FCF-9B46-A3012A385FFC@vivai.de>
Message-ID: <CAJrcDBeKk5A69WP1sQ_SJDMAbUqeyrTshD67q7cWSRnzpVV2MQ@mail.gmail.com>

Hi,

Glad you got it working. I should probably update docs with that too, but
when doing UMA and requesting access to resources where the owner is not
the user you need to pass the resource ID. The reason is that resources can
have the same name if they belong to different owners, so you need to
explicitly inform the resource you want to access. If the owner is the
identity making the request, you can use names ....

On Fri, Jan 11, 2019 at 9:00 AM Christian Sandmeier <
Christian.Sandmeier at vivai.de> wrote:

> Hi all,
>
> as soon as i add concrete Resources to the AuthorizationRequest it works.
>
> So in Step 3 i added
>
> AuthorizationRequest request = new AuthorizationRequest();
> request.addPermission(?resource id x?)
> request.addPermission(?resource id y?)
>
> Then the Permission for these Resources are shown in the RPT.
>
> Best regards,
>
> Christian
>
> Am 08.01.2019 um 17:57 schrieb Christian Sandmeier <
> Christian.Sandmeier at vivai.de<mailto:Christian.Sandmeier at vivai.de>>:
>
> Hi All,
>
> first of all Thanks for the great work. I have been using Keycloak in a
> Project for a couple of Months now and really like it.
>
> I started to try out the UMA 2.0 Flow because it would be very nice to be
> able to share a resource with other Users.
>
> Given the following 4 Steps, i don't understand why the Permissions are
> not in the RPT token
>
> // Code for Steps 1 and 2 taken from here
> //
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
> // Code for Steps 3 and 4 taken from here
> //
> https://www.keycloak.org/docs/latest/authorization_services/index.html#obtaining-user-entitlements
>
>
> 1) Creating a Resource "Resource A" with Owner "demo"
>
> ResourceRepresentation resource = new ResourceRepresentation();
> resource.setName("Resource A");
> resource.setOwnerManagedAccess(true);
> resource.setOwner("demo");
> resource.addScope("Scope A");
>
> resource = getAuthzClient().protection().resource().create(resource);
>
>
> 2) Creating the User Permission for User "test"
> UmaPermissionRepresentation newPermission = new
> UmaPermissionRepresentation();
>
> newPermission.setName("User-Managed Permission");
> newPermission.setDescription("User is allowed to access");
> newPermission.addScope("Scope A");
> newPermission.addUser("test");
>
> ProtectionResource protection = getAuthzClient().protection("demo",
> "demo");
> UmaPermissionRepresentation permission =
> protection.policy(resource.getId()).create(newPermission);
>
>
> 3) get a RPT for the User "test" for all Resources
>
> AuthzClient authzClient = AuthzClient.create();
> AuthorizationRequest request = new AuthorizationRequest();
> AuthorizationResponse response = authzClient.authorization("test",
> "test").authorize(request);
> String rpt = response.getToken();
>
>
> 4) Listing the Permissions
> TokenIntrospectionResponse requestingPartyToken =
> authzClient.protection().introspectRequestingPartyToken(rpt);
> System.out.println("Token status is: " + requestingPartyToken.getActive());
> System.out.println("Permissions granted by the server: ");
>
> for (Permission granted : requestingPartyToken.getPermissions()) {
>   System.out.println(granted);
> }
>
>
> The Resource and Permission are saved correctly, i can correctly read them
> via the AuthZ Client
> but now i would assume that the Permission is in the RPT of the User
> "test".
>
> Is this Assumption maybe already incorrect and i got a bit lost? Or is
> there probably a
> problem in my Code because the Permission should be listed there?
> Btw. if i skip Step 2) and instead share the the Resource with the User in
> the "Keycloak -> My Account-> My Resources" Page, it works. But not
> with the UmaPermissionRepresentation.
>
> Thank you in Advance
>
> Best regards,
>
> Christian Sandmeier
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From uo67113 at gmail.com  Fri Jan 11 10:15:24 2019
From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=)
Date: Fri, 11 Jan 2019 16:15:24 +0100
Subject: [keycloak-user] Cross client authentication
In-Reply-To: <CADibaRyesS1Dp9VW68qE708n357oivE1jKP67=TiRxD0dwLf6Q@mail.gmail.com>
References: <CADibaRyM1QtptbehXikOMGQ03h3Nz+uP0FpWSUeT8AB-L1qZRw@mail.gmail.com>
	<CADibaRyesS1Dp9VW68qE708n357oivE1jKP67=TiRxD0dwLf6Q@mail.gmail.com>
Message-ID: <CACp70MkQDqsj67JfXeG7QU1STNH6_fvWV=yeO8M=vYNB_eUVog@mail.gmail.com>

Hello Tom,

What do you mean with filter misconfiguration? The web.xml fragment is the
declaration of my filter CustomKeycloakSamlFilter. I forgot to mention that
it extends org.keycloak.adapters.saml.servlet.SamlFilter

Cheers,

Luis





El vie., 11 ene. 2019 a las 14:47, Tom Barber (<tom at spicule.co.uk>)
escribi?:

> Scrap that! Filter misconfiguration.
>
>
> On 11 January 2019 at 00:12:30, Tom Barber (tom at spicule.co.uk) wrote:
>
> Hi folks
>
> Trying to solve a question for one of my web developers.
>
> We have 2 apps one which authenticates against Keycloak using SAML and then
> a GUI that uses OIDC. When a user logs into the GUI it then performs a rest
> call to the SAML based client app.
>
> This causes a 401 currently, but as soon as I visit the SAML app and
> Keycloak logs in then the rest calls work. What aren?t we passing or config
> am I missing?
>
> Thanks
>
> Tom
>
> --
>
>
> Spicule Limited is registered in England & Wales. Company Number:
> 09954122. Registered office: First Floor, Telecom House, 125-135 Preston
> Road, Brighton, England, BN1 6AF. VAT No. 251478891.
>
>
>
>
> All engagements
> are subject to Spicule Terms and Conditions of Business. This email and
> its
> contents are intended solely for the individual to whom it is addressed
> and
> may contain information that is confidential, privileged or otherwise
> protected from disclosure, distributing or copying. Any views or opinions
> presented in this email are solely those of the author and do not
> necessarily represent those of Spicule Limited. The company accepts no
> liability for any damage caused by any virus transmitted by this email. If
> you have received this message in error, please notify us immediately by
> reply email before deleting it from your system. Service of legal notice
> cannot be effected on Spicule Limited by email.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From vineet.reynolds at gmail.com  Fri Jan 11 14:24:01 2019
From: vineet.reynolds at gmail.com (Vineet Reynolds)
Date: Sat, 12 Jan 2019 00:54:01 +0530
Subject: [keycloak-user] Keycloak events related to token/session expiry
Message-ID: <CAONaNYLsKyn_WQDVZ5RDEZNpzYvWFeetDfWqZnDLExLrCqx5sg@mail.gmail.com>

My goal is to implement the event listener SPI to listen for logout
and session expiration events so that I could update a custom
attribute in the user model.

Does Keycloak generate any events that can be listened to, in order to
detect if the token or associated session has expired?

I've looked at the events listed in the EventType enumeration, and
none of them seem to be related to the specific expiration event. I
also enabled event logging, and no events related to expiry seemed to
appear in the Keycloak administration console; logout events were
generated when users signed out of the client app, but no event
appeared to generated on expiry.

I'm using Keycloak 3.4.3, but I suppose an answer for Keycloak 4.8
will be good enough for me.

Thanks,
Vineet

From wolfbro92 at gmail.com  Sat Jan 12 00:13:24 2019
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Sat, 12 Jan 2019 13:13:24 +0800
Subject: [keycloak-user] Error! Failed to send email
Message-ID: <CAE5MKW_PsNO4SprHb93OcSz1B6RERiatXnFH36yTHtCBHQ7QBA@mail.gmail.com>

Hi,

I am trying to use the Forgot Password function for my Keycloak
authentication. So I have already set On for the Forgot Password in the
Login section. And I have tried to set up a the configurations under Realm
> Email, where I put

Host : smtp.gmail.com
Port : 587

But when testing the connection, I keep getting the error *"Error! Failed
to send email".*

What could be the reason for this?

Regards,
Kunal

From vineet.reynolds at gmail.com  Sat Jan 12 07:40:22 2019
From: vineet.reynolds at gmail.com (Vineet Reynolds)
Date: Sat, 12 Jan 2019 18:10:22 +0530
Subject: [keycloak-user] Error! Failed to send email
In-Reply-To: <CAE5MKW_PsNO4SprHb93OcSz1B6RERiatXnFH36yTHtCBHQ7QBA@mail.gmail.com>
References: <CAE5MKW_PsNO4SprHb93OcSz1B6RERiatXnFH36yTHtCBHQ7QBA@mail.gmail.com>
Message-ID: <CAONaNYJhVrpAzbx4e4vP0Khom=Shc=zjBmwY=zq0giTEvfexRg@mail.gmail.com>

On Sat, Jan 12, 2019 at 10:44 AM Kunal Kumar <wolfbro92 at gmail.com> wrote:
>
> Hi,
>
> I am trying to use the Forgot Password function for my Keycloak
> authentication. So I have already set On for the Forgot Password in the
> Login section. And I have tried to set up a the configurations under Realm
> > Email, where I put
>
> Host : smtp.gmail.com
> Port : 587

Those settings look insufficient given that Google SMTP server uses
authentication, so you need to also supply a username and password.
Also, port 587 is for STARTTLS, so you are required to enable that as
well, but that's kind of irrelevant when you cannot supply auth
details.
>From what I see in the DefaultEmailSenderProvider, there is no option
to provide such settings through Keycloak's UI and use them when
connecting to an SMTP server.
You would have to implement your own EmailSenderProvider, and deploy
this as a module, to send mails via Google's SMTP servers.

>
> But when testing the connection, I keep getting the error *"Error! Failed
> to send email".*
>
> What could be the reason for this?
>
> Regards,
> Kunal
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vagelis.savvas at gmail.com  Sun Jan 13 05:29:43 2019
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Sun, 13 Jan 2019 12:29:43 +0200
Subject: [keycloak-user] Add dynamically resolved token claim
Message-ID: <bfd499d8-0e9f-0d9c-348a-b30502a5ae2c@gmail.com>

Hello,
I have an authenticator script and a mapper script and I would like to 
attach a piece of information
during login in the authenticator script then retrieve it in the mapper 
script and set it as a token claim.
(background: this piece of information originates from an extra input 
field of a custom login page and
I want it to appear in the user's access token in order to differentiate 
users based on it).

So, I can't use the user object to attach my info because its not fully 
reliable.
What would work best is to use an object that is unique per 
authentication session and available in both scripts.
The user object is both unique and available but is also a singleton.

Thus I've tried via keycloakSession.setAttribute('myInfo', value) in 
auth script and then keycloakSession.getAttribute('myInfo')
in mapper script? but it doesn't work (why isn't the keycloakSession 
object the same in the two scripts?).
I've also tried in auth script 
authenticationSession.setUserSessionNote('myInfo',value) and then 
userSession.getNote('myInfo')
in mapper script? but it doesn't work as well.
Any further ideas on how to solve this in a reliable way?

Cheers,
Vagelis

From wolfbro92 at gmail.com  Mon Jan 14 03:46:43 2019
From: wolfbro92 at gmail.com (Kunal Kumar)
Date: Mon, 14 Jan 2019 16:46:43 +0800
Subject: [keycloak-user] Custom Email Attribute
Message-ID: <CAE5MKW8ngSJPs5YPf95pGRbvXX=3bvM8jmQcHgcVn28s8rCeKQ@mail.gmail.com>

Hi,

There are some users from department in my company that uses the one SAME
EMAIL for all its users, eventhough they all have their own user IDs.
But Keycloak doesn't allow for different users to have the same email
address.

Is there any workaround for this? Lets say if I create a custom email
attribute that connects to the mail LDAP attribute, how do I make Keycloak
to recognise this custom email attribute as THE EMAIL ATTRIBUTE?

Regards,
Kunal

From l.lech at ringler.ch  Mon Jan 14 09:10:47 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 14 Jan 2019 14:10:47 +0000
Subject: [keycloak-user] Docker image http connection pool
Message-ID: <5E48B917000C984B86B77170F441903A188F6EF7@exch.ringler.ch>

Hello,

Maybe it's a trivial question, but I've failed to find an answer....

What is the default http connection pool size in keycloak docker image, and how can I configure it?

My keycloak instance fails by large number of requests, although it has enough CPU and RAM resources... so I suppose the connection pool size is too little...


Best regards,
Lukasz Lech

From chris.smith at cmfirstgroup.com  Mon Jan 14 12:19:05 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Mon, 14 Jan 2019 17:19:05 +0000
Subject: [keycloak-user] Suppression of basic challenge on login of Web App?
Message-ID: <CY4PR22MB02480955610822E5BB87B97A98800@CY4PR22MB0248.namprd22.prod.outlook.com>

I have a web app secured by KC.  It authenticates against out Active Directory and that appears to be working.

I'm developing using Tomcat as my web app server.

When on a Windows client of a machine that is a member of my Active Directory, and Windows Internet options are set, Both Chrome and Internet Explorer do not put up the Browser challenge or forward to the KC login page.

I have a requirement that a browser on a client that is not in my Active Directory log in with the users Active Directory user id and password.

After a successful login, everything is great.

My issue is that when running from a browser on a client that is not a member of the Active Directory domain, First the browser presents a Basic Challenge.  Then regardless of what is entered or if the challenge is dismissed, the browser forwards as expected to the KC login page.

How can the Basic Challenge Be suppressed?

My web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://xmlns.jcp.org/xml/ns/javaee"
	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
	id="WebApp_ID" version="3.1">
	<display-name>SSO-Example</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
	<login-config>
		<auth-method>KEYCLOAK</auth-method>
		<realm-name> MYREALM </realm-name>
	</login-config>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SSO-Example</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>
	<security-role>
		<role-name>user</role-name>
	</security-role>
</web-app>

My keycloak.json

{
  "realm": "MYREALM",
  "auth-server-url": "https://my.keycloak:8443/auth",
  "ssl-required": "external",
  "resource": "MYCLIENT",
  "verify-token-audience": true,
  "credentials": {
    "secret": "my secret"
  },
   "disable-trust-manager": true,
   "allow-any-hostname" : true,
  "use-resource-role-mappings": true,
  "confidential-port": 0
}


From chris.smith at cmfirstgroup.com  Mon Jan 14 12:41:41 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Mon, 14 Jan 2019 17:41:41 +0000
Subject: [keycloak-user] Kerberos Credential Delagation
Message-ID: <CY4PR22MB024891734969259A2F93C54398800@CY4PR22MB0248.namprd22.prod.outlook.com>

I have a web app that is secured by KC and uses Active Directory to authenticate users.
I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
SSO/EIM is successfully setup on the IBM i.

My Web app is following the instructions at 
https://www.keycloak.org/docs/latest/server_admin/index.html#credential-delegation

My servlet code
			KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
			AccessToken at = kcp.getKeycloakSecurityContext().getToken();
			String username = at.getPreferredUsername();
			System.out.println(at.getName());
			wtr.append("Windows User: ").append(username).append('\n');
			
			// Retrieve kerberos credential from accessToken and deserialize it
			Map<String, Object> otherClaims = at.getOtherClaims();
			String otherClaim = (String)otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
			GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);

The otherClaims  map is always empty.

KerberosSerializationUtils.deserializeCredential(otherClaim); throws this exception since otherClaim is null;

org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
	at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
	at testing.LogIn.doGet(LogIn.java:71)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
	at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Kerbos delegation is enabled in the browser and mapping of gss credential to access token 

What am I missing?




From nikola.malenic at netsetglobal.rs  Mon Jan 14 13:19:09 2019
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Mon, 14 Jan 2019 19:19:09 +0100
Subject: [keycloak-user] Fine Authorization on User Account Service
Message-ID: <003b01d4ac35$a49ec620$eddc5260$@netsetglobal.rs>

I am trying to disable access to the account service to all users by using
js policy (I have a reason for this).

So what I tried is to put just $evaluation.deny(); in the body of the
policy, to restrict access to all users.

In Evaluate tab I can see that this policy is denying access but when I
access account service application via browser I get access.

 

Anyone has an idea what could be wrong?

 

Here is my  Authorization config exported:

{

  "allowRemoteResourceManagement": false,

  "policyEnforcementMode": "ENFORCING",

  "resources": [

    {

      "name": "account_resource",

      "type": "urn:account:resources:accountresource",

      "ownerManagedAccess": false,

      "displayName": "account_resource",

      "attributes": {},

      "_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",

      "uris": [

        "/*"

      ]

    }

  ],

  "policies": [

    {

      "id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",

      "name": "auth_method_policy",

      "description": "Policy based on authentication method used",

      "type": "js",

      "logic": "POSITIVE",

      "decisionStrategy": "UNANIMOUS",

      "config": {

        "code": "// var context = $evaluation.getContext();\r\n// var
identity = context.getIdentity();\r\n// var attributes =
identity.getAttributes();\r\n\r\n// if
(attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpas
s')) {\r\n//     $evaluation.deny();\r\n// } else {\r\n//
$evaluation.deny();\r\n// }\r\n"

      }

    },

    {

      "id": "e2567a26-aa46-4f0f-aba7-421e35b90615",

      "name": "auth_based_permission",

      "type": "resource",

      "logic": "POSITIVE",

      "decisionStrategy": "UNANIMOUS",

      "config": {

        "resources": "[\"account_resource\"]",

        "applyPolicies": "[\"auth_method_policy\"]"

      }

    }

  ],

  "scopes": []

}


From psilva at redhat.com  Mon Jan 14 13:48:09 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 14 Jan 2019 16:48:09 -0200
Subject: [keycloak-user] Fine Authorization on User Account Service
In-Reply-To: <003b01d4ac35$a49ec620$eddc5260$@netsetglobal.rs>
References: <003b01d4ac35$a49ec620$eddc5260$@netsetglobal.rs>
Message-ID: <CAJrcDBcRofkChw1wYbt41MB-pNKZACzG=32rvBYV1jK04CytRw@mail.gmail.com>

The problem is that we don't enforce permissions when users are accessing
the account service. I think we should disable authorization settings to
account client and avoid confusion.

On Mon, Jan 14, 2019 at 4:32 PM Nikola Malenic <
nikola.malenic at netsetglobal.rs> wrote:

> I am trying to disable access to the account service to all users by using
> js policy (I have a reason for this).
>
> So what I tried is to put just $evaluation.deny(); in the body of the
> policy, to restrict access to all users.
>
> In Evaluate tab I can see that this policy is denying access but when I
> access account service application via browser I get access.
>
>
>
> Anyone has an idea what could be wrong?
>
>
>
> Here is my  Authorization config exported:
>
> {
>
>   "allowRemoteResourceManagement": false,
>
>   "policyEnforcementMode": "ENFORCING",
>
>   "resources": [
>
>     {
>
>       "name": "account_resource",
>
>       "type": "urn:account:resources:accountresource",
>
>       "ownerManagedAccess": false,
>
>       "displayName": "account_resource",
>
>       "attributes": {},
>
>       "_id": "778c2a62-4415-4cf1-a057-a60f0beeb0a4",
>
>       "uris": [
>
>         "/*"
>
>       ]
>
>     }
>
>   ],
>
>   "policies": [
>
>     {
>
>       "id": "4de5145d-4d34-411f-9b2a-d99cc361a08c",
>
>       "name": "auth_method_policy",
>
>       "description": "Policy based on authentication method used",
>
>       "type": "js",
>
>       "logic": "POSITIVE",
>
>       "decisionStrategy": "UNANIMOUS",
>
>       "config": {
>
>         "code": "// var context = $evaluation.getContext();\r\n// var
> identity = context.getIdentity();\r\n// var attributes =
> identity.getAttributes();\r\n\r\n// if
>
> (attributes.getValue(\"chosen_authenticator\").asString(0).endsWith('userpas
> s')) {\r\n//     $evaluation.deny();\r\n// } else {\r\n//
> $evaluation.deny();\r\n// }\r\n"
>
>       }
>
>     },
>
>     {
>
>       "id": "e2567a26-aa46-4f0f-aba7-421e35b90615",
>
>       "name": "auth_based_permission",
>
>       "type": "resource",
>
>       "logic": "POSITIVE",
>
>       "decisionStrategy": "UNANIMOUS",
>
>       "config": {
>
>         "resources": "[\"account_resource\"]",
>
>         "applyPolicies": "[\"auth_method_policy\"]"
>
>       }
>
>     }
>
>   ],
>
>   "scopes": []
>
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From l.lech at ringler.ch  Tue Jan 15 03:21:22 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Tue, 15 Jan 2019 08:21:22 +0000
Subject: [keycloak-user] Kubernetes: found IPv4 multicast address in an IPv6
	stack
Message-ID: <5E48B917000C984B86B77170F441903A18900512@exch.ringler.ch>

Hello,

I was succesfully running Keycloak as docker image (4.8.1), however, when I try to run in Kubernetes, I'm getting the following error:

07:53:34,742 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee: java.lang.IllegalStateException: java.lang.Exception: found IPv4 multicast address /230.0.0.4 in an IPv6 stack
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.IllegalStateException: java.lang.Exception: found IPv4 multicast address /230.0.0.4 in an IPv6 stack
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:58)
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:67)
... 7 more
Caused by: java.lang.Exception: found IPv4 multicast address /230.0.0.4 in an IPv6 stack
at org.jgroups.stack.Configurator.setDefaultValues(Configurator.java:137)
at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:829)
at org.jgroups.JChannel.<init>(JChannel.java:200)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:96)
... 9 more

Server seems to listen, going to / returns redirect to /auth, but going to /auth results in 404, no further error lands in logs...

Anyone has any idea what it can be?


Best regards,
Lukasz Lech


From slaskawi at redhat.com  Tue Jan 15 03:52:20 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 15 Jan 2019 09:52:20 +0100
Subject: [keycloak-user] Kubernetes: found IPv4 multicast address in an
 IPv6 stack
In-Reply-To: <5E48B917000C984B86B77170F441903A18900512@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A18900512@exch.ringler.ch>
Message-ID: <CAA9R9O6HDKhAREFPm6v96BkqSUKhFTq5ML843LfZhZkWx9MAeg@mail.gmail.com>

Hey Lukasz,

The clustering probably won't work in your setup. In other words, if you'd
like to add another Keycloak node to ensure HA or balance the load, that
won't work.

I guess, you're using IPv4 network in your datacenter, aren't you? If so,
please add -Djava.net.preferIPv4Stack=true switch to Keycloak to ensure,
JGroups use IPv4.

Thanks,
Sebastian

On Tue, Jan 15, 2019 at 9:22 AM Lukasz Lech <l.lech at ringler.ch> wrote:

> Hello,
>
> I was succesfully running Keycloak as docker image (4.8.1), however, when
> I try to run in Kubernetes, I'm getting the following error:
>
> 07:53:34,742 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> -- 52) MSC000001: Failed to start service
> org.wildfly.clustering.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service
> org.wildfly.clustering.jgroups.channel.ee:
> java.lang.IllegalStateException: java.lang.Exception: found IPv4 multicast
> address /230.0.0.4 in an IPv6 stack
> at
> org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
> at
> org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
> at
> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at
> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.lang.Thread.run(Thread.java:748)
> at org.jboss.threads.JBossThread.run(JBossThread.java:485)
> Caused by: java.lang.IllegalStateException: java.lang.Exception: found
> IPv4 multicast address /230.0.0.4 in an IPv6 stack
> at
> org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:116)
> at
> org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:58)
> at
> org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:67)
> ... 7 more
> Caused by: java.lang.Exception: found IPv4 multicast address /230.0.0.4
> in an IPv6 stack
> at org.jgroups.stack.Configurator.setDefaultValues(Configurator.java:137)
> at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:829)
> at org.jgroups.JChannel.<init>(JChannel.java:200)
> at
> org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:116)
> at
> org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:96)
> ... 9 more
>
> Server seems to listen, going to / returns redirect to /auth, but going to
> /auth results in 404, no further error lands in logs...
>
> Anyone has any idea what it can be?
>
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From l.lech at ringler.ch  Tue Jan 15 04:08:21 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Tue, 15 Jan 2019 09:08:21 +0000
Subject: [keycloak-user] Kubernetes: found IPv4 multicast address in an
 IPv6 stack
In-Reply-To: <CAA9R9O6HDKhAREFPm6v96BkqSUKhFTq5ML843LfZhZkWx9MAeg@mail.gmail.com>
References: <5E48B917000C984B86B77170F441903A18900512@exch.ringler.ch>
	<CAA9R9O6HDKhAREFPm6v96BkqSUKhFTq5ML843LfZhZkWx9MAeg@mail.gmail.com>
Message-ID: <5E48B917000C984B86B77170F441903A18904559@exch.ringler.ch>

Hello,

Thanks for the help, that flag was actually missing and it had to be done manually?

I don?t know how is it expected to work without it? Docker generally supports no IPv6 AFAIK?

From: Sebastian Laskawiec [mailto:slaskawi at redhat.com]
Sent: Dienstag, 15. Januar 2019 09:52
To: Lukasz Lech <l.lech at ringler.ch>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes: found IPv4 multicast address in an IPv6 stack

Hey Lukasz,

The clustering probably won't work in your setup. In other words, if you'd like to add another Keycloak node to ensure HA or balance the load, that won't work.

I guess, you're using IPv4 network in your datacenter, aren't you? If so, please add -Djava.net.preferIPv4Stack=true switch to Keycloak to ensure, JGroups use IPv4.

Thanks,
Sebastian

On Tue, Jan 15, 2019 at 9:22 AM Lukasz Lech <l.lech at ringler.ch<mailto:l.lech at ringler.ch>> wrote:
Hello,

I was succesfully running Keycloak as docker image (4.8.1), however, when I try to run in Kubernetes, I'm getting the following error:

07:53:34,742 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service org.wildfly.clustering.jgroups.channel.ee<http://org.wildfly.clustering.jgroups.channel.ee>: org.jboss.msc.service.StartException in service org.wildfly.clustering.jgroups.channel.ee<http://org.wildfly.clustering.jgroups.channel.ee>: java.lang.IllegalStateException: java.lang.Exception: found IPv4 multicast address /230.0.0.4<http://230.0.0.4> in an IPv6 stack
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.IllegalStateException: java.lang.Exception: found IPv4 multicast address /230.0.0.4<http://230.0.0.4> in an IPv6 stack
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:58)
at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:67)
... 7 more
Caused by: java.lang.Exception: found IPv4 multicast address /230.0.0.4<http://230.0.0.4> in an IPv6 stack
at org.jgroups.stack.Configurator.setDefaultValues(Configurator.java:137)
at org.jgroups.stack.ProtocolStack.init(ProtocolStack.java:829)
at org.jgroups.JChannel.<init>(JChannel.java:200)
at org.jboss.as.clustering.jgroups.JChannelFactory.createChannel(JChannelFactory.java:116)
at org.jboss.as.clustering.jgroups.subsystem.ChannelServiceConfigurator.get(ChannelServiceConfigurator.java:96)
... 9 more

Server seems to listen, going to / returns redirect to /auth, but going to /auth results in 404, no further error lands in logs...

Anyone has any idea what it can be?


Best regards,
Lukasz Lech

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com  Tue Jan 15 06:32:10 2019
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 15 Jan 2019 12:32:10 +0100
Subject: [keycloak-user] User federation via AD/LDAP - how to handle deleted
	users?
Message-ID: <CAK-7U1jB0N+rVhDCxyCGyTEpcMst9RgrMKCDW8h_qOqWHeHk6g@mail.gmail.com>

Hello,

currently, Keycloak (up to 4.8.2) does not handle the case where a user is
deleted in the federated user-store when the built-in LDAP / AD federation
provider is used.

The relevant code is located within the LDAPStorageProviderFactory:
https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430

There is a TODO which reads:
// TODO: Remove all existing Keycloak users, which have federation links,
but are not in LDAP. Perhaps don't check users, which were just added or
updated during this sync?

I wonder what would be the right thing to do in this case..
If the federated user-store dictates the truth, then IMHO the right thing
to do would be to also delete the user that is associated with the
user-storage provider federation link in Keycloak, if the linked AD / LDAP
user was deleted.

How do you handle this situation in your systems?

Cheers,
Thomas

From dharlaftis at ekt.gr  Tue Jan 15 06:48:33 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Tue, 15 Jan 2019 13:48:33 +0200
Subject: [keycloak-user] use keycloak security proxy to proxy to external url
Message-ID: <a584ab57-6635-4378-f6c1-fd3872b3bf59@ekt.gr>

Hello,

I am using the following scheme in docker containers

I use keycloak security proxy to proxy a test application (step 5) to an 
external url, which lies outside the host machine where the keycloak 
server and keycloak proxy lie. Keycloak uses ldap federation.

Keykloak proxy.json is the following

{

"target-url": "yyyyy.yyyyyy (url of external application",
"bind-address": "0.0.0.0",
"send-access-token": true,
"http-port": "8180",
"https-port": "8443",
"applications": [

{

"base-path": "/",
"adapter-config": {

"realm": "internal_applications",
"auth-server-url": "xxxxxx (url of keycloak auth server ",
"resource": "test_app",
"ssl-required": "external",
"credentials": {

"secret": "xxxxxxxxxxxxxxxxx"

}

},
"constraints": [

{

"pattern": "/*",
"authenticate": true

}

],
"proxy-address-forwarding": true

}

]

}

inside the keycloak server, i have set up a client such that (look the 
image beow)



this means that i want to proxy to www.google.com


The problem is that after a successful login, user is redirected to the 
test application BUT in the browser address bar remains the host machine 
domain name and NOT the external url.... strange...

if i change the "bind-address" parameter from 0.0.0.0 to the external IP 
or domain name where i want to proxy, the site is unavailable...


Note that inside the proxy docker container i can curl 
http://www.google.com with success.

I would be grateful for any help provided...

Regards,

Dimitris






-- 
_____________________________

Dimitris Charlaftis
Software Engineer

National Documentation Center
email: dharlaftis at ekt.gr
_____________________________



---
This email has been checked for viruses by AVG.
https://www.avg.com

From slaskawi at redhat.com  Tue Jan 15 07:36:27 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 15 Jan 2019 13:36:27 +0100
Subject: [keycloak-user] Docker image http connection pool
In-Reply-To: <5E48B917000C984B86B77170F441903A188F6EF7@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A188F6EF7@exch.ringler.ch>
Message-ID: <CAA9R9O5ZYAbVdoyX2cyie5i5OVHfJyzpizD9eh0e4dptyM4-RQ@mail.gmail.com>

Hey Lukasz,

Keycloak uses Wildfly, which in turn uses Undertow as a web server. You
might try to find some resources on Undertow/Wildfly performance tuning in
the web. I'm definitely not an expert in this field but you could start by
checking this links:
-
https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration
-
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/performance_tuning_guide/undertow_tuning
-
http://www.mastertheboss.com/jboss-server/jboss-performance/wildfly-performance-tuning

Thanks,
Sebastian

On Mon, Jan 14, 2019 at 3:22 PM Lukasz Lech <l.lech at ringler.ch> wrote:

> Hello,
>
> Maybe it's a trivial question, but I've failed to find an answer....
>
> What is the default http connection pool size in keycloak docker image,
> and how can I configure it?
>
> My keycloak instance fails by large number of requests, although it has
> enough CPU and RAM resources... so I suppose the connection pool size is
> too little...
>
>
> Best regards,
> Lukasz Lech
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mareklindner at neomailbox.ch  Tue Jan 15 10:47:56 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Tue, 15 Jan 2019 23:47:56 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
Message-ID: <2122907.Eh5HuVOojU@rousseau>

Hi,

I am working on a keycloak setup trying to replicate the photoz example. The 
'test' realm is configured as follows:

* UMA enabled
* has a client 'photoz' with Authorization enabled
* 2 authorization scopes: album:view & album:modify
* each scope has a scope-based 'only owner' permission associated (Javascript)
* 2 users: alice and bob

Alice creates a new album resouce with the following request:

POST /auth/realms/test/authz/protection/resource_set
{"name": "Amazing sunsets", "owner": "alice", "ownerManagedAccess": "true", 
"uri": "/albums/100", "type": "album", "resource_scopes": ["album:view", 
"album:modify"]}

Simulating Bob accessing album "Amazing sunsets" using the authorization 
evaluation tab, returns permission denied for both scopes (view & modify) as 
expected.

Now, Alice shares "Amazing sunsets" via the account management interface but 
limits the scope to 'view' by sharing 'album:view' only. 

Back to evaluating Bob's access:
* Scope album:view on "Amazing sunsets" is granted (yay!).
* Scope album:modify on "Amazing sunsets" also is granted ??

Why would Bob get full access if Alice only shared album:view ? The evaluation 
output even states that the granted album:view access was the reason why 
access to album:modify is granted too (see attached screenshot for details).  

Does anybody have a suggestion what I am missing here ?

Thanks,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: permission_evaluation_bob.png
Type: image/png
Size: 38115 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190115/0d6d206c/attachment-0001.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190115/0d6d206c/attachment-0001.bin 

From james.pridmore at ontexglobal.com  Tue Jan 15 11:51:42 2019
From: james.pridmore at ontexglobal.com (James Pridmore)
Date: Tue, 15 Jan 2019 16:51:42 +0000
Subject: [keycloak-user] Multi Tenancy
Message-ID: <VI1PR07MB4239CA4B6EB98E5D8D7C799492810@VI1PR07MB4239.eurprd07.prod.outlook.com>

Hi,

I wonder if you could offer some advice. We 're writing a React application and we are going to use keycloak for the security.

We have no prior experience using keycloak and we need to figure out the best way of representing our security model.

We have users and contracts, users might need to access different contracts and have different levels of security in each contract.

At the minute, we've set up each contract as a client, and granted a user permissions in each contract. When we log in, a user receives all permissions from every client in the JWT. I switched on Client Scope for each contract, and now we only get permissions for the individual client whose client_id I pass in when logging in. I'm having trouble switching between clients without having to re-log in (I was hoping to use the refresh token endpoint with a different client_ id for this).

I'd like to avoid sending all the permissions down in the token if possible.

Is there a better way of going about this, a better way of modelling out data within keycloak, what would you recommend?

Kind regards,

James


From marco.lamina at sap.com  Tue Jan 15 11:54:43 2019
From: marco.lamina at sap.com (Lamina, Marco)
Date: Tue, 15 Jan 2019 16:54:43 +0000
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <2122907.Eh5HuVOojU@rousseau>
References: <2122907.Eh5HuVOojU@rousseau>
Message-ID: <95C8CCE5-51F8-4842-AD10-17437B5B7F0F@sap.com>

I've had a similar problem, it might be related to this:

https://issues.jboss.org/browse/KEYCLOAK-9093
 

?On 1/15/19, 7:53 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Lindner" <keycloak-user-bounces at lists.jboss.org on behalf of mareklindner at neomailbox.ch> wrote:

    Hi,
    
    I am working on a keycloak setup trying to replicate the photoz example. The 
    'test' realm is configured as follows:
    
    * UMA enabled
    * has a client 'photoz' with Authorization enabled
    * 2 authorization scopes: album:view & album:modify
    * each scope has a scope-based 'only owner' permission associated (Javascript)
    * 2 users: alice and bob
    
    Alice creates a new album resouce with the following request:
    
    POST /auth/realms/test/authz/protection/resource_set
    {"name": "Amazing sunsets", "owner": "alice", "ownerManagedAccess": "true", 
    "uri": "/albums/100", "type": "album", "resource_scopes": ["album:view", 
    "album:modify"]}
    
    Simulating Bob accessing album "Amazing sunsets" using the authorization 
    evaluation tab, returns permission denied for both scopes (view & modify) as 
    expected.
    
    Now, Alice shares "Amazing sunsets" via the account management interface but 
    limits the scope to 'view' by sharing 'album:view' only. 
    
    Back to evaluating Bob's access:
    * Scope album:view on "Amazing sunsets" is granted (yay!).
    * Scope album:modify on "Amazing sunsets" also is granted ??
    
    Why would Bob get full access if Alice only shared album:view ? The evaluation 
    output even states that the granted album:view access was the reason why 
    access to album:modify is granted too (see attached screenshot for details).  
    
    Does anybody have a suggestion what I am missing here ?
    
    Thanks,
    Marek
    



From mposolda at redhat.com  Tue Jan 15 13:47:46 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 15 Jan 2019 19:47:46 +0100
Subject: [keycloak-user] User federation via AD/LDAP - how to handle
 deleted users?
In-Reply-To: <CAK-7U1jB0N+rVhDCxyCGyTEpcMst9RgrMKCDW8h_qOqWHeHk6g@mail.gmail.com>
References: <CAK-7U1jB0N+rVhDCxyCGyTEpcMst9RgrMKCDW8h_qOqWHeHk6g@mail.gmail.com>
Message-ID: <852a51cb-56a2-a32b-8877-bfcd2b9cea07@redhat.com>

Hi Thomas,

On 15/01/2019 12:32, Thomas Darimont wrote:
> Hello,
>
> currently, Keycloak (up to 4.8.2) does not handle the case where a user is
> deleted in the federated user-store when the built-in LDAP / AD federation
> provider is used.
>
> The relevant code is located within the LDAPStorageProviderFactory:
> https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430
>
> There is a TODO which reads:
> // TODO: Remove all existing Keycloak users, which have federation links,
> but are not in LDAP. Perhaps don't check users, which were just added or
> updated during this sync?
>
> I wonder what would be the right thing to do in this case..
> If the federated user-store dictates the truth, then IMHO the right thing
> to do would be to also delete the user that is associated with the
> user-storage provider federation link in Keycloak, if the linked AD / LDAP
> user was deleted.

yes, when you click the "Sync users" button, the users, which were 
deleted in LDAP, won't be directly deleted in Keycloak. However when you 
do any action in Keycloak related to that particular user (EG. attempt 
to login as that user or search the user from admin console), then user 
will be deleted from Keycloak DB and can't be seen in Keycloak anymore. 
See UserStorageManager.importValidation and LDAPStorageProvider.validate 
methods.

Marek

>
> How do you handle this situation in your systems?
>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From tkyjovsk at redhat.com  Tue Jan 15 14:18:37 2019
From: tkyjovsk at redhat.com (Tomas Kyjovsky)
Date: Tue, 15 Jan 2019 14:18:37 -0500 (EST)
Subject: [keycloak-user] Keycloak events related to token/session expiry
In-Reply-To: <CAONaNYLsKyn_WQDVZ5RDEZNpzYvWFeetDfWqZnDLExLrCqx5sg@mail.gmail.com>
References: <CAONaNYLsKyn_WQDVZ5RDEZNpzYvWFeetDfWqZnDLExLrCqx5sg@mail.gmail.com>
Message-ID: <1856578220.50657230.1547579917161.JavaMail.zimbra@redhat.com>

Hello Vineet,

Unfortunatelly Keycloak doesn't support generating token/session expiration events at this time, only for direct user-initiated logout.

I'm not sure what category this event would fall into. The login events are related to user-initiated actions (EventType.LOGOUT), and the admin events are specific to administrative operations.
This type of event isn't initiated by any user. It would have to be generated by a periodic task such as the one which removes the expired user sessions once in a while (ClearExpiredUserSessions.java in keycloak/services module).

Perhaps the best way is to create a feature request in the project's issue tracker so that the developers can consider how/if this can be solved.

https://issues.jboss.org/projects/KEYCLOAK/


Regards,
Tomas

----- Original Message -----
> My goal is to implement the event listener SPI to listen for logout
> and session expiration events so that I could update a custom
> attribute in the user model.
> 
> Does Keycloak generate any events that can be listened to, in order to
> detect if the token or associated session has expired?
> 
> I've looked at the events listed in the EventType enumeration, and
> none of them seem to be related to the specific expiration event. I
> also enabled event logging, and no events related to expiry seemed to
> appear in the Keycloak administration console; logout events were
> generated when users signed out of the client app, but no event
> appeared to generated on expiry.
> 
> I'm using Keycloak 3.4.3, but I suppose an answer for Keycloak 4.8
> will be good enough for me.
> 
> Thanks,
> Vineet
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 

From jpcampb2 at ncsu.edu  Tue Jan 15 16:00:26 2019
From: jpcampb2 at ncsu.edu (James Campbell)
Date: Tue, 15 Jan 2019 16:00:26 -0500
Subject: [keycloak-user] Use a docker secret in wildfly config
Message-ID: <CA+CEYa7gL4Wt7B6=Bxfa2cY_6KRsZ6W1cJqOJOfm5GExdwHJXw@mail.gmail.com>

Hi all--

Is it possible to use a docker secret (i.e. contents of a file mounted in
/run/secrets) in the wildfly/standalone.xml config to store a database
password? I saw the vault option, but if there's another way to take care
of that, it seemed preferable.

James

From Nithin.Chandrashekhar at Teradata.com  Tue Jan 15 16:22:48 2019
From: Nithin.Chandrashekhar at Teradata.com (Chandrashekhar, Nithin)
Date: Tue, 15 Jan 2019 21:22:48 +0000
Subject: [keycloak-user] How can I disable the user caching?
Message-ID: <7032EE22-1651-4A98-AE43-D502E45B73EC@teradata.com>

Hello,

Keycloak version: 4.8.0.Final
Login as user ?X? who belongs to 10 groups in openldap. I can see that user with 10 groups in the keycloak dashboard.
I make this user part of one more group in openldap server. But in the keycloak dashboard, I don?t see this new group getting added for the user.

I know that the new group not getting updated behavior is due to the caching. When I tried to invalidate the cache using Cache Policy under User Federation,
I see that groups for the user ?X? gets updated but in the overall groups, the new group gets duplicated.

I saw some posts online where I can disable user cache by setting userCache attribute in standalone.xml to false and restarting keycloak (using ./jboss-cli.sh --connect and reload).
But when I try to reload keycloak, I see Failed to establish connection in 6033ms. So I am not very sure if keycloak reloaded and the changes I made had any effect or not.

Please advise me on how I can disable user caching or if I am doing something wrong.

Thanks
Nithin

From marc at autonomic.ai  Tue Jan 15 18:28:01 2019
From: marc at autonomic.ai (Marc Spehlmann)
Date: Tue, 15 Jan 2019 15:28:01 -0800
Subject: [keycloak-user] RestEasy Client doesn't support logging in as a
	service account
Message-ID: <EBDAE160-F2DE-4054-8F05-1F57BCB4F05C@autonomic.ai>

I have tried to configure the RestEasy client to use a service account for one of my confidential clients. The Java code to configure the client looks like:

```
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

class Scratch {

    public static void main(String[] args) {
        final String server = "localhost:8082";
        final String realm = "master";
        final String clientSecret = "00000000-0000-0000-0000-000000000000";
        final String clientId = "MyClient";

        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(server)
                .realm(realm)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        keycloak.realm("master")
                .clients()
                .findAll();
    }
}
```

This will fail with the exception:

```
Exception in thread "main" java.lang.IllegalStateException: username required
	at org.keycloak.admin.client.KeycloakBuilder.build(KeycloakBuilder.java:131)
	at Scratch.main(scratch_41.java:17)
```

I have a workaround, but my question is, is there any plan to support service-accounts with the keycloak client?




From jprouty at cctus.com  Tue Jan 15 18:39:39 2019
From: jprouty at cctus.com (Jason Prouty)
Date: Tue, 15 Jan 2019 23:39:39 +0000
Subject: [keycloak-user] OTP only option Question
Message-ID: <TY2PR01MB321133975C7B7F9111D328BCB8810@TY2PR01MB3211.jpnprd01.prod.outlook.com>

I have my radius working to Keycloak with Username/PW.

I would like to use OTP only.

When configure the OTP settings I still get prompted for password then the OTP.

is it possilble to do OTP only and no password.



From mareklindner at neomailbox.ch  Tue Jan 15 21:19:31 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 10:19:31 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <95C8CCE5-51F8-4842-AD10-17437B5B7F0F@sap.com>
References: <2122907.Eh5HuVOojU@rousseau>
	<95C8CCE5-51F8-4842-AD10-17437B5B7F0F@sap.com>
Message-ID: <3230029.UJrOCytZat@rousseau>

On Wednesday, 16 January 2019 00:54:43 HKT Lamina, Marco wrote:
> I've had a similar problem, it might be related to this:
> 
> https://issues.jboss.org/browse/KEYCLOAK-9093

It may be related but I am not 100% sure yet. 

What do your policies & permissions look like ? If you compare your evaluation 
screenshot and mine you can see that my keycloak has a policy installed which 
forbids non-owners to access the resource. That DENY policy is overruled due 
to some unrelated scope.

In your case there seems to be no DENY at all. Could be you have an 'allow 
everybody' policy in place. Keycloak comes with such default policies you may 
want to look into.

Cheers,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/0ec0fd1a/attachment.bin 

From henning.waack at codecentric.de  Wed Jan 16 02:37:00 2019
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 16 Jan 2019 08:37:00 +0100
Subject: [keycloak-user] RestEasy Client doesn't support logging in as a
 service account
In-Reply-To: <EBDAE160-F2DE-4054-8F05-1F57BCB4F05C@autonomic.ai>
References: <EBDAE160-F2DE-4054-8F05-1F57BCB4F05C@autonomic.ai>
Message-ID: <CAGqTYaykBQF5b0hASOuGeg_xiNiwYXFZLRdkCh5qOg4FJSbz8Q@mail.gmail.com>

Hi Marc.

Try setting the grantType:

KeycloakBuilder builder = KeycloakBuilder.builder() //
        .realm(kcRealm) //
        .serverUrl(kcServerUrl)//
        .clientId(kcResource) //
        .clientSecret(kcClientSecret) //
        .grantType(OAuth2Constants.CLIENT_CREDENTIALS);


Hth, greetings

Henning

Am Mi., 16. Jan. 2019 um 00:29 Uhr schrieb Marc Spehlmann <marc at autonomic.ai
>:

> I have tried to configure the RestEasy client to use a service account for
> one of my confidential clients. The Java code to configure the client looks
> like:
>
> ```
> import org.keycloak.admin.client.Keycloak;
> import org.keycloak.admin.client.KeycloakBuilder;
>
> class Scratch {
>
>     public static void main(String[] args) {
>         final String server = "localhost:8082";
>         final String realm = "master";
>         final String clientSecret = "00000000-0000-0000-0000-000000000000";
>         final String clientId = "MyClient";
>
>         Keycloak keycloak = KeycloakBuilder.builder()
>                 .serverUrl(server)
>                 .realm(realm)
>                 .clientId(clientId)
>                 .clientSecret(clientSecret)
>                 .build();
>
>         keycloak.realm("master")
>                 .clients()
>                 .findAll();
>     }
> }
> ```
>
> This will fail with the exception:
>
> ```
> Exception in thread "main" java.lang.IllegalStateException: username
> required
>         at
> org.keycloak.admin.client.KeycloakBuilder.build(KeycloakBuilder.java:131)
>         at Scratch.main(scratch_41.java:17)
> ```
>
> I have a workaround, but my question is, is there any plan to support
> service-accounts with the keycloak client?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

Henning Waack | IT Consultant


codecentric AG | Hochstra?e 11
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>
|
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>

<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>42697
Solingen
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>
 |Deutschland
<https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Solingen+%C2%A0%7CDeutschland&entry=gmail&source=g>


tel: +49 (0)151 108 515 29

www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal

Vorstand: Michael Hochg?rtel . Ulrich K?hn . Rainer Vehns
Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus J?ger . J?rgen Sch?tz

Diese E-Mail einschlie?lich evtl. beigef?gter Dateien enth?lt vertrauliche
und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige
Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie
bitte sofort den Absender und l?schen Sie diese E-Mail und evtl.
beigef?gter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder ?ffnen
evtl. beigef?gter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist
nicht gestattet.

From psilva at redhat.com  Wed Jan 16 06:25:24 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 09:25:24 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <3230029.UJrOCytZat@rousseau>
References: <2122907.Eh5HuVOojU@rousseau>
	<95C8CCE5-51F8-4842-AD10-17437B5B7F0F@sap.com>
	<3230029.UJrOCytZat@rousseau>
Message-ID: <CAJrcDBc6dnvQqWEa=dfX1vEGUsSz_6BnA2s3MrLcJe4zuGiQzQ@mail.gmail.com>

Hi Marek,

Which version of Keycloak are you using?

I tried to reproduce the problem using upstream and the evaluation tool
looks correct by reporting only album:view. The same goes if obtaining an
RPT from the token endpoint.

On Wed, Jan 16, 2019 at 12:21 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 00:54:43 HKT Lamina, Marco wrote:
> > I've had a similar problem, it might be related to this:
> >
> > https://issues.jboss.org/browse/KEYCLOAK-9093
>
> It may be related but I am not 100% sure yet.
>
> What do your policies & permissions look like ? If you compare your
> evaluation
> screenshot and mine you can see that my keycloak has a policy installed
> which
> forbids non-owners to access the resource. That DENY policy is overruled
> due
> to some unrelated scope.
>
> In your case there seems to be no DENY at all. Could be you have an 'allow
> everybody' policy in place. Keycloak comes with such default policies you
> may
> want to look into.
>
> Cheers,
> Marek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mareklindner at neomailbox.ch  Wed Jan 16 06:29:51 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 19:29:51 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBc6dnvQqWEa=dfX1vEGUsSz_6BnA2s3MrLcJe4zuGiQzQ@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <3230029.UJrOCytZat@rousseau>
	<CAJrcDBc6dnvQqWEa=dfX1vEGUsSz_6BnA2s3MrLcJe4zuGiQzQ@mail.gmail.com>
Message-ID: <2439245.UX8uyKWrdV@rousseau>

Hi Pedro,

> Which version of Keycloak are you using?

I am using 4.8.2 Final (see attached screenshot).


> I tried to reproduce the problem using upstream and the evaluation tool
> looks correct by reporting only album:view. The same goes if obtaining an
> RPT from the token endpoint.

Can you share a screenshot of your evaluation tool result ? Does it correctly 
DENY access ?

I can also share my server config json if this helps.

Thanks,
Marek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak_info.png
Type: image/png
Size: 12060 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/c1b9ebb3/attachment-0001.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/c1b9ebb3/attachment-0001.bin 

From psilva at redhat.com  Wed Jan 16 06:38:45 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 09:38:45 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <2439245.UX8uyKWrdV@rousseau>
References: <2122907.Eh5HuVOojU@rousseau> <3230029.UJrOCytZat@rousseau>
	<CAJrcDBc6dnvQqWEa=dfX1vEGUsSz_6BnA2s3MrLcJe4zuGiQzQ@mail.gmail.com>
	<2439245.UX8uyKWrdV@rousseau>
Message-ID: <CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>

Here it is.

On Wed, Jan 16, 2019 at 9:30 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> Hi Pedro,
>
> > Which version of Keycloak are you using?
>
> I am using 4.8.2 Final (see attached screenshot).
>
>
> > I tried to reproduce the problem using upstream and the evaluation tool
> > looks correct by reporting only album:view. The same goes if obtaining an
> > RPT from the token endpoint.
>
> Can you share a screenshot of your evaluation tool result ? Does it
> correctly
> DENY access ?
>
> I can also share my server config json if this helps.
>
> Thanks,
> Marek
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: evaluation_result.png
Type: image/png
Size: 39779 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/3303876c/attachment-0001.png 

From psilva at redhat.com  Wed Jan 16 06:40:27 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 09:40:27 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <3230029.UJrOCytZat@rousseau>
	<CAJrcDBc6dnvQqWEa=dfX1vEGUsSz_6BnA2s3MrLcJe4zuGiQzQ@mail.gmail.com>
	<2439245.UX8uyKWrdV@rousseau>
	<CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>
Message-ID: <CAJrcDBdnBqs2BQRDUmdbYpd6XS0H4WBGwcNQHsCR5hFyUDahCQ@mail.gmail.com>

Basically, I imported the "photoz" realm from that quickstart and removed
everything except the scopes and policies. Then I followed your steps to
reproduce the issue.

On Wed, Jan 16, 2019 at 9:38 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Here it is.
>
> On Wed, Jan 16, 2019 at 9:30 AM Marek Lindner <mareklindner at neomailbox.ch>
> wrote:
>
>> Hi Pedro,
>>
>> > Which version of Keycloak are you using?
>>
>> I am using 4.8.2 Final (see attached screenshot).
>>
>>
>> > I tried to reproduce the problem using upstream and the evaluation tool
>> > looks correct by reporting only album:view. The same goes if obtaining
>> an
>> > RPT from the token endpoint.
>>
>> Can you share a screenshot of your evaluation tool result ? Does it
>> correctly
>> DENY access ?
>>
>> I can also share my server config json if this helps.
>>
>> Thanks,
>> Marek
>>
>>

From puneethmi at gmail.com  Wed Jan 16 06:43:12 2019
From: puneethmi at gmail.com (Puneeth M I)
Date: Wed, 16 Jan 2019 17:13:12 +0530
Subject: [keycloak-user] Create initial access token from command line
Message-ID: <CACv+PfdZKy2HEdXxKa-phJvTPFBJR1cp3pny-MQCpz8GX7JV3g@mail.gmail.com>

Hi,

I want to create an initial access token with expiration=60 seconds and
count=1 from command line using admin-cli through kcadm.sh script or a curl
command and share with the clients to register(create clients) themselves
at keycloak. I am using the following curl command as per the keycloak
document but I am getting 401 unauthorized error. I am create an Initial
access token from admin console but I don't want to expose it. *Please let
me know on how to generate InitialAccessToken from CLI to register a
client. *



*# curl -i -H 'Content-Type: application/json' -X
POST http://<keycloak-IP>:<port>/auth/admin/realms/master/clients-initial-access
<http://10.91.96.30:8665/auth/admin/realms/master/clients-initial-access> -d
"client_id=admin-cli&grant_type=password&username=admin&password=admin"*
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Length: 0
Date: Tue, 15 Jan 2019 09:16:07 GMT



*I am able to register a client using the access token obtained from below
command but I cannot control it for number of client registrations.*

# *curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X
POST http://<keycloak-ip>:<port>/auth/realms/master/protocol/openid-connect/token
<http://10.91.96.30:8665/auth/realms/master/protocol/openid-connect/token> -d
"client_id=admin-cli&grant_type=password&username=admin&password=admin"*

   1. HTTP/1.1 200 OK
   Connection: keep-alive
   Cache-Control: no-store
   Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10
   GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
   Pragma: no-cache
   Content-Type: application/json
   Content-Length: 1848
   Date: Tue, 15 Jan 2019 06:37:47 GMT

{"access_token":"eyJhbGciOiJSUzI1NiIs....","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOi.....","token_type":"bearer","not-before-policy":0,"session_state":"7af01cbb-f268-4263-bed2-c11a14008949","scope":"email
profile"}

I am using Keycloak - Version *4.5.0* in standalone-HA mode.

Regards,
Puneeth

From mareklindner at neomailbox.ch  Wed Jan 16 06:51:03 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 19:51:03 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <2439245.UX8uyKWrdV@rousseau>
	<CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>
Message-ID: <6147278.qha3vkqHrA@rousseau>

On Wednesday, 16 January 2019 19:38:45 HKT Pedro Igor Silva wrote:
> Here it is.

Thanks! The difference between your evaluation test and mine appears to be 
that you tested the shared scope.

To summarize:
a) Alice does allow Bob to perform album:view.
b) Alice does not allow Bob to perform album:modify. 

When Bob tries to access album:view I'd expect PERMIT whereas when 
album:modify is attempted DENY should be the result. Do we agree ?

I attached screenshots for both evaluation attempts. Both (view and modify) 
yield PERMIT. That should not be the case or am I missing something ?

Regards,
Marek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bob_album_modify.png
Type: image/png
Size: 38115 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/6c3d92dc/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bob_album_view.png
Type: image/png
Size: 40756 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/6c3d92dc/attachment-0003.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/6c3d92dc/attachment-0001.bin 

From psilva at redhat.com  Wed Jan 16 06:58:30 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 09:58:30 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <6147278.qha3vkqHrA@rousseau>
References: <2122907.Eh5HuVOojU@rousseau> <2439245.UX8uyKWrdV@rousseau>
	<CAJrcDBf-chXq31oFsDFd9J=dQFBwcCrf41voCx_Uznb1NcvgjA@mail.gmail.com>
	<6147278.qha3vkqHrA@rousseau>
Message-ID: <CAJrcDBdavx4UKkEeSuHsTg_gGBQbrYsSM1vgym2=__=wf8Rpig@mail.gmail.com>

Now I see. The result is giving a false-positive but the set of granted
permissions should be correct.

To check that, could you click "Show Authorization Data" link on the top of
the result page and see how the permissions look like in the generated
token? You should see:

"authorization": {
    "permissions": [
      {
        "scopes": [
          "album:view"
        ],
        "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
        "rsname": "Amazing sunsets"
      }
    ]
  },

On Wed, Jan 16, 2019 at 9:51 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 19:38:45 HKT Pedro Igor Silva wrote:
> > Here it is.
>
> Thanks! The difference between your evaluation test and mine appears to be
> that you tested the shared scope.
>
> To summarize:
> a) Alice does allow Bob to perform album:view.
> b) Alice does not allow Bob to perform album:modify.
>
> When Bob tries to access album:view I'd expect PERMIT whereas when
> album:modify is attempted DENY should be the result. Do we agree ?
>
> I attached screenshots for both evaluation attempts. Both (view and
> modify)
> yield PERMIT. That should not be the case or am I missing something ?
>
> Regards,
> Marek
>
>

From mareklindner at neomailbox.ch  Wed Jan 16 07:01:56 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 20:01:56 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBdavx4UKkEeSuHsTg_gGBQbrYsSM1vgym2=__=wf8Rpig@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <6147278.qha3vkqHrA@rousseau>
	<CAJrcDBdavx4UKkEeSuHsTg_gGBQbrYsSM1vgym2=__=wf8Rpig@mail.gmail.com>
Message-ID: <3547362.3auZNeVte6@rousseau>

On Wednesday, 16 January 2019 19:58:30 HKT Pedro Igor Silva wrote:
> Now I see. The result is giving a false-positive but the set of granted
> permissions should be correct.
> 
> To check that, could you click "Show Authorization Data" link on the top of
> the result page and see how the permissions look like in the generated
> token? You should see:
> 
> "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "album:view"
>         ],
>         "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
>         "rsname": "Amazing sunsets"
>       }
>     ]
>   },

Bob's album:view:

  "authorization": {
    "permissions": [
      {
        "scopes": [
          "album:view"
        ],
        "rsid": "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b",
        "rsname": "Amazing sunsets"
      }
    ]
  }

Bob's album:modify (false-positive):

 "authorization": {
    "permissions": [
      {
        "scopes": [
          "album:view"
        ],
        "rsid": "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b",
        "rsname": "Amazing sunsets"
      }
    ]
  }

Regards,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/668b5fe9/attachment.bin 

From psilva at redhat.com  Wed Jan 16 07:13:56 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 10:13:56 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <3547362.3auZNeVte6@rousseau>
References: <2122907.Eh5HuVOojU@rousseau> <6147278.qha3vkqHrA@rousseau>
	<CAJrcDBdavx4UKkEeSuHsTg_gGBQbrYsSM1vgym2=__=wf8Rpig@mail.gmail.com>
	<3547362.3auZNeVte6@rousseau>
Message-ID: <CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>

Thanks. I think we are on the same page then. Created
https://issues.jboss.org/browse/KEYCLOAK-9337.

Please, for now, ignore that result and consider the set of the actual
granted permissions.

Regards.
Pedro Igor

On Wed, Jan 16, 2019 at 10:02 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 19:58:30 HKT Pedro Igor Silva wrote:
> > Now I see. The result is giving a false-positive but the set of granted
> > permissions should be correct.
> >
> > To check that, could you click "Show Authorization Data" link on the top
> of
> > the result page and see how the permissions look like in the generated
> > token? You should see:
> >
> > "authorization": {
> >     "permissions": [
> >       {
> >         "scopes": [
> >           "album:view"
> >         ],
> >         "rsid": "7e1ae12b-e733-4090-9f84-8242f9192288",
> >         "rsname": "Amazing sunsets"
> >       }
> >     ]
> >   },
>
> Bob's album:view:
>
>   "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "album:view"
>         ],
>         "rsid": "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b",
>         "rsname": "Amazing sunsets"
>       }
>     ]
>   }
>
> Bob's album:modify (false-positive):
>
>  "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "album:view"
>         ],
>         "rsid": "2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b",
>         "rsname": "Amazing sunsets"
>       }
>     ]
>   }
>
> Regards,
> Marek
>

From mareklindner at neomailbox.ch  Wed Jan 16 07:31:14 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 20:31:14 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <3547362.3auZNeVte6@rousseau>
	<CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>
Message-ID: <3846154.t6rrfbgVF5@rousseau>

On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> Thanks. I think we are on the same page then. Created
> https://issues.jboss.org/browse/KEYCLOAK-9337.
> 
> Please, for now, ignore that result and consider the set of the actual
> granted permissions.

Thanks for opening that bug. However, let me point out that this issue is not 
limited to the evaluation tool. The UMA policy API evaluation is affected too. 
Here the call for checking permissions:

POST /auth/realms/test/protocol/openid-connect/token
grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
&permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
&audience=photoz&response_mode=decision

returns: {"result":true}

Haven't tested RPT tickets but it is somewhat reasonable to assume those
are affected too. Looks like the policy logic is fine with any scope shared
to grant permission for all scopes.

Regards,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/360b7a1b/attachment.bin 

From psilva at redhat.com  Wed Jan 16 07:37:18 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 10:37:18 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <3846154.t6rrfbgVF5@rousseau>
References: <2122907.Eh5HuVOojU@rousseau> <3547362.3auZNeVte6@rousseau>
	<CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>
	<3846154.t6rrfbgVF5@rousseau>
Message-ID: <CAJrcDBe9gsjVuFsMuT1D9kY5xMFCxpm+MYdW0YSO_g5t1+=DGA@mail.gmail.com>

Now you are talking about https://github.com/keycloak/keycloak/pull/5833.
Which is related to the "decision" response mode returning a
false-positive. However, both RPT and "permissions" response mode returns
the correct permissions.

On Wed, Jan 16, 2019 at 10:31 AM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> > Thanks. I think we are on the same page then. Created
> > https://issues.jboss.org/browse/KEYCLOAK-9337.
> >
> > Please, for now, ignore that result and consider the set of the actual
> > granted permissions.
>
> Thanks for opening that bug. However, let me point out that this issue is
> not
> limited to the evaluation tool. The UMA policy API evaluation is affected
> too.
> Here the call for checking permissions:
>
> POST /auth/realms/test/protocol/openid-connect/token
> grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
> &permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
> &audience=photoz&response_mode=decision
>
> returns: {"result":true}
>
> Haven't tested RPT tickets but it is somewhat reasonable to assume those
> are affected too. Looks like the policy logic is fine with any scope shared
> to grant permission for all scopes.
>
> Regards,
> Marek
>

From geoff at opticks.io  Wed Jan 16 07:38:21 2019
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Wed, 16 Jan 2019 13:38:21 +0100
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <3846154.t6rrfbgVF5@rousseau>
References: <2122907.Eh5HuVOojU@rousseau> <3547362.3auZNeVte6@rousseau>
	<CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>
	<3846154.t6rrfbgVF5@rousseau>
Message-ID: <CAHzT=q82W1oknPpoJXpQuH7XVQmQ+UCOibW5zVyyxAhYCZdwWQ@mail.gmail.com>

Due to the bugs you and Marco are discussing, you should not use
response_mode=decision but instead need to examine the scopes that are
returned in the token.

On Wed, 16 Jan 2019 at 13:36, Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
> > Thanks. I think we are on the same page then. Created
> > https://issues.jboss.org/browse/KEYCLOAK-9337.
> >
> > Please, for now, ignore that result and consider the set of the actual
> > granted permissions.
>
> Thanks for opening that bug. However, let me point out that this issue is
> not
> limited to the evaluation tool. The UMA policy API evaluation is affected
> too.
> Here the call for checking permissions:
>
> POST /auth/realms/test/protocol/openid-connect/token
> grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
> &permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
> &audience=photoz&response_mode=decision
>
> returns: {"result":true}
>
> Haven't tested RPT tickets but it is somewhat reasonable to assume those
> are affected too. Looks like the policy logic is fine with any scope shared
> to grant permission for all scopes.
>
> Regards,
> Marek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

Regards,
Geoffrey Cleaves

From psilva at redhat.com  Wed Jan 16 07:40:43 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 10:40:43 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAHzT=q82W1oknPpoJXpQuH7XVQmQ+UCOibW5zVyyxAhYCZdwWQ@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau> <3547362.3auZNeVte6@rousseau>
	<CAJrcDBcBw8_gPiXYGcLevdoU5YvL4_yfvCoHqJCo-KS+rcEO0A@mail.gmail.com>
	<3846154.t6rrfbgVF5@rousseau>
	<CAHzT=q82W1oknPpoJXpQuH7XVQmQ+UCOibW5zVyyxAhYCZdwWQ@mail.gmail.com>
Message-ID: <CAJrcDBddfZ74y=T9DK3KEfZxt-hEWD6ZxT=EO=AOEt_Ec58pJQ@mail.gmail.com>

+1. Or just use the "permissions" response mode while that PR is not merged.

On Wed, Jan 16, 2019 at 10:38 AM Geoffrey Cleaves <geoff at opticks.io> wrote:

> Due to the bugs you and Marco are discussing, you should not use
> response_mode=decision but instead need to examine the scopes that are
> returned in the token.
>
> On Wed, 16 Jan 2019 at 13:36, Marek Lindner <mareklindner at neomailbox.ch>
> wrote:
>
>> On Wednesday, 16 January 2019 20:13:56 HKT Pedro Igor Silva wrote:
>> > Thanks. I think we are on the same page then. Created
>> > https://issues.jboss.org/browse/KEYCLOAK-9337.
>> >
>> > Please, for now, ignore that result and consider the set of the actual
>> > granted permissions.
>>
>> Thanks for opening that bug. However, let me point out that this issue is
>> not
>> limited to the evaluation tool. The UMA policy API evaluation is affected
>> too.
>> Here the call for checking permissions:
>>
>> POST /auth/realms/test/protocol/openid-connect/token
>> grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
>> &permission=2e93c0ea-d5e3-4538-bdf1-47f3c5c67e9b#album:modify
>> &audience=photoz&response_mode=decision
>>
>> returns: {"result":true}
>>
>> Haven't tested RPT tickets but it is somewhat reasonable to assume those
>> are affected too. Looks like the policy logic is fine with any scope
>> shared
>> to grant permission for all scopes.
>>
>> Regards,
>> Marek
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> Regards,
> Geoffrey Cleaves
>
>
>
>
>
>

From mareklindner at neomailbox.ch  Wed Jan 16 09:29:41 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Wed, 16 Jan 2019 22:29:41 +0800
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <CAJrcDBddfZ74y=T9DK3KEfZxt-hEWD6ZxT=EO=AOEt_Ec58pJQ@mail.gmail.com>
References: <2122907.Eh5HuVOojU@rousseau>
	<CAHzT=q82W1oknPpoJXpQuH7XVQmQ+UCOibW5zVyyxAhYCZdwWQ@mail.gmail.com>
	<CAJrcDBddfZ74y=T9DK3KEfZxt-hEWD6ZxT=EO=AOEt_Ec58pJQ@mail.gmail.com>
Message-ID: <1671782.eHEKpiHKN3@rousseau>

On Wednesday, 16 January 2019 20:40:43 HKT Pedro Igor Silva wrote:
> +1. Or just use the "permissions" response mode while that PR is not merged.

What's the permission response mode you are referring to ?

Regards,
Marek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part.
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190116/93b95441/attachment-0001.bin 

From psilva at redhat.com  Wed Jan 16 09:41:43 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 16 Jan 2019 12:41:43 -0200
Subject: [keycloak-user] shared UMA 2.0 resource & scope based policies
In-Reply-To: <1671782.eHEKpiHKN3@rousseau>
References: <2122907.Eh5HuVOojU@rousseau>
	<CAHzT=q82W1oknPpoJXpQuH7XVQmQ+UCOibW5zVyyxAhYCZdwWQ@mail.gmail.com>
	<CAJrcDBddfZ74y=T9DK3KEfZxt-hEWD6ZxT=EO=AOEt_Ec58pJQ@mail.gmail.com>
	<1671782.eHEKpiHKN3@rousseau>
Message-ID: <CAJrcDBe+k4ugC2G7P1=yH6hQbgFPN+6XMWUNoS_oeLyuE-sUVg@mail.gmail.com>

The "response_mode" request parameter that you can set to authorization
requests you send to token endpoint. If the value is "permissions" you will
get a JSON array with the granted permissions as a response.

On Wed, Jan 16, 2019 at 12:30 PM Marek Lindner <mareklindner at neomailbox.ch>
wrote:

> On Wednesday, 16 January 2019 20:40:43 HKT Pedro Igor Silva wrote:
> > +1. Or just use the "permissions" response mode while that PR is not
> merged.
>
> What's the permission response mode you are referring to ?
>
> Regards,
> Marek
>

From scott.thibault at multiscalehn.com  Wed Jan 16 14:12:28 2019
From: scott.thibault at multiscalehn.com (Scott Thibault)
Date: Wed, 16 Jan 2019 14:12:28 -0500
Subject: [keycloak-user] Google login without automatic user registration
Message-ID: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>

Out-of-the-box, the First Broker Login flow automatically registers
non-existing users authenticated by an identity provider.  I would not like
anyone with a valid Google account to be able to login, but only those with
existing accounts.  However, any attempt to create a custom flow without
the "Create User If Unique" item leads to an error=invalid_user_credentials.

Is there some solution that would allow me to prevent users without an
existing account to login via the Google identity provider?

From dt at acutus.pro  Wed Jan 16 17:52:45 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 17 Jan 2019 01:52:45 +0300
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
Message-ID: <1547679165.4393.16.camel@acutus.pro>

Hi Scott,

I think Geoffrey Cleaves has done this with the help of custom authenticator, please check out this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> Out-of-the-box, the First Broker Login flow automatically registers
> non-existing users authenticated by an identity provider.??I would not like
> anyone with a valid Google account to be able to login, but only those with
> existing accounts.??However, any attempt to create a custom flow without
> the "Create User If Unique" item leads to an error=invalid_user_credentials.
> 
> Is there some solution that would allow me to prevent users without an
> existing account to login via the Google identity provider?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From keycloak-user at mattevans.email  Wed Jan 16 23:27:22 2019
From: keycloak-user at mattevans.email (Matt Evans)
Date: Thu, 17 Jan 2019 15:27:22 +1100
Subject: [keycloak-user] kcadm update client seems to ignore
	defaultClientScopes
Message-ID: <CAEBpjQai-y5mOgJjiSHsCZU0OKkGXDd9vAuhxZLp-0+ZKX2rsw@mail.gmail.com>

Has anyone noticed that updating a client using kcadm seems to ignore the
defaultClientScopes property?

/opt/keycloak/bin/kcadm.sh update
clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
--server http://localhost:8080/auth --realm master --user admin --client
admin-cli --password xxxx

We can update other properties ok, e.g. name, client id, redirectUris all
update ok, but defaultClientScopes doesn't change. Also I think
optionalClientScopes doesn't change either.

From sthorger at redhat.com  Thu Jan 17 02:55:20 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Jan 2019 08:55:20 +0100
Subject: [keycloak-user] Switching to Native JavaScript promise by default
Message-ID: <CAJgngAekhwKAa24cNgEY_vgq2HZsbM3tUog0z0FnvkSmTa35KA@mail.gmail.com>

I would like to switch the JavaScript adapter to use Native promises by
default and deprecate the legacy promise with the aim to remove it in the
future.

This would result in users that want to continue to use the legacy promise
having to explicitly enable this in the config.

I see this as the best path to eventually remove the legacy promises.

From Wei.He at cegeka.de  Thu Jan 17 03:17:36 2019
From: Wei.He at cegeka.de (Wei He)
Date: Thu, 17 Jan 2019 08:17:36 +0000
Subject: [keycloak-user] Download and import X.509 client certificate from
	Keycloak
Message-ID: <E411B8A4-B921-488F-82D0-F0998FE1981A@cegeka.de>

Hello dear all,

A question about the process to get the client X.509 certification:

I set up the Keycloak 4.8.2-Final on my localhost and enabled the SSL as described in the documenthttps://www.keycloak.org/docs/latest/server_admin/index.html#_x509.

The server could start but I could not open the server page on the localhost:8443 (openssl s_client -connect 127.0.0.1:8443) due to the SSL error code 42 (4566025836:error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/ssl/ssl_pkt.c:1205:SSL alert number 42), which means that the client certificate problem. But my imagination was that the server should redirect me to the login page. After I logged in, the server should generate the client certificate and ask me to download the certification and import it to my browser. After that I should be able to connect to the server without any further authentication, because I already had the client certificate trusted by the Keycloak.

What did I do wrong? Or this process is not supported by the current keycloak yet?

Thanks a lot!

Wei He

From mposolda at redhat.com  Thu Jan 17 06:20:49 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 17 Jan 2019 12:20:49 +0100
Subject: [keycloak-user] kcadm update client seems to ignore
 defaultClientScopes
In-Reply-To: <CAEBpjQai-y5mOgJjiSHsCZU0OKkGXDd9vAuhxZLp-0+ZKX2rsw@mail.gmail.com>
References: <CAEBpjQai-y5mOgJjiSHsCZU0OKkGXDd9vAuhxZLp-0+ZKX2rsw@mail.gmail.com>
Message-ID: <5b1cd4b2-13e0-6962-2481-c297214c83b8@redhat.com>

There are separate REST API operations for add/remove default client 
scope or optional client scope. I suggest to try admin console with 
browser and inspect the REST request, which admin console is doing for 
add/remove client scopes for client. This may show you how the REST 
request looks like and you should be able to "translate" this into 
proper format for kcadm then.

Marek

On 17/01/2019 05:27, Matt Evans wrote:
> Has anyone noticed that updating a client using kcadm seems to ignore the
> defaultClientScopes property?
>
> /opt/keycloak/bin/kcadm.sh update
> clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
> 'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
> --server http://localhost:8080/auth --realm master --user admin --client
> admin-cli --password xxxx
>
> We can update other properties ok, e.g. name, client id, redirectUris all
> update ok, but defaultClientScopes doesn't change. Also I think
> optionalClientScopes doesn't change either.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From denis.danov at dreamix.eu  Thu Jan 17 07:11:35 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Thu, 17 Jan 2019 14:11:35 +0200
Subject: [keycloak-user] Retrieve all accessible applications for the logged
	user
Message-ID: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>

Hi Keycloak members,

I am excited writing to you and I hope someone will answer.
I am working on an application that should be registered and secured in
Keycloak. Once the user is authenticated we want to show list of all other
applications that the user has access to.
Can this information be retrieved via REST API as I can see that it is
already available from Keycloak UI for user's account under section
applications
https://www.keycloak.org/docs/3.3/server_admin/topics/account.html

Regards,
Denis Danov

From dharlaftis at ekt.gr  Thu Jan 17 08:57:36 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Thu, 17 Jan 2019 15:57:36 +0200
Subject: [keycloak-user] keycloak security proxy does not proxy to external
	application url
Message-ID: <4acfbcc9-14a9-ed0a-66c6-4027b6683e23@ekt.gr>

Hello,

I have built the architecture shown in the attached image.

Step 1. A client authentication request reaches the keycloak security 
proxy docker container

Step 2. Proxy asks the actual keycloak server docker container

Step 3. Keycloak Server asks an external LDAP for user credentials

Step 4. Keycloak server replies OK

Step 5. Keycloak proxy replies OK and passes control to the external 
application url.


THE PROBLEM IS that after successful authentication, the url of the host 
server (i.e. where the keycloak proxy container and keyclak 
authentication container lie) appears on the address bar of the browser 
instead of the actual external application url.

For example, if the host machine where the keycloak containers lie is 
keycloak.containers.gr, and the external application domain name is 
www.external.application.gr, then, after a SUCCESSFUL login to the 
keycloak SSO login page, the url in the address bar appears to 
behttp://keycloak.containers.gr <http://keycloak.containers.gr/>instead 
ofhttp://www.external.application.gr 
<http://www.external.application.gr/>. This fact destroys all the 
relative css, js scripts, etc, attached to the site 
www.external.application.gr.


  KEYCLOAK SECURITY PROXY CONFIGURATION

{
 ??? "target-url": "http://www.external.application.gr",
 ??? "bind-address": "0.0.0.0",
 ??? "send-access-token": true,
 ??? "http-port": "8180",
 ??? "https-port": "8443",
 ??? "applications": [{
 ??? ??? "base-path": "/",
 ??? ??? "adapter-config": {
 ??? ??? ??? "realm": "internal_applications",
 ??? ??? ??? "auth-server-url": "http://keycloak.containers.gr:8202/auth",
 ??? ??? ??? "resource": "test_app",
 ??? ??? ??? "ssl-required": "external",
 ??? ??? ??? "credentials": {
 ??? ??? ??? ??? "secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
 ??? ??? ??? }
 ??? ??? },
 ??? ??? "constraints": [{
 ??? ??? ??? "pattern": "/*",
 ??? ??? ??? "authenticate": true
 ??? ??? }],
 ??? ??? "proxy-address-forwarding": true
 ??? }]
}

I use a proxy.json for the keycloak security proxy configuration


NOTE: I have tried to change the "bind-address": "0.0.0.0" parameter, 
from 0.0.0.0 to the IP of the www.external.application.gr but with no 
luck...

please... any help??

Thank you!!

Dimitris

-- 
_____________________________

Dimitris Charlaftis
Software Engineer

National Documentation Center
email: dharlaftis at ekt.gr
_____________________________

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak.PNG
Type: image/png
Size: 42868 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190117/f23a19db/attachment-0001.png 

From chris.smith at cmfirstgroup.com  Thu Jan 17 12:43:36 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Thu, 17 Jan 2019 17:43:36 +0000
Subject: [keycloak-user] Kerberos Credential Delagation
In-Reply-To: <CY4PR22MB024891734969259A2F93C54398800@CY4PR22MB0248.namprd22.prod.outlook.com>
References: <CY4PR22MB024891734969259A2F93C54398800@CY4PR22MB0248.namprd22.prod.outlook.com>
Message-ID: <CY4PR22MB0248C4129C09A2E6827C8D9298830@CY4PR22MB0248.namprd22.prod.outlook.com>

No one has suggestions?

-----Original Message-----
From: Chris Smith 
Sent: Monday, January 14, 2019 11:42 AM
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Kerberos Credential Delagation

I have a web app that is secured by KC and uses Active Directory to authenticate users.
I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
SSO/EIM is successfully setup on the IBM i.

My Web app is following the instructions at https://www.keycloak.org/docs/latest/server_admin/index.html#credential-delegation

My servlet code
			KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
			AccessToken at = kcp.getKeycloakSecurityContext().getToken();
			String username = at.getPreferredUsername();
			System.out.println(at.getName());
			wtr.append("Windows User: ").append(username).append('\n');
			
			// Retrieve kerberos credential from accessToken and deserialize it
			Map<String, Object> otherClaims = at.getOtherClaims();
			String otherClaim = (String)otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
			GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);

The otherClaims  map is always empty.

KerberosSerializationUtils.deserializeCredential(otherClaim); throws this exception since otherClaim is null;

org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
	at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
	at testing.LogIn.doGet(LogIn.java:71)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
	at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Kerbos delegation is enabled in the browser and mapping of gss credential to access token 

What am I missing?




From ssilvert at redhat.com  Thu Jan 17 14:39:48 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 17 Jan 2019 14:39:48 -0500
Subject: [keycloak-user] Retrieve all accessible applications for the
 logged user
In-Reply-To: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>
References: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>
Message-ID: <39fac639-6b77-d15f-cf53-a04934a50d79@redhat.com>

Soon there will be a REST API to get that information.? This is part of 
the rewrite of the account management console.? Everything you see now 
in the account management console will be available via REST endpoint.

It's hard to say exactly when it will be available, but I'd say the code 
for it will be merged by the middle of the year.

On 1/17/2019 7:11 AM, Denis Danov wrote:
> Hi Keycloak members,
>
> I am excited writing to you and I hope someone will answer.
> I am working on an application that should be registered and secured in
> Keycloak. Once the user is authenticated we want to show list of all other
> applications that the user has access to.
> Can this information be retrieved via REST API as I can see that it is
> already available from Keycloak UI for user's account under section
> applications
> https://www.keycloak.org/docs/3.3/server_admin/topics/account.html
>
> Regards,
> Denis Danov
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From bruno at abstractj.org  Thu Jan 17 15:16:56 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 17 Jan 2019 18:16:56 -0200
Subject: [keycloak-user] Switching to Native JavaScript promise by
	default
In-Reply-To: <CAJgngAekhwKAa24cNgEY_vgq2HZsbM3tUog0z0FnvkSmTa35KA@mail.gmail.com>
References: <CAJgngAekhwKAa24cNgEY_vgq2HZsbM3tUog0z0FnvkSmTa35KA@mail.gmail.com>
Message-ID: <CAM5SUC5UPT2BH0O3haJJS3+Lba12YTqQyAExMbjAS_RM9BO+KA@mail.gmail.com>

+1

On Thu, Jan 17, 2019 at 5:55 AM Stian Thorgersen <sthorger at redhat.com> wrote:
>
> I would like to switch the JavaScript adapter to use Native promises by
> default and deprecate the legacy promise with the aim to remove it in the
> future.
>
> This would result in users that want to continue to use the legacy promise
> having to explicitly enable this in the config.
>
> I see this as the best path to eventually remove the legacy promises.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
- abstractj

From deruere.julien at gmail.com  Thu Jan 17 15:35:59 2019
From: deruere.julien at gmail.com (Julien Deruere)
Date: Thu, 17 Jan 2019 15:35:59 -0500
Subject: [keycloak-user] Missing permissions
Message-ID: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>

I'm getting permissions from this request:

curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience={resource_server_client_id}" \  --data
"response_mode=permissions"

Which give me the good results when I use Keycloak UI to share a resource.

Then if I give permission user the Policy API:

curl -X POST \
  http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
\
  -H 'Authorization: Bearer '$access_token \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -d '{
        "name": "Any people manager",
        "description": "Allow access to any people manager",
        "scopes": ["read"],
        "groups": ["/Managers/People Managers"]
}'


It works and I can see it in the Keycloak User panel or in the evaluate
permission page, but first request does not I mention does not include this
permission in the response.

Any idea?

From mposolda at redhat.com  Thu Jan 17 16:08:52 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 17 Jan 2019 22:08:52 +0100
Subject: [keycloak-user] Kerberos Credential Delagation
In-Reply-To: <CY4PR22MB0248C4129C09A2E6827C8D9298830@CY4PR22MB0248.namprd22.prod.outlook.com>
References: <CY4PR22MB024891734969259A2F93C54398800@CY4PR22MB0248.namprd22.prod.outlook.com>
	<CY4PR22MB0248C4129C09A2E6827C8D9298830@CY4PR22MB0248.namprd22.prod.outlook.com>
Message-ID: <86d87106-f599-8a67-26fb-a9e320e83e99@redhat.com>

|There are few tricky things here. You need to ensure that client ( 
/etc/krb5.conf ) is configured to request forwardable tickets (flag 
"forwardable" . See krb5 docs for more details).

Then also browser needs to be properly configured. For example FF needs 
to have property "network.negotiate-auth.delegation-uris" to contain the 
proper URI.


Once you have both those, I suggest to enable DEBUG logging for class 
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator and see that 
after authentication, you have the kerberos ticket with "credDelegState" 
set to true. If not, something is missing in the kerberos setup. If yes, 
you just need to configure mapper on KC side. For details about mapper, 
see docs and also see the example from keycloak-examples distribution, 
which uses kerberos credentials delegation: 
https://github.com/keycloak/keycloak/tree/master/examples/kerberos

Marek|
|
|
On 17/01/2019 18:43, Chris Smith wrote:
> No one has suggestions?
>
> -----Original Message-----
> From: Chris Smith
> Sent: Monday, January 14, 2019 11:42 AM
> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Subject: Kerberos Credential Delagation
>
> I have a web app that is secured by KC and uses Active Directory to authenticate users.
> I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
> SSO/EIM is successfully setup on the IBM i.
>
> My Web app is following the instructions at https://www.keycloak.org/docs/latest/server_admin/index.html#credential-delegation
>
> My servlet code
> 			KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
> 			AccessToken at = kcp.getKeycloakSecurityContext().getToken();
> 			String username = at.getPreferredUsername();
> 			System.out.println(at.getName());
> 			wtr.append("Windows User: ").append(username).append('\n');
> 			
> 			// Retrieve kerberos credential from accessToken and deserialize it
> 			Map<String, Object> otherClaims = at.getOtherClaims();
> 			String otherClaim = (String)otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
> 			GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);
>
> The otherClaims  map is always empty.
>
> KerberosSerializationUtils.deserializeCredential(otherClaim); throws this exception since otherClaim is null;
>
> org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
> 	at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
> 	at testing.LogIn.doGet(LogIn.java:71)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
> 	at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
> 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
> 	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
> 	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
> 	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
> 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
> 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:748)
>
> Kerbos delegation is enabled in the browser and mapping of gss credential to access token
>
> What am I missing?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From cshuman at repay.com  Thu Jan 17 20:17:51 2019
From: cshuman at repay.com (Clint Shuman)
Date: Fri, 18 Jan 2019 01:17:51 +0000
Subject: [keycloak-user] gatekeeper and multiple realms per subdomain
Message-ID: <EEA2C72B-2D19-468F-A0E2-B06BBCB21F91@repay.com>

I have a multi-tenant application that has a keycloak realm per subdomain. Is there a recommended way to configure keycloak-gatekeeper for such a setup? Is there an interface that I could implement to dynamically select a keycloak realm given the subdomain of the origin?


               
Thanks,
Director of Systems Architecture
REPAY
Telephone:404.637.1680
Customer Service: 
877.607.5468
Email:cshuman at repay.com
Web:www.repay.com
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image809197.jpg
Type: image/jpeg
Size: 41199 bytes
Desc: image809197.jpg
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190118/14f4eccf/attachment-0001.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image714738.png
Type: image/png
Size: 35284 bytes
Desc: image714738.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190118/14f4eccf/attachment-0001.png 

From dt at acutus.pro  Thu Jan 17 23:25:33 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 18 Jan 2019 07:25:33 +0300
Subject: [keycloak-user] Retrieve all accessible applications for the
 logged user
In-Reply-To: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>
References: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>
Message-ID: <1547785533.9262.1.camel@acutus.pro>

Hello Denis, just my 2? in addition to what Stan said,

If you can't wait for the account REST service to be merged, you can create your own REST service to expose the data you need.

Check out Server Development [1] for how to create custom REST resources, BeerCloak [2] for how to secure them and ApplicationsBean.java [3] for how to obtain application list.

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[2] https://github.com/dteleguin/beercloak
[3] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-17 at 14:11 +0200, Denis Danov wrote:
> Hi Keycloak members,
> 
> I am excited writing to you and I hope someone will answer.
> I am working on an application that should be registered and secured in
> Keycloak. Once the user is authenticated we want to show list of all other
> applications that the user has access to.
> Can this information be retrieved via REST API as I can see that it is
> already available from Keycloak UI for user's account under section
> applications
> https://www.keycloak.org/docs/3.3/server_admin/topics/account.html
> 
> Regards,
> Denis Danov
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Thu Jan 17 23:40:01 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 18 Jan 2019 07:40:01 +0300
Subject: [keycloak-user] keycloak security proxy does not proxy to
 external application url
In-Reply-To: <4acfbcc9-14a9-ed0a-66c6-4027b6683e23@ekt.gr>
References: <4acfbcc9-14a9-ed0a-66c6-4027b6683e23@ekt.gr>
Message-ID: <1547786401.9262.3.camel@acutus.pro>

Hello Dimitris,

If you want your application to be accessible under its original URL, you should use Keycloak adapters instead. When using proxy, the original URL remains hidden - this is how reverse proxying works. In this regard Keycloak security proxy is not much different from Apache mod_proxy, HAProxy or nginx. Your application needs to be able to handle the situation where it is exposed under different URL, and adjust the internal URLs (CSS, scripts etc.) accordingly. You can do this either by introducing a config param, or by processing X-Forwarded-Host and X-Forwarded-Proto headers.

Also I'd recommend that you use Keycloak Gatekeeper [1] instead of the now deprecated Keycloak proxy.

[1] https://github.com/keycloak/keycloak-gatekeeper

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-17 at 15:57 +0200, Dimitris Charlaftis wrote:
> Hello,
> 
> I have built the architecture shown in the attached image.
> 
> Step 1. A client authentication request reaches the keycloak security?
> proxy docker container
> 
> Step 2. Proxy asks the actual keycloak server docker container
> 
> Step 3. Keycloak Server asks an external LDAP for user credentials
> 
> Step 4. Keycloak server replies OK
> 
> Step 5. Keycloak proxy replies OK and passes control to the external?
> application url.
> 
> 
> THE PROBLEM IS that after successful authentication, the url of the host?
> server (i.e. where the keycloak proxy container and keyclak?
> authentication container lie) appears on the address bar of the browser?
> instead of the actual external application url.
> 
> For example, if the host machine where the keycloak containers lie is?
> keycloak.containers.gr, and the external application domain name is?
> www.external.application.gr, then, after a SUCCESSFUL login to the?
> keycloak SSO login page, the url in the address bar appears to?
> > behttp://keycloak.containers.gr <http://keycloak.containers.gr/>instead?
> > ofhttp://www.external.application.gr?
> > <http://www.external.application.gr/>. This fact destroys all the?
> relative css, js scripts, etc, attached to the site?
> www.external.application.gr.
> 
> 
> ? KEYCLOAK SECURITY PROXY CONFIGURATION
> 
> {
> > ???? "target-url": "http://www.external.application.gr",
> ???? "bind-address": "0.0.0.0",
> ???? "send-access-token": true,
> ???? "http-port": "8180",
> ???? "https-port": "8443",
> ???? "applications": [{
> ???? ??? "base-path": "/",
> ???? ??? "adapter-config": {
> ???? ??? ??? "realm": "internal_applications",
> ???? ??? ??? "auth-server-url": "http://keycloak.containers.gr:8202/auth",
> ???? ??? ??? "resource": "test_app",
> ???? ??? ??? "ssl-required": "external",
> ???? ??? ??? "credentials": {
> ???? ??? ??? ??? "secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
> ???? ??? ??? }
> ???? ??? },
> ???? ??? "constraints": [{
> ???? ??? ??? "pattern": "/*",
> ???? ??? ??? "authenticate": true
> ???? ??? }],
> ???? ??? "proxy-address-forwarding": true
> ???? }]
> }
> 
> I use a proxy.json for the keycloak security proxy configuration
> 
> 
> NOTE: I have tried to change the "bind-address": "0.0.0.0" parameter,?
> > from 0.0.0.0 to the IP of the www.external.application.gr but with no?
> luck...
> 
> please... any help??
> 
> Thank you!!
> 
> Dimitris
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Fri Jan 18 00:10:22 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 18 Jan 2019 08:10:22 +0300
Subject: [keycloak-user] Create initial access token from command line
In-Reply-To: <CACv+PfdZKy2HEdXxKa-phJvTPFBJR1cp3pny-MQCpz8GX7JV3g@mail.gmail.com>
References: <CACv+PfdZKy2HEdXxKa-phJvTPFBJR1cp3pny-MQCpz8GX7JV3g@mail.gmail.com>
Message-ID: <1547788222.9262.5.camel@acutus.pro>

Hello Puneeth,

The process it two-step, first you need to obtain an admin token (via token endpoint), then use it against clients-initial-access endpoint to create a token.

kcadm.sh can do that for you, but unfortunately it doesn't output the result, even with the --output option (bug?)

[user at localhost keycloak]$ bin/kcadm.sh create clients-initial-access -s count=1 -s expiration=60
Created new clients-initial-acces with id '0dfebcdd-35a9-4157-95e6-6d9eb5e887d8'

Luckily, you can still do it with curl:

KEYCLOAK_URL=http://localhost:8080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT=admin-cli
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=admin

ACCESS_TOKEN=$(curl -s $KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token \
    -d client_id=$KEYCLOAK_CLIENT \
    -d grant_type=password \
    -d username=$KEYCLOAK_USER \
    -d password=$KEYCLOAK_PASSWORD\
    | jq -r '.access_token')

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" $KEYCLOAK_URL/admin/realms/$KEYCLOAK_REALM/clients-initial-access \
    -H "Content-Type: application/json" \
    -d '{ "count": 1, "expiration": 60 }' \
    | jq -r ".token"

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-16 at 17:13 +0530, Puneeth M I wrote:
> Hi,
> 
> I want to create an initial access token with expiration=60 seconds and
> count=1 from command line using admin-cli through kcadm.sh script or a curl
> command and share with the clients to register(create clients) themselves
> at keycloak. I am using the following curl command as per the keycloak
> document but I am getting 401 unauthorized error. I am create an Initial
> access token from admin console but I don't want to expose it. *Please let
> me know on how to generate InitialAccessToken from CLI to register a
> client. *
> 
> 
> 
> *# curl -i -H 'Content-Type: application/json' -X
> POST http://<keycloak-IP>:<port>/auth/admin/realms/master/clients-initial-access
> <http://10.91.96.30:8665/auth/admin/realms/master/clients-initial-access> -d
> "client_id=admin-cli&grant_type=password&username=admin&password=admin"*
> HTTP/1.1 401 Unauthorized
> Connection: keep-alive
> Content-Length: 0
> Date: Tue, 15 Jan 2019 09:16:07 GMT
> 
> 
> 
> *I am able to register a client using the access token obtained from below
> command but I cannot control it for number of client registrations.*
> 
> # *curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X
> POST http://<keycloak-ip>:<port>/auth/realms/master/protocol/openid-connect/token
> <http://10.91.96.30:8665/auth/realms/master/protocol/openid-connect/token> -d
> "client_id=admin-cli&grant_type=password&username=admin&password=admin"*
> 
> ???1. HTTP/1.1 200 OK
> ???Connection: keep-alive
> ???Cache-Control: no-store
> ???Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10
> ???GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
> ???Pragma: no-cache
> ???Content-Type: application/json
> ???Content-Length: 1848
> ???Date: Tue, 15 Jan 2019 06:37:47 GMT
> 
> {"access_token":"eyJhbGciOiJSUzI1NiIs....","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOi.....","token_type":"bearer","not-before-policy":0,"session_state":"7af01cbb-f268-4263-bed2-c11a14008949","scope":"email
> profile"}
> 
> I am using Keycloak - Version *4.5.0* in standalone-HA mode.
> 
> Regards,
> Puneeth
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From keycloak-user at mattevans.email  Fri Jan 18 00:51:39 2019
From: keycloak-user at mattevans.email (Matt Evans)
Date: Fri, 18 Jan 2019 16:51:39 +1100
Subject: [keycloak-user] kcadm update client seems to ignore
	defaultClientScopes
In-Reply-To: <5b1cd4b2-13e0-6962-2481-c297214c83b8@redhat.com>
References: <CAEBpjQai-y5mOgJjiSHsCZU0OKkGXDd9vAuhxZLp-0+ZKX2rsw@mail.gmail.com>
	<5b1cd4b2-13e0-6962-2481-c297214c83b8@redhat.com>
Message-ID: <CAEBpjQY3bKDebpTt+T1JwaUqG2d7PcEOWY8ebHbOGZ6DnBXqKw@mail.gmail.com>

Hi Marek

I took your advice and looked at what the console does. It seems that you
have to individually PUT or DELETE each client scope in the
defaultClientScopes and optionalClientScopes.

e.g. PUT /clients/<client id>/defaultClientScopes/<scope id>

I tried to PUT to the /clients/<client id>/defaultClientScopes  endpoint to
set all the default client scopes in one go but the method is not allowed.

We currently have our clients deployed using ansible calling kcadm with the
json template, this works well for creating new clients, the default client
scopes are set correctly, but the update of an existing client template
ignores them if they are specified in the json.

Whilst we can add more code to extract the scopes from the template and
individually call DELETE or PUT to adjust them it seems overly complicated.
I guess for now we will delete and create the whole client if we need to
update them.

Are there plans to improve this in the future? It seems inconsistent that
the rest endpoint for the client just ignores those properties for updates,
but accepts them for creates.

Thanks

Matt


On Thu, 17 Jan 2019 at 22:20, Marek Posolda <mposolda at redhat.com> wrote:

> There are separate REST API operations for add/remove default client
> scope or optional client scope. I suggest to try admin console with
> browser and inspect the REST request, which admin console is doing for
> add/remove client scopes for client. This may show you how the REST
> request looks like and you should be able to "translate" this into
> proper format for kcadm then.
>
> Marek
>
> On 17/01/2019 05:27, Matt Evans wrote:
> > Has anyone noticed that updating a client using kcadm seems to ignore the
> > defaultClientScopes property?
> >
> > /opt/keycloak/bin/kcadm.sh update
> > clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
> > 'defaultClientScopes=["web-origins"]' -s name=changedName --no-config
> > --server http://localhost:8080/auth --realm master --user admin --client
> > admin-cli --password xxxx
> >
> > We can update other properties ok, e.g. name, client id, redirectUris all
> > update ok, but defaultClientScopes doesn't change. Also I think
> > optionalClientScopes doesn't change either.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From mposolda at redhat.com  Fri Jan 18 03:59:05 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Jan 2019 09:59:05 +0100
Subject: [keycloak-user] kcadm update client seems to ignore
 defaultClientScopes
In-Reply-To: <CAEBpjQZ5W08RmOR9FbjkcPw6e-gWauzVj1gC8Kga1YcYawrqtQ@mail.gmail.com>
References: <CAEBpjQai-y5mOgJjiSHsCZU0OKkGXDd9vAuhxZLp-0+ZKX2rsw@mail.gmail.com>
	<5b1cd4b2-13e0-6962-2481-c297214c83b8@redhat.com>
	<CAEBpjQZ5W08RmOR9FbjkcPw6e-gWauzVj1gC8Kga1YcYawrqtQ@mail.gmail.com>
Message-ID: <45b0311d-a168-4216-34d4-cecbb853e605@redhat.com>

Yes, they are few places, where there are inconsistencies between 
creates and updates. And yes, there is plan to improve admin REST API in 
the future to improve and hopefully remove such inconsistencies.

Thanks,
Marek

On 18/01/2019 05:38, Matt Evans wrote:
> Hi Marek
>
> I took your advice and looked at what the console does. It seems that 
> you have to individually PUT or DELETE each client scope in the 
> defaultClientScopes and optionalClientScopes.
>
> e.g. PUT /clients/<client id>/defaultClientScopes/<scope id>
>
> I tried to PUT to the /clients/<client id>/defaultClientScopes? 
> endpoint to set all the default client scopes in one go but the method 
> is not allowed.
>
> We currently have our clients deployed using ansible calling kcadm 
> with the json template, this works well for creating new clients, the 
> default client scopes are set correctly, but the update of an existing 
> client template ignores them if they are specified in the json.
>
> Whilst we can add more code to extract the scopes from the template 
> and individually call DELETE or PUT to adjust them it seems overly 
> complicated. I guess for now we will delete and create the whole 
> client if we need to update them.
>
> Are there plans to improve this in the?future? It seems inconsistent 
> that the rest endpoint for the client just ignores those properties 
> for updates, but accepts them for creates.
>
> Thanks
>
> Matt
>
>
> On Thu, 17 Jan 2019 at 22:20, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     There are separate REST API operations for add/remove default client
>     scope or optional client scope. I suggest to try admin console with
>     browser and inspect the REST request, which admin console is doing
>     for
>     add/remove client scopes for client. This may show you how the REST
>     request looks like and you should be able to "translate" this into
>     proper format for kcadm then.
>
>     Marek
>
>     On 17/01/2019 05:27, Matt Evans wrote:
>     > Has anyone noticed that updating a client using kcadm seems to
>     ignore the
>     > defaultClientScopes property?
>     >
>     > /opt/keycloak/bin/kcadm.sh update
>     > clients/366b5cb2-f4ac-4b81-9ccb-1e8198fec9f9 -r therealm -s
>     > 'defaultClientScopes=["web-origins"]' -s name=changedName
>     --no-config
>     > --server http://localhost:8080/auth --realm master --user admin
>     --client
>     > admin-cli --password xxxx
>     >
>     > We can update other properties ok, e.g. name, client id,
>     redirectUris all
>     > update ok, but defaultClientScopes doesn't change. Also I think
>     > optionalClientScopes doesn't change either.
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>


From dharlaftis at ekt.gr  Fri Jan 18 05:35:29 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Fri, 18 Jan 2019 12:35:29 +0200
Subject: [keycloak-user] Keycloak Gatekeeper docker image yml file
Message-ID: <54619a06-495d-4562-d33f-86d29129a2db@ekt.gr>

Hello,

I want to deploy the following keycloak gatekeeper docker image

https://hub.docker.com/r/keycloak/keycloak-gatekeeper
I want to map a .yml file through the VOLUME command but i don't know the path of the configuration inside the docker container.
Please can you provide where can i map the .yml file (the correct path inside the docker container) for the configuration?

Documentation presents a sample yml file, but it does not say where tomap it inside the container...
Thank you!
Dimitris


-- 
_____________________________

Dimitris Charlaftis
Software Engineer

National Documentation Center
email: dharlaftis at ekt.gr
_____________________________


From psilva at redhat.com  Fri Jan 18 05:36:55 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 18 Jan 2019 08:36:55 -0200
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
Message-ID: <CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>

Hi,

What if you try to obtain permissions by passing the resource id (instead
of asking all permissions)? Can you check if it works? I remember some
limitations when obtaining all permissions due to performance issues. Not
sure if that is the case.

On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <deruere.julien at gmail.com>
wrote:

> I'm getting permissions from this request:
>
> curl -X POST \
>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
> \
>   -H "Authorization: Bearer ${access_token}" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience={resource_server_client_id}" \  --data
> "response_mode=permissions"
>
> Which give me the good results when I use Keycloak UI to share a resource.
>
> Then if I give permission user the Policy API:
>
> curl -X POST \
>
> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
> \
>   -H 'Authorization: Bearer '$access_token \
>   -H 'Cache-Control: no-cache' \
>   -H 'Content-Type: application/json' \
>   -d '{
>         "name": "Any people manager",
>         "description": "Allow access to any people manager",
>         "scopes": ["read"],
>         "groups": ["/Managers/People Managers"]
> }'
>
>
> It works and I can see it in the Keycloak User panel or in the evaluate
> permission page, but first request does not I mention does not include this
> permission in the response.
>
> Any idea?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From james.pridmore at ontexglobal.com  Fri Jan 18 06:11:28 2019
From: james.pridmore at ontexglobal.com (James Pridmore)
Date: Fri, 18 Jan 2019 11:11:28 +0000
Subject: [keycloak-user] User Federation
Message-ID: <VI1PR07MB423920C4292EAA93EC17D8DB929C0@VI1PR07MB4239.eurprd07.prod.outlook.com>

Hi all,

I wonder if anyone could help me. I'm trying to set up a realm with user federation. I'd like that realm to point to another realm within the same instance of Keycloak.

Is this possible and if so, how do I go about it?

The reason for this is we have one application supporting different contracts, users have different permissions in different contracts. We think we can achieve this by setting up 1 client over multiple realms and using one set of users in all those realms but with different permissions in each realm.

Any advice is much appreciated.

Kind regards,

James


From sidney.beekhoven at info.nl  Fri Jan 18 06:23:20 2019
From: sidney.beekhoven at info.nl (Sidney Beekhoven)
Date: Fri, 18 Jan 2019 11:23:20 +0000
Subject: [keycloak-user] Access user attributes in terms.ftl
Message-ID: <AA01DDCD-19E7-4206-9B43-633B06E1F812@info.nl>

Hello everyone,

I am trying to access the user attributes in a custom theme that I am developing. Under theme_folder/login/terms.ftl I want to access some of the user attributes to display the respective Terms and Conditions for each user. Somehow user is always null in the terms.ftl.

If i look in the source code where the freemarker template is processed i don?t see the user being set as freemarker model attribute so i guess it is not possible to access the user(?s attributes) from a required action template.

Does anyone know of any way to reach the user attributes in terms.ftl?

Best regards,
Sidney Beekhoven



From bruno at abstractj.org  Fri Jan 18 07:02:07 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 18 Jan 2019 10:02:07 -0200
Subject: [keycloak-user] Keycloak Gatekeeper docker image yml file
In-Reply-To: <54619a06-495d-4562-d33f-86d29129a2db@ekt.gr>
References: <54619a06-495d-4562-d33f-86d29129a2db@ekt.gr>
Message-ID: <20190118120206.GA2122@abstractj.org>

Hi Dimitris,

We do not provide any YAML file inside our Docker image, you can find
the sources here:

What I do is often mount a volume with my YAML configuration file.
Something like:

docker run --name=gatekeeper --rm -it -v ~/path/to/gatekeeper-config:/tmp -p 8282:8282 keycloak/keycloak-gatekeeper --config /tmp/gatekeeper-config.yaml

I hope it helps.

On 2019-01-18, Dimitris Charlaftis wrote:
> Hello,
> 
> I want to deploy the following keycloak gatekeeper docker image
> 
> https://hub.docker.com/r/keycloak/keycloak-gatekeeper
> I want to map a .yml file through the VOLUME command but i don't know the path of the configuration inside the docker container.
> Please can you provide where can i map the .yml file (the correct path inside the docker container) for the configuration?
> 
> Documentation presents a sample yml file, but it does not say where tomap it inside the container...
> Thank you!
> Dimitris
> 
> 
> -- 
> _____________________________
> 
> Dimitris Charlaftis
> Software Engineer
> 
> National Documentation Center
> email: dharlaftis at ekt.gr
> _____________________________
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 

abstractj

From chris.smith at cmfirstgroup.com  Fri Jan 18 07:09:55 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Fri, 18 Jan 2019 12:09:55 +0000
Subject: [keycloak-user] Has anyone installed keycloak using snap or juju
Message-ID: <MWHPR22MB0255A66066FDD0171E9B25A7989C0@MWHPR22MB0255.namprd22.prod.outlook.com>

I created a new Ubuntu 18.10 Server VM

During install It had a step about installing common snaps.  Keycloak was one of them.

I selected it and I have no idea about how or where it installed keycloak or how to start keycloak.

I'm dubious as to it's usefulness as Java did not get installed.

Googleing has informed me a bit about snapd (snappy) and juju, but my attempts at using them were futile.

Are snap and juju based installation packages still half baked?

From deruere.julien at gmail.com  Fri Jan 18 07:20:16 2019
From: deruere.julien at gmail.com (Julien Deruere)
Date: Fri, 18 Jan 2019 07:20:16 -0500
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
	<CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
Message-ID: <CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>

My goal is to fetch the list of resources on wich I have permissions to. If
I can filter by type that would be even better. Is it possible?

Le ven. 18 janv. 2019 05:37, Pedro Igor Silva <psilva at redhat.com> a ?crit :

> Hi,
>
> What if you try to obtain permissions by passing the resource id (instead
> of asking all permissions)? Can you check if it works? I remember some
> limitations when obtaining all permissions due to performance issues. Not
> sure if that is the case.
>
> On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <deruere.julien at gmail.com>
> wrote:
>
>> I'm getting permissions from this request:
>>
>> curl -X POST \
>>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
>> \
>>   -H "Authorization: Bearer ${access_token}" \
>>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>>   --data "audience={resource_server_client_id}" \  --data
>> "response_mode=permissions"
>>
>> Which give me the good results when I use Keycloak UI to share a resource.
>>
>> Then if I give permission user the Policy API:
>>
>> curl -X POST \
>>
>> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
>> \
>>   -H 'Authorization: Bearer '$access_token \
>>   -H 'Cache-Control: no-cache' \
>>   -H 'Content-Type: application/json' \
>>   -d '{
>>         "name": "Any people manager",
>>         "description": "Allow access to any people manager",
>>         "scopes": ["read"],
>>         "groups": ["/Managers/People Managers"]
>> }'
>>
>>
>> It works and I can see it in the Keycloak User panel or in the evaluate
>> permission page, but first request does not I mention does not include
>> this
>> permission in the response.
>>
>> Any idea?
>>
> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From geoff at opticks.io  Fri Jan 18 07:38:53 2019
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Fri, 18 Jan 2019 13:38:53 +0100
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
	<CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
	<CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
Message-ID: <CAHzT=q8j6Crt7OiySTRCkWxZco2d4mM0BQG4hPLcwiHy_y1WYQ@mail.gmail.com>

Vote for my feature request! ;)
https://issues.jboss.org/browse/KEYCLOAK-8915

On Fri, 18 Jan 2019 at 13:26, Julien Deruere <deruere.julien at gmail.com>
wrote:

> My goal is to fetch the list of resources on wich I have permissions to. If
> I can filter by type that would be even better. Is it possible?
>
> Le ven. 18 janv. 2019 05:37, Pedro Igor Silva <psilva at redhat.com> a ?crit
> :
>
> > Hi,
> >
> > What if you try to obtain permissions by passing the resource id (instead
> > of asking all permissions)? Can you check if it works? I remember some
> > limitations when obtaining all permissions due to performance issues. Not
> > sure if that is the case.
> >
> > On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <deruere.julien at gmail.com
> >
> > wrote:
> >
> >> I'm getting permissions from this request:
> >>
> >> curl -X POST \
> >>   http://
> ${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
> >> \
> >>   -H "Authorization: Bearer ${access_token}" \
> >>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
> >>   --data "audience={resource_server_client_id}" \  --data
> >> "response_mode=permissions"
> >>
> >> Which give me the good results when I use Keycloak UI to share a
> resource.
> >>
> >> Then if I give permission user the Policy API:
> >>
> >> curl -X POST \
> >>
> >>
> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
> >> \
> >>   -H 'Authorization: Bearer '$access_token \
> >>   -H 'Cache-Control: no-cache' \
> >>   -H 'Content-Type: application/json' \
> >>   -d '{
> >>         "name": "Any people manager",
> >>         "description": "Allow access to any people manager",
> >>         "scopes": ["read"],
> >>         "groups": ["/Managers/People Managers"]
> >> }'
> >>
> >>
> >> It works and I can see it in the Keycloak User panel or in the evaluate
> >> permission page, but first request does not I mention does not include
> >> this
> >> permission in the response.
> >>
> >> Any idea?
> >>
> > _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

Regards,
Geoffrey Cleaves

From bruno at abstractj.org  Fri Jan 18 08:09:24 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 18 Jan 2019 11:09:24 -0200
Subject: [keycloak-user] Keycloak Gatekeeper docker image yml file
In-Reply-To: <20190118120206.GA2122@abstractj.org>
References: <54619a06-495d-4562-d33f-86d29129a2db@ekt.gr>
	<20190118120206.GA2122@abstractj.org>
Message-ID: <CAM5SUC4AwseNkkv06f6_qy15PcTy37s=e7ikbCcjp5OQUJvOGw@mail.gmail.com>

The sources were missing from my previous email
https://github.com/jboss-dockerfiles/keycloak/tree/master/gatekeeper

On Fri, Jan 18, 2019 at 10:02 AM Bruno Oliveira <bruno at abstractj.org> wrote:
>
> Hi Dimitris,
>
> We do not provide any YAML file inside our Docker image, you can find
> the sources here:
>
> What I do is often mount a volume with my YAML configuration file.
> Something like:
>
> docker run --name=gatekeeper --rm -it -v ~/path/to/gatekeeper-config:/tmp -p 8282:8282 keycloak/keycloak-gatekeeper --config /tmp/gatekeeper-config.yaml
>
> I hope it helps.
>
> On 2019-01-18, Dimitris Charlaftis wrote:
> > Hello,
> >
> > I want to deploy the following keycloak gatekeeper docker image
> >
> > https://hub.docker.com/r/keycloak/keycloak-gatekeeper
> > I want to map a .yml file through the VOLUME command but i don't know the path of the configuration inside the docker container.
> > Please can you provide where can i map the .yml file (the correct path inside the docker container) for the configuration?
> >
> > Documentation presents a sample yml file, but it does not say where tomap it inside the container...
> > Thank you!
> > Dimitris
> >
> >
> > --
> > _____________________________
> >
> > Dimitris Charlaftis
> > Software Engineer
> >
> > National Documentation Center
> > email: dharlaftis at ekt.gr
> > _____________________________
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj



-- 
- abstractj

From ssilvert at redhat.com  Fri Jan 18 08:18:34 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 18 Jan 2019 08:18:34 -0500
Subject: [keycloak-user] User Federation
In-Reply-To: <VI1PR07MB423920C4292EAA93EC17D8DB929C0@VI1PR07MB4239.eurprd07.prod.outlook.com>
References: <VI1PR07MB423920C4292EAA93EC17D8DB929C0@VI1PR07MB4239.eurprd07.prod.outlook.com>
Message-ID: <bb84fb54-5811-3f66-b9d7-14f3ec605d12@redhat.com>

Yes, one realm can point to another realm for federation.

Realm A uses Realm B for authentication.

Set up an identity provider in Realm A.? If you want Realm B to handle 
all logins for Realm A, got to Authentication and set the Identity 
Provider Redirector to the identity provider you just created.

In Realm B, create an openid-connect client for your application. Copy 
and paste the Client ID and Client Secret from Realm B into the identity 
provider in Realm A.

At first login, the users from Realm B will be created in Realm A.? I'm 
not sure if this will solve your use case concerning permissions, but it 
gives you something to play around with.


On 1/18/2019 6:11 AM, James Pridmore wrote:
> Hi all,
>
> I wonder if anyone could help me. I'm trying to set up a realm with user federation. I'd like that realm to point to another realm within the same instance of Keycloak.
>
> Is this possible and if so, how do I go about it?
>
> The reason for this is we have one application supporting different contracts, users have different permissions in different contracts. We think we can achieve this by setting up 1 client over multiple realms and using one set of users in all those realms but with different permissions in each realm.
>
> Any advice is much appreciated.
>
> Kind regards,
>
> James
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From will.osborn at VAKT.io  Fri Jan 18 08:30:53 2019
From: will.osborn at VAKT.io (Will Osborn)
Date: Fri, 18 Jan 2019 13:30:53 +0000
Subject: [keycloak-user] Role Mappings on Subsequent Logons
Message-ID: <3B6263F0-3A89-4573-B1F3-3658A6041113@contoso.com>

Hi,

I have setup a keycloak server and using an identity provider successfully setup SSO with claims to role mappings.  Is there any way to allow subsequent logons to recheck the claims and reapply the role mappings so if they change in the identity provide system those changes are passed through to Keycloak?

Thanks
Will

[/var/folders/zg/5xxh34t177b013xm4c89lzw00000gp/T/com.microsoft.Outlook/WebArchiveCopyPasteTempFiles/AeG8I8l0vp2nAAAAABJRU5ErkJggg==]
Will Osborn | Head of delivery
Phone +44 203 9301640
VAKT Global Ltd, Floor 24
1 Canada Square,?
London, E14 5AB
Disclaimer: This e-mail and any attachment may contain information that is privileged or confidential. It is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, please notify the author immediately by telephone or by replying to this e-mail, and then delete all copies of the e-mail on your system. If you are not the intended recipient, you must not use, disclose, distribute, copy, print or rely on this e-mail.

Whilst we have taken reasonable precautions to ensure that this e-mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we cannot accept liability for any damage sustained as a result of software viruses. We would advise that you carry out your own virus checks, especially before opening an attachment.

VAKT Global Limited is registered in England and Wales under the Company Number 11295972. Its registered office is Floor 24, 1 Canada Square, London, E14 5AB.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1047 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190118/ded6bf2d/attachment.png 

From psilva at redhat.com  Fri Jan 18 08:44:25 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 18 Jan 2019 11:44:25 -0200
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAHzT=q8j6Crt7OiySTRCkWxZco2d4mM0BQG4hPLcwiHy_y1WYQ@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
	<CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
	<CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
	<CAHzT=q8j6Crt7OiySTRCkWxZco2d4mM0BQG4hPLcwiHy_y1WYQ@mail.gmail.com>
Message-ID: <CAJrcDBdPQ6H_DLZP_mH63CCzJKUiroHP2JYkhxUn2d7bnuZpQQ@mail.gmail.com>

Ok, Geoffrey. You won :) That should be delivered as soon as we start
developing new features earlier this year.

On Fri, Jan 18, 2019 at 10:39 AM Geoffrey Cleaves <geoff at opticks.io> wrote:

> Vote for my feature request! ;)
> https://issues.jboss.org/browse/KEYCLOAK-8915
>
> On Fri, 18 Jan 2019 at 13:26, Julien Deruere <deruere.julien at gmail.com>
> wrote:
>
>> My goal is to fetch the list of resources on wich I have permissions to.
>> If
>> I can filter by type that would be even better. Is it possible?
>>
>> Le ven. 18 janv. 2019 05:37, Pedro Igor Silva <psilva at redhat.com> a
>> ?crit :
>>
>> > Hi,
>> >
>> > What if you try to obtain permissions by passing the resource id
>> (instead
>> > of asking all permissions)? Can you check if it works? I remember some
>> > limitations when obtaining all permissions due to performance issues.
>> Not
>> > sure if that is the case.
>> >
>> > On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <
>> deruere.julien at gmail.com>
>> > wrote:
>> >
>> >> I'm getting permissions from this request:
>> >>
>> >> curl -X POST \
>> >>   http://
>> ${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
>> >> \
>> >>   -H "Authorization: Bearer ${access_token}" \
>> >>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>> >>   --data "audience={resource_server_client_id}" \  --data
>> >> "response_mode=permissions"
>> >>
>> >> Which give me the good results when I use Keycloak UI to share a
>> resource.
>> >>
>> >> Then if I give permission user the Policy API:
>> >>
>> >> curl -X POST \
>> >>
>> >>
>> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
>> >> \
>> >>   -H 'Authorization: Bearer '$access_token \
>> >>   -H 'Cache-Control: no-cache' \
>> >>   -H 'Content-Type: application/json' \
>> >>   -d '{
>> >>         "name": "Any people manager",
>> >>         "description": "Allow access to any people manager",
>> >>         "scopes": ["read"],
>> >>         "groups": ["/Managers/People Managers"]
>> >> }'
>> >>
>> >>
>> >> It works and I can see it in the Keycloak User panel or in the evaluate
>> >> permission page, but first request does not I mention does not include
>> >> this
>> >> permission in the response.
>> >>
>> >> Any idea?
>> >>
>> > _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
>
> Regards,
> Geoffrey Cleaves
>
>
>
>
>
>

From deruere.julien at gmail.com  Fri Jan 18 08:50:11 2019
From: deruere.julien at gmail.com (Julien Deruere)
Date: Fri, 18 Jan 2019 08:50:11 -0500
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAJrcDBdPQ6H_DLZP_mH63CCzJKUiroHP2JYkhxUn2d7bnuZpQQ@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
	<CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
	<CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
	<CAHzT=q8j6Crt7OiySTRCkWxZco2d4mM0BQG4hPLcwiHy_y1WYQ@mail.gmail.com>
	<CAJrcDBdPQ6H_DLZP_mH63CCzJKUiroHP2JYkhxUn2d7bnuZpQQ@mail.gmail.com>
Message-ID: <CAOPHCg9D8cK05LOSofPgsKrBC0kNhQVuWPXpFs1vuWC36TBZOQ@mail.gmail.com>

Voted, it's exactly what I need

Le ven. 18 janv. 2019 ? 08:44, Pedro Igor Silva <psilva at redhat.com> a
?crit :

> Ok, Geoffrey. You won :) That should be delivered as soon as we start
> developing new features earlier this year.
>
> On Fri, Jan 18, 2019 at 10:39 AM Geoffrey Cleaves <geoff at opticks.io>
> wrote:
>
>> Vote for my feature request! ;)
>> https://issues.jboss.org/browse/KEYCLOAK-8915
>>
>> On Fri, 18 Jan 2019 at 13:26, Julien Deruere <deruere.julien at gmail.com>
>> wrote:
>>
>>> My goal is to fetch the list of resources on wich I have permissions to.
>>> If
>>> I can filter by type that would be even better. Is it possible?
>>>
>>> Le ven. 18 janv. 2019 05:37, Pedro Igor Silva <psilva at redhat.com> a
>>> ?crit :
>>>
>>> > Hi,
>>> >
>>> > What if you try to obtain permissions by passing the resource id
>>> (instead
>>> > of asking all permissions)? Can you check if it works? I remember some
>>> > limitations when obtaining all permissions due to performance issues.
>>> Not
>>> > sure if that is the case.
>>> >
>>> > On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <
>>> deruere.julien at gmail.com>
>>> > wrote:
>>> >
>>> >> I'm getting permissions from this request:
>>> >>
>>> >> curl -X POST \
>>> >>   http://
>>> ${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
>>> >> \
>>> >>   -H "Authorization: Bearer ${access_token}" \
>>> >>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>>> >>   --data "audience={resource_server_client_id}" \  --data
>>> >> "response_mode=permissions"
>>> >>
>>> >> Which give me the good results when I use Keycloak UI to share a
>>> resource.
>>> >>
>>> >> Then if I give permission user the Policy API:
>>> >>
>>> >> curl -X POST \
>>> >>
>>> >>
>>> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
>>> >> \
>>> >>   -H 'Authorization: Bearer '$access_token \
>>> >>   -H 'Cache-Control: no-cache' \
>>> >>   -H 'Content-Type: application/json' \
>>> >>   -d '{
>>> >>         "name": "Any people manager",
>>> >>         "description": "Allow access to any people manager",
>>> >>         "scopes": ["read"],
>>> >>         "groups": ["/Managers/People Managers"]
>>> >> }'
>>> >>
>>> >>
>>> >> It works and I can see it in the Keycloak User panel or in the
>>> evaluate
>>> >> permission page, but first request does not I mention does not include
>>> >> this
>>> >> permission in the response.
>>> >>
>>> >> Any idea?
>>> >>
>>> > _______________________________________________
>>> >> keycloak-user mailing list
>>> >> keycloak-user at lists.jboss.org
>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>>
>> Regards,
>> Geoffrey Cleaves
>>
>>
>>
>>
>>
>>

From psilva at redhat.com  Fri Jan 18 08:53:14 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 18 Jan 2019 11:53:14 -0200
Subject: [keycloak-user] Missing permissions
In-Reply-To: <CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
References: <CAOPHCg9saL3r7qYxR8W=VWO1762-v4K-aOBQCoRJoBqSnYiPrA@mail.gmail.com>
	<CAJrcDBfw6-hsVr4Pcrh8Vsi_iCewVawfMZ9TCNBRMSnO6Ga3_Q@mail.gmail.com>
	<CAOPHCg9Fk008nJoPVew7a2-dJa82iWq4V81QrBDbjvfvDbV2Gw@mail.gmail.com>
Message-ID: <CAJrcDBfGhRWjbcZ5dY1RSWYdZ-tTmThU3auPkPU9+UBpXU-a6Q@mail.gmail.com>

Did it work when passing the resource id ?

On Fri, Jan 18, 2019 at 10:20 AM Julien Deruere <deruere.julien at gmail.com>
wrote:

> My goal is to fetch the list of resources on wich I have permissions to.
> If I can filter by type that would be even better. Is it possible?
>
> Le ven. 18 janv. 2019 05:37, Pedro Igor Silva <psilva at redhat.com> a
> ?crit :
>
>> Hi,
>>
>> What if you try to obtain permissions by passing the resource id (instead
>> of asking all permissions)? Can you check if it works? I remember some
>> limitations when obtaining all permissions due to performance issues. Not
>> sure if that is the case.
>>
>> On Thu, Jan 17, 2019 at 6:45 PM Julien Deruere <deruere.julien at gmail.com>
>> wrote:
>>
>>> I'm getting permissions from this request:
>>>
>>> curl -X POST \
>>>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token
>>> \
>>>   -H "Authorization: Bearer ${access_token}" \
>>>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>>>   --data "audience={resource_server_client_id}" \  --data
>>> "response_mode=permissions"
>>>
>>> Which give me the good results when I use Keycloak UI to share a
>>> resource.
>>>
>>> Then if I give permission user the Policy API:
>>>
>>> curl -X POST \
>>>
>>> http://localhost:8180/auth/realms/photoz/authz/protection/uma-policy/{resource_id}
>>> \
>>>   -H 'Authorization: Bearer '$access_token \
>>>   -H 'Cache-Control: no-cache' \
>>>   -H 'Content-Type: application/json' \
>>>   -d '{
>>>         "name": "Any people manager",
>>>         "description": "Allow access to any people manager",
>>>         "scopes": ["read"],
>>>         "groups": ["/Managers/People Managers"]
>>> }'
>>>
>>>
>>> It works and I can see it in the Keycloak User panel or in the evaluate
>>> permission page, but first request does not I mention does not include
>>> this
>>> permission in the response.
>>>
>>> Any idea?
>>>
>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From dev.ebondu at gmail.com  Fri Jan 18 08:57:22 2019
From: dev.ebondu at gmail.com (Emilien Bondu)
Date: Fri, 18 Jan 2019 14:57:22 +0100
Subject: [keycloak-user] Post profile update required actions
Message-ID: <41B41AEA-DDA7-4090-B577-29697DB78662@gmail.com>

Hello,

I am working on user's mobile phone number attribute validation with SMS code. To do this I created some required actions to send sms code and validate the user profile attribute. Everything is ok for user registration and post external providers login (Post Login Flow), however I would like to validate the mobile number with these required actions during user profile modification. I tried to implement an event listener to add required actions on user profile after the profile update but this actions will only be triggered during the next login (asynchronously). Is there any way to trigger required actions during user profile modification with a "Post Profile Update Flow" ?

Here the link to the project : https://github.com/ebondu/keycloak-sms-authenticator-sns

Thanks,
Emilien

From denis.danov at dreamix.eu  Fri Jan 18 09:30:32 2019
From: denis.danov at dreamix.eu (Denis Danov)
Date: Fri, 18 Jan 2019 16:30:32 +0200
Subject: [keycloak-user] Retrieve all accessible applications for the
 logged user
In-Reply-To: <1547785533.9262.1.camel@acutus.pro>
References: <CAHOVys3Z+pUOdmax+PY-OP0tjvx0D=X7t67nOTHUa396jOz_pg@mail.gmail.com>
	<1547785533.9262.1.camel@acutus.pro>
Message-ID: <CAHOVys2o-GF5UugD1COdwV5O32tOG7k0jmQ_nPTAiYR-m+RWFg@mail.gmail.com>

Hi Dmitry, Stan,

thank you for the responses. We will check the custom REST API option.
Thank you a lot about the information.

On Fri, Jan 18, 2019 at 6:25 AM Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Denis, just my 2? in addition to what Stan said,
>
> If you can't wait for the account REST service to be merged, you can
> create your own REST service to expose the data you need.
>
> Check out Server Development [1] for how to create custom REST resources,
> BeerCloak [2] for how to secure them and ApplicationsBean.java [3] for how
> to obtain application list.
>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [2] https://github.com/dteleguin/beercloak
> [3]
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2019-01-17 at 14:11 +0200, Denis Danov wrote:
> > Hi Keycloak members,
> >
> > I am excited writing to you and I hope someone will answer.
> > I am working on an application that should be registered and secured in
> > Keycloak. Once the user is authenticated we want to show list of all
> other
> > applications that the user has access to.
> > Can this information be retrieved via REST API as I can see that it is
> > already available from Keycloak UI for user's account under section
> > applications
> > https://www.keycloak.org/docs/3.3/server_admin/topics/account.html
> >
> > Regards,
> > Denis Danov
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From luca.stancapiano at vige.it  Fri Jan 18 09:34:41 2019
From: luca.stancapiano at vige.it (Luca Stancapiano)
Date: Fri, 18 Jan 2019 15:34:41 +0100 (CET)
Subject: [keycloak-user] Registration page and comboboxes
In-Reply-To: <1546616999.3690.13.camel@acutus.pro>
References: <2137152622.449907.1546081736355@pim.register.it>
	<1546616999.3690.13.camel@acutus.pro>
Message-ID: <334714680.52187.1547822085649@pim.register.it>

thanks Dmitry.

Actually I can create JPA and Rest api. I can also create a custom registration page. The registration page can read custom attributes but I still can not figure out where to go to enhance them. 
The documentation explains how to implement an org.keycloak.authentication.Authenticator but also deals with managing authentication, which I do not need because I only need to enhance the attributes to be read in the registration form. 
I've seen that you can implement an org.keycloak.authentication.FormAuthenticator which only provides a render method, which would be right for me but I do not understand how to hook it to the registration page

> Il 4 gennaio 2019 alle 16.49 Dmitry Telegin <dt at acutus.pro> ha scritto:
> 
> 
> Hello Luca,
> 
> What you're talking about is 100% feasible, but will require some coding.
> 
> You will need to implement the following:
> - custom JPA entity [1] to store combobox values;
> - custom REST resource [2] to enable management via Admin Console + provide the list to the registration page;
> - Admin Console additions [3] to implement the management GUI;
> - customized registration page (via custom login theme).
> 
> I'd also suggest that you take a look at BeerCloak [4], an all-in-one example where all of the above is implemented, except for the last item. I'm planning to do it it maybe in the second half of January. As I see it, the registration page will feature a drop-down with beers for a user to choose a favorite from.
> 
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [3] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [4] https://github.com/dteleguin/beercloak
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Sat, 2018-12-29 at 12:08 +0100, Luca Stancapiano wrote:
> > I have a registration page in a Keycloak theme where the user has to choose from a list from a combobox. This list is dynamic, meaning it could be changed by an administrator at any time. What is the best way to manage this list with Keycloak? Can I use the administrative console to update this data? If you are on which component?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From scott.thibault at multiscalehn.com  Fri Jan 18 13:03:45 2019
From: scott.thibault at multiscalehn.com (Scott Thibault)
Date: Fri, 18 Jan 2019 13:03:45 -0500
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <1547679165.4393.16.camel@acutus.pro>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
Message-ID: <CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>

That does look like it does what we would want.  However, I don't think I
can add custom authenticators.  I'm administering an Eclipse Che instance
which embeds Keycloak for it's authentication.  Is there any other approach?

--Scott


On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Scott,
>
> I think Geoffrey Cleaves has done this with the help of custom
> authenticator, please check out this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > Out-of-the-box, the First Broker Login flow automatically registers
> > non-existing users authenticated by an identity provider.  I would not
> like
> > anyone with a valid Google account to be able to login, but only those
> with
> > existing accounts.  However, any attempt to create a custom flow without
> > the "Create User If Unique" item leads to an
> error=invalid_user_credentials.
> >
> > Is there some solution that would allow me to prevent users without an
> > existing account to login via the Google identity provider?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro  Fri Jan 18 13:54:48 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 18 Jan 2019 21:54:48 +0300
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
	<CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>
Message-ID: <1547837688.13934.1.camel@acutus.pro>

Hi Scott,

On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> That does look like it does what we would want.? However, I don't think I can add custom authenticators.? I'm administering an Eclipse Che instance which embeds Keycloak for it's authentication.? Is there any other approach?

Just FYI, Che's embedded Keycloak is fully accessible [1], so it?shouldn't be problematic install a single JS authenticator.

[1] https://www.eclipse.org/che/docs/che-6/user-management.html

Good luck,
Dmitry

> 
> --Scott
> 
> 
> > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Scott,
> > 
> > I think Geoffrey Cleaves has done this with the help of custom authenticator, please check out this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > Out-of-the-box, the First Broker Login flow automatically registers
> > > non-existing users authenticated by an identity provider.??I would not like
> > > anyone with a valid Google account to be able to login, but only those with
> > > existing accounts.??However, any attempt to create a custom flow without
> > > the "Create User If Unique" item leads to an error=invalid_user_credentials.
> > >?
> > > Is there some solution that would allow me to prevent users without an
> > > existing account to login via the Google identity provider?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 

From scott.thibault at multiscalehn.com  Fri Jan 18 14:05:34 2019
From: scott.thibault at multiscalehn.com (Scott Thibault)
Date: Fri, 18 Jan 2019 14:05:34 -0500
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <1547837688.13934.1.camel@acutus.pro>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
	<CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>
	<1547837688.13934.1.camel@acutus.pro>
Message-ID: <CALWScZN0Z14YGmFhF_CbTS5x8ASq=BG0Umm6EKqHaw0=zD1G=g@mail.gmail.com>

Oh, I did not realize you create these from the admin console.  That should
work.  I see there is a REST API as well, so I could automate the setup
which is really nice.

Thanks!
--Scott

On Fri, Jan 18, 2019 at 1:54 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hi Scott,
>
> On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> > That does look like it does what we would want.  However, I don't think
> I can add custom authenticators.  I'm administering an Eclipse Che instance
> which embeds Keycloak for it's authentication.  Is there any other approach?
>
> Just FYI, Che's embedded Keycloak is fully accessible [1], so it shouldn't
> be problematic install a single JS authenticator.
>
> [1] https://www.eclipse.org/che/docs/che-6/user-management.html
>
> Good luck,
> Dmitry
>
> >
> > --Scott
> >
> >
> > > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Scott,
> > >
> > > I think Geoffrey Cleaves has done this with the help of custom
> authenticator, please check out this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > > Out-of-the-box, the First Broker Login flow automatically registers
> > > > non-existing users authenticated by an identity provider.  I would
> not like
> > > > anyone with a valid Google account to be able to login, but only
> those with
> > > > existing accounts.  However, any attempt to create a custom flow
> without
> > > > the "Create User If Unique" item leads to an
> error=invalid_user_credentials.
> > > >
> > > > Is there some solution that would allow me to prevent users without
> an
> > > > existing account to login via the Google identity provider?
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>

From scott.thibault at multiscalehn.com  Fri Jan 18 14:43:38 2019
From: scott.thibault at multiscalehn.com (Scott Thibault)
Date: Fri, 18 Jan 2019 14:43:38 -0500
Subject: [keycloak-user] Verify Existing Account By Email and user Email
	Verify field
In-Reply-To: <1547679165.4393.16.camel@acutus.pro>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
Message-ID: <CALWScZPOCWZ-6ie_awAxcFV+OeT5iTjGiiFCqPgxGwR=CmW1Og@mail.gmail.com>

The Verify Existing Account By Email seems to be trying to send an e-mail
verification even though the Email Verified flag is on.  Is that normal
behavior?

Thanks,
--Scott

From dt at acutus.pro  Fri Jan 18 16:31:49 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 19 Jan 2019 00:31:49 +0300
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <CALWScZN0Z14YGmFhF_CbTS5x8ASq=BG0Umm6EKqHaw0=zD1G=g@mail.gmail.com>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
	<CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>
	<1547837688.13934.1.camel@acutus.pro>
	<CALWScZN0Z14YGmFhF_CbTS5x8ASq=BG0Umm6EKqHaw0=zD1G=g@mail.gmail.com>
Message-ID: <1547847109.13934.4.camel@acutus.pro>

Yes, generally there are three ways to do things in Keycloak, namely admin console, REST API and kcadm.sh tool (that uses REST API under the hood). The latter may be preferable from the automation PoV since it hides the?complexity of the API behind a (relatively) simple CLI wrapper.

I remember Craig Setera (in CC) was trying to create custom JS authenticator via kcadm.sh, so I hope he can tell you more.

Cheers,
Dmitry

On Fri, 2019-01-18 at 14:05 -0500, Scott Thibault wrote:
> Oh, I did not realize you create these from the admin console.? That should work.? I see there is a REST API as well, so I could automate the setup which is really nice.
> 
> Thanks!
> --Scott
> 
> > On Fri, Jan 18, 2019 at 1:54 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Scott,
> > 
> > On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> > > That does look like it does what we would want.? However, I don't think I can add custom authenticators.? I'm administering an Eclipse Che instance which embeds Keycloak for it's authentication.? Is there any other approach?
> > 
> > Just FYI, Che's embedded Keycloak is fully accessible [1], so it?shouldn't be problematic install a single JS authenticator.
> > 
> > [1] https://www.eclipse.org/che/docs/che-6/user-management.html
> > 
> > Good luck,
> > Dmitry
> > 
> > >?
> > > --Scott
> > >?
> > >?
> > > > > > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > Hi Scott,
> > > >?
> > > > I think Geoffrey Cleaves has done this with the help of custom authenticator, please check out this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > > >?
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >?
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >?
> > > > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > > > Out-of-the-box, the First Broker Login flow automatically registers
> > > > > non-existing users authenticated by an identity provider.??I would not like
> > > > > anyone with a valid Google account to be able to login, but only those with
> > > > > existing accounts.??However, any attempt to create a custom flow without
> > > > > the "Create User If Unique" item leads to an error=invalid_user_credentials.
> > > > >?
> > > > > Is there some solution that would allow me to prevent users without an
> > > > > existing account to login via the Google identity provider?
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >?
> > 

From craig at baseventure.com  Fri Jan 18 17:18:42 2019
From: craig at baseventure.com (Craig Setera)
Date: Fri, 18 Jan 2019 16:18:42 -0600
Subject: [keycloak-user] Google login without automatic user registration
In-Reply-To: <1547847109.13934.4.camel@acutus.pro>
References: <CALWScZPDZYWGEpP4HYdyonbdnJps2jZGumcF8oNvd2JAXKLNbQ@mail.gmail.com>
	<1547679165.4393.16.camel@acutus.pro>
	<CALWScZMFH_T-LecXzqWh9h8okxR8jef8D9zarO06t0BHR_iOhg@mail.gmail.com>
	<1547837688.13934.1.camel@acutus.pro>
	<CALWScZN0Z14YGmFhF_CbTS5x8ASq=BG0Umm6EKqHaw0=zD1G=g@mail.gmail.com>
	<1547847109.13934.4.camel@acutus.pro>
Message-ID: <CAPVdwjq9h0ZXOQ8crCKnxv4V=L4mwT=YN52+L5=A4pTZnK+Vjg@mail.gmail.com>

I've attached a subset of my (Bash) setup script.  This is the part that
handles the script authenticator setup.  Hope it helps.

Craig


=================================
*Craig Setera*

*Chief Technology Officer*




On Fri, Jan 18, 2019 at 3:31 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Yes, generally there are three ways to do things in Keycloak, namely admin
> console, REST API and kcadm.sh tool (that uses REST API under the hood).
> The latter may be preferable from the automation PoV since it hides
> the complexity of the API behind a (relatively) simple CLI wrapper.
>
> I remember Craig Setera (in CC) was trying to create custom JS
> authenticator via kcadm.sh, so I hope he can tell you more.
>
> Cheers,
> Dmitry
>
> On Fri, 2019-01-18 at 14:05 -0500, Scott Thibault wrote:
> > Oh, I did not realize you create these from the admin console.  That
> should work.  I see there is a REST API as well, so I could automate the
> setup which is really nice.
> >
> > Thanks!
> > --Scott
> >
> > > On Fri, Jan 18, 2019 at 1:54 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Scott,
> > >
> > > On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> > > > That does look like it does what we would want.  However, I don't
> think I can add custom authenticators.  I'm administering an Eclipse Che
> instance which embeds Keycloak for it's authentication.  Is there any other
> approach?
> > >
> > > Just FYI, Che's embedded Keycloak is fully accessible [1], so
> it shouldn't be problematic install a single JS authenticator.
> > >
> > > [1] https://www.eclipse.org/che/docs/che-6/user-management.html
> > >
> > > Good luck,
> > > Dmitry
> > >
> > > >
> > > > --Scott
> > > >
> > > >
> > > > > > > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro>
> wrote:
> > > > > Hi Scott,
> > > > >
> > > > > I think Geoffrey Cleaves has done this with the help of custom
> authenticator, please check out this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > > > >
> > > > > Cheers,
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > > > > Out-of-the-box, the First Broker Login flow automatically
> registers
> > > > > > non-existing users authenticated by an identity provider.  I
> would not like
> > > > > > anyone with a valid Google account to be able to login, but only
> those with
> > > > > > existing accounts.  However, any attempt to create a custom flow
> without
> > > > > > the "Create User If Unique" item leads to an
> error=invalid_user_credentials.
> > > > > >
> > > > > > Is there some solution that would allow me to prevent users
> without an
> > > > > > existing account to login via the Google identity provider?
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: script-auth-setup.sh.zip
Type: application/zip
Size: 1383 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190118/78922ebb/attachment.zip 

From bauer_marie at gmx.net  Mon Jan 21 01:15:43 2019
From: bauer_marie at gmx.net (bauer_marie at gmx.net)
Date: Mon, 21 Jan 2019 07:15:43 +0100
Subject: [keycloak-user] Shared datastore?
In-Reply-To: <CABS93FRCTK-6apPK1Yxp=-5WdZdUwEuqCAhhJMh27fAH-xpZwg@mail.gmail.com>
References: <CABS93FQoYAW5trxmEww9j8RsyCSmiNAxxopnvj6iHvDNM4qtjg@mail.gmail.com>
	<CABS93FTjHkHaZRFWKuXsFoQ50u4fAN1EFyXoTsyJRtXf4HmS3w@mail.gmail.com>
	<CAA9R9O5OKgZqrkCXbifNoHEYOfKKV52ujycoHMOMBvq7jzNFLQ@mail.gmail.com>
	<1408145257.66131813.1541706517375.JavaMail.zimbra@redhat.com>
	<CAA9R9O4GmBwUrbOGDmWRyUUaduFOc0t0fDKN1qb_ZTJiysRMtg@mail.gmail.com>
	<6c684abf-809f-1a16-453b-5f99dbbe6a14@redhat.com>
	<CABS93FRCTK-6apPK1Yxp=-5WdZdUwEuqCAhhJMh27fAH-xpZwg@mail.gmail.com>
Message-ID: <trinity-4b66a170-11e3-477e-b129-ec61af1ea7eb-1548051343088@3c-app-gmx-bs06>


Hi,
?
we are also using a shared database store for the sessions and until Keycloak 3.0.0 (Infinispant 8.1.0) it worked with passivation disabled.
Lately we updated to 3.4.3 (Infinispan 8.2.) with the same configuration, but it's not working anymore. Sessions are lost and not written to the database (work table works and gets entries on startup).
?
the configuration looks like that:

??????????????? <distributed-cache name="sessions" mode="SYNC" owners="2">
????????????????? <string-keyed-jdbc-store shared="true" preload="true" fetch-state="false" purge="false" passivation="false" data-source="KeycloakSessionDS">
????????????????????? <string-keyed-table prefix="ispn_entry">
????????????????????????? <id-column name="id_column" type="VARCHAR(255)" />
????????????????????????? <data-column name="data_column" type="BLOB" />
????????????????????????? <timestamp-column name="timestamp_column" type="BIGINT" />
????????????????????? </string-keyed-table>
????????????????? </string-keyed-jdbc-store>
????????????? </distributed-cache>
????????????? <distributed-cache name="offlineSessions" mode="SYNC" owners="2">
????????????????? <string-keyed-jdbc-store shared="true" preload="true" fetch-state="false" purge="false" data-source="KeycloakSessionDS">
????????????????????? <string-keyed-table prefix="ispn_entry">
????????????????????????? <id-column name="id_column" type="VARCHAR(255)" />
????????????????????????? <data-column name="data_column" type="BLOB" />
????????????????????????? <timestamp-column name="timestamp_column" type="BIGINT" />
????????????????????? </string-keyed-table>
????????????????? </string-keyed-jdbc-store>
????????????? </distributed-cache>
????????????? <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
????????????? <replicated-cache name="work" mode="SYNC">
????????????????? <string-keyed-jdbc-store shared="true" preload="true" fetch-state="false" purge="false" data-source="KeycloakSessionDS">
????????????????????? <string-keyed-table prefix="ispn_entry">
????????????????????????? <id-column name="id_column" type="VARCHAR(255)" />
????????????????????????? <data-column name="data_column" type="BLOB" />
????????????????????????? <timestamp-column name="timestamp_column" type="BIGINT" />
????????????????????? </string-keyed-table>
????????????????? </string-keyed-jdbc-store>
????????????? </replicated-cache>
?
?
Is there any configuration that I could change to make it work again? Will it work in future versions?

Marie
?
?

Gesendet:?Donnerstag, 15. November 2018 um 19:38 Uhr
Von:?"Nicolas Ocquidant" <nocquidant at gmail.com>
An:?mposolda at redhat.com
Cc:?keycloak-user at lists.jboss.org, wburns at redhat.com
Betreff:?Re: [keycloak-user] Shared datastore?
OK, so I setup one KC node with a remote store, and one JDG (ISPN) server
with a shared JDBC store and it seems to work fine. Thanks!
I would have preferred not to add a JDG server but at least I have a
solution.

But a few things remain unclear:
- each time I update/insert/delete a session entity from KC, the JDG
server will always be updated, right?
- what about read operations? Does it mean there are 2 independent
caches, one in KC and one in ISPN (JMX shows same numEntriesInMemory for
both)?

So let's say I am not interested in Cross DC yet, but i want to set up a
cluster of 3 VMs (with HAProxy in front of them), each VM holding one KC
process + one ISPN process:

* VM#1 : kc_node11 && ispn_node11 (kc_node11 uses ispn_node11 as remote
cache)
* VM#2 : kc_node21 && ispn_node21 (kc_node21 uses ispn_node21 as remote
cache)
* VM#3 : kc_node31 && ispn_node31 (kc_node31 uses ispn_node31 as remote
cache)

Which cache mode
<http://infinispan.org/docs/stable/user_guide/user_guide.html#which_cache_mode_should_i_use>
should I use then and how many owners, for both KC and ISPN? Invalidation
mode and numOfOwner=2 for KC, and distributed mode and numOfOwner=2 for
ISPN? Would that work?

Thanks again
--nick


Le jeu. 15 nov. 2018 ? 11:55, Marek Posolda <mposolda at redhat.com> a ?crit :

> Yes, true. We're using SKIP_CACHE_STORE when writing to sessions. We never
> tested with CacheStores enabled.
>
> The only store, which we're tested with, is the "remote-store" which we're
> using for the cross-datacenter setup. We have lots of places when we're not
> just writing data to the "cache" directly and let the "remote-store" to
> propagate it, but instead we obtain "remoteCache" instance from the
> underlying remote-store and CRUD data directly to remoteCache to have some
> optimizations and guaranteed consistency and atomicity for remoteCache
> operations (EG. putIfAbsent, replace etc). That's also the reason why we're
> using SKIP_CACHE_STORE flag.
>
> Feel free to create JIRA for better support of other CacheStores.
>
> The other possibility to workaround this (besides what Sebastian already
> mentioned) is to have JDG server and configure your cache with the
> remote-store as described in our "Cross-Datacenter setup" documentation. On
> JDG side, you can configure the JDBC store to your cache. In other words,
> the session will be always written to JDG and JDG will write it to the
> undrlying JDBC. I know this option is far from ideal (you need to add JDG
> server just to workaround things), just mentioning it for completeness.
>
> Marek
>
>
> On 09/11/18 14:29, Sebastian Laskawiec wrote:
>
> Yes, I think that could be case, I see a plenty of places where we
> use SKIP_CACHE_STORE.
>
> Let me ask Marek for help here since it has been implemented long before I
> joined the team and I don't know the history behind it...
>
> On Thu, Nov 8, 2018 at 8:48 PM William Burns <wburns at redhat.com> wrote:
>
>>
>>
>> ----- Original Message -----
>> > From: "Sebastian Laskawiec" <slaskawi at redhat.com>
>> > To: "Nicolas Ocquidant" <nocquidant at gmail.com>
>> > Cc: keycloak-user at lists.jboss.org, "Will Burns Rosenquist Burns" <
>> wburns at redhat.com>
>> > Sent: Thursday, November 8, 2018 12:33:47 PM
>> > Subject: Re: [keycloak-user] Shared datastore?
>> >
>> > So I think there are at least two ways to address this problem. This
>> first
>> > one is to use Offline Tokens [1]. I'm not sure if that fits into your
>> > application since it requires your client applications to store the
>> token.
>> > In other words you can simply delegate this problem one layer below in
>> your
>> > system.
>> >
>> > If that doesn't work for you, yes passivation is a way to go. Frankly, I
>> > haven't used passivation but from the manual I see it works hand in hand
>> > with eviction [2][3]. Will (on CC) can probably correct me here, but my
>> > understanding is that whenever an entry gets evicted, the passivation
>> > mechanism picks it up and stores somewhere.
>>
>> It does and it works, the problem is that passivation doesn't play well
>> with shared stores in Infinispan. We prevent this configuration in 9.4 or
>> newer even.
>>
>> I recommended that Nicolas just use eviction and a shared store without
>> passivation. However it seems that entries are not written to the store in
>> this configuration. My guess is that KeyCloak performs write operations
>> with the SKIP_CACHE_STORE flag and assumes entries will only be written to
>> the store due to passivation. Is there a reason for that?
>>
>> >
>> > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html[http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html]
>> > [2]
>> >
>> http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation[http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passivation]
>> > [3]
>> >
>> https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69[https://github.com/infinispan/infinispan/blob/master/core/src/test/java/org/infinispan/eviction/impl/EvictionWithPassivationTest.java#L61-L69]
>> >
>> > On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant <nocquidant at gmail.com>
>> > wrote:
>> >
>> > > My requirements are the following: store tokens emitted by KC during
>> one
>> > > year.
>> > >
>> > > I don't know how many users there are, but here are the number I get:
>> > > * the number of connections a week is about 700k.
>> > > * the number of session refresh a week is about 200k.
>> > >
>> > > I approximated around 1M of sessions a week, thus 52M a year.
>> > > In memory, a user session has been estimated around 4KB (about 1KB in
>> > > file/DB).
>> > >
>> > > But I guess a refresh does not create another session isn't it? And
>> maybe
>> > > it's possible to ask KC to delete previous emitted tokens when a new
>> one is
>> > > created for a same user?
>> > >
>> > > If yes, my estimation is probably a little bit too high here, but I
>> > > certainly have several millions of tokens to keep (and maybe dozens of
>> > > millions).
>> > >
>> > > Thanks
>> > > --nick
>> > >
>> > > Le mer. 7 nov. 2018 ? 18:17, Nicolas Ocquidant <nocquidant at gmail.com>
>> a
>> > > ?crit :
>> > >
>> > > > Hi,
>> > > >
>> > > > According to Infinispan, when passivation is disabled, every update
>> to
>> > > the
>> > > > cache should always write to the store.
>> > > >
>> > > > But I can't manage to get it work with Keycloak. If I disable
>> > > passivation,
>> > > > my SQL store (Postgres) stays empty, even if the cache is full.
>> > > >
>> > > > So, if passivation is needed for Keycloak to write to the DB, it
>> means
>> > > > that the use of a shared DB is not possible...
>> > > >
>> > > > But this leads to another issue for me. Enable passivation without a
>> > > > shared DB seems to imply that either 'fetch-state' or 'purge'
>> should be
>> > > > enabled on startup, in order for the cache to not contain stale
>> entries.
>> > > >
>> > > > 15:27:44,626 WARN
>> > > >
>> [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder]
>> > > (MSC
>> > > > service thread 1-6) ISPN000149: Fetch persistent state and purge on
>> > > startup
>> > > > are both disabled, cache may contain stale entries on startup
>> > > >
>> > > > As I need to keep millions of sessions, this will considerably slow
>> down
>> > > > the startup of my node (when started again after a crash for
>> instance).
>> > > >
>> > > > So, is shared datastore allowed in Keycloak? If yes, how to enable
>> it?
>> > > > Otherwise what other options do I have to improve my startup time,
>> if
>> > > > millions of sessions are in the store?
>> > > >
>> > > > Thanks
>> > > > --nick
>> > > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user[https://lists.jboss.org/mailman/listinfo/keycloak-user]
>> >
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user[https://lists.jboss.org/mailman/listinfo/keycloak-user]


From imartynovsp at gmail.com  Mon Jan 21 03:10:24 2019
From: imartynovsp at gmail.com (=?UTF-8?B?0JzQsNGA0YLRi9C90L7QsiDQmNC70YzRjw==?=)
Date: Mon, 21 Jan 2019 11:10:24 +0300
Subject: [keycloak-user] RP-initiated backchannel logout
Message-ID: <CAE_vG5ai=ij-R+CsX1e05WdLXpPbNE7Ra8CP1rb4XUcQt7Xi1Q@mail.gmail.com>

Hello,
My RP should support dropping user's session by admin. I need to drop KC
session together with RP's session. But I can't use frontchannel here as
admin is dropping session for another user. So RP-initiated backchannel
logout is required. I see no docs about this functionality in KC. We use
OpenID Connect between RP and KC, so I've searched protocol specs.
 From section "3.  RP-Initiated Logout Functionality" of
https://openid.net/specs/openid-connect-backchannel-1_0.html and from
section "5.  RP-Initiated Logout" of
https://openid.net/specs/openid-connect-session-1_0.html one can conclude
that sending backchannel request to end_session_endpoint with ID token
should drop the session on KC side.

Could you please comment, is my understanding correct?

From thomas.darimont at googlemail.com  Mon Jan 21 03:20:40 2019
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 21 Jan 2019 09:20:40 +0100
Subject: [keycloak-user] User federation via AD/LDAP - how to handle
 deleted users?
In-Reply-To: <852a51cb-56a2-a32b-8877-bfcd2b9cea07@redhat.com>
References: <CAK-7U1jB0N+rVhDCxyCGyTEpcMst9RgrMKCDW8h_qOqWHeHk6g@mail.gmail.com>
	<852a51cb-56a2-a32b-8877-bfcd2b9cea07@redhat.com>
Message-ID: <CAK-7U1haBj=jTZQnVx3L3vHJpt9BbdxruLVnNXMgF6Gk+WtmGQ@mail.gmail.com>

Thanks Marek!

Cheers,
Thomas

Am Di., 15. Jan. 2019 um 19:47 Uhr schrieb Marek Posolda <
mposolda at redhat.com>:

> Hi Thomas,
>
> On 15/01/2019 12:32, Thomas Darimont wrote:
> > Hello,
> >
> > currently, Keycloak (up to 4.8.2) does not handle the case where a user
> is
> > deleted in the federated user-store when the built-in LDAP / AD
> federation
> > provider is used.
> >
> > The relevant code is located within the LDAPStorageProviderFactory:
> >
> https://github.com/keycloak/keycloak/blob/c4a46a5591471893db8428a5707c2d9547a554a3/federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java#L430
> >
> > There is a TODO which reads:
> > // TODO: Remove all existing Keycloak users, which have federation links,
> > but are not in LDAP. Perhaps don't check users, which were just added or
> > updated during this sync?
> >
> > I wonder what would be the right thing to do in this case..
> > If the federated user-store dictates the truth, then IMHO the right thing
> > to do would be to also delete the user that is associated with the
> > user-storage provider federation link in Keycloak, if the linked AD /
> LDAP
> > user was deleted.
>
> yes, when you click the "Sync users" button, the users, which were
> deleted in LDAP, won't be directly deleted in Keycloak. However when you
> do any action in Keycloak related to that particular user (EG. attempt
> to login as that user or search the user from admin console), then user
> will be deleted from Keycloak DB and can't be seen in Keycloak anymore.
> See UserStorageManager.importValidation and LDAPStorageProvider.validate
> methods.
>
> Marek
>
> >
> > How do you handle this situation in your systems?
> >
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From katariakhyati11 at gmail.com  Mon Jan 21 11:32:50 2019
From: katariakhyati11 at gmail.com (Khyati Kataria)
Date: Mon, 21 Jan 2019 11:32:50 -0500
Subject: [keycloak-user] how to access user details.
Message-ID: <CACVn=vrtt9fYiKn_XKoyBYJt7Pk+igcEzHKn+KUFUD2HDWqicA@mail.gmail.com>

Hi,

Is there a way to retrieve the last login time of a given user? I
would like to store some other user attribute like last successful
login time, login attempts, user name etc.

Please let me know best possible way to fulfill this requirement.


Thanks in advance.


Regards,
Khyati

From vagelis.savvas at gmail.com  Tue Jan 22 03:04:38 2019
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Tue, 22 Jan 2019 10:04:38 +0200
Subject: [keycloak-user] Add dynamically resolved token claim
In-Reply-To: <bfd499d8-0e9f-0d9c-348a-b30502a5ae2c@gmail.com>
References: <bfd499d8-0e9f-0d9c-348a-b30502a5ae2c@gmail.com>
Message-ID: <216f1e15-444a-93ad-18ef-edcae2c2e505@gmail.com>

To answer my own question, it is possible to use 
authenticationSession.setUserSessionNote(...)
at the authenticator script and then access the session note, via 
userSession.getNote(...), at the token mapper script.
Since the note is attached at the user session object it remains 
available throughout the session's lifetime
so it is still there in subsequent invocations of the mapper script , 
such as when an access token is refreshed, etc.

Cheers,
Vagelis

On 13/01/2019 12:29, Vagelis Savvas wrote:
> Hello,
> I have an authenticator script and a mapper script and I would like to 
> attach a piece of information
> during login in the authenticator script then retrieve it in the 
> mapper script and set it as a token claim.
> (background: this piece of information originates from an extra input 
> field of a custom login page and
> I want it to appear in the user's access token in order to 
> differentiate users based on it).
>
> So, I can't use the user object to attach my info because its not 
> fully reliable.
> What would work best is to use an object that is unique per 
> authentication session and available in both scripts.
> The user object is both unique and available but is also a singleton.
>
> Thus I've tried via keycloakSession.setAttribute('myInfo', value) in 
> auth script and then keycloakSession.getAttribute('myInfo')
> in mapper script? but it doesn't work (why isn't the keycloakSession 
> object the same in the two scripts?).
> I've also tried in auth script 
> authenticationSession.setUserSessionNote('myInfo',value) and then 
> userSession.getNote('myInfo')
> in mapper script? but it doesn't work as well.
> Any further ideas on how to solve this in a reliable way?
>
> Cheers,
> Vagelis


From chttl582 at gmail.com  Tue Jan 22 03:37:01 2019
From: chttl582 at gmail.com (Jon Huang)
Date: Tue, 22 Jan 2019 16:37:01 +0800
Subject: [keycloak-user] Is it possible to assign user group to specific
	user storage?
Message-ID: <CAP45m-ZyshRWMNk0P2_HCX=tkqMoXhY3-aRTdrgwFMF+Ojdk-A@mail.gmail.com>

Hi everyone,
Please forgive me if this issue was ever asked previously.

I would like to know if it is possible to assign role to specific
federation provider?
(for example below, user1 & 2 has role1 and user3 has role2)
It's hard to assign role to user one by one via UI. (too many users)
Nor default group can only assign role to every user.
Or is there any other way to achieve the goal?
Thanks



[image: image.png]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 35910 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190122/d62c6a28/attachment-0001.png 

From dharlaftis at ekt.gr  Tue Jan 22 04:32:15 2019
From: dharlaftis at ekt.gr (Dimitris Charlaftis)
Date: Tue, 22 Jan 2019 11:32:15 +0200
Subject: [keycloak-user] Gatekeeper docker configuration question
Message-ID: <0f88cad1-3893-fc7e-ee9d-e912a8c9141e@ekt.gr>

Hello,

I use the following gatekeeper docker image

https://hub.docker.com/r/keycloak/keycloak-gatekeeper/

In the gatekeeper-config.yaml file

---

client-id: test_app
client-secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
discovery-url: http://dev.server:8202/auth/realms/internal_applications
listen: 127.0.0.1:3000
secure-cookie: false
enable-default-deny: false
redirection-url: http://site.gr
upstream-url:? 127.0.0.1:80
resources:
- uri: /*
 ? white-listed: true

---

(keycloak server runs at http://dev.server:8202)

 ?I run the gatekeeper container as following

 ?docker run --name=keycloak_gatekeeper --rm -it -v 
/home/dharlaftis/docker/gatekeeper:/tmp -p 8213:3000 
keycloak/keycloak-gatekeeper --config /tmp/gatekeeper-config.yaml

As i have a port mapping 8213:3000, i expect the following sxcenatio

1. I hit the host machine through http at 8213 port http://dev.server:8213

2. will end up to the listening interface 127.0.0.1:3000 of the gatekeeper

which in turn

3. will redirect the request to http://site.gr


correct?

none of the above happens... when i hit http://dev.server:8213 nothing 
happens (site unavailable).

Also, what is the difference between redirection-url and upstream-url? 
How is this configured?

Thank you in advance!!! please help...

Dimitris


-- 
_____________________________

Dimitris Charlaftis
Software Engineer

National Documentation Center
email: dharlaftis at ekt.gr
_____________________________


From max.allan+keycloak at surevine.com  Tue Jan 22 10:36:05 2019
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Tue, 22 Jan 2019 15:36:05 +0000
Subject: [keycloak-user] OIDC login URLs, how to hide them from the user??
Message-ID: <CADNp1BbVc6A-HsiTszRV_TJY+QHH4q+QyFeSfqhPWc-dVD1jLw@mail.gmail.com>

Hi,

When a user hits a (Keycloak gatekeeper) protected site, they get
redirected to the keycloak server login page, a URL like this :

https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/auth?client_id=alb&redirect_uri=https%3A%2F%2Fwww.website.org.uk%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=7103645f-0d0e-4015-ff62-206ff3eb44bf

So, a typical new user journey looks like "type in https colon slash *which
slash was it? oh that one* and another slash ww dot website dot com *oops
no, www and dot org dot uk ENTER"
*I don't want to type _that_ in again : Click Bookmark button QUICK*

So they've now bookmarked a login page that includes a state of 7103....

The session they have works and if they don't use their bookmark, it works.

If they come back to it later, and use the bookmark, get asked to login and
then get a "403 authorisation denied" error.
The gatekeeper logs say :
1.5481603986412873e+09 error State parameter mismatch
1.5481603986665585e+09 error unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}

So, how can I make this user journey easier with keycloak?
Ideally I'd like to hide the auth urls completely, their browser doesn't
need to know they're authenticating on different site.
I tried a "sign-in-page" with a frame containing the login page from
keycloak :
<html>
<frameset cols="100%">
<frame src="{{ .redirect }}">
</frameset>
</html>
(and change the security settings for frame-ancestors )

And when you've logged in, you get an empty page with a 403 error.
Gatekeeper says "unable to exchange code for access token {"error":
"invalid_grant: Incorrect redirect_uri"}" again.
Keycloak says :
type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
ipAddress=180.430.597.666, error=invalid_code,
grant_type=authorization_code,
code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
client_auth_method=client-secret
(ip address etc. has been obfuscated)

IF the user is clever, they can then remove
the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
in the browser and the session carries on quite happily.

Is there a setting I'm getting wrong in keycloak somewhere that is breaking
this?
In this first instance, we are returning to an old "state". I can imagine
that not working.

But the second setup, I'm just logging in to keycloak, in a frame, nothing
else has changed from a "working" setup, just the login page is in a frame.
(I also need to figure out how to escape the frame!!)

Thanks,
Max

From aliaksei.lahachou at gmail.com  Tue Jan 22 10:36:29 2019
From: aliaksei.lahachou at gmail.com (Aliaksei Lahachou)
Date: Tue, 22 Jan 2019 16:36:29 +0100
Subject: [keycloak-user] Error controller is not invoked if authentication
	failed
Message-ID: <CALcFPWHj9Ca34BWTELugjy9cPHSosL1GTB=x-=AnHW5-jQQcqg@mail.gmail.com>

Hello,

I'm migrating our application from Spring Boot 1.5.19 / Keycloak 3.4.3 to
Spring Boot 2.1.2 / Keycloak 4.8.3.

I'm currently facing the problem that if authentication fails (invalid
token), the error controller is not invoked (BasicErrorController by
default).

The reason is that when authentication fails, the request is redirected to
error controller, and the security filters are invoked again. Because the
authorization header is still there, KeycloakAuthenticationProcessingFilter
fails again.

In older versions of Spring Boot / Keycloak security filters are not
invoked after request is redirected to error controller. Basic
authentication works as expected in both old and new versions, seemingly
because BasicAuthenticationFilter extends OncePerRequestFilter, which skips
filter for error URI (skipDispatch method).

I created example applications with tests that reproduce the problem, see
[1] and [2]. Am I missing some configuration? Or is this a bug?

[1] https://github.com/htfv/examples/tree/master/spring-boot-1-keycloak
[2] https://github.com/htfv/examples/tree/master/spring-boot-2-keycloak

Regards,
Aliaksei

From aliaksei.lahachou at gmail.com  Tue Jan 22 10:50:05 2019
From: aliaksei.lahachou at gmail.com (Aliaksei Lahachou)
Date: Tue, 22 Jan 2019 16:50:05 +0100
Subject: [keycloak-user] Error controller is not invoked if
	authentication failed
In-Reply-To: <CALcFPWHj9Ca34BWTELugjy9cPHSosL1GTB=x-=AnHW5-jQQcqg@mail.gmail.com>
References: <CALcFPWHj9Ca34BWTELugjy9cPHSosL1GTB=x-=AnHW5-jQQcqg@mail.gmail.com>
Message-ID: <CALcFPWEvtd66PMJeVTdbR_JeGfDu4yasPmYKSmHnLxqvxwjWHg@mail.gmail.com>

As a proof of concept, I wrapped KeycloakAuthenticationProcessingFilter
with a OncePerRequestFilter implementation and error controller is invoked
as expected.

On Tue, Jan 22, 2019 at 4:36 PM Aliaksei Lahachou <
aliaksei.lahachou at gmail.com> wrote:

> Hello,
>
> I'm migrating our application from Spring Boot 1.5.19 / Keycloak 3.4.3 to
> Spring Boot 2.1.2 / Keycloak 4.8.3.
>
> I'm currently facing the problem that if authentication fails (invalid
> token), the error controller is not invoked (BasicErrorController by
> default).
>
> The reason is that when authentication fails, the request is redirected to
> error controller, and the security filters are invoked again. Because the
> authorization header is still there, KeycloakAuthenticationProcessingFilter
> fails again.
>
> In older versions of Spring Boot / Keycloak security filters are not
> invoked after request is redirected to error controller. Basic
> authentication works as expected in both old and new versions, seemingly
> because BasicAuthenticationFilter extends OncePerRequestFilter, which skips
> filter for error URI (skipDispatch method).
>
> I created example applications with tests that reproduce the problem, see
> [1] and [2]. Am I missing some configuration? Or is this a bug?
>
> [1] https://github.com/htfv/examples/tree/master/spring-boot-1-keycloak
> [2] https://github.com/htfv/examples/tree/master/spring-boot-2-keycloak
>
> Regards,
> Aliaksei
>

From xiaoling2003 at msn.com  Tue Jan 22 12:20:32 2019
From: xiaoling2003 at msn.com (Xiaoling Chen)
Date: Tue, 22 Jan 2019 17:20:32 +0000
Subject: [keycloak-user] configure keycloak nbf value in jwt token
Message-ID: <CY4PR18MB1111CA2644C92D761A433FA2D7980@CY4PR18MB1111.namprd18.prod.outlook.com>

Hi,
    I am trying to use keycloak as our authentication server in the google cloud endpoints. But looks the google cloud endpoints required nbf > 0. In the jwt token I get from keycloak, the nbf is always 0. Is there a way I can configure the nbf value in the keycloak jwt token? I  search the documentation and the internet but did not get any result.

Thanks in advanced
Xiaoling

From dt at acutus.pro  Tue Jan 22 17:14:55 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 23 Jan 2019 01:14:55 +0300
Subject: [keycloak-user] configure keycloak nbf value in jwt token
In-Reply-To: <CY4PR18MB1111CA2644C92D761A433FA2D7980@CY4PR18MB1111.namprd18.prod.outlook.com>
References: <CY4PR18MB1111CA2644C92D761A433FA2D7980@CY4PR18MB1111.namprd18.prod.outlook.com>
Message-ID: <1548195295.27802.1.camel@acutus.pro>

Hello Xiaoling,

Internally, Keycloak does track NBF value on the realm, client and user levels, but never propagates it to the tokens. It can only be seen as the "not-before-policy" property of the token response. Not sure if it's a bug, I hope Keycloak developers can tell more about it.

As a workaround, you can either:
- hardcode a non-zero value into the "nbf" claim, using Hardcoded Claim mapper in your client, or
- compute the value similarly to how it is done in TokenManager [1], using Script Mapper and setting it via the token.notBefore() method.

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L829

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-01-22 at 17:20 +0000, Xiaoling Chen wrote:
> Hi,
> ????I am trying to use keycloak as our authentication server in the google cloud endpoints. But looks the google cloud endpoints required nbf > 0. In the jwt token I get from keycloak, the nbf is always 0. Is there a way I can configure the nbf value in the keycloak jwt token? I??search the documentation and the internet but did not get any result.
> 
> Thanks in advanced
> Xiaoling
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Tue Jan 22 17:26:04 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 23 Jan 2019 01:26:04 +0300
Subject: [keycloak-user] Is it possible to assign user group to specific
 user storage?
In-Reply-To: <CAP45m-ZyshRWMNk0P2_HCX=tkqMoXhY3-aRTdrgwFMF+Ojdk-A@mail.gmail.com>
References: <CAP45m-ZyshRWMNk0P2_HCX=tkqMoXhY3-aRTdrgwFMF+Ojdk-A@mail.gmail.com>
Message-ID: <1548195964.27802.3.camel@acutus.pro>

Hello Jon,

Open your federation provider settings, go to the Mappers tab, create a mapper of type hardcoded-ldap-role-mapper, and type in role name (role selector seems to be broken unfortunately).

Repeat for every other role you need. Good luck :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-01-22 at 16:37 +0800, Jon Huang wrote:
> Hi everyone,
> Please forgive me if this issue was ever asked previously.
> 
> I would like to know if it is possible to assign role to specific
> federation provider?
> (for example below, user1 & 2 has role1 and user3 has role2)
> It's hard to assign role to user one by one via UI. (too many users)
> Nor default group can only assign role to every user.
> Or is there any other way to achieve the goal?
> Thanks
> 
> 
> 
> [image: image.png]
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Wed Jan 23 00:00:18 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 23 Jan 2019 08:00:18 +0300
Subject: [keycloak-user] Add dynamically resolved token claim
In-Reply-To: <216f1e15-444a-93ad-18ef-edcae2c2e505@gmail.com>
References: <bfd499d8-0e9f-0d9c-348a-b30502a5ae2c@gmail.com>
	<216f1e15-444a-93ad-18ef-edcae2c2e505@gmail.com>
Message-ID: <1548219618.4382.1.camel@acutus.pro>

Just my 2?, user session notes are THE method to pass info from the authentication layer down to protocol mappers. You can expose data otherwise unavailable for the mappers, like scope, URL, custom input fields, succeeded authenticator etc.

Out of interest, have you figured out why it didn't work earlier? You mentioned authenticationSession.setUserSessionNote() / userSession.getNote() in your original message, but said it didn't work either.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2019-01-22 at 10:04 +0200, Vagelis Savvas wrote:
> To answer my own question, it is possible to use?
> authenticationSession.setUserSessionNote(...)
> at the authenticator script and then access the session note, via?
> userSession.getNote(...), at the token mapper script.
> Since the note is attached at the user session object it remains?
> available throughout the session's lifetime
> so it is still there in subsequent invocations of the mapper script ,?
> such as when an access token is refreshed, etc.
> 
> Cheers,
> Vagelis
> 
> On 13/01/2019 12:29, Vagelis Savvas wrote:
> > Hello,
> > I have an authenticator script and a mapper script and I would like to?
> > attach a piece of information
> > during login in the authenticator script then retrieve it in the?
> > mapper script and set it as a token claim.
> > (background: this piece of information originates from an extra input?
> > field of a custom login page and
> > I want it to appear in the user's access token in order to?
> > differentiate users based on it).
> > 
> > So, I can't use the user object to attach my info because its not?
> > fully reliable.
> > What would work best is to use an object that is unique per?
> > authentication session and available in both scripts.
> > The user object is both unique and available but is also a singleton.
> > 
> > Thus I've tried via keycloakSession.setAttribute('myInfo', value) in?
> > auth script and then keycloakSession.getAttribute('myInfo')
> > in mapper script? but it doesn't work (why isn't the keycloakSession?
> > object the same in the two scripts?).
> > I've also tried in auth script?
> > authenticationSession.setUserSessionNote('myInfo',value) and then?
> > userSession.getNote('myInfo')
> > in mapper script? but it doesn't work as well.
> > Any further ideas on how to solve this in a reliable way?
> > 
> > Cheers,
> > Vagelis
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Wed Jan 23 00:14:04 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 23 Jan 2019 08:14:04 +0300
Subject: [keycloak-user] how to access user details.
In-Reply-To: <CACVn=vrtt9fYiKn_XKoyBYJt7Pk+igcEzHKn+KUFUD2HDWqicA@mail.gmail.com>
References: <CACVn=vrtt9fYiKn_XKoyBYJt7Pk+igcEzHKn+KUFUD2HDWqicA@mail.gmail.com>
Message-ID: <1548220444.4382.3.camel@acutus.pro>

Hello Khyati,

This is not out of the box in Keycloak, but it's not hard to do it yourself. After all, we are offering this as a hands-on assignment to the students at our Keycloak trainings :)

There are several ways to implement it: using script authenticator, required action (Thomas Darimont did it this way [1]), or event listener. To me, the latter seems the most versatile (can record login successes / errors and much more), however it will require some Java coding. Let me know if you need more info.

[1] https://gist.github.com/thomasdarimont/25f801c624f3f457fa772fadd19b1e15

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2019-01-21 at 11:32 -0500, Khyati Kataria wrote:
> Hi,
> 
> Is there a way to retrieve the last login time of a given user? I
> would like to store some other user attribute like last successful
> login time, login attempts, user name etc.
> 
> Please let me know best possible way to fulfill this requirement.
> 
> 
> Thanks in advance.
> 
> 
> Regards,
> Khyati
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Nithin.Chandrashekhar at Teradata.com  Wed Jan 23 00:27:26 2019
From: Nithin.Chandrashekhar at Teradata.com (Chandrashekhar, Nithin)
Date: Wed, 23 Jan 2019 05:27:26 +0000
Subject: [keycloak-user] Timeout value for DEFAULT cache policy
Message-ID: <EAC72766-B431-4E91-AF82-0DBC8D4FF069@teradata.com>

Hello,


  1.  What is the timeout value for DEFAULT cache policy under user federation?
  2.  How can this DEFAULT value be configured?

Thanks
Nithin

From vagelis.savvas at gmail.com  Wed Jan 23 02:15:38 2019
From: vagelis.savvas at gmail.com (Vagelis Savvas)
Date: Wed, 23 Jan 2019 09:15:38 +0200
Subject: [keycloak-user] Add dynamically resolved token claim
In-Reply-To: <1548219618.4382.1.camel@acutus.pro>
References: <bfd499d8-0e9f-0d9c-348a-b30502a5ae2c@gmail.com>
	<216f1e15-444a-93ad-18ef-edcae2c2e505@gmail.com>
	<1548219618.4382.1.camel@acutus.pro>
Message-ID: <9ee09a58-ee32-2b81-dc03-e7a480f51762@gmail.com>

Hi Dmitry,
I haven't...either I overlooked something or I was working late :-)
Indeed session notes work fine in this scenario and I am glad I tried 
them a second time
or else I was ready to write some nasty and needless workaround code.
Sincerely thank you for reading carefully the mails in this list!

Cheers,
Vagelis

On 23/01/2019 07:00, Dmitry Telegin wrote:
> Just my 2?, user session notes are THE method to pass info from the authentication layer down to protocol mappers. You can expose data otherwise unavailable for the mappers, like scope, URL, custom input fields, succeeded authenticator etc.
>
> Out of interest, have you figured out why it didn't work earlier? You mentioned authenticationSession.setUserSessionNote() / userSession.getNote() in your original message, but said it didn't work either.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2019-01-22 at 10:04 +0200, Vagelis Savvas wrote:
>> To answer my own question, it is possible to use
>> authenticationSession.setUserSessionNote(...)
>> at the authenticator script and then access the session note, via
>> userSession.getNote(...), at the token mapper script.
>> Since the note is attached at the user session object it remains
>> available throughout the session's lifetime
>> so it is still there in subsequent invocations of the mapper script ,
>> such as when an access token is refreshed, etc.
>>
>> Cheers,
>> Vagelis
>>
>> On 13/01/2019 12:29, Vagelis Savvas wrote:
>>> Hello,
>>> I have an authenticator script and a mapper script and I would like to
>>> attach a piece of information
>>> during login in the authenticator script then retrieve it in the
>>> mapper script and set it as a token claim.
>>> (background: this piece of information originates from an extra input
>>> field of a custom login page and
>>> I want it to appear in the user's access token in order to
>>> differentiate users based on it).
>>>
>>> So, I can't use the user object to attach my info because its not
>>> fully reliable.
>>> What would work best is to use an object that is unique per
>>> authentication session and available in both scripts.
>>> The user object is both unique and available but is also a singleton.
>>>
>>> Thus I've tried via keycloakSession.setAttribute('myInfo', value) in
>>> auth script and then keycloakSession.getAttribute('myInfo')
>>> in mapper script? but it doesn't work (why isn't the keycloakSession
>>> object the same in the two scripts?).
>>> I've also tried in auth script
>>> authenticationSession.setUserSessionNote('myInfo',value) and then
>>> userSession.getNote('myInfo')
>>> in mapper script? but it doesn't work as well.
>>> Any further ideas on how to solve this in a reliable way?
>>>
>>> Cheers,
>>> Vagelis
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user


From alex.chatziparaskewas at trapezegroup.com  Wed Jan 23 02:24:39 2019
From: alex.chatziparaskewas at trapezegroup.com (Alex Chatziparaskewas)
Date: Wed, 23 Jan 2019 07:24:39 +0000
Subject: [keycloak-user] keycloak-gatekeeper and token refresh
Message-ID: <9624130dfb2949c6afea25a9162d9b2b@VOL-SLO-EXCH3.vgnet.volgrp.com>

Hi All,

We are using keycloak-gatekeeper to secure some server side application, however, we are having troubles with refreshing its access token.

Keycloak-gatekeeper stores its access/refresh tokens in server side cookies (kc-access / kc-state). Information about the access token can be obtained via the /oauth/token service.

I have now added logging to the client to show for how long the access token is valid. What I see: the number is slowly getting negative, /oauth/expired even says that the access token is expired. Regardless of the 'enable-refresh-tokens' setting, the access token is not refreshed by the keycloak-gatekeeper. Instead after some additional time - the expiry time long showing negative numbers, maybe once the refresh token is also almost expired - the application is delegated to the login sequence at which time (the refresh token still seems to be valid) a new access token is created and the application ends up on its 'home screen'.

Question: how to explicitely ask keycloak-gatekeeper to refresh the access token? As the access token is kept in some server side cookie keycloak-gatekeeper must do this.

Thanks & Regards,
Alex


From parth.kakadiya at e-kultur.eu  Wed Jan 23 06:21:06 2019
From: parth.kakadiya at e-kultur.eu (Parth Kakadiya)
Date: Wed, 23 Jan 2019 12:21:06 +0100
Subject: [keycloak-user] Keycloak - Email-verify Issue
Message-ID: <1MmUYD-1hUiDF0e49-00iWE7@mrelayeu.kundenserver.de>

I am working with the JHipster built Application where we authenticate via Keycloak(version 4.4.0 final). 
During verify email, I am receiving email with confirmation link to confirm email. In few situation the verification link is not working. Below I have mention the steps that I did and problems. 

Steps:
1. Registration with chrome 
2. Get mail for email verification
3. Close the chrome and restart
4. Try to use verification link

Problem: 	
1. If I closed the current browser window/ open link in private window/ open link in different browser, the link is not working anymore. 

Cause of the problem: 
This problem is accrued because  of the cookies that keyclaok creating during registration. AUTH_SESSION_ID and KC_RESTART
Because when I close the browser window this cookies are no more in browser. 

If i try to use verifcation link is the same browser window that i used for Registration than it?s working fine. Becuse in this browser window those two Cookies are stored.  



Sent from Mail for Windows 10


From chris.smith at cmfirstgroup.com  Wed Jan 23 09:08:02 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Wed, 23 Jan 2019 14:08:02 +0000
Subject: [keycloak-user] Get a GSSCredential when user browser is not in
 Active Directory domain
Message-ID: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>

I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation

I can get a Delegated GSSCredential when the SPNEGO enabled browser  runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged in user  in the Access Token when SPNEGO is not available from the browser?



From chris.smith at cmfirstgroup.com  Wed Jan 23 09:11:40 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Wed, 23 Jan 2019 14:11:40 +0000
Subject: [keycloak-user] Get a GSSCredential when user browser is not in
 Active Directory domain
In-Reply-To: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
References: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
Message-ID: <BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>

Here is a Diagram of what I'm trying to do

From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain

I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation

I can get a Delegated GSSCredential when the SPNEGO enabled browser  runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged in user  in the Access Token when SPNEGO is not available from the browser?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: FMS_SSO.png
Type: image/png
Size: 39969 bytes
Desc: FMS_SSO.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190123/3426c781/attachment-0001.png 

From nakulkjain at gmail.com  Wed Jan 23 09:50:50 2019
From: nakulkjain at gmail.com (Nakul Jain)
Date: Wed, 23 Jan 2019 20:20:50 +0530
Subject: [keycloak-user] Need to limit concurrent session in a realm in
	keycloak
Message-ID: <CAB0q6mQmquA1oW4ik=wNVOpxbPtsfHvAcE+6bAymbarXPsSkoQ@mail.gmail.com>

Hi,

We need to restrict the number of concurrent sessions in a realm in
keycloak. Do we have any feature in keycloak through which we can support
this ?

Thanks,
Nakul

From tom at spicule.co.uk  Wed Jan 23 12:56:47 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Wed, 23 Jan 2019 09:56:47 -0800
Subject: [keycloak-user] Keycloak non-interactive SAML login
Message-ID: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>

Hi folks,

I have 2 apps, the UI which is authenticated using the Keycloak NodeJS OIDC
connector and provides a user UI login. This works fine.

Then I have a Java based app that is legacy and uses the Spring SAML
connector and when you go to its UI Keycloak also logs you in fine, but
we?re trying to connect to its API without a user having to manually open
its landing page to login.

When you try and use a service on the Java app having authenticated on the
client app you get:

Note: Since your browser does not support JavaScript, you must press the
Continue button once to proceed.


In the javascript console. Both these apps are in the same realm. Is there
anything I?m missing on the Keycloak side I can do to resolve this issue or
do I have to find the Java code and jump in with two feet there?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From dt at acutus.pro  Wed Jan 23 13:35:23 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 23 Jan 2019 21:35:23 +0300
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
Message-ID: <1548268523.3714.1.camel@acutus.pro>

Hello Tom,

Please go to client config in the Keycloak Admin Console and turn off "Force POST Binding". Does it make any difference?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> Hi folks,
> 
> I have 2 apps, the UI which is authenticated using the Keycloak NodeJS OIDC
> connector and provides a user UI login. This works fine.
> 
> Then I have a Java based app that is legacy and uses the Spring SAML
> connector and when you go to its UI Keycloak also logs you in fine, but
> we?re trying to connect to its API without a user having to manually open
> its landing page to login.
> 
> When you try and use a service on the Java app having authenticated on the
> client app you get:
> 
> Note: Since your browser does not support JavaScript, you must press the
> Continue button once to proceed.
> 
> 
> In the javascript console. Both these apps are in the same realm. Is there
> anything I?m missing on the Keycloak side I can do to resolve this issue or
> do I have to find the Java code and jump in with two feet there?
> 
> Thanks
> 
> Tom
> 

From tom at spicule.co.uk  Wed Jan 23 15:13:13 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Wed, 23 Jan 2019 12:13:13 -0800
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <1548268523.3714.1.camel@acutus.pro>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
Message-ID: <CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>

Hey Dmitry

I turned that setting off earlier today with no obvious change in outcome.

Thanks

Tom


On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:

Hello Tom,

Please go to client config in the Keycloak Admin Console and turn off
"Force POST Binding". Does it make any difference?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> Hi folks,
>
> I have 2 apps, the UI which is authenticated using the Keycloak NodeJS
OIDC
> connector and provides a user UI login. This works fine.
>
> Then I have a Java based app that is legacy and uses the Spring SAML
> connector and when you go to its UI Keycloak also logs you in fine, but
> we?re trying to connect to its API without a user having to manually open
> its landing page to login.
>
> When you try and use a service on the Java app having authenticated on
the
> client app you get:
>
> Note: Since your browser does not support JavaScript, you must press the
> Continue button once to proceed.
>
>
> In the javascript console. Both these apps are in the same realm. Is
there
> anything I?m missing on the Keycloak side I can do to resolve this issue
or
> do I have to find the Java code and jump in with two feet there?
>
> Thanks
>
> Tom
>

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From tom at spicule.co.uk  Wed Jan 23 15:56:54 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Wed, 23 Jan 2019 12:56:54 -0800
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
	<CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
Message-ID: <CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>

Also whats stupid about it is in the Java logs I see

20:55:43,894 INFO  [SAMLDefaultLogger]
AuthNRequest;SUCCESS;86.162.163.65;client;
https://auth.domain.co.uk/auth/realms/ies;;;

So I can even see it working! =/

On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:

Hey Dmitry

I turned that setting off earlier today with no obvious change in outcome.

Thanks

Tom


On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:

Hello Tom,

Please go to client config in the Keycloak Admin Console and turn off
"Force POST Binding". Does it make any difference?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> Hi folks,
>
> I have 2 apps, the UI which is authenticated using the Keycloak NodeJS
OIDC
> connector and provides a user UI login. This works fine.
>
> Then I have a Java based app that is legacy and uses the Spring SAML
> connector and when you go to its UI Keycloak also logs you in fine, but
> we?re trying to connect to its API without a user having to manually open
> its landing page to login.
>
> When you try and use a service on the Java app having authenticated on the
> client app you get:
>
> Note: Since your browser does not support JavaScript, you must press the
> Continue button once to proceed.
>
>
> In the javascript console. Both these apps are in the same realm. Is there
> anything I?m missing on the Keycloak side I can do to resolve this issue
or
> do I have to find the Java code and jump in with two feet there?
>
> Thanks
>
> Tom
>

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From SMuddamsetty at vitechinc.com  Wed Jan 23 16:46:14 2019
From: SMuddamsetty at vitechinc.com (Sandeep Muddamsetty)
Date: Wed, 23 Jan 2019 21:46:14 +0000
Subject: [keycloak-user] Keyclaok Integration with SAML+ADFS+Tomcat
Message-ID: <BN7PR02MB5010039E55AB29FE1AA67D75DC990@BN7PR02MB5010.namprd02.prod.outlook.com>


HI ,

I need assistance in setting up the SSO for my tomcat application using Keycloak  . Can any one suggest me on this . Actually my requirement is to use SAML which should redirect to my tomcat application after successful authentication of my ADFS . Can any one suggest  a good work around for this or any documentation .

Thanks in Advance .

Thanks ,
Sandeep .






This e-mail message and any files transmitted with it may contain confidential and proprietary information and are intended solely for the use of the individual or entity to which they are addressed. Any unauthorized review, use, disclosure or distribution is strictly prohibited. If you have received this e-mail in error please notify the sender by reply email and destroy all copies of the original message. Thank you for your cooperation.

From tom at spicule.co.uk  Wed Jan 23 17:15:13 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Wed, 23 Jan 2019 14:15:13 -0800
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
	<CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
	<CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
Message-ID: <CADibaRxPOWfYcbnP6EXZnY7KPt--ePq+8pf+5jckD0V4qRR4Sg@mail.gmail.com>

Okay so I?ve tweaked the POST vs GET stuff a bit more and now if I do
something like:

https://gist.github.com/buggtb/7883fd2aba5c3b8215e8c8890c7881e9

On the API call it will then do a redirect to the SAML auth endpoint and
that returns a 200? then shortly after there seems to be a call to the init
endpoint with the login-status-iframe.html which returns a 204..

But the response from the axios call is still:

<HTML><HEAD><TITLE>SAML HTTP Post Binding</TITLE></HEAD><BODY
Onload="document.forms[0].submit()"><FORM METHOD="POST" ACTION="
https://otv.spicule.co.uk/pentaho/saml/SSO"><INPUT TYPE="HIDDEN"
NAME="SAMLResponse" VALUE=??../><NOSCRIPT><P>JavaScript is disabled. We
strongly recommend to enable it. Click the button below to
continue.</P><INPUT TYPE="SUBMIT" VALUE="CONTINUE"
/></NOSCRIPT></FORM></BODY></HTML>

So the chain is different but still fails.

Sad times!


On 23 January 2019 at 20:56:54, Tom Barber (tom at spicule.co.uk) wrote:

Also whats stupid about it is in the Java logs I see

20:55:43,894 INFO  [SAMLDefaultLogger]
AuthNRequest;SUCCESS;86.162.163.65;client;
https://auth.domain.co.uk/auth/realms/ies;;;

So I can even see it working! =/

On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:

Hey Dmitry

I turned that setting off earlier today with no obvious change in outcome.

Thanks

Tom


On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:

Hello Tom,

Please go to client config in the Keycloak Admin Console and turn off
"Force POST Binding". Does it make any difference?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> Hi folks,
>
> I have 2 apps, the UI which is authenticated using the Keycloak NodeJS
OIDC
> connector and provides a user UI login. This works fine.
>
> Then I have a Java based app that is legacy and uses the Spring SAML
> connector and when you go to its UI Keycloak also logs you in fine, but
> we?re trying to connect to its API without a user having to manually open
> its landing page to login.
>
> When you try and use a service on the Java app having authenticated on the
> client app you get:
>
> Note: Since your browser does not support JavaScript, you must press the
> Continue button once to proceed.
>
>
> In the javascript console. Both these apps are in the same realm. Is there
> anything I?m missing on the Keycloak side I can do to resolve this issue
or
> do I have to find the Java code and jump in with two feet there?
>
> Thanks
>
> Tom
>

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From dt at acutus.pro  Wed Jan 23 17:29:06 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 24 Jan 2019 01:29:06 +0300
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
	<CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
	<CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
Message-ID: <1548282546.3714.3.camel@acutus.pro>

Hi,

This message in the logs can be misleading since it reports the
delivery of SAMLAuthnRequest only. The successful completion of SAML
transaction would have been signaled by SAMLResponse (had it been
received).

I'm afraid SAML HTTP Redirect binding won't help either, since it's not
allowed by Spring Security SAML [1] (which is in full accordance with
the standard).

I guess you're trying to fetch some data from your legacy app via XHR,
and receive Keycloak-generated POST binding in response. I suggest that
you implement a silent refresh pattern [2], similarly to what Scott has
done for OIDC implicit flow. In a few words, you should create a hidden
iframe with your SAML app, which, upon loading, will process POST
binding and set up a valid session. After that, you should be able to
perform requests to your legacy app normally. The iframe will also need
to be reloaded periodically to mitigate session expiry.

OIDC to SAML token exchange would have allowed for a more
straightforward solution, but unfortunately is not supported in
Keycloak at the moment.

[1] https://stackoverflow.com/questions/29889644/metadatagenerator-of-spring-security-saml-doesnt-support-redirect-binding-for-a
[2] https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 12:56 -0800, Tom Barber wrote:
> Also whats stupid about it is in the Java logs I see
> 
> 20:55:43,894 INFO??[SAMLDefaultLogger]
> AuthNRequest;SUCCESS;86.162.163.65;client;
> https://auth.domain.co.uk/auth/realms/ies;;;
> 
> So I can even see it working! =/
> 
> > On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:
> 
> Hey Dmitry
> 
> I turned that setting off earlier today with no obvious change in outcome.
> 
> Thanks
> 
> Tom
> 
> 
> > On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:
> 
> Hello Tom,
> 
> Please go to client config in the Keycloak Admin Console and turn off
> "Force POST Binding". Does it make any difference?
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> > Hi folks,
> > 
> > I have 2 apps, the UI which is authenticated using the Keycloak NodeJS
> 
> OIDC
> > connector and provides a user UI login. This works fine.
> > 
> > Then I have a Java based app that is legacy and uses the Spring SAML
> > connector and when you go to its UI Keycloak also logs you in fine, but
> > we?re trying to connect to its API without a user having to manually open
> > its landing page to login.
> > 
> > When you try and use a service on the Java app having authenticated on the
> > client app you get:
> > 
> > Note: Since your browser does not support JavaScript, you must press the
> > Continue button once to proceed.
> > 
> > 
> > In the javascript console. Both these apps are in the same realm. Is there
> > anything I?m missing on the Keycloak side I can do to resolve this issue
> 
> or
> > do I have to find the Java code and jump in with two feet there?
> > 
> > Thanks
> > 
> > Tom
> > 
> 
> 

From tom at spicule.co.uk  Wed Jan 23 17:52:15 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Wed, 23 Jan 2019 14:52:15 -0800
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <1548282546.3714.3.camel@acutus.pro>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
	<CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
	<CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
	<1548282546.3714.3.camel@acutus.pro>
Message-ID: <CADibaRz+PU0E6oj60yn_X_yscFomyivasW3__9f+_jOSHc74SQ@mail.gmail.com>

Thanks Dmitry

Ironically we started down the hidden iframe route last week and felt there
must be a better solution! Clearly not, so we?ll head back down that avenue.

Thanks for your help.

Tom


On 23 January 2019 at 22:29:14, Dmitry Telegin (dt at acutus.pro) wrote:

Hi,

This message in the logs can be misleading since it reports the
delivery of SAMLAuthnRequest only. The successful completion of SAML
transaction would have been signaled by SAMLResponse (had it been
received).

I'm afraid SAML HTTP Redirect binding won't help either, since it's not
allowed by Spring Security SAML [1] (which is in full accordance with
the standard).

I guess you're trying to fetch some data from your legacy app via XHR,
and receive Keycloak-generated POST binding in response. I suggest that
you implement a silent refresh pattern [2], similarly to what Scott has
done for OIDC implicit flow. In a few words, you should create a hidden
iframe with your SAML app, which, upon loading, will process POST
binding and set up a valid session. After that, you should be able to
perform requests to your legacy app normally. The iframe will also need
to be reloaded periodically to mitigate session expiry.

OIDC to SAML token exchange would have allowed for a more
straightforward solution, but unfortunately is not supported in
Keycloak at the moment.

[1]
https://stackoverflow.com/questions/29889644/metadatagenerator-of-spring-security-saml-doesnt-support-redirect-binding-for-a
[2]
https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-01-23 at 12:56 -0800, Tom Barber wrote:
> Also whats stupid about it is in the Java logs I see
>
> 20:55:43,894 INFO  [SAMLDefaultLogger]
> AuthNRequest;SUCCESS;86.162.163.65;client;
> https://auth.domain.co.uk/auth/realms/ies;;;
>
> So I can even see it working! =/
>
> > On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:
>
> Hey Dmitry
>
> I turned that setting off earlier today with no obvious change in
outcome.
>
> Thanks
>
> Tom
>
>
> > On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:
>
> Hello Tom,
>
> Please go to client config in the Keycloak Admin Console and turn off
> "Force POST Binding". Does it make any difference?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:
> > Hi folks,
> >
> > I have 2 apps, the UI which is authenticated using the Keycloak NodeJS
>
> OIDC
> > connector and provides a user UI login. This works fine.
> >
> > Then I have a Java based app that is legacy and uses the Spring SAML
> > connector and when you go to its UI Keycloak also logs you in fine, but
> > we?re trying to connect to its API without a user having to manually
open
> > its landing page to login.
> >
> > When you try and use a service on the Java app having authenticated on
the
> > client app you get:
> >
> > Note: Since your browser does not support JavaScript, you must press
the
> > Continue button once to proceed.
> >
> >
> > In the javascript console. Both these apps are in the same realm. Is
there
> > anything I?m missing on the Keycloak side I can do to resolve this
issue
>
> or
> > do I have to find the Java code and jump in with two feet there?
> >
> > Thanks
> >
> > Tom
> >
>
>

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From dt at acutus.pro  Wed Jan 23 18:08:06 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 24 Jan 2019 02:08:06 +0300
Subject: [keycloak-user] Keycloak non-interactive SAML login
In-Reply-To: <CADibaRz+PU0E6oj60yn_X_yscFomyivasW3__9f+_jOSHc74SQ@mail.gmail.com>
References: <CADibaRzPUS+q7-COqYO8SER1+a-UW-8za1JgZD6EUAnyxQYFqQ@mail.gmail.com>
	<1548268523.3714.1.camel@acutus.pro>
	<CADibaRxXQkCr4fwn2MK8TWHXp9++fRRhZdipBnFTfYP3UchODw@mail.gmail.com>
	<CADibaRyi+RXiwf-9B6gAhwnViJPNc+YT+ivERsZCutmDf4U0BQ@mail.gmail.com>
	<1548282546.3714.3.camel@acutus.pro>
	<CADibaRz+PU0E6oj60yn_X_yscFomyivasW3__9f+_jOSHc74SQ@mail.gmail.com>
Message-ID: <1548284886.3714.5.camel@acutus.pro>

Tom, you're welcome,

I'd also recommend to use axios-keycloak [1] since it handles token
refresh automatically. I only had to do a "npm run build" on it, since
there's some webpack-related issue with their dist build. Or you can
simply copy their index.js to your project under a different name and?
import AxiosKeycloak from it.

[1] https://github.com/herrmannplatz/axios-keycloak

Good luck!
Dmitry

On Wed, 2019-01-23 at 14:52 -0800, Tom Barber wrote:
> Thanks Dmitry
> 
> Ironically we started down the hidden iframe route last week and felt there must be a better solution! Clearly not, so we?ll head back down that avenue.
> 
> Thanks for your help.
> 
> Tom
> 
> 
> > On 23 January 2019 at 22:29:14, Dmitry Telegin (dt at acutus.pro) wrote:
> > Hi,?
> > 
> > This message in the logs can be misleading since it reports the?
> > delivery of SAMLAuthnRequest only. The successful completion of SAML?
> > transaction would have been signaled by SAMLResponse (had it been?
> > received).?
> > 
> > I'm afraid SAML HTTP Redirect binding won't help either, since it's not?
> > allowed by Spring Security SAML [1] (which is in full accordance with?
> > the standard).?
> > 
> > I guess you're trying to fetch some data from your legacy app via XHR,?
> > and receive Keycloak-generated POST binding in response. I suggest that?
> > you implement a silent refresh pattern [2], similarly to what Scott has?
> > done for OIDC implicit flow. In a few words, you should create a hidden?
> > iframe with your SAML app, which, upon loading, will process POST?
> > binding and set up a valid session. After that, you should be able to?
> > perform requests to your legacy app normally. The iframe will also need?
> > to be reloaded periodically to mitigate session expiry.?
> > 
> > OIDC to SAML token exchange would have allowed for a more?
> > straightforward solution, but unfortunately is not supported in?
> > Keycloak at the moment.?
> > 
> > [1] https://stackoverflow.com/questions/29889644/metadatagenerator-of-spring-security-saml-doesnt-support-redirect-binding-for-a?
> > [2] https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow?
> > 
> > Good luck,?
> > Dmitry Telegin?
> > CTO, Acutus s.r.o.?
> > Keycloak Consulting and Training?
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic?
> > +42 (022) 888-30-71?
> > > > E-mail: info at acutus.pro?
> > 
> > On Wed, 2019-01-23 at 12:56 -0800, Tom Barber wrote:?
> > > Also whats stupid about it is in the Java logs I see?
> > >?
> > > 20:55:43,894 INFO??[SAMLDefaultLogger]?
> > > AuthNRequest;SUCCESS;86.162.163.65;client;?
> > > > > https://auth.domain.co.uk/auth/realms/ies;;;?
> > >?
> > > So I can even see it working! =/?
> > >?
> > > > > > On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote:?
> > >?
> > > Hey Dmitry?
> > >?
> > > I turned that setting off earlier today with no obvious change in outcome.?
> > >?
> > > Thanks?
> > >?
> > > Tom?
> > >?
> > >?
> > > > > > On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote:?
> > >?
> > > Hello Tom,?
> > >?
> > > Please go to client config in the Keycloak Admin Console and turn off?
> > > "Force POST Binding". Does it make any difference??
> > >?
> > > Cheers,?
> > > Dmitry Telegin?
> > > CTO, Acutus s.r.o.?
> > > Keycloak Consulting and Training?
> > >?
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic?
> > > +42 (022) 888-30-71?
> > > > > E-mail: info at acutus.pro?
> > >?
> > > On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote:?
> > > > Hi folks,?
> > > >?
> > > > I have 2 apps, the UI which is authenticated using the Keycloak NodeJS?
> > >?
> > > OIDC?
> > > > connector and provides a user UI login. This works fine.?
> > > >?
> > > > Then I have a Java based app that is legacy and uses the Spring SAML?
> > > > connector and when you go to its UI Keycloak also logs you in fine, but?
> > > > we?re trying to connect to its API without a user having to manually open?
> > > > its landing page to login.?
> > > >?
> > > > When you try and use a service on the Java app having authenticated on the?
> > > > client app you get:?
> > > >?
> > > > Note: Since your browser does not support JavaScript, you must press the?
> > > > Continue button once to proceed.?
> > > >?
> > > >?
> > > > In the javascript console. Both these apps are in the same realm. Is there?
> > > > anything I?m missing on the Keycloak side I can do to resolve this issue?
> > >?
> > > or?
> > > > do I have to find the Java code and jump in with two feet there??
> > > >?
> > > > Thanks?
> > > >?
> > > > Tom?
> > > >?
> > >?
> > >?
> ?
> Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891.
> 
> All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.

From polfilm at gmail.com  Wed Jan 23 19:53:59 2019
From: polfilm at gmail.com (Peter S)
Date: Thu, 24 Jan 2019 00:53:59 +0000
Subject: [keycloak-user] Domain per Realm
Message-ID: <CAFhxTcz2sN5zb85Lepc0ieENKBYrzowNFObXrB0jfFpMkFcD3A@mail.gmail.com>

I'm currently using several realms. Is there any way at all (or was it ever
asked) to have ability to setup a realm on a completely different domain?
My services are domain based hence redirect to master domain for signin is
somewhat out of sync with the experience.

Peter

From edmund.loh.1985 at gmail.com  Thu Jan 24 03:55:58 2019
From: edmund.loh.1985 at gmail.com (Edmund Loh)
Date: Thu, 24 Jan 2019 16:55:58 +0800
Subject: [keycloak-user] Changing the link in emails sent
Message-ID: <CAMTfnMYq_PioZay+LV51DhjtYRvdakbB4FOFJge1WSFFYpPsgg@mail.gmail.com>

Hi

In my current implementation, my application makes an api call to
Keycloak's REST API to send an email to alert the user to reset their
password.

The URL in the email would look like this:

http://<internal ip address and
port>/auth/realms/MyRealm/login-actions/action-token?key=...

However, since it is an internal address, the user is enable to access it
from his environment. I need the URL in the email to be using an external
address instead. Is there a way this can be done?

https://<external
address>/auth/realms/MyRealm/login-actions/action-token?key=...

From rpalmarin at yahoo.com  Thu Jan 24 05:22:37 2019
From: rpalmarin at yahoo.com (roberto palmarin)
Date: Thu, 24 Jan 2019 10:22:37 +0000 (UTC)
Subject: [keycloak-user] Enable X.509 Client Certificate User Authentication
 only to specific realm
References: <392255193.395664.1548325357448.ref@mail.yahoo.com>
Message-ID: <392255193.395664.1548325357448@mail.yahoo.com>

Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.

I have seen that the SAML parameter authnContextClassRef is not supported by kexcloak, which would allow to force the authentication method!

I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
The question is how can I disable X509 mutual authentication for a realm on keycloak? the configuration for mutual authentication is at the wildfly level and not at the realm level nor at the client keycloak level.
is it possible to have the correct value of authnContextClassRef in the keycloak SAML response?

Thank'sRoberto Palmarin


From greetrobijns at gmail.com  Thu Jan 24 09:10:49 2019
From: greetrobijns at gmail.com (Greet Robijns)
Date: Thu, 24 Jan 2019 15:10:49 +0100
Subject: [keycloak-user] reverse proxy nginx before keycloak
Message-ID: <CAC530nWsxKJuWH2aSVudgm1NSG=OmyOiK_0sME7YR5eKL-hHYQ@mail.gmail.com>

Hi,

I am having some trouble configuring my nginx server before my keycloak
server. I read the documentation at:
https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
.

The problem is that the layout files are not loading and after logging in,
the redirection is incorrect: it goes to /auth/.... instead of
/test/aa/auth.

I am really stuck here? Should I change something in my keycloak
configuration?

my nginx:

worker_processes 1;

events { worker_connections 1024; }

http {

sendfile on;

server {
listen 8080;

location /test/aa/ {
resolver 127.0.0.11;
proxy_pass http://mc:4000/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
}

}

}

Kind Regards,
Greet Robijns

From geoff at opticks.io  Thu Jan 24 09:45:35 2019
From: geoff at opticks.io (Geoffrey Cleaves)
Date: Thu, 24 Jan 2019 15:45:35 +0100
Subject: [keycloak-user] reverse proxy nginx before keycloak
In-Reply-To: <CAC530nWsxKJuWH2aSVudgm1NSG=OmyOiK_0sME7YR5eKL-hHYQ@mail.gmail.com>
References: <CAC530nWsxKJuWH2aSVudgm1NSG=OmyOiK_0sME7YR5eKL-hHYQ@mail.gmail.com>
Message-ID: <CAHzT=q8s0XXOCi-_sX4WYpBvEWHL6ixm7Us1kyEOgDgS=QKrqA@mail.gmail.com>

I'm no expert with Nginx, but have run into this problem before. It's
extremely difficult to reverse proxy to "/test/aa" when the service being
proxied (Keycloak) does not expect to serve at this prefix. The
service-to-be-proxied should offer a config option such as proxy_path which
could be set to "/test/aa" so that the service know it need to add that
prefix to all its routes.

Does Keycloak have a proxy_path config option? I don't think it does.

I suppose it may be possible using some rewrite rules, but those are pretty
tricky and I have never been able to make it work. You might have luck
using the nginx Content modification module:
http://nginx.org/en/docs/http/ngx_http_sub_module.html .

But do you really need to do what you want to do? Why not just proxy the
"/auth" location? That works for me, because that where KC expect to serve
content.


On Thu, 24 Jan 2019 at 15:16, Greet Robijns <greetrobijns at gmail.com> wrote:

> Hi,
>
> I am having some trouble configuring my nginx server before my keycloak
> server. I read the documentation at:
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
> .
>
> The problem is that the layout files are not loading and after logging in,
> the redirection is incorrect: it goes to /auth/.... instead of
> /test/aa/auth.
>
> I am really stuck here? Should I change something in my keycloak
> configuration?
>
> my nginx:
>
> worker_processes 1;
>
> events { worker_connections 1024; }
>
> http {
>
> sendfile on;
>
> server {
> listen 8080;
>
> location /test/aa/ {
> resolver 127.0.0.11;
> proxy_pass http://mc:4000/;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_set_header Host $host;
> }
>
> }
>
> }
>
> Kind Regards,
> Greet Robijns
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

Regards,
Geoffrey Cleaves

From sthorger at redhat.com  Thu Jan 24 10:23:36 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 24 Jan 2019 16:23:36 +0100
Subject: [keycloak-user] reverse proxy nginx before keycloak
In-Reply-To: <CAHzT=q8s0XXOCi-_sX4WYpBvEWHL6ixm7Us1kyEOgDgS=QKrqA@mail.gmail.com>
References: <CAC530nWsxKJuWH2aSVudgm1NSG=OmyOiK_0sME7YR5eKL-hHYQ@mail.gmail.com>
	<CAHzT=q8s0XXOCi-_sX4WYpBvEWHL6ixm7Us1kyEOgDgS=QKrqA@mail.gmail.com>
Message-ID: <CAJgngAfsMZiROPqwd94N0ZpqXLKBHfqpgAn+mFAU=uFCw0QeEw@mail.gmail.com>

You can change the context path of Keycloak to match what you have on the
reverse proxy. See docs for details.

On Thu, 24 Jan 2019 at 15:47, Geoffrey Cleaves <geoff at opticks.io> wrote:

> I'm no expert with Nginx, but have run into this problem before. It's
> extremely difficult to reverse proxy to "/test/aa" when the service being
> proxied (Keycloak) does not expect to serve at this prefix. The
> service-to-be-proxied should offer a config option such as proxy_path which
> could be set to "/test/aa" so that the service know it need to add that
> prefix to all its routes.
>
> Does Keycloak have a proxy_path config option? I don't think it does.
>
> I suppose it may be possible using some rewrite rules, but those are pretty
> tricky and I have never been able to make it work. You might have luck
> using the nginx Content modification module:
> http://nginx.org/en/docs/http/ngx_http_sub_module.html .
>
> But do you really need to do what you want to do? Why not just proxy the
> "/auth" location? That works for me, because that where KC expect to serve
> content.
>
>
> On Thu, 24 Jan 2019 at 15:16, Greet Robijns <greetrobijns at gmail.com>
> wrote:
>
> > Hi,
> >
> > I am having some trouble configuring my nginx server before my keycloak
> > server. I read the documentation at:
> >
> >
> https://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy
> > .
> >
> > The problem is that the layout files are not loading and after logging
> in,
> > the redirection is incorrect: it goes to /auth/.... instead of
> > /test/aa/auth.
> >
> > I am really stuck here? Should I change something in my keycloak
> > configuration?
> >
> > my nginx:
> >
> > worker_processes 1;
> >
> > events { worker_connections 1024; }
> >
> > http {
> >
> > sendfile on;
> >
> > server {
> > listen 8080;
> >
> > location /test/aa/ {
> > resolver 127.0.0.11;
> > proxy_pass http://mc:4000/;
> > proxy_set_header X-Real-IP $remote_addr;
> > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > proxy_set_header X-Forwarded-Proto $scheme;
> > proxy_set_header Host $host;
> > }
> >
> > }
> >
> > }
> >
> > Kind Regards,
> > Greet Robijns
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> --
>
> Regards,
> Geoffrey Cleaves
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com  Thu Jan 24 10:24:34 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 24 Jan 2019 16:24:34 +0100
Subject: [keycloak-user] Changing the link in emails sent
In-Reply-To: <CAMTfnMYq_PioZay+LV51DhjtYRvdakbB4FOFJge1WSFFYpPsgg@mail.gmail.com>
References: <CAMTfnMYq_PioZay+LV51DhjtYRvdakbB4FOFJge1WSFFYpPsgg@mail.gmail.com>
Message-ID: <CAJgngAe4C3gUeaMnE4Fziu_5qP46+wVyWfQWsUfuJ4h9fhQpsg@mail.gmail.com>

See here https://www.keycloak.org/docs/latest/server_admin/index.html#host

On Thu, 24 Jan 2019 at 10:08, Edmund Loh <edmund.loh.1985 at gmail.com> wrote:

> Hi
>
> In my current implementation, my application makes an api call to
> Keycloak's REST API to send an email to alert the user to reset their
> password.
>
> The URL in the email would look like this:
>
> http://<internal ip address and
> port>/auth/realms/MyRealm/login-actions/action-token?key=...
>
> However, since it is an internal address, the user is enable to access it
> from his environment. I need the URL in the email to be using an external
> address instead. Is there a way this can be done?
>
> https://<external
> address>/auth/realms/MyRealm/login-actions/action-token?key=...
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From SMuddamsetty at vitechinc.com  Thu Jan 24 10:52:41 2019
From: SMuddamsetty at vitechinc.com (Sandeep Muddamsetty)
Date: Thu, 24 Jan 2019 15:52:41 +0000
Subject: [keycloak-user] SAML on Tomcat using keyclaok .
Message-ID: <BN7PR02MB5010B5B302428E7D17F138DADC9A0@BN7PR02MB5010.namprd02.prod.outlook.com>

Hi ,

We have an requirement to  implement SSO on Tomcat . After referring to many blogs and threads we came to know that here is no direct solution in Tomcat like other application servers like WebLogic and WebSphere . And few blogs suggested Key cloak but not full documentation . Can any one  help on this to implement SSO on tomcat using Keycloak  with guidance or any documentation .


Thanks ,
Sandeep .


This e-mail message and any files transmitted with it may contain confidential and proprietary information and are intended solely for the use of the individual or entity to which they are addressed. Any unauthorized review, use, disclosure or distribution is strictly prohibited. If you have received this e-mail in error please notify the sender by reply email and destroy all copies of the original message. Thank you for your cooperation.

From ieugen at netdava.com  Thu Jan 24 11:39:49 2019
From: ieugen at netdava.com (Eugen Stan)
Date: Thu, 24 Jan 2019 18:39:49 +0200
Subject: [keycloak-user] adding translations to theme leads to
	NullPointerException
Message-ID: <c7f64b74-ffc5-619b-6035-4c0d2dffe0f5@netdava.com>

Hello,

We have translated keycloak into multiple languages, available at [1].

I've copied those translations into our custom theme and build the
docker image.

I updated the iimage and it fails to start with the following exception.

Just the files being there causes the above exception.

Any ideas how to fix this ?


Regards,


```

15:47:17,655 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
(default task-6) Failed to create error page: java.lang.NullPointerException
??? at
org.keycloak.theme.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java:117)
??? at
org.keycloak.theme.ExtendingThemeManager.getTheme(ExtendingThemeManager.java:95)
??? at
org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:26)
??? at
org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:21)
??? at
org.keycloak.services.error.KeycloakErrorHandler.toResponse(KeycloakErrorHandler.java:71)
??? at
org.jboss.resteasy.core.ExceptionHandler.executeExceptionMapper(ExceptionHandler.java:102)
??? at
org.jboss.resteasy.core.ExceptionHandler.unwrapException(ExceptionHandler.java:131)
??? at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
??? at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:197)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:459)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
??? at
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
??? at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
??? at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
??? at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
??? at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
??? at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
??? at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
??? at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
??? at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
??? at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
??? at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
??? at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
??? at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
??? at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
??? at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
??? at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
??? at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
??? at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
??? at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
??? at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
??? at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
??? at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
??? at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
??? at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
??? at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
??? at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
??? at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
??? at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
??? at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
??? at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
??? at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
??? at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
??? at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
??? at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
??? at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
??? at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
??? at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
??? at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
??? at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
??? at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
??? at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
??? at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
??? at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
??? at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
??? at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
??? at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
??? at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
??? at
org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
??? at
org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
??? at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
??? at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
??? at java.lang.Thread.run(Thread.java:748)

````


[1] https://github.com/GreatPeopleInside/keycloak


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190124/b2b90ce0/attachment-0001.bin 

From cwalker at sumglobal.com  Thu Jan 24 16:56:42 2019
From: cwalker at sumglobal.com (Walker, Charles)
Date: Thu, 24 Jan 2019 16:56:42 -0500
Subject: [keycloak-user] Adding multiple custom REST endpoints
Message-ID: <CAFdq00HRMAQGyHUqT-7Wsc9GBQKGL84USxur9En2gUp4b4szdA@mail.gmail.com>

The documentation states that if you want to add a custom endpoint, you
need to implement the RealmResourceProviderFactory and
RealmResourceProvider interfaces.  Then the examples show that you create
an "org.keycloak.services.resource.RealmResourceProviderFactory" file in
the "META-INF/services" directory that references the implementation.

But what if I want to have multiple implementations?  would these
implementations be just listed in the above file
"org.keycloak.services.resource.RealmResourceProviderFactory" as comma
separated, space separated or what?


Thanks for your help,

Charles Walker

From dt at acutus.pro  Thu Jan 24 21:19:50 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 25 Jan 2019 05:19:50 +0300
Subject: [keycloak-user] Adding multiple custom REST endpoints
In-Reply-To: <CAFdq00HRMAQGyHUqT-7Wsc9GBQKGL84USxur9En2gUp4b4szdA@mail.gmail.com>
References: <CAFdq00HRMAQGyHUqT-7Wsc9GBQKGL84USxur9En2gUp4b4szdA@mail.gmail.com>
Message-ID: <1548382790.14282.1.camel@acutus.pro>

Hello Charles,

Your implementations should be listed one per line [1].

Also you can implement multiple REST endpoints within a single provider (as JAX-RS subresources), if only you're ok that they share the same prefix, i.e. a string returned by your factory's getId() method.

[1] https://docs.oracle.com/javase/8/docs/api/java/util/ServiceLoader.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2019-01-24 at 16:56 -0500, Walker, Charles wrote:
> The documentation states that if you want to add a custom endpoint, you
> need to implement the RealmResourceProviderFactory and
> RealmResourceProvider interfaces.??Then the examples show that you create
> an "org.keycloak.services.resource.RealmResourceProviderFactory" file in
> the "META-INF/services" directory that references the implementation.
> 
> But what if I want to have multiple implementations???would these
> implementations be just listed in the above file
> "org.keycloak.services.resource.RealmResourceProviderFactory" as comma
> separated, space separated or what?
> 
> 
> Thanks for your help,
> 
> Charles Walker
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From duzimartin at gmail.com  Fri Jan 25 06:47:30 2019
From: duzimartin at gmail.com (=?UTF-8?B?TWFydGluIER1xb7DrQ==?=)
Date: Fri, 25 Jan 2019 12:47:30 +0100
Subject: [keycloak-user] SAML SSO logout invalid destination error
Message-ID: <CAMbE=ee_orKKEq3x8FSLsHdt1wMMzfueWUxiSFgDwfAwirwK4A@mail.gmail.com>

Hello,

our team is using SAML SSO via Keycloak with several 3rd party applications.

After updating Keycloak version from 4.2.1 to 4.8.2, we started having
problem with logout from JFrog Artifactory, which ends up on page "We're
sorry ... Invalid Request".

Keycloak prints following error in server.log:

2019-01-18 19:02:44,198 WARN  [org.keycloak.events] (default task-1)
type=LOGOUT_ERROR, realmId=fea322ef-a93e-c7db-aa08-c4eea81b38ff,
clientId=null, userId=null, ipAddress=(null), error=invalid_logout_request,
reason=invalid_destination

Which seems to indicate problem with destination attribute in logout
request and it is indeed missing from the xml sent by Artifactory:

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
ID="add9d022-12da-40a2-80bd-f1d5b042a595"
IssueInstant="2019-01-18T07:23:50.822Z" Version="2.0"><saml2:Issuer
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory.example.com</saml2:Issuer><saml2:NameID
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">logout
user</saml2:NameID><saml2p:SessionIndex>a8ec478f-a05c-4feb-8ec2-4dd9015eabe9::37dcf7a4-0a11-4cfe-9a23-6d4d3cd4e9e0</saml2p:SessionIndex></saml2p:LogoutRequest>

Looking at SAML specs and also recent code changes in Keycloak, destination
should be optional. Client Signature Required is turned off. Other
applications that actually send destination attribute can logout without
issues.

Anyone has idea what could be the problem here?

BR

Martin Duzi

From pavel.masloff at gmail.com  Sun Jan 27 07:09:15 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 27 Jan 2019 13:09:15 +0100
Subject: [keycloak-user] [docker] Enabling SSL/HTTPS in Keycloak 4.8.3.Final
Message-ID: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>

Hi all,


I am trying to import a custom jks keystore into keycloak in a Dockerfile
[1]. The problem is Wildfly uses the default self-signed certificate
instead.

Everything worked fine with Keycloak 4.1.0.Final. Something might have
broken in the latest version (I suspect the new Undertow server). Perhaps,
the documentation [2] should be updated.

Any help would be appreciated. Thanks in advance.

Regards,
Pavel Maslov, MS

[1] https://github.com/maslick/keycloak-docker
[2]
https://www.keycloak.org/docs/latest/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server

From pavel.masloff at gmail.com  Sun Jan 27 07:41:45 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 27 Jan 2019 13:41:45 +0100
Subject: [keycloak-user] [docker] Enabling SSL/HTTPS in Keycloak
	4.8.3.Final
In-Reply-To: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
References: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
Message-ID: <CAF9aV_q5SQejW41fw2KMHB3kQA2hY3yM0T=LEdvDwumPMyey3w@mail.gmail.com>

One thing to add: the problem is traced to migrating from 4.4.0 to 4.5.0
(4.4.0.Final is fine). Looking at the release notes [1] there seems to be
no major changes that could affect the SSL configuration.

Any ideas?

[1]
https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-4-5-0-final


Regards,
Pavel Maslov, MS


On Sun, Jan 27, 2019 at 1:09 PM Pavel Maslov <pavel.masloff at gmail.com>
wrote:

> Hi all,
>
>
> I am trying to import a custom jks keystore into keycloak in a Dockerfile
> [1]. The problem is Wildfly uses the default self-signed certificate
> instead.
>
> Everything worked fine with Keycloak 4.1.0.Final. Something might have
> broken in the latest version (I suspect the new Undertow server). Perhaps,
> the documentation [2] should be updated.
>
> Any help would be appreciated. Thanks in advance.
>
> Regards,
> Pavel Maslov, MS
>
> [1] https://github.com/maslick/keycloak-docker
> [2]
> https://www.keycloak.org/docs/latest/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server
>
>

From pavel.masloff at gmail.com  Sun Jan 27 08:22:01 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 27 Jan 2019 14:22:01 +0100
Subject: [keycloak-user] [docker] Enabling SSL/HTTPS in Keycloak
	4.8.3.Final
In-Reply-To: <CAF9aV_q5SQejW41fw2KMHB3kQA2hY3yM0T=LEdvDwumPMyey3w@mail.gmail.com>
References: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
	<CAF9aV_q5SQejW41fw2KMHB3kQA2hY3yM0T=LEdvDwumPMyey3w@mail.gmail.com>
Message-ID: <CAF9aV_oNDCbRwiaMOfKnF0=AyT2UFvMjW8-iDO82TZSSAi57-Q@mail.gmail.com>

Attaching two files:

1. standalone.xml - the resulting keycloak configuration.
2. keycloak-ssl.log - keycloak log.

HTH

Regards,
Pavel Maslov, MS


On Sun, Jan 27, 2019 at 1:41 PM Pavel Maslov <pavel.masloff at gmail.com>
wrote:

> One thing to add: the problem is traced to migrating from 4.4.0 to 4.5.0
> (4.4.0.Final is fine). Looking at the release notes [1] there seems to be
> no major changes that could affect the SSL configuration.
>
> Any ideas?
>
> [1]
> https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-4-5-0-final
>
>
> Regards,
> Pavel Maslov, MS
>
>
> On Sun, Jan 27, 2019 at 1:09 PM Pavel Maslov <pavel.masloff at gmail.com>
> wrote:
>
>> Hi all,
>>
>>
>> I am trying to import a custom jks keystore into keycloak in a Dockerfile
>> [1]. The problem is Wildfly uses the default self-signed certificate
>> instead.
>>
>> Everything worked fine with Keycloak 4.1.0.Final. Something might have
>> broken in the latest version (I suspect the new Undertow server). Perhaps,
>> the documentation [2] should be updated.
>>
>> Any help would be appreciated. Thanks in advance.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> [1] https://github.com/maslick/keycloak-docker
>> [2]
>> https://www.keycloak.org/docs/latest/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone.xml
Type: text/xml
Size: 27008 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190127/1ca17d63/attachment-0001.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-ssl.log
Type: application/octet-stream
Size: 20899 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190127/1ca17d63/attachment-0001.obj 

From dt at acutus.pro  Sun Jan 27 13:06:26 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Sun, 27 Jan 2019 21:06:26 +0300
Subject: [keycloak-user] [docker] Enabling SSL/HTTPS in Keycloak
 4.8.3.Final
In-Reply-To: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
References: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
Message-ID: <1548612386.3702.1.camel@acutus.pro>

Hello Pavel,

Starting with 4.5.0, Keycloak Docker image uses standalone-ha.xml by default. I guess this is the issue. Unfortunately, this change was not documented, and you're not the first one to step on this landmine.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sun, 2019-01-27 at 13:09 +0100, Pavel Maslov wrote:
> Hi all,
> 
> 
> I am trying to import a custom jks keystore into keycloak in a Dockerfile
> [1]. The problem is Wildfly uses the default self-signed certificate
> instead.
> 
> Everything worked fine with Keycloak 4.1.0.Final. Something might have
> broken in the latest version (I suspect the new Undertow server). Perhaps,
> the documentation [2] should be updated.
> 
> Any help would be appreciated. Thanks in advance.
> 
> Regards,
> Pavel Maslov, MS
> 
> [1] https://github.com/maslick/keycloak-docker
> [2]
> https://www.keycloak.org/docs/latest/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pavel.masloff at gmail.com  Sun Jan 27 15:13:07 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 27 Jan 2019 21:13:07 +0100
Subject: [keycloak-user] [docker] Enabling SSL/HTTPS in Keycloak
	4.8.3.Final
In-Reply-To: <1548612386.3702.1.camel@acutus.pro>
References: <CAF9aV_r4TgenzhdrtKYGfdKqmv1N=AZ9fJR3dx8eHax8U4cabw@mail.gmail.com>
	<1548612386.3702.1.camel@acutus.pro>
Message-ID: <CAF9aV_r43frKAaNipnQn3RKjZEmLMbBgmR-d-Y3tG5YfWSH3qQ@mail.gmail.com>

Spasibo, Dmitry! That solved the issue :)


Regards,
Pavel Maslov, MS


On Sun, Jan 27, 2019 at 7:06 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Pavel,
>
> Starting with 4.5.0, Keycloak Docker image uses standalone-ha.xml by
> default. I guess this is the issue. Unfortunately, this change was not
> documented, and you're not the first one to step on this landmine.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Sun, 2019-01-27 at 13:09 +0100, Pavel Maslov wrote:
> > Hi all,
> >
> >
> > I am trying to import a custom jks keystore into keycloak in a Dockerfile
> > [1]. The problem is Wildfly uses the default self-signed certificate
> > instead.
> >
> > Everything worked fine with Keycloak 4.1.0.Final. Something might have
> > broken in the latest version (I suspect the new Undertow server).
> Perhaps,
> > the documentation [2] should be updated.
> >
> > Any help would be appreciated. Thanks in advance.
> >
> > Regards,
> > Pavel Maslov, MS
> >
> > [1] https://github.com/maslick/keycloak-docker
> > [2]
> >
> https://www.keycloak.org/docs/latest/server_installation/index.html#enabling-ssl-https-for-the-keycloak-server
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From chris.smith at cmfirstgroup.com  Sun Jan 27 22:04:36 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Mon, 28 Jan 2019 03:04:36 +0000
Subject: [keycloak-user] Get a GSSCredential when user browser is not in
 Active Directory domain
In-Reply-To: <BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>
References: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>
Message-ID: <CY4PR22MB0248BF0B11C97A1D9E4EA1C798960@CY4PR22MB0248.namprd22.prod.outlook.com>

Does anyone have feedback about getting a delegated GSSCredential?

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Here is a Diagram of what I'm trying to do

From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain

I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation

I can get a Delegated GSSCredential when the SPNEGO enabled browser  runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged in user  in the Access Token when SPNEGO is not available from the browser?




From testoauth55 at gmail.com  Mon Jan 28 00:14:31 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 28 Jan 2019 10:44:31 +0530
Subject: [keycloak-user] Server Admin: Ship master realm with ssl disabled /
	set to none
Message-ID: <CANAVTmMrfEJ9X4aUh4DQSCMJ8HbqqxXp=awhJMkfXLSg4Ntk_A@mail.gmail.com>

I am using reverse proxy with keycloak server which is SSL protected. I
have also shipped default configuration for my custom realm with SSL set to
"none". But what is the way to ship master realm with ssl set to none? By
default it's getting shipped with ssl set to "external requests"

From dt at acutus.pro  Mon Jan 28 01:17:53 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 28 Jan 2019 09:17:53 +0300
Subject: [keycloak-user] Switching to Native JavaScript promise by
 default
In-Reply-To: <CAJgngAekhwKAa24cNgEY_vgq2HZsbM3tUog0z0FnvkSmTa35KA@mail.gmail.com>
References: <CAJgngAekhwKAa24cNgEY_vgq2HZsbM3tUog0z0FnvkSmTa35KA@mail.gmail.com>
Message-ID: <1548656273.19952.1.camel@acutus.pro>

Hi, are there any particular plans for it?

I think I've found a promise-related bug in JS adapter, but not sure if it makes any sense fixing it, since the whole thing is going to be transitioned to native promises.

The bug is that the success()/error() functions are expected in doLogin() (keycloak.js:145), but the corresponding createPromise() is called without explicit true arg (line 1163), so if { promiseType: 'native' } is used, doLogin() will barf with "TypeError: kc.login(...).success is not a function".

Cheers,
Dmitry

On Thu, 2019-01-17 at 08:55 +0100, Stian Thorgersen wrote:
> I would like to switch the JavaScript adapter to use Native promises by
> default and deprecate the legacy promise with the aim to remove it in the
> future.
> 
> This would result in users that want to continue to use the legacy promise
> having to explicitly enable this in the config.
> 
> I see this as the best path to eventually remove the legacy promises.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro  Mon Jan 28 01:21:06 2019
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 28 Jan 2019 09:21:06 +0300
Subject: [keycloak-user] Get a GSSCredential when user browser is not in
 Active Directory domain
In-Reply-To: <CY4PR22MB0248BF0B11C97A1D9E4EA1C798960@CY4PR22MB0248.namprd22.prod.outlook.com>
References: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<CY4PR22MB0248BF0B11C97A1D9E4EA1C798960@CY4PR22MB0248.namprd22.prod.outlook.com>
Message-ID: <1548656466.19952.3.camel@acutus.pro>

Hello Chris,

AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.

Cheers,
Dmitry

On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
> 
> -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
> 
> Here is a Diagram of what I'm trying to do
> 
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> > > To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
> 
> I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation
> 
> I can get a Delegated GSSCredential when the SPNEGO enabled browser??runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
> 
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
> 
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
> 
> Can Keycloak put a GSSCredential for the logged in user??in the Access Token when SPNEGO is not available from the browser?
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From marom.guy at gmail.com  Mon Jan 28 03:35:02 2019
From: marom.guy at gmail.com (Guy Marom)
Date: Mon, 28 Jan 2019 10:35:02 +0200
Subject: [keycloak-user] Showing error messages originating from external
	identity providers
Message-ID: <CAAjYAJpOkE7Wrr8bTosgb-KcG36hBh3x6XLqWim=N4g+LdMj4w@mail.gmail.com>

Hello all,

First of - thanks for developing this. The product is very useful for us!

Second, I wanted to ask about external identity providers. We have an
integration with *Azure Active Directory* and I configured an app in Azure
that does not allow all users to use it by default, instead I need to
assign a user to the app.
When I try to login to Keycloak with a user that's unauthorized, I get
redirected to Keycloak's login page with no error message shown.
Is there a way to fix this (other than editing the HTML template of the
login page)?

Thanks,
Guy Marom

From kapilkumarjoshi001 at gmail.com  Mon Jan 28 04:24:35 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Mon, 28 Jan 2019 14:54:35 +0530
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
Message-ID: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>

Hi All,

Can we assign realm-management client roles for users imported from LDAP in
Keycloak.
Currently we are trying to set up LDAP based user federation using by
importing a realm.json, configured with LDAP related configuration. Have
attached it to this email.
Basically the requirement is when we login to the client using the LDAP
credentials, the user should be able to access user-management and
view-realm client(i.e accessing the admin console) from client side.

Thanks
Kapil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: realm2.json
Type: application/json
Size: 8166 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190128/73dfb23a/attachment.bin 

From Edgar at info.nl  Mon Jan 28 06:10:53 2019
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 28 Jan 2019 11:10:53 +0000
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest not
 working with NetIQ Access Manager because it is not signed?
Message-ID: <82603569-9670-44FD-8D01-9BA5F1998CEF@info.nl>

hi all,

We are trying to set up Keycloak to act as a federated identity provider between our (OAuth2-enabled) application and the external SAML 2.0-enabled NetIQ Acces Manager identity provider using: https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers

The basic setup including authentication works fine. However logging out does not. When attempting to logout from our application Keycloak sends a SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this request because, from what we understand from NetIQ, this request is not signed.

It seems that Keycloak does not support sending signed LogoutRequests from SAML Identity Providers? Is this indeed the case and how could we go about solving this? Maybe create a custom IdentityProvider or possibly send a SAML LogoutRequest to NetIQ from our application directly?

Example of SAML LogoutRequest send by Keycloak:

<samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
    ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
    <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
</samlp:LogoutRequest>


I am no expert on SAML at all but this is from the SAML 2.0 specs (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf):

4.4.4.1 <LogoutRequest> Usage:
  "The requester MUST authenticate itself to the responder and ensure message integrity, either by signing the message or using a binding-specific mechanism.?

Should Keycloak not support signing SAML LogoutRequests?

cheers

Edgar


From chris.smith at cmfirstgroup.com  Mon Jan 28 06:36:36 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Mon, 28 Jan 2019 11:36:36 +0000
Subject: [keycloak-user] FW: Get a GSSCredential when user browser is not in
 Active Directory domain
In-Reply-To: <CY4PR22MB0248D571E8627DD6FEE7215098960@CY4PR22MB0248.namprd22.prod.outlook.com>
References: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<CY4PR22MB0248BF0B11C97A1D9E4EA1C798960@CY4PR22MB0248.namprd22.prod.outlook.com>
	<1548656466.19952.3.camel@acutus.pro>
	<CY4PR22MB0248D571E8627DD6FEE7215098960@CY4PR22MB0248.namprd22.prod.outlook.com>
Message-ID: <CY4PR22MB02488A7411148AB273905CD698960@CY4PR22MB0248.namprd22.prod.outlook.com>




Thank you Dmitry

My Keycloak realm is setup for LDAP/Kerberos authentication with a Windows Active Directory domain.

So I am getting a delegated GSSCredential in my AccessToken when I access my Web App from a properly configured browser (SPNEGO) on a workstation in the Windows Active Directory Domain.

If the browser is not configured for SPNEGO or the workstation is not a member of the Windows Active Directory Domain, The browser is redirected to the Keycloak log in page After entering a correct user and password, the browser is redirected back to the Web App.
This step is what I need to successfully authenticate a Windows AD User ID/password combination and it works.
My problem is there is no claim in the AccessToken for a GSSCredential.

I have an absolute requirement for a GSSCredential for that Windows AD User ID/Password.  

The GSSCredential is to be used in the web app to connect to an IBM i (aka AS/400) for calling RPG and COBOL programs.
The IBM i is Configured to accept the GSSCredential and it works when the workstation is a member of the Windows AD domain and the browser is configured for SPNEGO.

Can Keycloak be configured to put a GSSCredential in the AccessToken when Keycloak authenticates the Windows AD User id/Password?

If not, would it be a large effort to add a plugin that would put a GSSCredential in the AccessToken?

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Monday, January 28, 2019 2:21 PM
To: Chris Smith <chris.smith at cmfirstgroup.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Hello Chris,

AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.

Cheers,
Dmitry

On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
> 
> -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org 
> > <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is 
> not in Active Directory domain
> 
> Here is a Diagram of what I'm trying to do
> 
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> > > To: 'keycloak-user at lists.jboss.org' 
> > > <keycloak-user at lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active 
> Directory domain
> 
> I have setup my servlet to authenticate a user my web app using 
> Keycloak Active Directory ldap user federation
> 
> I can get a Delegated GSSCredential when the SPNEGO enabled browser??runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
> 
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
> 
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
> 
> Can Keycloak put a GSSCredential for the logged in user??in the Access Token when SPNEGO is not available from the browser?
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From hans.zandbelt at zmartzone.eu  Mon Jan 28 09:03:36 2019
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Mon, 28 Jan 2019 15:03:36 +0100
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
 not working with NetIQ Access Manager because it is not signed?
In-Reply-To: <mailman.160512.1548675399.4500.keycloak-user@lists.jboss.org>
References: <mailman.160512.1548675399.4500.keycloak-user@lists.jboss.org>
Message-ID: <CA+iA6ugVRDNSgSv3HthMW+vjsz-X3PDGO3cjUwM9YuOOjR2ffg@mail.gmail.com>

Hi Ed :-),

>From a quick peek at the code [1] it looks like Keycloak re-uses the
per-identity provider setting for signing authentication requests for the
logout requests as well. By setting "Want AuthnRequests Signed" in the
configuration for NetIQ Keycloak should start signing the logout requests
as well.

I believe you are right that the spec requires sending signed logout
requests when using the POST binding.

Let me know if that works,

Hans.

[1]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java#L321

On Mon, Jan 28, 2019 at 12:41 PM <keycloak-user-request at lists.jboss.org>
wrote:

> ------------------------------
>
> Message: 2
> Date: Mon, 28 Jan 2019 11:10:53 +0000
> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
> Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
>         not working with NetIQ Access Manager because it is not signed?
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <82603569-9670-44FD-8D01-9BA5F1998CEF at info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> hi all,
>
> We are trying to set up Keycloak to act as a federated identity provider
> between our (OAuth2-enabled) application and the external SAML 2.0-enabled
> NetIQ Acces Manager identity provider using:
> https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-identity-providers
>
> The basic setup including authentication works fine. However logging out
> does not. When attempting to logout from our application Keycloak sends a
> SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this
> request because, from what we understand from NetIQ, this request is not
> signed.
>
> It seems that Keycloak does not support sending signed LogoutRequests from
> SAML Identity Providers? Is this indeed the case and how could we go about
> solving this? Maybe create a custom IdentityProvider or possibly send a
> SAML LogoutRequest to NetIQ from our application directly?
>
> Example of SAML LogoutRequest send by Keycloak:
>
> <samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo"
>     ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d"
> IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
> http://localhost:8080/auth/realms/our-realm</saml:Issuer>
>     <saml:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID>
>     <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
>
> I am no expert on SAML at all but this is from the SAML 2.0 specs (
> https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf
> ):
>
> 4.4.4.1 <LogoutRequest> Usage:
>   "The requester MUST authenticate itself to the responder and ensure
> message integrity, either by signing the message or using a
> binding-specific mechanism.?
>
> Should Keycloak not support signing SAML LogoutRequests?
>
> cheers
>
> Edgar
>
>
-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

From l.lech at ringler.ch  Mon Jan 28 10:30:03 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 28 Jan 2019 15:30:03 +0000
Subject: [keycloak-user] User sessions in DB
Message-ID: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>

Hello,

I'm using Keycloak docker image for 4.8.1

I have logged in users, but in DB, I see no entries in user_session.

Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console.

Are there any issues with JPA cache?

Best regards,
Lukasz Lech


From Edgar at info.nl  Mon Jan 28 11:16:20 2019
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 28 Jan 2019 16:16:20 +0000
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
 not working with NetIQ Access Manager because it is not signed?
In-Reply-To: <82603569-9670-44FD-8D01-9BA5F1998CEF@info.nl>
References: <82603569-9670-44FD-8D01-9BA5F1998CEF@info.nl>
Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4@info.nl>

Thanks Hans! :-)

Unfortunately with "Want AuthnRequests Signed? enabled we can no longer log in to the external IdP.. I will check with the NetIQ provider people to check.


From wagnerspi at gmail.com  Mon Jan 28 11:51:26 2019
From: wagnerspi at gmail.com (Wagner)
Date: Mon, 28 Jan 2019 14:51:26 -0200
Subject: [keycloak-user]  Keycloak integration with django
Message-ID: <CAO0ino=wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA@mail.gmail.com>

Hi there,

I've been looking for ways to integrate keycloak with django, and have
found the django-keycloak project, but the docs are kind of limited.

Can anyone point me in the direction of integrating it with an existing
django project? I don't want to use the django admin web interface to
configure it, but haven't found any other way to do so.

Thanks,
Wagner

From ntle at castortech.com  Mon Jan 28 13:04:58 2019
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 28 Jan 2019 13:04:58 -0500
Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver class
	on every request
Message-ID: <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=iE6nGV0JQ@mail.gmail.com>

Hello,

We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI env
to filter requests to our REST service as follow:

@Component(
service = {
ContainerRequestFilter.class,
ContainerResponseFilter.class
},
scope = ServiceScope.PROTOTYPE,
property = {
"osgi.jaxrs.extension=true",
JAX_RS_NAME + "=DiagramRestFilter",
DiagramConstants.REST_APP_SELECT
}
)
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
implements ContainerResponseFilter {
private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
private final Logger log = LoggerFactory.getLogger(getClass());

@Reference
private SessionService sessionService;

@Activate
public void activate(BundleContext bundleContext) {
log.trace("Activating {}", getClass()); //$NON-NLS-1$
setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver");
//$NON-NLS-1$
setBundleContext(bundleContext);
}

As you can see, we set the filter scope to Prototype as recommended by OSGI
compedium (
https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685)
but we see a lot of the following line got printed when the server started
INFO: Using
com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver at 738e48f7
to resolve Keycloak configuration on a per-request basis.

Does that means the config resolver is being instantiate for each request ?
Since the the configuration never change, would it make sense to
instantiate this config resolver only once?

Thai Le

From mposolda at redhat.com  Mon Jan 28 15:00:02 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:00:02 +0100
Subject: [keycloak-user] User sessions in DB
In-Reply-To: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>
Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01@redhat.com>

On 28/01/2019 16:30, Lukasz Lech wrote:
> Hello,
>
> I'm using Keycloak docker image for 4.8.1
>
> I have logged in users, but in DB, I see no entries in user_session.
That is expected. The USER_SESSION table is probably something like a 
tombstone of some previous implementation. User sessions are not saved 
in the DB.
>
> Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console.

Looks like a bug. Feel free to create JIRA (with stacktrace and ideally 
exact steps to reproduce).

Thanks,
Marek

>
> Are there any issues with JPA cache?
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Mon Jan 28 15:07:05 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:07:05 +0100
Subject: [keycloak-user] Get a GSSCredential when user browser is not in
 Active Directory domain
In-Reply-To: <1548656466.19952.3.camel@acutus.pro>
References: <BN6PR22MB024411A53CDE05035A0EEB1198990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<BN6PR22MB02446F8141FBA0DD80FB7E6A98990@BN6PR22MB0244.namprd22.prod.outlook.com>
	<CY4PR22MB0248BF0B11C97A1D9E4EA1C798960@CY4PR22MB0248.namprd22.prod.outlook.com>
	<1548656466.19952.3.camel@acutus.pro>
Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67@redhat.com>

+1

GSSCredential is used just during SPNEGO authentication. You may 
possibly change the built-in authentication flows or userStorage 
provider, so that after verification with username/password, the 
GSSCredential will be somehow obtained from the JAAS Subject used for 
the authentication (See class KerberosUsernamePasswordAuthenticator for 
the details).

However I am not sure if this is really possible and it will require 
some more deep-dive into the Keycloak codebase and Kerberos 
implementation in JDK... Just a hint...

Marek

On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>>>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser??runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user??in the Access Token when SPNEGO is not available from the browser?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From milan.zahradnik at itbh.at  Mon Jan 28 15:07:26 2019
From: milan.zahradnik at itbh.at (Zahradnik, Milan)
Date: Mon, 28 Jan 2019 21:07:26 +0100
Subject: [keycloak-user] keycloak adapter for elytron
Message-ID: <CAE+md6DtGW9y0g2MvjeEDu4O9jTLk9r0srpRksbg1eMfcErwLQ@mail.gmail.com>

Hi,

I am new on this forum so please forgive me any mistakes I make.
We have a strange issue with keycloak and wildfly Elytron. We use wildfly
15.0.0. After installing keycloak (4.8.3) adapter for wildfly 10 and more
(adapter-elytron-install-offline.cli) we always get exception  "Not allowed
exception" when we send request to our endpoint (stateless EJB bean). In
our access token we have all necessary roles which are then applied on
endpoint in @RolesAllowed("rest"). Also not working when we use
@SecurityDomain("keycloak") with EJB.

The strange is when we install keycloak adapter for older wildfly versions
(adapter-install-offline.cli) everything works as expected.

The same issue is here
http://lists.jboss.org/pipermail/keycloak-user/2018-August/015297.html
Does anybody of you any idea what could be an issue here?

Thanks for any help
Milan Zahradnik

From mposolda at redhat.com  Mon Jan 28 15:13:43 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:13:43 +0100
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
Message-ID: <b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>

Yes, this should be doable with hardcoded-ldap-role-mapper if I 
understand your use-case correctly (See tab "mappers" in the admin 
console when you're on the page with the details of LDAP provider).

Marek

On 28/01/2019 10:24, kapil joshi wrote:
> Hi All,
>
> Can we assign realm-management client roles for users imported from LDAP in
> Keycloak.
> Currently we are trying to set up LDAP based user federation using by
> importing a realm.json, configured with LDAP related configuration. Have
> attached it to this email.
> Basically the requirement is when we login to the client using the LDAP
> credentials, the user should be able to access user-management and
> view-realm client(i.e accessing the admin console) from client side.
>
> Thanks
> Kapil
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Mon Jan 28 15:18:48 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:18:48 +0100
Subject: [keycloak-user] keycloak adapter for elytron
In-Reply-To: <CAE+md6DtGW9y0g2MvjeEDu4O9jTLk9r0srpRksbg1eMfcErwLQ@mail.gmail.com>
References: <CAE+md6DtGW9y0g2MvjeEDu4O9jTLk9r0srpRksbg1eMfcErwLQ@mail.gmail.com>
Message-ID: <7469f32e-8828-f103-655a-11fffee3e9dd@redhat.com>

Hi,

could you try to install the "legacy" (non-elytron) adapter and check if 
it works? I think that it is the file |adapter-install-offline.cli 
instead of |adapter-elytron-install-offline.cli|| (not 100% sure).

If that helps, then feel free to create JIRA with your use-case.

Marek

On 28/01/2019 21:07, Zahradnik, Milan wrote:
> Hi,
>
> I am new on this forum so please forgive me any mistakes I make.
> We have a strange issue with keycloak and wildfly Elytron. We use wildfly
> 15.0.0. After installing keycloak (4.8.3) adapter for wildfly 10 and more
> (adapter-elytron-install-offline.cli) we always get exception  "Not allowed
> exception" when we send request to our endpoint (stateless EJB bean). In
> our access token we have all necessary roles which are then applied on
> endpoint in @RolesAllowed("rest"). Also not working when we use
> @SecurityDomain("keycloak") with EJB.
>
> The strange is when we install keycloak adapter for older wildfly versions
> (adapter-install-offline.cli) everything works as expected.
>
> The same issue is here
> http://lists.jboss.org/pipermail/keycloak-user/2018-August/015297.html
> Does anybody of you any idea what could be an issue here?
>
> Thanks for any help
> Milan Zahradnik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From mposolda at redhat.com  Mon Jan 28 15:27:08 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:27:08 +0100
Subject: [keycloak-user] Enable X.509 Client Certificate User
 Authentication only to specific realm
In-Reply-To: <392255193.395664.1548325357448@mail.yahoo.com>
References: <392255193.395664.1548325357448.ref@mail.yahoo.com>
	<392255193.395664.1548325357448@mail.yahoo.com>
Message-ID: <8f6a377e-94d6-3b4e-dbfa-9591f61d3aa9@redhat.com>

I think that on the Wildfly/Undertow level you can configure if client 
authentication is:
- mandatory
- optional (which means it is possible to be used, but things won't 
break if client certificate is not used)
- none

See docs (and Wildfly docs) for more details how to configure it.

I think that if you use the "optional", it will be possible that client 
certificates won't be used if you use them in realm1 (also you may need 
to ensure that X509 certificate authenticator is not in the browser flow 
of realm1).

Marek

On 24/01/2019 11:22, roberto palmarin wrote:
> Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
> Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.
>
> I have seen that the SAML parameter authnContextClassRef is not supported by kexcloak, which would allow to force the authentication method!
>
> I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
> The question is how can I disable X509 mutual authentication for a realm on keycloak? the configuration for mutual authentication is at the wildfly level and not at the realm level nor at the client keycloak level.
> is it possible to have the correct value of authnContextClassRef in the keycloak SAML response?
>
> Thank'sRoberto Palmarin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From hans.zandbelt at zmartzone.eu  Mon Jan 28 15:27:50 2019
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Mon, 28 Jan 2019 21:27:50 +0100
Subject: [keycloak-user] keycloak-user Digest, Vol 61, Issue 39
In-Reply-To: <mailman.161616.1548706029.4500.keycloak-user@lists.jboss.org>
References: <mailman.161616.1548706029.4500.keycloak-user@lists.jboss.org>
Message-ID: <CA+iA6ujVmimfU7RCsPCP5ogvH=ZyveWyWcoXUPA33SOrapHCyQ@mail.gmail.com>

Hey Ed,

Ouch, bad NetIQ :-( apparently it considers the signature on the request as
something unexpected, which it really shouldn't...
However, you should be able to configure the signing certificate of
Keycloak on the NetIQ side (which you needed to do anyway for the
validation of the Logout requests) and make it "require" or "expect" signed
authentication requests from the Keycloak SP.

Hans.

On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request at lists.jboss.org>
wrote:

>
> ------------------------------
>
> Message: 3
> Date: Mon, 28 Jan 2019 16:16:20 +0000
> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
>         LogoutRequest not working with NetIQ Access Manager because it is
> not
>         signed?
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4 at info.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Thanks Hans! :-)
>
> Unfortunately with "Want AuthnRequests Signed? enabled we can no longer
> log in to the external IdP.. I will check with the NetIQ provider people to
> check.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 28 Jan 2019 14:51:26 -0200
> From: Wagner <wagnerspi at gmail.com>
> Subject: [keycloak-user]  Keycloak integration with django
> To: keycloak-user at lists.jboss.org
> Message-ID:
>         <CAO0ino=
> wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi there,
>
> I've been looking for ways to integrate keycloak with django, and have
> found the django-keycloak project, but the docs are kind of limited.
>
> Can anyone point me in the direction of integrating it with an existing
> django project? I don't want to use the django admin web interface to
> configure it, but haven't found any other way to do so.
>
> Thanks,
> Wagner
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 28 Jan 2019 13:04:58 -0500
> From: Nhut Thai Le <ntle at castortech.com>
> Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver
>         class   on every request
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID:
>         <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=
> iE6nGV0JQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI env
> to filter requests to our REST service as follow:
>
> @Component(
> service = {
> ContainerRequestFilter.class,
> ContainerResponseFilter.class
> },
> scope = ServiceScope.PROTOTYPE,
> property = {
> "osgi.jaxrs.extension=true",
> JAX_RS_NAME + "=DiagramRestFilter",
> DiagramConstants.REST_APP_SELECT
> }
> )
> @PreMatching
> @Priority(Priorities.AUTHENTICATION)
> public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
> implements ContainerResponseFilter {
> private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
> private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
> private final Logger log = LoggerFactory.getLogger(getClass());
>
> @Reference
> private SessionService sessionService;
>
> @Activate
> public void activate(BundleContext bundleContext) {
> log.trace("Activating {}", getClass()); //$NON-NLS-1$
>
> setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver");
> //$NON-NLS-1$
> setBundleContext(bundleContext);
> }
>
> As you can see, we set the filter scope to Prototype as recommended by OSGI
> compedium (
> https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685
> )
> but we see a lot of the following line got printed when the server started
> INFO: Using
>
> com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver at 738e48f7
> to resolve Keycloak configuration on a per-request basis.
>
> Does that means the config resolver is being instantiate for each request ?
> Since the the configuration never change, would it make sense to
> instantiate this config resolver only once?
>
> Thai Le
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 28 Jan 2019 21:00:02 +0100
> From: Marek Posolda <mposolda at redhat.com>
> Subject: Re: [keycloak-user] User sessions in DB
> To: Lukasz Lech <l.lech at ringler.ch>,    "keycloak-user at lists.jboss.org"
>         <keycloak-user at lists.jboss.org>
> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01 at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
> > Hello,
> >
> > I'm using Keycloak docker image for 4.8.1
> >
> > I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a
> tombstone of some previous implementation. User sessions are not saved
> in the DB.
> >
> > Additionally, after some time server run, I've got NPE in
> RealmAdminResource.getClientSessionStats:614 when trying to navigate to
> Sessions position in Menu in Admin Console.
>
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
> exact steps to reproduce).
>
> Thanks,
> Marek
>
> >
> > Are there any issues with JPA cache?
> >
> > Best regards,
> > Lukasz Lech
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 28 Jan 2019 21:07:05 +0100
> From: Marek Posolda <mposolda at redhat.com>
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>         not in Active Directory domain
> To: Dmitry Telegin <dt at acutus.pro>, Chris Smith
>         <chris.smith at cmfirstgroup.com>, "keycloak-user at lists.jboss.org"
>         <keycloak-user at lists.jboss.org>
> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67 at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> +1
>
> GSSCredential is used just during SPNEGO authentication. You may
> possibly change the built-in authentication flows or userStorage
> provider, so that after verification with username/password, the
> GSSCredential will be somehow obtained from the JAAS Subject used for
> the authentication (See class KerberosUsernamePasswordAuthenticator for
> the details).
>
> However I am not sure if this is really possible and it will require
> some more deep-dive into the Keycloak codebase and Kerberos
> implementation in JDK... Just a hint...
>
> Marek
>
> On 28/01/2019 07:21, Dmitry Telegin wrote:
> > Hello Chris,
> >
> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
> sure it's possible at all to obtain it outside of Kerberos context, like
> e.g. via pure LDAP authentication.
> >
> > Cheers,
> > Dmitry
> >
> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> >> Does anyone have feedback about getting a delegated GSSCredential?
> >>
> >> -----Original Message-----
> >>> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> >> Sent: Wednesday, January 23, 2019 10:12 PM
> >> To: keycloak-user at lists.jboss.org
> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
> not in Active Directory domain
> >>
> >> Here is a Diagram of what I'm trying to do
> >>
> >> From: Chris Smith
> >> Sent: Wednesday, January 23, 2019 8:08 AM
> >>>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> >> Subject: Get a GSSCredential when user browser is not in Active
> Directory domain
> >>
> >> I have setup my servlet to authenticate a user my web app using
> Keycloak Active Directory ldap user federation
> >>
> >> I can get a Delegated GSSCredential when the SPNEGO enabled
> browser??runs on a workstation in the AD domain.
> >> When the browser workstation is not a member of the AD Domain, Keycloak
> will authenticate the user id and password entered on the keycloak login
> page, but there will not be a Delegated GSSCredential in the Access Token
> in my servlet.
> >>
> >> I have a requirement to use the GSSCredential to call programs on an
> IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a
> Kerberos Ticket from Active Directory as an authenticated credential (aka
> EIM, Enterprise Identity Mapping).
> >>
> >> Less than 1% of the users will be using browsers on workstations in the
> Active Directory domain.
> >>
> >> Can Keycloak put a GSSCredential for the logged in user??in the Access
> Token when SPNEGO is not available from the browser?
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 61, Issue 39
> *********************************************
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

From mposolda at redhat.com  Mon Jan 28 15:28:53 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Jan 2019 21:28:53 +0100
Subject: [keycloak-user] Need to limit concurrent session in a realm in
 keycloak
In-Reply-To: <CAB0q6mQmquA1oW4ik=wNVOpxbPtsfHvAcE+6bAymbarXPsSkoQ@mail.gmail.com>
References: <CAB0q6mQmquA1oW4ik=wNVOpxbPtsfHvAcE+6bAymbarXPsSkoQ@mail.gmail.com>
Message-ID: <1e361cf6-f350-511d-3047-22eae980d332@redhat.com>

There is no built-in support for this. You may need to customize 
Keycloak (probably create new Authenticator, which will reject to login 
user if the count of existing sessions is already big enough).

Marek

On 23/01/2019 15:50, Nakul Jain wrote:
> Hi,
>
> We need to restrict the number of concurrent sessions in a realm in
> keycloak. Do we have any feature in keycloak through which we can support
> this ?
>
> Thanks,
> Nakul
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



From hans.zandbelt at zmartzone.eu  Mon Jan 28 15:29:23 2019
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Mon, 28 Jan 2019 21:29:23 +0100
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
 not working with NetIQ Access Manager because it is not signed?
In-Reply-To: <CA+iA6ujVmimfU7RCsPCP5ogvH=ZyveWyWcoXUPA33SOrapHCyQ@mail.gmail.com>
References: <mailman.161616.1548706029.4500.keycloak-user@lists.jboss.org>
	<CA+iA6ujVmimfU7RCsPCP5ogvH=ZyveWyWcoXUPA33SOrapHCyQ@mail.gmail.com>
Message-ID: <CA+iA6uiWjRjv0n_FZw7p1U5EfyjLQCeZvUvA4aDEPNuAQ===bg@mail.gmail.com>

with corrected subject now

On Mon, Jan 28, 2019 at 9:27 PM Hans Zandbelt <hans.zandbelt at zmartzone.eu>
wrote:

> Hey Ed,
>
> Ouch, bad NetIQ :-( apparently it considers the signature on the request
> as something unexpected, which it really shouldn't...
> However, you should be able to configure the signing certificate of
> Keycloak on the NetIQ side (which you needed to do anyway for the
> validation of the Logout requests) and make it "require" or "expect" signed
> authentication requests from the Keycloak SP.
>
> Hans.
>
> On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request at lists.jboss.org>
> wrote:
>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Mon, 28 Jan 2019 16:16:20 +0000
>> From: "Edgar Vonk - Info.nl" <Edgar at info.nl>
>> Subject: Re: [keycloak-user] Keycloak Identity provider SAML
>>         LogoutRequest not working with NetIQ Access Manager because it is
>> not
>>         signed?
>> To: keycloak-user <keycloak-user at lists.jboss.org>
>> Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4 at info.nl>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Thanks Hans! :-)
>>
>> Unfortunately with "Want AuthnRequests Signed? enabled we can no longer
>> log in to the external IdP.. I will check with the NetIQ provider people to
>> check.
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Mon, 28 Jan 2019 14:51:26 -0200
>> From: Wagner <wagnerspi at gmail.com>
>> Subject: [keycloak-user]  Keycloak integration with django
>> To: keycloak-user at lists.jboss.org
>> Message-ID:
>>         <CAO0ino=
>> wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hi there,
>>
>> I've been looking for ways to integrate keycloak with django, and have
>> found the django-keycloak project, but the docs are kind of limited.
>>
>> Can anyone point me in the direction of integrating it with an existing
>> django project? I don't want to use the django admin web interface to
>> configure it, but haven't found any other way to do so.
>>
>> Thanks,
>> Wagner
>>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Mon, 28 Jan 2019 13:04:58 -0500
>> From: Nhut Thai Le <ntle at castortech.com>
>> Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver
>>         class   on every request
>> To: keycloak-user <keycloak-user at lists.jboss.org>
>> Message-ID:
>>         <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=
>> iE6nGV0JQ at mail.gmail.com>
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hello,
>>
>> We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI
>> env
>> to filter requests to our REST service as follow:
>>
>> @Component(
>> service = {
>> ContainerRequestFilter.class,
>> ContainerResponseFilter.class
>> },
>> scope = ServiceScope.PROTOTYPE,
>> property = {
>> "osgi.jaxrs.extension=true",
>> JAX_RS_NAME + "=DiagramRestFilter",
>> DiagramConstants.REST_APP_SELECT
>> }
>> )
>> @PreMatching
>> @Priority(Priorities.AUTHENTICATION)
>> public final class DiagramRestFilter extends
>> OsgiJaxrsBearerTokenFilterImpl
>> implements ContainerResponseFilter {
>> private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
>> private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
>> private final Logger log = LoggerFactory.getLogger(getClass());
>>
>> @Reference
>> private SessionService sessionService;
>>
>> @Activate
>> public void activate(BundleContext bundleContext) {
>> log.trace("Activating {}", getClass()); //$NON-NLS-1$
>>
>> setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver");
>> //$NON-NLS-1$
>> setBundleContext(bundleContext);
>> }
>>
>> As you can see, we set the filter scope to Prototype as recommended by
>> OSGI
>> compedium (
>>
>> https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685
>> )
>> but we see a lot of the following line got printed when the server started
>> INFO: Using
>>
>> com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver at 738e48f7
>> to resolve Keycloak configuration on a per-request basis.
>>
>> Does that means the config resolver is being instantiate for each request
>> ?
>> Since the the configuration never change, would it make sense to
>> instantiate this config resolver only once?
>>
>> Thai Le
>>
>>
>> ------------------------------
>>
>> Message: 6
>> Date: Mon, 28 Jan 2019 21:00:02 +0100
>> From: Marek Posolda <mposolda at redhat.com>
>> Subject: Re: [keycloak-user] User sessions in DB
>> To: Lukasz Lech <l.lech at ringler.ch>,    "keycloak-user at lists.jboss.org"
>>         <keycloak-user at lists.jboss.org>
>> Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01 at redhat.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> On 28/01/2019 16:30, Lukasz Lech wrote:
>> > Hello,
>> >
>> > I'm using Keycloak docker image for 4.8.1
>> >
>> > I have logged in users, but in DB, I see no entries in user_session.
>> That is expected. The USER_SESSION table is probably something like a
>> tombstone of some previous implementation. User sessions are not saved
>> in the DB.
>> >
>> > Additionally, after some time server run, I've got NPE in
>> RealmAdminResource.getClientSessionStats:614 when trying to navigate to
>> Sessions position in Menu in Admin Console.
>>
>> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
>> exact steps to reproduce).
>>
>> Thanks,
>> Marek
>>
>> >
>> > Are there any issues with JPA cache?
>> >
>> > Best regards,
>> > Lukasz Lech
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 7
>> Date: Mon, 28 Jan 2019 21:07:05 +0100
>> From: Marek Posolda <mposolda at redhat.com>
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>>         not in Active Directory domain
>> To: Dmitry Telegin <dt at acutus.pro>, Chris Smith
>>         <chris.smith at cmfirstgroup.com>, "keycloak-user at lists.jboss.org"
>>         <keycloak-user at lists.jboss.org>
>> Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67 at redhat.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> +1
>>
>> GSSCredential is used just during SPNEGO authentication. You may
>> possibly change the built-in authentication flows or userStorage
>> provider, so that after verification with username/password, the
>> GSSCredential will be somehow obtained from the JAAS Subject used for
>> the authentication (See class KerberosUsernamePasswordAuthenticator for
>> the details).
>>
>> However I am not sure if this is really possible and it will require
>> some more deep-dive into the Keycloak codebase and Kerberos
>> implementation in JDK... Just a hint...
>>
>> Marek
>>
>> On 28/01/2019 07:21, Dmitry Telegin wrote:
>> > Hello Chris,
>> >
>> > AFAIK GSSCredential is something very specific to Kerberos, so I'm not
>> sure it's possible at all to obtain it outside of Kerberos context, like
>> e.g. via pure LDAP authentication.
>> >
>> > Cheers,
>> > Dmitry
>> >
>> > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> >> Does anyone have feedback about getting a delegated GSSCredential?
>> >>
>> >> -----Original Message-----
>> >>> From: keycloak-user-bounces at lists.jboss.org <
>> keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> >> Sent: Wednesday, January 23, 2019 10:12 PM
>> >> To: keycloak-user at lists.jboss.org
>> >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>> not in Active Directory domain
>> >>
>> >> Here is a Diagram of what I'm trying to do
>> >>
>> >> From: Chris Smith
>> >> Sent: Wednesday, January 23, 2019 8:08 AM
>> >>>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> >> Subject: Get a GSSCredential when user browser is not in Active
>> Directory domain
>> >>
>> >> I have setup my servlet to authenticate a user my web app using
>> Keycloak Active Directory ldap user federation
>> >>
>> >> I can get a Delegated GSSCredential when the SPNEGO enabled
>> browser??runs on a workstation in the AD domain.
>> >> When the browser workstation is not a member of the AD Domain,
>> Keycloak will authenticate the user id and password entered on the keycloak
>> login page, but there will not be a Delegated GSSCredential in the Access
>> Token in my servlet.
>> >>
>> >> I have a requirement to use the GSSCredential to call programs on an
>> IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a
>> Kerberos Ticket from Active Directory as an authenticated credential (aka
>> EIM, Enterprise Identity Mapping).
>> >>
>> >> Less than 1% of the users will be using browsers on workstations in
>> the Active Directory domain.
>> >>
>> >> Can Keycloak put a GSSCredential for the logged in user??in the Access
>> Token when SPNEGO is not available from the browser?
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> End of keycloak-user Digest, Vol 61, Issue 39
>> *********************************************
>>
>
>
> --
> hans.zandbelt at zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

From milan.zahradnik at itbh.at  Mon Jan 28 16:00:51 2019
From: milan.zahradnik at itbh.at (Zahradnik, Milan)
Date: Mon, 28 Jan 2019 22:00:51 +0100
Subject: [keycloak-user] keycloak adapter for elytron
In-Reply-To: <7469f32e-8828-f103-655a-11fffee3e9dd@redhat.com>
References: <CAE+md6DtGW9y0g2MvjeEDu4O9jTLk9r0srpRksbg1eMfcErwLQ@mail.gmail.com>
	<7469f32e-8828-f103-655a-11fffee3e9dd@redhat.com>
Message-ID: <CAE+md6CqT=KC0gGP4aqD3Qk2L319QbEmticd30QnZ-msPwQpag@mail.gmail.com>

Hi Marek,

Thanks for your quick response.
Yes you are right. It is working correctly with
adapter-install-offline.cli. With elytron-install-offline.cli not.
We try to create JIRA then.

Thanks for help,
Milan Zahradnik.

Am Mo., 28. Jan. 2019 um 21:18 Uhr schrieb Marek Posolda <
mposolda at redhat.com>:

> Hi,
>
> could you try to install the "legacy" (non-elytron) adapter and check if
> it works? I think that it is the file adapter-install-offline.cli instead
> of adapter-elytron-install-offline.cli (not 100% sure).
>
> If that helps, then feel free to create JIRA with your use-case.
>
> Marek
>
> On 28/01/2019 21:07, Zahradnik, Milan wrote:
>
> Hi,
>
> I am new on this forum so please forgive me any mistakes I make.
> We have a strange issue with keycloak and wildfly Elytron. We use wildfly
> 15.0.0. After installing keycloak (4.8.3) adapter for wildfly 10 and more
> (adapter-elytron-install-offline.cli) we always get exception  "Not allowed
> exception" when we send request to our endpoint (stateless EJB bean). In
> our access token we have all necessary roles which are then applied on
> endpoint in @RolesAllowed("rest"). Also not working when we use
> @SecurityDomain("keycloak") with EJB.
>
> The strange is when we install keycloak adapter for older wildfly versions
> (adapter-install-offline.cli) everything works as expected.
>
> The same issue is herehttp://lists.jboss.org/pipermail/keycloak-user/2018-August/015297.html
> Does anybody of you any idea what could be an issue here?
>
> Thanks for any help
> Milan Zahradnik
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

From edmund.loh.1985 at gmail.com  Tue Jan 29 01:07:36 2019
From: edmund.loh.1985 at gmail.com (Edmund Loh)
Date: Tue, 29 Jan 2019 14:07:36 +0800
Subject: [keycloak-user] Getting timestamp from EVENT_ENTITY
Message-ID: <CAMTfnMY8P_nQZgFrsHrNvLFhf61dfmkfHfC-SPH6H9C8E2=QRQ@mail.gmail.com>

The EVENT_TIME column in the EVENT_ENTITY table is stored as datatype
NUMBER(38,0). How can I go about converting this to a timestamp through the
use of SQL statements?

From rpalmarin at yahoo.com  Tue Jan 29 05:46:56 2019
From: rpalmarin at yahoo.com (roberto palmarin)
Date: Tue, 29 Jan 2019 10:46:56 +0000 (UTC)
Subject: [keycloak-user] Enable X.509 Client Certificate User
 Authentication only to specific realm
In-Reply-To: <8f6a377e-94d6-3b4e-dbfa-9591f61d3aa9@redhat.com>
References: <392255193.395664.1548325357448.ref@mail.yahoo.com>
	<392255193.395664.1548325357448@mail.yahoo.com>
	<8f6a377e-94d6-3b4e-dbfa-9591f61d3aa9@redhat.com>
Message-ID: <1850405791.4745851.1548758816757@mail.yahoo.com>

 Hi,so it is not possible to disable X509 auth for a single Keaycloak realm.
for the second question:
> it's possible to have the correct value of authnContextClassRef in the keycloak SAML response?Can anyone help me?

for every type of authentication I recive always the same value di authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
Thank'sRoberto


    Il luned? 28 gennaio 2019, 21:27:14 CET, Marek Posolda <mposolda at redhat.com> ha scritto:  
 
 I think that on the Wildfly/Undertow level you can configure if client 
authentication is:
- mandatory
- optional (which means it is possible to be used, but things won't 
break if client certificate is not used)
- none

See docs (and Wildfly docs) for more details how to configure it.

I think that if you use the "optional", it will be possible that client 
certificates won't be used if you use them in realm1 (also you may need 
to ensure that X509 certificate authenticator is not in the browser flow 
of realm1).

Marek

On 24/01/2019 11:22, roberto palmarin wrote:
> Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate.
> Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password.
>
> I have seen that the SAML parameter authnContextClassRef is not supported by kexcloak, which would allow to force the authentication method!
>
> I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication.
> The question is how can I disable X509 mutual authentication for a realm on keycloak? the configuration for mutual authentication is at the wildfly level and not at the realm level nor at the client keycloak level.
> is it possible to have the correct value of authnContextClassRef in the keycloak SAML response?
>
> Thank'sRoberto Palmarin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


  

From kapilkumarjoshi001 at gmail.com  Tue Jan 29 06:48:00 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Tue, 29 Jan 2019 17:18:00 +0530
Subject: [keycloak-user] Accessing Admin Console from client application
	without logging in
Message-ID: <CAMLZ2vkw+gPoAew7zAhzfp1ssUh8+WGxLatgvaF1qAxsQaUKFA@mail.gmail.com>

Hi All,

In our product, we are using keycloak.js adapter. We are receiving access
and refresh token from 3rd party server.  We store these tokens in our
instance variables and update keycloak.js variables explicitly as shown
below:

let tokenStr = this.someService.tokenString;
console.log('token is ' + tokenStr);

let keycloakInstance = this.keycloakAngular.getKeycloakInstance();
if (tokenStr) {
  if (keycloakInstance['tokenTimeoutHandle']) {
    clearTimeout(keycloakInstance['tokenTimeoutHandle']);
    keycloakInstance['tokenTimeoutHandle'] = null;
  }
  keycloakInstance.token = tokenStr;
  keycloakInstance.authenticated = true;
  this.authenticated = true;
  keycloakInstance.tokenParsed = this.decodeToken(tokenStr);
  keycloakInstance.subject = keycloakInstance.tokenParsed.sub;
  keycloakInstance.realmAccess = keycloakInstance.tokenParsed.realm_access;
  keycloakInstance.resourceAccess =
keycloakInstance.tokenParsed.resource_access;
  this.roles = await this.keycloakAngular.getUserRoles(true);


This code is actually taken from setToken() API of keycloak.js and we
have just replaced it in our custom code.

So that we can make use of the keycloak.js adapter variables and methods.


Problem is when we try to access the account-management UI, it takes
the user to login screen, which want to avoid.

we are not able to find out the reason behind this ? When we login to
the application and

then when we try accessing account management url then it renders the
account management page seamlessly.

Would be great if there is a solution to render account management UI
when we update the tokens programatically into keycloak.js adapter
variables.


Let me know If we are doing anything wrong or work arounds to fix this issue.


Thanks

Kapil

From Edgar at info.nl  Tue Jan 29 08:05:18 2019
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 29 Jan 2019 13:05:18 +0000
Subject: [keycloak-user] Keycloak Identity provider SAML LogoutRequest
 not working with NetIQ Access Manager because it is not signed?
Message-ID: <140446D7-A1F3-4709-AD61-CE2B1E15871D@info.nl>

Hey Hans,


Indeed. You are right. We configured signing of AuthnRequests (and as you found out LogoutRequests) in Keycloak and configured our certificate on the NetIQ side and now both authentication and logging out works. :-) Thanks!


> Hey Ed,
>
> Ouch, bad NetIQ :-( apparently it considers the signature on the request
> as something unexpected, which it really shouldn't...
> However, you should be able to configure the signing certificate of
> Keycloak on the NetIQ side (which you needed to do anyway for the
> validation of the Logout requests) and make it "require" or "expect" signed
> authentication requests from the Keycloak SP.
>
> Hans.




From pulkitsrivastavajd at gmail.com  Tue Jan 29 08:25:56 2019
From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava)
Date: Tue, 29 Jan 2019 18:55:56 +0530
Subject: [keycloak-user] Customize saml response
Message-ID: <CAA-7KZ8ZknvzAjvMzZk5rr38Mj10qig02-bH6GOW7qMqMYm_2Q@mail.gmail.com>

Hi,
I am  using as external idp with keycloak. External idp sends SAML response
to keycloak but keycloak modifies that response before sending it to the
application, so i am unable to get some important attributes. How can we
stop keycloak from modifying the response or how can we customize the
response.

Thanks,
Pulkit

From l.lech at ringler.ch  Tue Jan 29 11:01:56 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Tue, 29 Jan 2019 16:01:56 +0000
Subject: [keycloak-user] User sessions in DB
In-Reply-To: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01@redhat.com>
References: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>
	<1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01@redhat.com>
Message-ID: <5E48B917000C984B86B77170F441903A18915F4A@exch.ringler.ch>

Hello,

After restarting the server, there was no errors until now:

15:50:29,885 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-38) Uncaught server error: java.lang.NullPointerException
        at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
        at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)
15:50:32,705 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-37) Uncaught server error: java.lang.NullPointerException
        at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
        at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)


So In my environment, the way to replicate the error is to start Docker image based on 4.8.1, wait one day while the people are using it, and then log to admin console and navigate to sessions tab.

However, I experience such problems only in production instance. Test instances were tested with simulated heavy traffic, which generated much more users that we actually have in productions, but they all come from single IP...

The keycloak works, you can log in, only you can't view sessions.



-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Montag, 28. Januar 2019 21:00
To: Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User sessions in DB

On 28/01/2019 16:30, Lukasz Lech wrote:
> Hello,
>
> I'm using Keycloak docker image for 4.8.1
>
> I have logged in users, but in DB, I see no entries in user_session.
That is expected. The USER_SESSION table is probably something like a tombstone of some previous implementation. User sessions are not saved in the DB.
>
> Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console.

Looks like a bug. Feel free to create JIRA (with stacktrace and ideally exact steps to reproduce).

Thanks,
Marek

>
> Are there any issues with JPA cache?
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user




From mposolda at redhat.com  Tue Jan 29 13:00:35 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 29 Jan 2019 19:00:35 +0100
Subject: [keycloak-user] User sessions in DB
In-Reply-To: <5E48B917000C984B86B77170F441903A18915F4A@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>
	<1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01@redhat.com>
	<5E48B917000C984B86B77170F441903A18915F4A@exch.ringler.ch>
Message-ID: <acab0e83-ea99-63e9-38eb-cbfcdf0d9afb@redhat.com>

Feel free to create JIRA for this with this stacktrace included (and 
maybe also link to this thread on keycloak-user ML).

 From the stacktrace, it seems that issue is that some client was 
deleted. So it happened during some scenario like this:
- Some user authenticated to some client
- The client, to which user authenticated, was removed
- The client session stats were shown

The Keycloak shouldn't throw NPE when client was deleted, but probably 
should just ignore the stats for this client - and ideally remove all 
existing clientSessions related to that client.

Marek

On 29/01/2019 17:01, Lukasz Lech wrote:
> Hello,
>
> After restarting the server, there was no errors until now:
>
> 15:50:29,885 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-38) Uncaught server error: java.lang.NullPointerException
>          at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)
>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>          at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>          at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>          at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>          at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>          at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>          at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>          at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>          at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>          at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>          at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>          at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>          at java.lang.Thread.run(Thread.java:748)
> 15:50:32,705 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-37) Uncaught server error: java.lang.NullPointerException
>          at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)
>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>          at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>          at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>          at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>          at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>          at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>          at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>          at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>          at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>          at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>          at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>          at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>          at java.lang.Thread.run(Thread.java:748)
>
>
> So In my environment, the way to replicate the error is to start Docker image based on 4.8.1, wait one day while the people are using it, and then log to admin console and navigate to sessions tab.
>
> However, I experience such problems only in production instance. Test instances were tested with simulated heavy traffic, which generated much more users that we actually have in productions, but they all come from single IP...
>
> The keycloak works, you can log in, only you can't view sessions.
>
>
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Montag, 28. Januar 2019 21:00
> To: Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] User sessions in DB
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
>> Hello,
>>
>> I'm using Keycloak docker image for 4.8.1
>>
>> I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a tombstone of some previous implementation. User sessions are not saved in the DB.
>> Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console.
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally exact steps to reproduce).
>
> Thanks,
> Marek
>
>> Are there any issues with JPA cache?
>>
>> Best regards,
>> Lukasz Lech
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


From Keith.Carlton at synchronoss.com  Tue Jan 29 13:12:46 2019
From: Keith.Carlton at synchronoss.com (Keith Carlton)
Date: Tue, 29 Jan 2019 18:12:46 +0000
Subject: [keycloak-user] Updating the Database Schema
Message-ID: <12C04003-89BF-4B12-80A7-74D952EBA931@contoso.com>

Good morning-

I was attempting to make some customizations to the Keycloak schema and the README for doing so here<https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSchema.md> shows files that no longer exist in the repo.  Does anyone know how to make modifications to the DB schema based on the current structure of the project?

Thank you,

Keith Carlton


From kapilkumarjoshi001 at gmail.com  Tue Jan 29 22:06:11 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Wed, 30 Jan 2019 08:36:11 +0530
Subject: [keycloak-user] Accessing Admin Console from client application
	without logging in
In-Reply-To: <CAMLZ2vkw+gPoAew7zAhzfp1ssUh8+WGxLatgvaF1qAxsQaUKFA@mail.gmail.com>
References: <CAMLZ2vkw+gPoAew7zAhzfp1ssUh8+WGxLatgvaF1qAxsQaUKFA@mail.gmail.com>
Message-ID: <CAMLZ2vnA+4TXMa43JVRM3YSsZCh2pqfAe5kisqsOR2Z23S+f-g@mail.gmail.com>

Hi All,

More precisely, I'm trying to achieve SSO with just access & refresh
tokens. But realised we need cookies too, is there a way to achieve that by
passing access token as
cookies redirection requests.

Thanks
Kapil

On Tue, Jan 29, 2019 at 5:18 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
wrote:

> Hi All,
>
> In our product, we are using keycloak.js adapter. We are receiving access
> and refresh token from 3rd party server.  We store these tokens in our
> instance variables and update keycloak.js variables explicitly as shown
> below:
>
> let tokenStr = this.someService.tokenString;
> console.log('token is ' + tokenStr);
>
> let keycloakInstance = this.keycloakAngular.getKeycloakInstance();
> if (tokenStr) {
>   if (keycloakInstance['tokenTimeoutHandle']) {
>     clearTimeout(keycloakInstance['tokenTimeoutHandle']);
>     keycloakInstance['tokenTimeoutHandle'] = null;
>   }
>   keycloakInstance.token = tokenStr;
>   keycloakInstance.authenticated = true;
>   this.authenticated = true;
>   keycloakInstance.tokenParsed = this.decodeToken(tokenStr);
>   keycloakInstance.subject = keycloakInstance.tokenParsed.sub;
>   keycloakInstance.realmAccess = keycloakInstance.tokenParsed.realm_access;
>   keycloakInstance.resourceAccess = keycloakInstance.tokenParsed.resource_access;
>   this.roles = await this.keycloakAngular.getUserRoles(true);
>
>
> This code is actually taken from setToken() API of keycloak.js and we have just replaced it in our custom code.
>
> So that we can make use of the keycloak.js adapter variables and methods.
>
>
> Problem is when we try to access the account-management UI, it takes the user to login screen, which want to avoid.
>
> we are not able to find out the reason behind this ? When we login to the application and
>
> then when we try accessing account management url then it renders the account management page seamlessly.
>
> Would be great if there is a solution to render account management UI when we update the tokens programatically into keycloak.js adapter variables.
>
>
> Let me know If we are doing anything wrong or work arounds to fix this issue.
>
>
> Thanks
>
> Kapil
>
>

From l.lech at ringler.ch  Wed Jan 30 02:23:53 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 30 Jan 2019 07:23:53 +0000
Subject: [keycloak-user] User sessions in DB
In-Reply-To: <acab0e83-ea99-63e9-38eb-cbfcdf0d9afb@redhat.com>
References: <5E48B917000C984B86B77170F441903A18915CF3@exch.ringler.ch>
	<1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01@redhat.com>
	<5E48B917000C984B86B77170F441903A18915F4A@exch.ringler.ch>
	<acab0e83-ea99-63e9-38eb-cbfcdf0d9afb@redhat.com>
Message-ID: <5E48B917000C984B86B77170F441903A18915FD1@exch.ringler.ch>

Hello,

We haven't deleted any client...  and after last restart nothing was changed....

So it must be something else... 

Best regards,
Lukasz Lech

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Dienstag, 29. Januar 2019 19:01
To: Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User sessions in DB

Feel free to create JIRA for this with this stacktrace included (and maybe also link to this thread on keycloak-user ML).

 From the stacktrace, it seems that issue is that some client was deleted. So it happened during some scenario like this:
- Some user authenticated to some client
- The client, to which user authenticated, was removed
- The client session stats were shown

The Keycloak shouldn't throw NPE when client was deleted, but probably should just ignore the stats for this client - and ideally remove all existing clientSessions related to that client.

Marek

On 29/01/2019 17:01, Lukasz Lech wrote:
> Hello,
>
> After restarting the server, there was no errors until now:
>
> 15:50:29,885 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-38) Uncaught server error: java.lang.NullPointerException
>          at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)
>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>          at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>          at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>          at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>          at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>          at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>          at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>          at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>          at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>          at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>          at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>          at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>          at java.lang.Thread.run(Thread.java:748)
> 15:50:32,705 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-37) Uncaught server error: java.lang.NullPointerException
>          at org.keycloak.services.resources.admin.RealmAdminResource.getClientSessionStats(RealmAdminResource.java:614)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)
>          at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>          at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>          at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>          at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>          at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>          at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>          at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>          at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>          at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>          at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>          at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>          at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>          at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>          at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>          at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>          at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>          at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>          at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>          at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>          at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>          at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>          at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>          at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>          at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>          at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>          at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>          at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>          at java.lang.Thread.run(Thread.java:748)
>
>
> So In my environment, the way to replicate the error is to start Docker image based on 4.8.1, wait one day while the people are using it, and then log to admin console and navigate to sessions tab.
>
> However, I experience such problems only in production instance. Test instances were tested with simulated heavy traffic, which generated much more users that we actually have in productions, but they all come from single IP...
>
> The keycloak works, you can log in, only you can't view sessions.
>
>
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Montag, 28. Januar 2019 21:00
> To: Lukasz Lech <l.lech at ringler.ch>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] User sessions in DB
>
> On 28/01/2019 16:30, Lukasz Lech wrote:
>> Hello,
>>
>> I'm using Keycloak docker image for 4.8.1
>>
>> I have logged in users, but in DB, I see no entries in user_session.
> That is expected. The USER_SESSION table is probably something like a tombstone of some previous implementation. User sessions are not saved in the DB.
>> Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console.
> Looks like a bug. Feel free to create JIRA (with stacktrace and ideally exact steps to reproduce).
>
> Thanks,
> Marek
>
>> Are there any issues with JPA cache?
>>
>> Best regards,
>> Lukasz Lech
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



From amritha_amarnath at amritatech.com  Wed Jan 30 04:20:24 2019
From: amritha_amarnath at amritatech.com (Amritha Amarnath)
Date: Wed, 30 Jan 2019 14:50:24 +0530 (IST)
Subject: [keycloak-user] Logo for customized theme
In-Reply-To: <26000243.887634.1548839566421.JavaMail.root@amritatech.com>
Message-ID: <19598668.888030.1548840024461.JavaMail.root@amritatech.com>


Hello, 



How to add logo for customized theme for my application.? I have set parent=keycloak in theme.properties for customized theme. 
I need source like below : 

<body> 

<div class="login-pf-page atcard "> 
<div id="kc-header" class="login-pf-page-header"> 
<div><img src="/auth/......./img/logo.png" alt=""></div> 
<div id="kc-header-wrapper" class="">{product name}</div> 
</div> 
</div> 

</body> 


But currently getting the source as: 

<body class =""> 
	<div class =" login-pf-page "> 

	<div id =" kc-header " class =" login-pf-page-header "> 

	<div id =" kc-header-wrapper " class =""> {product name} </div> 

	</div> 
<body> 
-- 




With Regards , 
Amritha Amaranath 


From pavel.masloff at gmail.com  Wed Jan 30 06:19:36 2019
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Wed, 30 Jan 2019 12:19:36 +0100
Subject: [keycloak-user] Send email on creating new user
Message-ID: <CAF9aV_phr3AAQscOCh1U9MQPuZk-9gdc+9j5YKmBctFFrQEJBw@mail.gmail.com>

Hi all,


When I manually create a new user from the Keycloak Admin Console (UI), can
Keycloak automatically send an email to that person?

>From what I can see now the user does not know that I have created an
account, unless I inform them (e.g. by email).


Regards,
Pavel Maslov, MS

From Jean-Damien.BOUVIER at calvados.fr  Wed Jan 30 06:50:45 2019
From: Jean-Damien.BOUVIER at calvados.fr (BOUVIER Jean-Damien)
Date: Wed, 30 Jan 2019 11:50:45 +0000
Subject: [keycloak-user] Add optional LDAP userPassword hashing
Message-ID: <9b8eac664ecc4ebc8e710d1630f2bb43@calvados.fr>

Hi all !

My problem is described in the KEYCLOAK-4989 issue, titled < add optional LDAP userPassword hashing >

I'm in the worst case scenario as I use OpenLDAP that doesn't hash password by default and the way it has been installed, I don't have the < ppolicy overlay > available.
So Keycloak sends password in clear text and I thought that I could add specific OpenLDAP configuration to hash the password before.
The LDAP administration has already some specific configuration for AD and I thought that I could start from here. (org.keycloak.storage.ldap.mappers.msad. MSADUserAccountControlStorageMapperFactory for example)

So, I've written my own StorageMapperFactory :

public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper>

That needs these dependencies :

   <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-core</artifactId>
            <version>${version.keycloak}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-services</artifactId>
            <version>${version.keycloak}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-server-spi</artifactId>
            <version>${version.keycloak}</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-ldap-federation</artifactId>
            <version>${version.keycloak}</version>
            <scope>provided</scope>
        </dependency>
    </dependencies>

But whenever I try to deploy the jar, I get :

cat hash-password-openldap-provider.jar.failed
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\"
    Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}}

I probably lack one dependence but I can't find which one as the error message doesn't give a clue and my maven project compiles.

Could you help me to find out what is wrong ?

Regards,
Jean-Damien Bouvier


<a href="http://www.calvados.fr" target="_blank"><img src="https://www.calvados.fr/files/live/sites/calvados/files/signature-departement-calvados.gif" alt="Calvados D?partement - www.calvados.fr" border=0/></a>
**************************************************************************************************
? Cette transmission contient des informations confidentielles et/ou personnelles
appartenant au conseil d?partemental du Calvados pour ?tre utilis?es exclusivement par le
destinataire. Toute utilisation, reproduction, publication, diffusion en l'?tat ou
partiellement par une autre personne que le destinataire est interdite, sauf autorisation
expresse du conseil d?partemental du Calvados. En cas d'erreur de transmission, merci de
d?truire le(s) document(s) re?u(s). Le conseil d?partemental du Calvados n'est pas
responsable des virus, alt?rations, falsifications.
Droits r?serv?s - conseil d?partemental du Calvados?.
**************************************************************************************************

From rodrigo.leme at softwareexpress.com.br  Wed Jan 30 08:55:27 2019
From: rodrigo.leme at softwareexpress.com.br (Rodrigo Leme)
Date: Wed, 30 Jan 2019 11:55:27 -0200
Subject: [keycloak-user] [i18n] Time units in e-mails sent by Keycloak
Message-ID: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>

Hi people,

We are currently using an i18n e-mail theme (to Brazilian Portuguese, 
pt_BR), but we noticed that a few portions of the e-mails sent by 
Keycloak cannot be internationalized, as in the sample below:

"Seu administrador acaba de solicitar que voc? atualize sua conta 
FEPAS-CARDSE executando as seguintes a??es: *Verify Email*. Clique no 
link abaixo para iniciar este processo.

Link para a atualiza??o da conta

Este link ir? expirar dentro de *12 hours*.
Se voc? n?o sabe que seu administrador solicitou isso, apenas ignore 
esta mensagem e nada ser? alterado."

According to the text above, the time was not internationalized ("12 
hours"), neither the action ("Verify Email"). We added the asterisks 
here for clarification purposes only.

In Portuguese, the displayed texts should be "12 horas" and "Verificar 
email".

Is somebody aware of any method to fully internationalize the emails, 
including the mentioned passages?

We even issued a bug report in Keycloak's JIRA 
(https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily 
rejected by devs.

Best regards,
Rodrigo Lem

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


From ionel.gardais at tech-advantage.com  Wed Jan 30 11:13:09 2019
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Wed, 30 Jan 2019 17:13:09 +0100 (CET)
Subject: [keycloak-user] [FGTSPAM] [i18n] Time units in e-mails sent by
 Keycloak
In-Reply-To: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>
References: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>
Message-ID: <720411074.667115.1548864789924.JavaMail.zimbra@tech-advantage.com>

Hi Rodrigo,

These keys are part of the theme internationalization.
They are the requiredAction and linkExpirationFormatter keys.

You should modify the messages_pt_BR.properties and submit a PR for this to be integrated.

(It looks like only brazilian portuguese is used. For plain portuguese, you should create a new messages_pt.properties, or maybe messages_pt_PT.properties)

-- 
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Mail original -----
De: "Rodrigo Leme" <rodrigo.leme at softwareexpress.com.br>
?: "keycloak-user" <keycloak-user at lists.jboss.org>
Envoy?: Mercredi 30 Janvier 2019 14:55:27
Objet: [FGTSPAM] [keycloak-user] [i18n] Time units in e-mails sent by Keycloak

Hi people,

We are currently using an i18n e-mail theme (to Brazilian Portuguese, 
pt_BR), but we noticed that a few portions of the e-mails sent by 
Keycloak cannot be internationalized, as in the sample below:

"Seu administrador acaba de solicitar que voc? atualize sua conta 
FEPAS-CARDSE executando as seguintes a??es: *Verify Email*. Clique no 
link abaixo para iniciar este processo.

Link para a atualiza??o da conta

Este link ir? expirar dentro de *12 hours*.
Se voc? n?o sabe que seu administrador solicitou isso, apenas ignore 
esta mensagem e nada ser? alterado."

According to the text above, the time was not internationalized ("12 
hours"), neither the action ("Verify Email"). We added the asterisks 
here for clarification purposes only.

In Portuguese, the displayed texts should be "12 horas" and "Verificar 
email".

Is somebody aware of any method to fully internationalize the emails, 
including the mentioned passages?

We even issued a bug report in Keycloak's JIRA 
(https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily 
rejected by devs.

Best regards,
Rodrigo Lem

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301



From jblashka at redhat.com  Wed Jan 30 12:00:20 2019
From: jblashka at redhat.com (Jared Blashka)
Date: Wed, 30 Jan 2019 12:00:20 -0500
Subject: [keycloak-user] Getting 'Failed to find provider' when attempting
	to set default SPI provider
Message-ID: <CALO-DfAPNw-+muRN7UGgfoKFEOrMDLiaHL2ZtgyWfdXOEefQUQ@mail.gmail.com>

I'm trying to use a custom Email sender provider with keycloak 3.4.3.Final
but something isn't working correctly because keycloak fails to start up
with:

java.lang.RuntimeException: Failed to find provider serviceEmailSender for
emailSender

I'm deploying the provider via a war in the /deployments directory. I have
the factory class listed in the
META-INF/services/org.keycloak.email.EmailSenderProviderFactory file

I've added this to the keycloak-server subsystem

            <spi name="emailSender">
                <default-provider>serviceEmailSender</default-provider>
                <provider name="serviceEmailSender" enabled="true"/>
            </spi>

If I leave out the <default-provider> entry and restart the server I can
see that the init() method is called on my EmailSenderProviderFactory
implementation so as far as I can tell everything is configured correctly.
But keycloak doesn't like when I try to set this provider as the default.
Is there something I'm missing?

Jared

From ssilvert at redhat.com  Wed Jan 30 12:45:40 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 30 Jan 2019 12:45:40 -0500
Subject: [keycloak-user] [i18n] Time units in e-mails sent by Keycloak
In-Reply-To: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>
References: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>
Message-ID: <ea2ab546-9d34-2c59-ff7d-e124cacb8c57@redhat.com>

IMO, this is a legitimate issue and it should be addressed.

However, it's actually larger than that one email template.? The problem 
here is that the Java code passes in parameters to the localized 
template text.? But the parameters themselves were never localized.? So 
to really fix it, we need to review everywhere that we send params to a 
template.

As for whether or not the JIRA should be open, I guess that depends on 
whether or not we can reasonably expect someone to fix it in the near 
future.

Stan

On 1/30/2019 8:55 AM, Rodrigo Leme wrote:
> Hi people,
>
> We are currently using an i18n e-mail theme (to Brazilian Portuguese,
> pt_BR), but we noticed that a few portions of the e-mails sent by
> Keycloak cannot be internationalized, as in the sample below:
>
> "Seu administrador acaba de solicitar que voc? atualize sua conta
> FEPAS-CARDSE executando as seguintes a??es: *Verify Email*. Clique no
> link abaixo para iniciar este processo.
>
> Link para a atualiza??o da conta
>
> Este link ir? expirar dentro de *12 hours*.
> Se voc? n?o sabe que seu administrador solicitou isso, apenas ignore
> esta mensagem e nada ser? alterado."
>
> According to the text above, the time was not internationalized ("12
> hours"), neither the action ("Verify Email"). We added the asterisks
> here for clarification purposes only.
>
> In Portuguese, the displayed texts should be "12 horas" and "Verificar
> email".
>
> Is somebody aware of any method to fully internationalize the emails,
> including the mentioned passages?
>
> We even issued a bug report in Keycloak's JIRA
> (https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily
> rejected by devs.
>
> Best regards,
> Rodrigo Lem
>


From chris.smith at cmfirstgroup.com  Wed Jan 30 13:10:37 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Wed, 30 Jan 2019 18:10:37 +0000
Subject: [keycloak-user] GSS Credential delegation works for Internet
 Explorer but not for Chrome?
Message-ID: <CY4PR22MB024856E91D7DDACFF37DE16098900@CY4PR22MB0248.namprd22.prod.outlook.com>

I have Keycloak setup to authenticate to an Active Directory domain using LDAP/Kerberos

I have set Windows Internet options for SSO

Both Internet Explorer and Chrome successfully perform Authentication.

I have a requirement for a Delegated GSSCredential and have configured Keycloak and my Active Directory domain controller to perform this task

When I run my web app using  Internet Explorer as my browser, in the servlet I successfully get a Delegated GSSCredential from the Access Token.

When I run my web app using  Chrome as my browser, in the servlet I fail to get a Delegated GSSCredential from the Access Token.

Why the difference and what do I need to set to allow Chrome to be used as a fully supported browser?


From Kevin.Fox at pnnl.gov  Wed Jan 30 13:37:19 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Wed, 30 Jan 2019 18:37:19 +0000
Subject: [keycloak-user] [i18n] Time units in e-mails sent by Keycloak
In-Reply-To: <ea2ab546-9d34-2c59-ff7d-e124cacb8c57@redhat.com>
References: <fee5629b-d6e5-6279-d515-29eade977379@softwareexpress.com.br>,
	<ea2ab546-9d34-2c59-ff7d-e124cacb8c57@redhat.com>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C28DDC4@EX10MBOX03.pnnl.gov>

pet peeve/personal opinion. issues should not be closed or exist based on if the issue is quickly solvable. An issue is an issue. If your not ready to solve it, it still is an open issue. so that:
1. people don't keep reporting the same issue
2. the issue isn't forgotten
3. metrics can be gathered on how long people are actually suffering through an issue
4. there is a place new devs can go to find issues they may be interested in solving

and the list goes on.

Thanks,
Kevin
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Stan Silvert [ssilvert at redhat.com]
Sent: Wednesday, January 30, 2019 9:45 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] [i18n] Time units in e-mails sent by Keycloak

IMO, this is a legitimate issue and it should be addressed.

However, it's actually larger than that one email template.  The problem
here is that the Java code passes in parameters to the localized
template text.  But the parameters themselves were never localized.  So
to really fix it, we need to review everywhere that we send params to a
template.

As for whether or not the JIRA should be open, I guess that depends on
whether or not we can reasonably expect someone to fix it in the near
future.

Stan

On 1/30/2019 8:55 AM, Rodrigo Leme wrote:
> Hi people,
>
> We are currently using an i18n e-mail theme (to Brazilian Portuguese,
> pt_BR), but we noticed that a few portions of the e-mails sent by
> Keycloak cannot be internationalized, as in the sample below:
>
> "Seu administrador acaba de solicitar que voc? atualize sua conta
> FEPAS-CARDSE executando as seguintes a??es: *Verify Email*. Clique no
> link abaixo para iniciar este processo.
>
> Link para a atualiza??o da conta
>
> Este link ir? expirar dentro de *12 hours*.
> Se voc? n?o sabe que seu administrador solicitou isso, apenas ignore
> esta mensagem e nada ser? alterado."
>
> According to the text above, the time was not internationalized ("12
> hours"), neither the action ("Verify Email"). We added the asterisks
> here for clarification purposes only.
>
> In Portuguese, the displayed texts should be "12 horas" and "Verificar
> email".
>
> Is somebody aware of any method to fully internationalize the emails,
> including the mentioned passages?
>
> We even issued a bug report in Keycloak's JIRA
> (https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily
> rejected by devs.
>
> Best regards,
> Rodrigo Lem
>

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From Shweta.Shetty at Teradata.com  Wed Jan 30 18:14:19 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Wed, 30 Jan 2019 23:14:19 +0000
Subject: [keycloak-user] Admin client API - usersResource.list(offset,
	limit) - slowness
Message-ID: <DD998547-A14D-4444-8E2D-7AFBF56E0A5A@teradata.com>

We are seeing extreme slowness in using this API, we are still not sure what could be the culprit. We enabled more logging on the postgres side of thing, thinking it could be related to keycloak ? postgres slowness. Once we enabled more logging, we do see that keycloak is issuing a query like this one at a rate of about one per millisecond
```select clientscop0_.ROLE_ID as col_0_0_ from CLIENT_SCOPE_ROLE_MAPPING clientscop0_ where clientscop0_.SCOPE_ID=$1```

This fills up the logs so that it is hard to see anything else.

This could be the cause of the problem; which could be slowing postgres down. We wanted to know if its some configuration issue which we can optimize to overcome this issue or if it?s a known issue. Please advice.

Shweta

From hylton.peimer at datos-health.com  Wed Jan 30 23:25:22 2019
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Thu, 31 Jan 2019 06:25:22 +0200
Subject: [keycloak-user] Logout from IDP with Spring Keycloak adaptor
Message-ID: <CACGrZeuEauO44zhWXoBFq1vFPjTX4ueVTrO03f8qrTgBaPt-gg@mail.gmail.com>

I have a Keycloak Security Adaptor setup with a logout URL "/sso/logout".

The user logins in using to my application using an IDP, and then logs out
by POSTing to the /sso/logout the - they are redirected to the login page.

However when attempted to login again, the user doesn't need to
reauthenticate. It seems Spring doesn't logout from the IDP.

Is there a simple way to get Spring to logout from the IDP? Should I change
the logout URL?

From kapilkumarjoshi001 at gmail.com  Thu Jan 31 01:19:33 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 31 Jan 2019 11:49:33 +0530
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
	<b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>
	<CAMLZ2vk0z6sbOqQeakyWnPQ4SNYMjtu+SdErzHDMEgok=80ALA@mail.gmail.com>
	<CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
Message-ID: <CAMLZ2vmWSRhbDxft9kf_ZQ=jtKR3TxJstM9a-Xo6Yo31NcyGBw@mail.gmail.com>

Hi Marek,

I was trying to import realm.json which contains following entry, to
include hardcoded-ldap-mapper in keycloak, for realm-management role of
manage-users, but its failing to import, can you give us a small example of
such entry in realm.json which we can follow on.

// snippet of realm.json

 *          {*
*              "name": "administrator",*
              *"federationMapperType"**: "hardcoded-ldap-role-mapper",*
*"**federationProviderDisplayName"*
* : "ldap",*
*              "subComponents": {},*
*              "config": {*
*                "role": [*
*                  "realm-management.manage-users"*
*                ]*
*              }*
*           }*


*Thanks *

On Thu, Jan 31, 2019 at 11:49 AM kapil joshi <kapilkumarjoshi001 at gmail.com>
wrote:

> Hi Marek,
>
> I was trying to import realm.json which contains following entry, to
> include hardcoded-ldap-mapper in keycloak, for realm-management role of
> manage-users, but its failing to import, can you give us a small example of
> such entry in realm.json which we can follow on.
>
> // snippet of realm.json
>
>  *          {*
> *              "name": "administrator",*
>               *"federationMapperType"**: "hardcoded-ldap-role-mapper",*
> *"**federationProviderDisplayName"*
> * : "ldap",*
> *              "subComponents": {},*
> *              "config": {*
> *                "role": [*
> *                  "realm-management.manage-users"*
> *                ]*
> *              }*
> *           }*
>
>
> *Thanks *
> *Kapil*
>
> On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
> wrote:
>
>> Hi Marek,
>>
>> First of all thanks for your response,  it works !!! . I tried mapping a
>> client role (i.e realm-management roles), few observations:
>> 1) I was not able to save the configuration was getting below attached
>> error message.
>> [image: image.png]
>>
>> But then i saw there is already a bug filed on this issue.
>> So applied the work around, and was able to get the client role added for
>> LDAP imported user.
>>
>> Thanks again,
>> Kapil
>>
>>
>>
>> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Yes, this should be doable with hardcoded-ldap-role-mapper if I
>>> understand your use-case correctly (See tab "mappers" in the admin console
>>> when you're on the page with the details of LDAP provider).
>>>
>>> Marek
>>>
>>> On 28/01/2019 10:24, kapil joshi wrote:
>>>
>>> Hi All,
>>>
>>> Can we assign realm-management client roles for users imported from LDAP in
>>> Keycloak.
>>> Currently we are trying to set up LDAP based user federation using by
>>> importing a realm.json, configured with LDAP related configuration. Have
>>> attached it to this email.
>>> Basically the requirement is when we login to the client using the LDAP
>>> credentials, the user should be able to access user-management and
>>> view-realm client(i.e accessing the admin console) from client side.
>>>
>>> Thanks
>>> Kapil
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 80148 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190131/c41a8866/attachment-0001.png 

From Johny.Dee at seznam.cz  Thu Jan 31 06:03:19 2019
From: Johny.Dee at seznam.cz (Vaclav Havlik)
Date: Thu, 31 Jan 2019 12:03:19 +0100 (CET)
Subject: [keycloak-user] TCPPING problem.
Message-ID: <132L.4OIY.4yZG0TU0L{r.1SKjNt@seznam.cz>

Dears,
I would like to ask a question.

I have Wildfly, version ? WildFly Full 14.0.1.Final(http://14.0.1.final) 
(WildFly Core 6.0.2.Final(http://6.0.2.final))??? .
And then I have Keycloak, version Keycloak 4.7.0.Final(http://4.7.0.final) 
(WildFly Core 6.0.2.Final(http://6.0.2.final))? .

Static cluster configuration, using TCPPING, works in Wildflys, but does not
work in Keycloaks. 

I always have 2 instances on localhost (browser thus sends them the same 
JSESSIONID).?? On both I have deployed a testing clustering webapp, with 
which to test, if sessions are replicated. But Keycloaks do not pass 
sessions to each other. I can see that when the page from the second 
instance is reloaded in browser, it sends Set-Cookie header with another 
cookie, as it obviously does not know the JSESSIONID from the first 
instance.

With Wildflys the same does work.

Can you tell me, is there any reason, why this is the case, when Keycloak 
uses Wildfly ?

Thank you. With regards V. Havlik.

From subodhcjoshi82 at gmail.com  Thu Jan 31 06:23:43 2019
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 31 Jan 2019 16:53:43 +0530
Subject: [keycloak-user] keycloak bearer token error - Didn't find publicKey
	for specified kid
In-Reply-To: <CA+5RKs3CWJE6NW80zksLbqn2ipqCnWXhNV=hQ11snEKB3t69yg@mail.gmail.com>
References: <CA+5RKs2hHV7jMNMJGd86JEqZnE=8185dXB+cPdm-+3yxGYGaow@mail.gmail.com>
	<CA+5RKs3CWJE6NW80zksLbqn2ipqCnWXhNV=hQ11snEKB3t69yg@mail.gmail.com>
Message-ID: <CAFss9rp6BbMQtWgua3GANyz0z0QkfvqA6rya8tFuwyp6x8Q2iA@mail.gmail.com>

Hi
I have configured keycloak4.5 with Wildfly(With LoadBalancer) and able get
the token , but when I am using that token for to get response from rest
service getting below error :
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
*HTTP/1.1 401 Unauthorized*
*Cache-Control: no-cache, no-store, must-revalidate, private*
*X-Powered-By: Undertow/1*
*X-XSS-Protection: 1; mode=block*
*Server: WildFly/11*
*X-Frame-Options: SAMEORIGIN*
*Date: Wed, 30 Jan 2019 07:42:45 GMT*
*Connection: keep-alive*
*WWW-Authenticate: Bearer realm="demorealm", error="invalid_token",
error_description="Didn't find publicKey for specified kid"*
*X-Content-Type-Options: nosniff*
*Content-Type: text/html;charset=UTF-8*
*Content-Length: 71*

*<html><head><title>Error</title></head><body>Unauthorized</body></html>*
*------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------*

*Can anyone help me here please what configuration I am missing , I am
struggling for so many days to solve this problem but couldn't get any
solution .*








-- 
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From K.Buler at adbglobal.com  Thu Jan 31 07:02:07 2019
From: K.Buler at adbglobal.com (Karol Buler)
Date: Thu, 31 Jan 2019 12:02:07 +0000
Subject: [keycloak-user] keycloak bearer token error - Didn't find
 publicKey for specified kid
In-Reply-To: <CAFss9rp6BbMQtWgua3GANyz0z0QkfvqA6rya8tFuwyp6x8Q2iA@mail.gmail.com>
References: <CA+5RKs2hHV7jMNMJGd86JEqZnE=8185dXB+cPdm-+3yxGYGaow@mail.gmail.com>
	<CA+5RKs3CWJE6NW80zksLbqn2ipqCnWXhNV=hQ11snEKB3t69yg@mail.gmail.com>
	<CAFss9rp6BbMQtWgua3GANyz0z0QkfvqA6rya8tFuwyp6x8Q2iA@mail.gmail.com>
Message-ID: <dfb77f65-c904-14cc-300c-88213413e97a@adbglobal.com>

We had the same problem.

In few words your application doesn't trust the Keycloak if you have
Keycloak with SSL behind the LoadBalancer. You need to configure
"truststore.jks" for your application. This truststore need to contains
Keycloak's certificate.

BR, Karol

On 31.01.2019 12:23, Subodh Joshi wrote:
> Hi
> I have configured keycloak4.5 with Wildfly(With LoadBalancer) and able get
> the token , but when I am using that token for to get response from rest
> service getting below error :
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> *HTTP/1.1 401 Unauthorized*
> *Cache-Control: no-cache, no-store, must-revalidate, private*
> *X-Powered-By: Undertow/1*
> *X-XSS-Protection: 1; mode=block*
> *Server: WildFly/11*
> *X-Frame-Options: SAMEORIGIN*
> *Date: Wed, 30 Jan 2019 07:42:45 GMT*
> *Connection: keep-alive*
> *WWW-Authenticate: Bearer realm="demorealm", error="invalid_token",
> error_description="Didn't find publicKey for specified kid"*
> *X-Content-Type-Options: nosniff*
> *Content-Type: text/html;charset=UTF-8*
> *Content-Length: 71*
>
> *<html><head><title>Error</title></head><body>Unauthorized</body></html>*
> *------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------*
>
> *Can anyone help me here please what configuration I am missing , I am
> struggling for so many days to solve this problem but couldn't get any
> solution .*
>
>
>
>
>
>
>
>
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED.
Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy<https://www.adbglobal.com/privacy-policy/> and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.


From kapilkumarjoshi001 at gmail.com  Thu Jan 31 07:23:21 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 31 Jan 2019 17:53:21 +0530
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <CAMLZ2vkWq=HeR_qB2L_sDEVN6GCMbRbhm7MuhrgYpkMEjESw9Q@mail.gmail.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
	<b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>
	<CAMLZ2vk0z6sbOqQeakyWnPQ4SNYMjtu+SdErzHDMEgok=80ALA@mail.gmail.com>
	<CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
	<387bbdad-2554-2117-49bf-9d1ce8ec6144@redhat.com>
	<CAMLZ2vkWq=HeR_qB2L_sDEVN6GCMbRbhm7MuhrgYpkMEjESw9Q@mail.gmail.com>
Message-ID: <CAMLZ2v=d3PzVtnA1ZjyS567jaEn-QzJOTuzCFJBo36qufMi+fQ@mail.gmail.com>

On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001 at gmail.com>
wrote:

> Hi Marek,
>
>
> Thanks for the reply, actually we see one ldaprealm.json in the LDAP
> integration with keycloak example. But even there we saw entries only for
> role-ldap-mapper.
>
> Can someone in your team provide a sample for hardcoded-ldap-mapper
>
> Thanks
> Kapil
>
>
> On 31 Jan 2019 17:21, "Marek Posolda" <mposolda at redhat.com> wrote:
>
> I am not sure about the JSON format from the top of my head. I suggest to
> create things manually in admin console, then export it to JSON, so you can
> see proper JSON format. See keycloak documentation for Export/Import for
> more details.
>
> Marek
>
> On 31/01/2019 07:19, kapil joshi wrote:
>
> Hi Marek,
>
> I was trying to import realm.json which contains following entry, to
> include hardcoded-ldap-mapper in keycloak, for realm-management role of
> manage-users, but its failing to import, can you give us a small example of
> such entry in realm.json which we can follow on.
>
> // snippet of realm.json
>
>  *          {*
> *              "name": "administrator",*
>               *"federationMapperType"**: "hardcoded-ldap-role-mapper",*
> *"**federationProviderDisplayName"*
> * : "ldap", *
> *              "subComponents": {},*
> *              "config": {*
> *                "role": [*
> *                  "realm-management.manage-users"*
> *                ]*
> *              }*
> *           }*
>
>
> *Thanks *
> *Kapil*
>
> On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
> wrote:
>
>> Hi Marek,
>>
>> First of all thanks for your response,  it works !!! . I tried mapping a
>> client role (i.e realm-management roles), few observations:
>> 1) I was not able to save the configuration was getting below attached
>> error message.
>> [image: image.png]
>>
>> But then i saw there is already a bug filed on this issue.
>> So applied the work around, and was able to get the client role added for
>> LDAP imported user.
>>
>> Thanks again,
>> Kapil
>>
>>
>>
>> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Yes, this should be doable with hardcoded-ldap-role-mapper if I
>>> understand your use-case correctly (See tab "mappers" in the admin console
>>> when you're on the page with the details of LDAP provider).
>>>
>>> Marek
>>>
>>> On 28/01/2019 10:24, kapil joshi wrote:
>>>
>>> Hi All,
>>>
>>> Can we assign realm-management client roles for users imported from LDAP in
>>> Keycloak.
>>> Currently we are trying to set up LDAP based user federation using by
>>> importing a realm.json, configured with LDAP related configuration. Have
>>> attached it to this email.
>>> Basically the requirement is when we login to the client using the LDAP
>>> credentials, the user should be able to access user-management and
>>> view-realm client(i.e accessing the admin console) from client side.
>>>
>>> Thanks
>>> Kapil
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>
>

From mposolda at redhat.com  Thu Jan 31 07:29:37 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 31 Jan 2019 13:29:37 +0100
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <CAMLZ2v=d3PzVtnA1ZjyS567jaEn-QzJOTuzCFJBo36qufMi+fQ@mail.gmail.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
	<b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>
	<CAMLZ2vk0z6sbOqQeakyWnPQ4SNYMjtu+SdErzHDMEgok=80ALA@mail.gmail.com>
	<CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
	<387bbdad-2554-2117-49bf-9d1ce8ec6144@redhat.com>
	<CAMLZ2vkWq=HeR_qB2L_sDEVN6GCMbRbhm7MuhrgYpkMEjESw9Q@mail.gmail.com>
	<CAMLZ2v=d3PzVtnA1ZjyS567jaEn-QzJOTuzCFJBo36qufMi+fQ@mail.gmail.com>
Message-ID: <10413131-a933-750c-084d-76feb63ee682@redhat.com>

I suggest to try the export/import as I mentioned already. I hope this 
can give you a hint how the JSON should look like.

Regards,
Marek

On 31/01/2019 13:23, kapil joshi wrote:
>
> On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001 at gmail.com 
> <mailto:kapilkumarjoshi001 at gmail.com>> wrote:
>
>     Hi Marek,
>
>
>     Thanks for the reply, actually we see one ldaprealm.json in the
>     LDAP integration with keycloak example. But even there we saw
>     entries only for role-ldap-mapper.
>
>     Can someone in your team provide a sample for hardcoded-ldap-mapper
>
>     Thanks
>     Kapil
>
>
>     On 31 Jan 2019 17:21, "Marek Posolda" <mposolda at redhat.com
>     <mailto:mposolda at redhat.com>> wrote:
>
>         I am not sure about the JSON format from the top of my head. I
>         suggest to create things manually in admin console, then
>         export it to JSON, so you can see proper JSON format. See
>         keycloak documentation for Export/Import for more details.
>
>         Marek
>
>         On 31/01/2019 07:19, kapil joshi wrote:
>>         Hi?Marek,
>>
>>         I was trying to import realm.json which contains following
>>         entry, to include hardcoded-ldap-mapper in keycloak, for
>>         realm-management role of manage-users, but its failing to
>>         import, can you give us a small example of such entry in
>>         realm.json which we can follow on.
>>
>>         // snippet of realm.json
>>
>>         *? ? ? ? {*
>>         *? ? ? ? ? ? "name": "administrator",*
>>         ***"federationMapperType"**: "hardcoded-ldap-role-mapper",*
>>         *"**federationProviderDisplayName"**: "ldap",
>>         *
>>         *? ? ? ? ? ? "subComponents": {},*
>>         *? ? ? ? ? ? "config": {*
>>         *? ? ? ? ? ? ? "role": [*
>>         *"realm-management.manage-users"*
>>         *? ? ? ? ? ? ? ]*
>>         *? ? ? ? ? ? }*
>>         *? ? ? ? ?}*
>>         *
>>         *
>>         *
>>         *
>>         *Thanks *
>>         *Kapil*
>>
>>         On Tue, Jan 29, 2019 at 2:38 PM kapil joshi
>>         <kapilkumarjoshi001 at gmail.com
>>         <mailto:kapilkumarjoshi001 at gmail.com>> wrote:
>>
>>             Hi Marek,
>>
>>             First of all thanks for your response, it works !!! . I
>>             tried mapping a client role (i.e realm-management roles),
>>             few observations:
>>             1) I was not able to save the configuration was getting
>>             below attached error message.
>>             image.png
>>
>>             But then i saw there is already a bug filed on this issue.
>>             So applied the work around, and was able to get the
>>             client role added for LDAP imported user.
>>
>>             Thanks again,
>>             Kapil
>>
>>
>>
>>             On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda
>>             <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>                 Yes, this should be doable with
>>                 hardcoded-ldap-role-mapper if I understand your
>>                 use-case correctly (See tab "mappers" in the admin
>>                 console when you're on the page with the details of
>>                 LDAP provider).
>>
>>                 Marek
>>
>>                 On 28/01/2019 10:24, kapil joshi wrote:
>>>                 Hi All,
>>>
>>>                 Can we assign realm-management client roles for users imported from LDAP in
>>>                 Keycloak.
>>>                 Currently we are trying to set up LDAP based user federation using by
>>>                 importing a realm.json, configured with LDAP related configuration. Have
>>>                 attached it to this email.
>>>                 Basically the requirement is when we login to the client using the LDAP
>>>                 credentials, the user should be able to access user-management and
>>>                 view-realm client(i.e accessing the admin console) from client side.
>>>
>>>                 Thanks
>>>                 Kapil
>>>
>>>                 _______________________________________________
>>>                 keycloak-user mailing list
>>>                 keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>


From slaskawi at redhat.com  Thu Jan 31 07:36:13 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 31 Jan 2019 13:36:13 +0100
Subject: [keycloak-user] TCPPING problem.
In-Reply-To: <132L.4OIY.4yZG0TU0L{r.1SKjNt@seznam.cz>
References: <132L.4OIY.4yZG0TU0L{r.1SKjNt@seznam.cz>
Message-ID: <CAA9R9O5MbMXbufNbk+hvKjZGoFufKAw=GmxTEv2rCNL2VNXGjw@mail.gmail.com>

Hey Vaclav,

Could you please send us your configuration xml (make sure you're using
standalone-ha.xml) and output of your logs?

Thanks,
Sebastian

On Thu, Jan 31, 2019 at 12:04 PM Vaclav Havlik <Johny.Dee at seznam.cz> wrote:

> Dears,
> I would like to ask a question.
>
> I have Wildfly, version   WildFly Full 14.0.1.Final(http://14.0.1.final)
> (WildFly Core 6.0.2.Final(http://6.0.2.final))    .
> And then I have Keycloak, version Keycloak 4.7.0.Final(http://4.7.0.final)
>
> (WildFly Core 6.0.2.Final(http://6.0.2.final))  .
>
> Static cluster configuration, using TCPPING, works in Wildflys, but does
> not
> work in Keycloaks.
>
> I always have 2 instances on localhost (browser thus sends them the same
> JSESSIONID).   On both I have deployed a testing clustering webapp, with
> which to test, if sessions are replicated. But Keycloaks do not pass
> sessions to each other. I can see that when the page from the second
> instance is reloaded in browser, it sends Set-Cookie header with another
> cookie, as it obviously does not know the JSESSIONID from the first
> instance.
>
> With Wildflys the same does work.
>
> Can you tell me, is there any reason, why this is the case, when Keycloak
> uses Wildfly ?
>
> Thank you. With regards V. Havlik.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From david-kc-users at dnorth.net  Thu Jan 31 07:56:07 2019
From: david-kc-users at dnorth.net (David North)
Date: Thu, 31 Jan 2019 12:56:07 +0000
Subject: [keycloak-user] OAuth2 extensions - oob vs oob:auto
Message-ID: <ac31ebd6-5a8e-1bd5-7f80-1ff05b25cbb4@dnorth.net>

Hi,

I am working on a desktop application which wants to access various APIs 
secured by OAuth2 using Keycloak.

The workflow I am trying to support is that the application will show an 
embedded browser widget with the Keycloak login page, and once the user 
is logged in, my application will extract the OAuth token and use it.

I don't want my application to have to listen on a local port and use a 
redirect URI of http://localhost:port, so the OAuth extension which 
allows a redirect URI of urn:ietf:wg:oauth:2.0:oob:auto seems ideal.

The documentation at https://www.keycloak.org/docs/4.0/securing_apps/ 
says Keycloak only supports the urn:ietf:wg:oauth:2.0:oob variant, where 
the user has to copy/paste the code manually into the app. However, 
confusingly the documentation also claims:

"When this redirect uri is used Keycloak displays a page with the code 
in the title and in a box on the page."

The code is not in the title (which just says "Success code") - if it 
were then it would be easy for my application to extract, and the 
behaviour would be equivalent to urn:ietf:wg:oauth:2.0:oob:auto

Would there be any objection to a bug and patch to:

* Treat urn:ietf:wg:oauth:2.0:oob:auto as an alias for 
urn:ietf:wg:oauth:2.0:oob

* Put the code in the page title as well as a box on the page?

Thanks,

David


From lkamal at gmail.com  Thu Jan 31 08:29:54 2019
From: lkamal at gmail.com (Kamal Mettananda)
Date: Thu, 31 Jan 2019 18:59:54 +0530
Subject: [keycloak-user] When realm count reaches around 470,
	Keycloak basically becomes unstable
Message-ID: <CAHdm9fm1xEwwJnauOw5T6=9ghNsfiFsHC8CGrc8xjT_6J7eFmw@mail.gmail.com>

Hi all

We are having a Keycloak 4.8.1.Final deployed on a k8 cluster with two
nodes with default settings. Backend database is PostgreSQL.

We are increasing the number of realms in Keycloak to figure out if
Keycloak can support a larger number of realms; these creations are done
sequentially.

However, when the quantity of realms reach around 470, it makes keycloak
basically unusable with admin GUI not loading at all and requests taking
too long to execute.

Below is a summary of the time taken. We have not added any users into the
realms.

+--------------+----------+------------+------------+------------+
|  Operation   | 0 realms | 100 realms | 250 realms | 350 realms |
+--------------+----------+------------+------------+------------+
| Create realm |     1104 |       3739 |       8659 |      11535 |
| Get realm    |      128 |        961 |       3067 |       3853 |
| Get token    |      636 |       1159 |       2714 |       3197 |
| Get roles    |      127 |       1037 |       3034 |       3649 |
+--------------+----------+------------+------------+------------+

Are there any known limitations or an optimal number of realms for a
Keycloak deployment?

Thanks

From tim.hedlund at outlook.com  Thu Jan 31 08:49:51 2019
From: tim.hedlund at outlook.com (Tim Hedlund)
Date: Thu, 31 Jan 2019 13:49:51 +0000
Subject: [keycloak-user] Force certain realm users to login via IDP
Message-ID: <SN4PR0801MB3821FFD45DAA7F48CB0C318CF8910@SN4PR0801MB3821.namprd08.prod.outlook.com>

We are looking into using IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in certain realm) will need to authenticate via two factor because of company policies. So I've already setup a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login.

I've tried to "Disable Credentials" for "password" for such a user but still he could login.

I'm thinking of a solution where we script a custom browser flow action where we check is the user is a admin and then denies him if using password.

Any thoughts or suggestions?

Regards
Tim


From kapilkumarjoshi001 at gmail.com  Thu Jan 31 09:40:09 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 31 Jan 2019 20:10:09 +0530
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <10413131-a933-750c-084d-76feb63ee682@redhat.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
	<b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>
	<CAMLZ2vk0z6sbOqQeakyWnPQ4SNYMjtu+SdErzHDMEgok=80ALA@mail.gmail.com>
	<CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
	<387bbdad-2554-2117-49bf-9d1ce8ec6144@redhat.com>
	<CAMLZ2vkWq=HeR_qB2L_sDEVN6GCMbRbhm7MuhrgYpkMEjESw9Q@mail.gmail.com>
	<CAMLZ2v=d3PzVtnA1ZjyS567jaEn-QzJOTuzCFJBo36qufMi+fQ@mail.gmail.com>
	<10413131-a933-750c-084d-76feb63ee682@redhat.com>
Message-ID: <CAMLZ2vmABD7BX9B88u8Li2im8J8MtEj9TkNQUf9kO4w+fi3iwg@mail.gmail.com>

Hi Marek,

Actually we tried that, but the it still doesn't work. Not even "
directAccessGrantsEnabled": true, value under realm.json.
We tried importing realm.json with "directAccessGrantsEnabled": true value
under clients section, it isnt working there too.
Would be great if someone could guide us what to do or may be what are
missing.

Thanks & regards
Kapil

On Thu, 31 Jan 2019, 17:59 Marek Posolda, <mposolda at redhat.com> wrote:

> I suggest to try the export/import as I mentioned already. I hope this can
> give you a hint how the JSON should look like.
>
> Regards,
> Marek
>
> On 31/01/2019 13:23, kapil joshi wrote:
>
>
> On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001 at gmail.com>
> wrote:
>
>> Hi Marek,
>>
>>
>> Thanks for the reply, actually we see one ldaprealm.json in the LDAP
>> integration with keycloak example. But even there we saw entries only for
>> role-ldap-mapper.
>>
>> Can someone in your team provide a sample for hardcoded-ldap-mapper
>>
>> Thanks
>> Kapil
>>
>>
>> On 31 Jan 2019 17:21, "Marek Posolda" <mposolda at redhat.com> wrote:
>>
>> I am not sure about the JSON format from the top of my head. I suggest to
>> create things manually in admin console, then export it to JSON, so you can
>> see proper JSON format. See keycloak documentation for Export/Import for
>> more details.
>>
>> Marek
>>
>> On 31/01/2019 07:19, kapil joshi wrote:
>>
>> Hi Marek,
>>
>> I was trying to import realm.json which contains following entry, to
>> include hardcoded-ldap-mapper in keycloak, for realm-management role of
>> manage-users, but its failing to import, can you give us a small example of
>> such entry in realm.json which we can follow on.
>>
>> // snippet of realm.json
>>
>>  *          {*
>> *              "name": "administrator",*
>>               *"federationMapperType"**: "hardcoded-ldap-role-mapper",*
>> *"**federationProviderDisplayName"*
>> * : "ldap", *
>> *              "subComponents": {},*
>> *              "config": {*
>> *                "role": [*
>> *                  "realm-management.manage-users"*
>> *                ]*
>> *              }*
>> *           }*
>>
>>
>> *Thanks *
>> *Kapil*
>>
>> On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
>> wrote:
>>
>>> Hi Marek,
>>>
>>> First of all thanks for your response,  it works !!! . I tried mapping a
>>> client role (i.e realm-management roles), few observations:
>>> 1) I was not able to save the configuration was getting below attached
>>> error message.
>>> [image: image.png]
>>>
>>> But then i saw there is already a bug filed on this issue.
>>> So applied the work around, and was able to get the client role added
>>> for LDAP imported user.
>>>
>>> Thanks again,
>>> Kapil
>>>
>>>
>>>
>>> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>
>>>> Yes, this should be doable with hardcoded-ldap-role-mapper if I
>>>> understand your use-case correctly (See tab "mappers" in the admin console
>>>> when you're on the page with the details of LDAP provider).
>>>>
>>>> Marek
>>>>
>>>> On 28/01/2019 10:24, kapil joshi wrote:
>>>>
>>>> Hi All,
>>>>
>>>> Can we assign realm-management client roles for users imported from LDAP in
>>>> Keycloak.
>>>> Currently we are trying to set up LDAP based user federation using by
>>>> importing a realm.json, configured with LDAP related configuration. Have
>>>> attached it to this email.
>>>> Basically the requirement is when we login to the client using the LDAP
>>>> credentials, the user should be able to access user-management and
>>>> view-realm client(i.e accessing the admin console) from client side.
>>>>
>>>> Thanks
>>>> Kapil
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>
>>
>

From chris.smith at cmfirstgroup.com  Thu Jan 31 10:13:40 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Thu, 31 Jan 2019 15:13:40 +0000
Subject: [keycloak-user] GSS Credential delegation works for Internet
 Explorer but not for Chrome?
In-Reply-To: <CY4PR22MB024856E91D7DDACFF37DE16098900@CY4PR22MB0248.namprd22.prod.outlook.com>
References: <CY4PR22MB024856E91D7DDACFF37DE16098900@CY4PR22MB0248.namprd22.prod.outlook.com>
Message-ID: <CY4PR22MB0248C66B77FDEC6977C23B2898910@CY4PR22MB0248.namprd22.prod.outlook.com>

I was able to make Chrome delegate a GSS Credential.
In Chrome for Windows, it required using the windows registry editor.
http://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
Sent: Thursday, January 31, 2019 2:11 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] GSS Credential delegation works for Internet Explorer but not for Chrome?

I have Keycloak setup to authenticate to an Active Directory domain using LDAP/Kerberos

I have set Windows Internet options for SSO

Both Internet Explorer and Chrome successfully perform Authentication.

I have a requirement for a Delegated GSSCredential and have configured Keycloak and my Active Directory domain controller to perform this task

When I run my web app using  Internet Explorer as my browser, in the servlet I successfully get a Delegated GSSCredential from the Access Token.

When I run my web app using  Chrome as my browser, in the servlet I fail to get a Delegated GSSCredential from the Access Token.

Why the difference and what do I need to set to allow Chrome to be used as a fully supported browser?

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


From titorenko at dtg.technology  Thu Jan 31 10:47:20 2019
From: titorenko at dtg.technology (Alexey Titorenko)
Date: Thu, 31 Jan 2019 18:47:20 +0300
Subject: [keycloak-user] Custom ClaimInformationPointProvider for Spring
	Boot not called.
Message-ID: <E61BFB7F-D57C-4784-B099-EB778B873DFF@dtg.technology>

Hello guys!

Can someone help me please with the following problem.

I need to configure context based access control for my REST-service, when attributes of the protected resources are pushed to Keycloak server for policy evaluation. Protected service is built on Spring Boot. 

I?ve configured the system and all works fine with OOTB Claim Information Point provider ?claims?. But I need a custom one. And this custom CIP is not working. I see from the debug logging, that policy enforcer calls ?getName()? and ?init()? on my CIP Factory, but _never_ calls ?create()?, thus, never instantiates the CIP.

Below are application.properties for Spring boot and CIP config file. My custom CIP Provider has ?document? name. I call both /documents/- Get an

Thank you, 
Alexey

application.properties
----------------------------------
svc.name=docs-uma
server.port = 8085
keycloak.realm=DemoApp
keycloak.auth-server-url=http://localhost:8180/auth
keycloak.ssl-required=external
keycloak.resource=docs-svc-uma
keycloak.cors=true
keycloak.use-resource-role-mappings=true
keycloak.verify-token-audience=false
keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a
keycloak.confidential-port=0
keycloak.bearer-only=true

keycloak.securityConstraints[0].securityCollections[0].name = secured operation
keycloak.securityConstraints[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents
keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/

keycloak.securityConstraints[1].securityCollections[0].name = admin operation
keycloak.securityConstraints[1].authRoles[0] = admin
keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin
keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/

logging.level.org.keycloak=DEBUG
logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG

# policy enforcer
keycloak.policy-enforcer-config.lazy-load-paths=true
keycloak.policy-enforcer-config.on-deny-redirect-to=/public

keycloak.policy-enforcer-config.paths[0].name=Public Resources
keycloak.policy-enforcer-config.paths[0].path=/*

keycloak.policy-enforcer-config.paths[1].name=Document creation
keycloak.policy-enforcer-config.paths[1].path=/documents/*
keycloak.policy-enforcer-config.paths[1].methods[0].method=POST
keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method}

keycloak.policy-enforcer-config.paths[2].name=Document List
keycloak.policy-enforcer-config.paths[2].path=/documents
keycloak.policy-enforcer-config.paths[2].methods[0].method=GET
keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method}
keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method}
        
keycloak.policy-enforcer-config.paths[3].name=Admin Resources
keycloak.policy-enforcer-config.paths[3].path=/admin/*
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri}
keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri}


META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
------------------------------------------------------------------------
dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory


From jdennis at redhat.com  Thu Jan 31 10:50:00 2019
From: jdennis at redhat.com (John Dennis)
Date: Thu, 31 Jan 2019 10:50:00 -0500
Subject: [keycloak-user] Incomplete ClientRepresentation returned from
 /{realm}/clients REST endpoint
Message-ID: <f9ab5511-96c4-12e0-95eb-7aa499d5018f@redhat.com>

A GET on the /{realm}/clients REST endpoint is supposed to return an 
array of ClientRepresentation JSON objects. This is documented here:

https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource

According to the REST documentation 
(https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresentation) 
a ClientRepresentation is supposed to contain the following top level keys:

access
adminUrl
attributes
authenticationFlowBindingOverrides
authorizationServicesEnabled
authorizationSettings
baseUrl
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
defaultRoles
description
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
name
nodeReRegistrationTimeout
notBefore
optionalClientScopes
origin
protocol
protocolMappers
publicClient
redirectUris
registeredNodes
registrationAccessToken
rootUrl
secret
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins

However when authenticated as the admin in the master realm on Keycloak 
version 4.8.2.Final a GET on /{realm}/clients returns 
ClientRepresentation's containing only these keys:

access
attributes
authenticationFlowBindingOverrides
bearerOnly
clientAuthenticatorType
clientId
consentRequired
defaultClientScopes
directAccessGrantsEnabled
enabled
frontchannelLogout
fullScopeAllowed
id
implicitFlowEnabled
nodeReRegistrationTimeout
notBefore
optionalClientScopes
protocol
publicClient
redirectUris
serviceAccountsEnabled
standardFlowEnabled
surrogateAuthRequired
webOrigins

This means the following keys are omitted from the ClientRepresentation. 
Why?

adminUrl
authorizationServicesEnabled
authorizationSettings
baseUrl
defaultRoles
description
name
origin
protocolMappers
registeredNodes
registrationAccessToken
rootUrl
secret

As far as I can tell the documented ClientRepresentation closely matches 
what is in the code here:

https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/idm/ClaimRepresentation.java

I believe this is the method used to return the ClientRepresentation 
from the REST endpoint:

https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44e7b519533/services/src/main/java/org/keycloak/services/resources/admin/ClientsResource.java#L98

The conversion from model to representation occurs here:

https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44e7b519533/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java#L528

I don't see anything which is dropping the missing keys in the returned 
ClientRepresentation.

Is something filtering the result?

The context for the question arises from this: We were creating a client 
via a PUT and allowing Keycloak to generate the client secret, we then 
wanted to extract the client secret from the ClientRepresentation but 
it's absent. I can also undersand why the client secret might be omitted 
for security reasons (although I did find that seems to replace that 
value with "**********", but that's not happening either, it's just 
absent). That's when we noticed it wasn't just the client secret that 
was missign but 12 other keys as well.

-- 
John Dennis

From kapilkumarjoshi001 at gmail.com  Thu Jan 31 11:58:23 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 31 Jan 2019 22:28:23 +0530
Subject: [keycloak-user] Configuring Admin Access Control or
 realm-management client role for LDAP user in keycloak via imported
 realm.json configuration
In-Reply-To: <CAMLZ2vmABD7BX9B88u8Li2im8J8MtEj9TkNQUf9kO4w+fi3iwg@mail.gmail.com>
References: <CAMLZ2vmku1QGqvXTYJOs2BXxUHHSHvFmOMepPE7ZG41bD03itQ@mail.gmail.com>
	<b0e3c8be-b9f3-cac0-333e-f22b739a9e3a@redhat.com>
	<CAMLZ2vk0z6sbOqQeakyWnPQ4SNYMjtu+SdErzHDMEgok=80ALA@mail.gmail.com>
	<CAMLZ2v=OMQBLdAsiDucbdL+u0GVV_5MnGLaSMM=m1D6EvCBtmA@mail.gmail.com>
	<387bbdad-2554-2117-49bf-9d1ce8ec6144@redhat.com>
	<CAMLZ2vkWq=HeR_qB2L_sDEVN6GCMbRbhm7MuhrgYpkMEjESw9Q@mail.gmail.com>
	<CAMLZ2v=d3PzVtnA1ZjyS567jaEn-QzJOTuzCFJBo36qufMi+fQ@mail.gmail.com>
	<10413131-a933-750c-084d-76feb63ee682@redhat.com>
	<CAMLZ2vmABD7BX9B88u8Li2im8J8MtEj9TkNQUf9kO4w+fi3iwg@mail.gmail.com>
Message-ID: <CAMLZ2vkPdoR5kas0r930XdcXo-qwSFpM-iR23Bqb5Nux-G1x_w@mail.gmail.com>

Hi Marek,

Found the solution,

it was square brackets of array given was causing this issue. On removal of
square brackets it worked. We need to just give one role for each mapper.

*{*
*              "name": "administrator",*
              *"federationMapperType"**:"hardcoded-ldap-role-mapper",*
*"**federationProviderDisplayName"*
* : "ldap",*
*              "subComponents": {},*
*              "config": {*
*                "role": [*
*                  "realm-management.manage-users"*
*                ]*
*              }*
*           }*

Solution :
  *{*
*              "name": "administrator",*
              *"federationMapperType"**:"hardcoded-ldap-role-mapper",*
*"**federationProviderDisplayName"** : "ldap",*
*              "config": {*
*                "role":** "realm-management.manage-users"*
*              }*
*           }*


*Thanks*
*Kapil*

On Thu, Jan 31, 2019 at 8:10 PM kapil joshi <kapilkumarjoshi001 at gmail.com>
wrote:

> Hi Marek,
>
> Actually we tried that, but the it still doesn't work. Not even "
> directAccessGrantsEnabled": true, value under realm.json.
> We tried importing realm.json with "directAccessGrantsEnabled": true
> value under clients section, it isnt working there too.
> Would be great if someone could guide us what to do or may be what are
> missing.
>
> Thanks & regards
> Kapil
>
> On Thu, 31 Jan 2019, 17:59 Marek Posolda, <mposolda at redhat.com> wrote:
>
>> I suggest to try the export/import as I mentioned already. I hope this
>> can give you a hint how the JSON should look like.
>>
>> Regards,
>> Marek
>>
>> On 31/01/2019 13:23, kapil joshi wrote:
>>
>>
>> On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001 at gmail.com>
>> wrote:
>>
>>> Hi Marek,
>>>
>>>
>>> Thanks for the reply, actually we see one ldaprealm.json in the LDAP
>>> integration with keycloak example. But even there we saw entries only for
>>> role-ldap-mapper.
>>>
>>> Can someone in your team provide a sample for hardcoded-ldap-mapper
>>>
>>> Thanks
>>> Kapil
>>>
>>>
>>> On 31 Jan 2019 17:21, "Marek Posolda" <mposolda at redhat.com> wrote:
>>>
>>> I am not sure about the JSON format from the top of my head. I suggest
>>> to create things manually in admin console, then export it to JSON, so you
>>> can see proper JSON format. See keycloak documentation for Export/Import
>>> for more details.
>>>
>>> Marek
>>>
>>> On 31/01/2019 07:19, kapil joshi wrote:
>>>
>>> Hi Marek,
>>>
>>> I was trying to import realm.json which contains following entry, to
>>> include hardcoded-ldap-mapper in keycloak, for realm-management role of
>>> manage-users, but its failing to import, can you give us a small example of
>>> such entry in realm.json which we can follow on.
>>>
>>> // snippet of realm.json
>>>
>>>  *          {*
>>> *              "name": "administrator",*
>>>               *"federationMapperType"**: "hardcoded-ldap-role-mapper",*
>>> *"**federationProviderDisplayName"*
>>> * : "ldap", *
>>> *              "subComponents": {},*
>>> *              "config": {*
>>> *                "role": [*
>>> *                  "realm-management.manage-users"*
>>> *                ]*
>>> *              }*
>>> *           }*
>>>
>>>
>>> *Thanks *
>>> *Kapil*
>>>
>>> On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <
>>> kapilkumarjoshi001 at gmail.com> wrote:
>>>
>>>> Hi Marek,
>>>>
>>>> First of all thanks for your response,  it works !!! . I tried mapping
>>>> a client role (i.e realm-management roles), few observations:
>>>> 1) I was not able to save the configuration was getting below attached
>>>> error message.
>>>> [image: image.png]
>>>>
>>>> But then i saw there is already a bug filed on this issue.
>>>> So applied the work around, and was able to get the client role added
>>>> for LDAP imported user.
>>>>
>>>> Thanks again,
>>>> Kapil
>>>>
>>>>
>>>>
>>>> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda at redhat.com>
>>>> wrote:
>>>>
>>>>> Yes, this should be doable with hardcoded-ldap-role-mapper if I
>>>>> understand your use-case correctly (See tab "mappers" in the admin console
>>>>> when you're on the page with the details of LDAP provider).
>>>>>
>>>>> Marek
>>>>>
>>>>> On 28/01/2019 10:24, kapil joshi wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Can we assign realm-management client roles for users imported from LDAP in
>>>>> Keycloak.
>>>>> Currently we are trying to set up LDAP based user federation using by
>>>>> importing a realm.json, configured with LDAP related configuration. Have
>>>>> attached it to this email.
>>>>> Basically the requirement is when we login to the client using the LDAP
>>>>> credentials, the user should be able to access user-management and
>>>>> view-realm client(i.e accessing the admin console) from client side.
>>>>>
>>>>> Thanks
>>>>> Kapil
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>

From speechkey at gmail.com  Thu Jan 31 12:13:08 2019
From: speechkey at gmail.com (Artem Grebenkin)
Date: Thu, 31 Jan 2019 18:13:08 +0100
Subject: [keycloak-user] Custom Authenticator
Message-ID: <CAAcYni=-bm85xMc5UePz1cD2H-xsSh4BUyUdNMPHNLbT7=aTaQ@mail.gmail.com>

Hi folks,

I have following use case. There is a service which creates ("registers") a
user in keycloak over REST API. After that I would like to login the user
automatically. So I need some kind of link which I can return to the
browser and which will login the user and redirect them back to some
location.

Where I have to look? Can somebody give me some advice and some keywords.

Thanks for your help
Artem

From Ondrej.Scerba at zoomint.com  Thu Jan 31 12:18:18 2019
From: Ondrej.Scerba at zoomint.com (Ondrej Scerba)
Date: Thu, 31 Jan 2019 17:18:18 +0000
Subject: [keycloak-user] OWASP check
Message-ID: <f12390abce964a78b310529c139de182@zoomint.com>

Hi,

Lastest Keycloak version (4.8.3.Final) contains several potential security issues related to jackson-databind library. All isues should be resolved, when you update jackson-databind to version 2.9.8 or higher.

Could you please fix it?

Thanks,
Ondrej



From tom at spicule.co.uk  Thu Jan 31 15:57:30 2019
From: tom at spicule.co.uk (Tom Barber)
Date: Thu, 31 Jan 2019 15:57:30 -0500
Subject: [keycloak-user] Expose role attributes in Keycloak javascript
	adapter
Message-ID: <CADibaRx5FrDRFCOKdG2zEg-fovPcygpHbJutosRP32+xcOjr6g@mail.gmail.com>

Hi folks,

We?ve got some attributes in the Keycloak roles. Is there a way to release
them with a user using the Javascript adapter?

Thanks

Tom

-- 


Spicule Limited is registered in England & Wales. Company Number: 
09954122. Registered office: First Floor, Telecom House, 125-135 Preston 
Road, Brighton, England, BN1 6AF. VAT No. 251478891.




All engagements 
are subject to Spicule Terms and Conditions of Business. This email and its 
contents are intended solely for the individual to whom it is addressed and 
may contain information that is confidential, privileged or otherwise 
protected from disclosure, distributing or copying. Any views or opinions 
presented in this email are solely those of the author and do not 
necessarily represent those of Spicule Limited. The company accepts no 
liability for any damage caused by any virus transmitted by this email. If 
you have received this message in error, please notify us immediately by 
reply email before deleting it from your system. Service of legal notice 
cannot be effected on Spicule Limited by email.

From craig at baseventure.com  Thu Jan 31 17:55:31 2019
From: craig at baseventure.com (Craig Setera)
Date: Thu, 31 Jan 2019 16:55:31 -0600
Subject: [keycloak-user] Rest Extension?
Message-ID: <CAPVdwjqdp1pz0p=9qHps9R-_NbDqR_=Gcnp_Tbg225YW45aPnQ@mail.gmail.com>

I was in the process of creating a new REST extension per the current
developer docs at
https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
,  however, I noticed I had to pull in the keycloak-server-spi-private
module and also I'm seeing the following in the logs:

keycloak_1             | 22:49:44,975 WARN  [org.keycloak.services] (MSC
service thread 1-1) KC-SERVICES0047: bv-user-invitation
(com.baseventure.keycloak.userinvite.rest.UserInvitationActionTokenResourceProviderFactory)
is implementing the internal SPI realm-restapi-extension. This SPI is
internal and may change without notice

Should this have me concerned about the long term viability of this feature?

Craig

=================================
*Craig Setera*

*Chief Technology Officer*

From madhura.nishshanka at gmail.com  Thu Jan 31 23:10:07 2019
From: madhura.nishshanka at gmail.com (madhura nishshanka)
Date: Fri, 1 Feb 2019 09:40:07 +0530
Subject: [keycloak-user] Remove realm in HA environment throw
 org.keycloak.models.ModelException:
 javax.persistence.OptimisticLockException
Message-ID: <CAF8MQahMG++70x_DFMfU4KyfhuiBctOft-2F7pfjztGBPn0XcQ@mail.gmail.com>

Hi All,

I am getting "org.keycloak.models.ModelException:
javax.persistence.OptimisticLockException: Batch update returned unexpected
row count from update [0]; actual row count: 0; expected: 1" When a realm
is delte from keycloak java admin client. This occurs in a HA environment
when we do a performance test. Can someone please help me on this?

I am using keycloak  4.8.1 final.

Full exception
11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
(default task-2) Uncaught server error: org.keycloak.models.ModelException:
javax.persistence.OptimisticLockException: Batch update returned unexpected
row count from update [0]; actual row count: 0; expected: 1
        at
org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
        at
org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
        at com.sun.proxy.$Proxy99.flush(Unknown Source)
        at
org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320)
        at
org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567)
        at
*org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)*
        at
org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486)
        at
org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248)
        at
org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
        at
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
        at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
        at
org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
        at
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at
org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
        at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at
org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at
org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at
org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.persistence.OptimisticLockException: Batch update returned
unexpected row count from update [0]; actual row count: 0; expected: 1
        at
org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238)
        at
org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93)
        at
org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
        at
org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
        at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460)
        at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440)
        at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
        ... 78 more
Caused by: org.hibernate.StaleStateException: Batch update returned
unexpected row count from update [0]; actual row count: 0; expected: 1
        at
org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67)
        at
org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54)
        at
org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46)
        at
org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478)
        at
org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735)
        at
org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99)
        at
org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604)
        at
org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478)
        at
org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356)
        at
org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
        at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454)
        ... 83 more

Thanks
Madhura

From lkamal at gmail.com  Thu Jan 31 23:39:41 2019
From: lkamal at gmail.com (Kamal Mettananda)
Date: Fri, 1 Feb 2019 10:09:41 +0530
Subject: [keycloak-user] Release notes for 4.8.1, 4.8.2 & 4.8.3
Message-ID: <CAHdm9fnvRvD5uK49=1w_w5-QNXpuzTfmE31dhi=HcdRRXHQEhg@mail.gmail.com>

Hi all

I am trying to figure out the changes in 4.8.3 vs 4.8.1. However, in the
release notes page (
https://www.keycloak.org/docs/latest/release_notes/index.html) I can only
see some information about 4.8.0.

Could someone please point me to a location where I can figure out the
features and fixes?

Thanks
Kamal Mettananda
www.digizol.com