Error

From patrice.amiel at thalesgroup.com Mon Jul 1 09:31:26 2019 From: patrice.amiel at thalesgroup.com (AMIEL Patrice) Date: Mon, 1 Jul 2019 13:31:26 +0000 Subject: [keycloak-user] How to achieve "service continuity" with KeyCloak in Standalone Cluster mode ? In-Reply-To: References: Message-ID: Thanks Dimitri, You are right, the shutdown was not working properly: the SIGTERM signal was not reaching the JBoss process. To help other members of the community, here is what I did: I first set the LAUNCH_JBOSS_IN_BACKGROUND envvar so that the JBoss java process that is launched by the standalone.sh script is run in background. The "trap" commands are then automatically set to forward the various signals received by the standalone.sh process to the JBoss process. I then updated my own Docker entrypoint shell script to have the same behavior (run standalone.sh un background, get the process id, and define the traps). At the end, SIGTERM sent by Kubernetes is correctly received by JBoss that exists properly the cluster. Now, the cluster is more stable (much less errors encountered when scaling down, no more exception stack traces, and the cluster is not de-stabilized when an instance is stopped: less API calls falling into error), but it is still not perfect : I still encounter some errors during the scaling down transitions, even when setting the "owner" field of the "distributed-cache" descriptions to "2". Indeed, I realizes that most (almost all) of the requests are processed by a single KeyCloak instance (often the oldest one) while I don't have any session affinity (Session Affinity = None) on the Kubernetes Service: why ? As a consequence, when killing ("kubectl delete pod") the instance that is receiving (almost) none of the request, I don't have errors; but when deleting the instance that is processing (almost) all the requests, then I have errors! Again, setting the "owner" field of the "distributed-cache" description to "2" (expecting the cache data are duplicated on the 2 nodes) does not change things: I still have errors... I tries to set the 'mode="SYNC"' like this: But the process does not start, with the following error: 13:17:32,080 ERROR [org.jboss.as.controller] (Controller Boot Thread) OPVDX001: Validation error in standalone-ha.xml -------------------------------- | | 338: | 339: | 340: | ^^^^ 'mode' isn't an allowed attribute for the 'distributed-cache' element | | Attributes allowed here are: capacity-factor, | consistent-hash-strategy, l1-lifespan, owners, segments | | 341: | 342: | 343: | | 'mode' is allowed on elements: | - server > profile > {urn:jboss:domain:infinispan:7.0}subsystem > cache-container > local-cache > transaction Where should I put the "mode" instead? Any idea on why I still have some errors? Thanks for your valuable help. Patrice PS: By the way, I fear there is a bug in the standalone.sh (but I'm not sure): the trap definitions are the following: trap "kill -HUP $JBOSS_PID" HUP trap "kill -TERM $JBOSS_PID" INT trap "kill -QUIT $JBOSS_PID" QUIT trap "kill -PIPE $JBOSS_PID" PIPE trap "kill -TERM $JBOSS_PID" TERM Each signal is forwarded to the JBoss process except the INT signal that is changed into a TERM signal ? Shouldn't we have trap "kill -INT $JBOSS_PID" INT instead ? -----Original Message----- From: Dmitry Telegin [mailto:demetrio at carretti.pro] Sent: lundi 24 juin 2019 19:19 To: AMIEL Patrice ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to achieve "service continuity" with KeyCloak in Standalone Cluster mode ? Hello Patrice, Do you experience this even if the node is properly shutdown, i.e. via SIGTERM rather than SIGKILL? Keycloak does seem to properly shutdown caches [1], which, according to Infinispan doc [2], should result in a graceful leave. Do you see messages like this in the log after shutdown has been triggered? 20:14:26,598 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0003: Stopped XXX cache from keycloak container As for replicated caches, the issue might be triggered by mixing caches with different synchronization modes. Could you try to explicitly specify mode="SYNC", like here [3]? [1] https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkeycloak%2Fkeycloak%2Fblob%2F4.8.3.Final%2Fmodel%2Finfinispan%2Fsrc%2Fmain%2Fjava%2Forg%2Fkeycloak%2Fconnections%2Finfinispan%2FDefaultInfinispanConnectionProviderFactory.java%23L72&data=02%7C01%7Cpatrice.amiel%40gemalto.com%7Cd1eda3ff5bf74dbc390408d6f8c80987%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C1%7C636969935378606026&sdata=axZbKSSTl%2B%2BdsAPFf5Ow79ck328mwc9Uz7vqQm%2FNbfo%3D&reserved=0 [2] https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finfinispan.org%2Fdocs%2Fstable%2Fuser_guide%2Fuser_guide.html%23cache_manager&data=02%7C01%7Cpatrice.amiel%40gemalto.com%7Cd1eda3ff5bf74dbc390408d6f8c80987%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C1%7C636969935378606026&sdata=rTY8QFuuVIT5apHDQv1wvC52w0s1wjkrlzOtshhyTso%3D&reserved=0 [3] https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Finfinispan.org%2Fdocs%2Fstable%2Fuser_guide%2Fuser_guide.html%23cache_configuration_declarative&data=02%7C01%7Cpatrice.amiel%40gemalto.com%7Cd1eda3ff5bf74dbc390408d6f8c80987%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C1%7C636969935378606026&sdata=P4io70GsZ%2FOMHxPsO3rWJyB%2FSy2D2mzVrXhQ9TIKJRk%3D&reserved=0 Regards, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Mon, 2019-06-24 at 15:30 +0000, AMIEL Patrice wrote: > Hi all, > > I'm trying to deploy KeyCloak (v 4.8.3-final) in Standalone Cluster mode in order to answer a very specific requirement: get continuity of service 1/ in case of crash of a KeyCloak instance, 2/ during the upgrade of my solution. > However, I unfortunately don't get such results :(, despite the fact the cluster looks to be properly configured. > > First, as I'm deploying KeyCloak in Kubernetes, I configured KeyCloak in Standalone Cluster by using the DNS_PING and a TCP transport for JGroups. Instances of the cluster can discover/see each other and the cluster is working fine as soon as it is used a couple of seconds/minutes after starting the instances. > I've created a simple script that just get in a loop the JWT tokens using the Token endpoint of a Realm, and I always have a 200 Ok status code whatever the KeyCloak instance that is hit through the Kubernetes Service. > > However, coming back to the 2 uses cases I'm interested in, it looks the KeyCloak instances are getting crazy as soon as the cluster is not "stable". By "cluster is not stable", I mean: > > - When scaling down the number of Keycloak instances (whatever it is by killing a Container or by a smart scale down of the Kubernetes Deployment) > > - When performing a rolling update of the Pods > > In both cases, during a particular time, most of the calls to get a JWT return a HTTP 499 status code and KeyCloak logs show the following: > 08:14:56,785 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p13-t1) ISPN000136: Error executing command GetKeyValueCommand, writing keys ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v > at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) > at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > > 08:14:56,790 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-992) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Time-provider-5c55bbd99d-kqr8v > at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:259) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672) > at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306) > at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.lang.Thread.run(Thread.java:748) > Caused by: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v > at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) > at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > ... 1 more > Suppressed: org.infinispan.util.logging.TraceException > at org.infinispan.interceptors.impl.SimpleAsyncInvocationStage.get(SimpleAsyncInvocationStage.java:41) > at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:250) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672) > at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306) > at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > ... 1 more > > It looks that the KeyCloak instances that is still alive and receiving the call for generation of the JWT is trying to contact the other instances in order to get some data from the distributed cache... In particular, it tries to contact the instance that is no longer here (because killed, shutdown, rolled...), received a Timeout error, and then terminates the incoming request in error. > As I'm making the same request within a loop, I see the error happening during a couple of seconds (around 10 to 15 secs), i.e. during the time the cluster composition is not stabilized yet. When the re-discovery of the cluster has been performed, the new composition of the cluster is updated, and everything goes back to normal! > > I can understand, from KeyCloak documentation on server caches (https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.keycloak.org%2Fdocs%2F4.8%2Fserver_installation%2Findex.html%23_replication&data=02%7C01%7Cpatrice.amiel%40gemalto.com%7Cd1eda3ff5bf74dbc390408d6f8c80987%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C1%7C636969935378606026&sdata=Y5X0sa3QgXcZv98XQOD38i3%2BvjcowL3rZHDfdGsIELk%3D&reserved=0) that "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. You can change the number of nodes that replicate a piece of data by change the owners attribute in the distributed-cache declaration.", but unfortunately, setting the "owner" field to 2 (or more !) for all distributed caches does not remove the issue. > I even tried to change the type of cache from "distributed-cache" to "replicated-cache", but then KeyCloak is not starting: > >

name="offlineSessions"/> >

name="loginFailures"/> > > > > Error during startup: > 15:07:13,942 ERROR [org.infinispan.topology.LocalTopologyManagerImpl] (transport-thread--p14-t10) ISPN000230: Failed to start rebalance for cache authenticationSessions: java.lang.ClassCastException: org.infinispan.distribution.ch.impl.DefaultConsistentHash cannot be cast to org.infinispan.distribution.ch.impl.ReplicatedConsistentHash > at org.infinispan.distribution.ch.impl.SyncReplicatedConsistentHashFactory.union(SyncReplicatedConsistentHashFactory.java:26) > at org.infinispan.topology.LocalTopologyManagerImpl.doHandleRebalance(LocalTopologyManagerImpl.java:512) > at org.infinispan.topology.LocalTopologyManagerImpl.lambda$handleRebalance$3(LocalTopologyManagerImpl.java:475) > at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175) > at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37) > at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47) > at java.lang.Thread.run(Thread.java:748) > > Did I forgot one thing? How to get a real continuity of service with KeyCloak? Is Standalone Cluster mode the good way, and how? > > Thanks a lot for your help. > Patrice > > ________________________________ > This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist > s.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=02%7C01%7Cpa > trice.amiel%40gemalto.com%7Cd1eda3ff5bf74dbc390408d6f8c80987%7C37d0a9d > b7c464096bfe31add5b495d6d%7C0%7C1%7C636969935378606026&sdata=l0rOr > rqLoxwu3rTB0UJ4G6Cdqsf8mzzUt6VQWxx6%2FfU%3D&reserved=0 ________________________________ This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus. From felipe at hopu.eu Mon Jul 1 10:17:28 2019 From: felipe at hopu.eu (Felipe Roca) Date: Mon, 1 Jul 2019 16:17:28 +0200 Subject: [keycloak-user] Keycloak demo 6.0.0 Message-ID: Hi, I am trying to set up the example in Server development - 8.3 Authenticator SPI Walk Through, the implementation of an authenticator that requires that a user enter in the answer to a secret question. The documentation assures this code is available in examples/providers/authenticator but it is not in the github repository and I can't find the keycloak-demo-6.0.0.[zip|tar.gz], where I assume this code may be. Could anyone point me to the url to download this version of distribution files? Thank you very much for your time and efforts, Best regards, -- Felipe Roca Blaya Software Engineer - HOP Ubiquitous S.L. www.hopu.eu C/Luis Bu?uel 6 30562, Ceut?, Murcia. Spain - logo_hop - face Twitter google vimeo linkedin From bruno at abstractj.org Mon Jul 1 12:41:54 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 1 Jul 2019 13:41:54 -0300 Subject: [keycloak-user] Keycloak demo 6.0.0 In-Reply-To: References: Message-ID: <20190701164154.GA27949@abstractj.org> Hi Felipe, I believe this is what you're looking for: https://github.com/keycloak/keycloak/tree/master/examples/providers/authenticator This example, will probably be available in the next release. I hope it helps. On 2019-07-01, Felipe Roca wrote: > Hi, > > I am trying to set up the example in Server development - 8.3 > Authenticator SPI Walk Through, the implementation of an authenticator > that requires that a user enter in the answer to a secret question. > > The documentation assures this code is available in > examples/providers/authenticator but it is not in the github repository > and I can't find the keycloak-demo-6.0.0.[zip|tar.gz], where I assume > this code may be. > > Could anyone point me to the url to download this version of > distribution files? > > Thank you very much for your time and efforts, > Best regards, > > -- > Felipe Roca Blaya > Software Engineer > - > HOP Ubiquitous S.L. > www.hopu.eu > C/Luis Bu?uel 6 > 30562, Ceut?, Murcia. > Spain > - > logo_hop > - > face Twitter > google > vimeo > linkedin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From chris.smith at cmfirstgroup.com Mon Jul 1 14:53:08 2019 From: chris.smith at cmfirstgroup.com (Chris Smith) Date: Mon, 1 Jul 2019 18:53:08 +0000 Subject: [keycloak-user] Using Active Directory as LDAP/Kerberos provider but all managemet from Keycloak In-Reply-To: References: Message-ID: Ok, KC is creating AD users. What I guess is that I need are the set of the Default Active Directory policies that I need to update for a trouble free KC implementation. Active Directory is to serve as the LDAP/Kerberos federation provider. How can a green field Active Directory Forest be setup for the best Keycloak experience and Active Directory maintenance be minimized? ?On 6/28/19, 2:33 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Chris Smith" wrote: I have a client implementing SSO. The plan is to setup a standalone Active Directory forest as the LDAP/Kerberos federation provider. Active directory was chosen because of limited Linux expertise. User self service and registration is strongly desired. I followed the setup and for existing users, authentication works and I can get a Kerberos ticket as a claim. A new user registration always fails. Has anyone done this? LDAP provider is Active Directory Edit Mode is WRITEABLE. Sync Registrations is ON Bind DN is an Active Directory domain administrator Kerberos integration is ON The Kerberos Principle and keytab are for the same user as the Bind DN. 11:33:49,799 WARN [org.keycloak.services] (default task-1) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Error creating subcontext [cn=\ ,CN=Users,DC=xxx-sso,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:625) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:102) at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:72) at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:269) at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:147) at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:768) at org.keycloak.authentication.forms.RegistrationUserCreation.success(RegistrationUserCreation.java:133) at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:251) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:627) at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:681) at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:661) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00002071: UpdErr: DSID-030503CF, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'cn=\ ,CN=Users,DC=xxx-sso,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:607) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:604) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:759) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:737) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:604) ... 82 more 11:33:49,946 WARN [org.keycloak.events] (default task-1) type=REGISTER_ERROR, realmId=XXX-SSO, clientId=xxx-sso, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, register_method=form, redirect_uri=http://localhost:9080/xxx-sso/kc, code_id=223fbcfb-4946-43c2-b483-5bd104e4f239, email=newUser at something.com, username=a.new.user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From mdailous at forensiclogic.com Mon Jul 1 18:09:48 2019 From: mdailous at forensiclogic.com (Michael Dailous) Date: Mon, 1 Jul 2019 22:09:48 +0000 Subject: [keycloak-user] Keycloak 6.0.1 caching authentication information for login form? Message-ID: We're seeing an issue where the login form is being pre-populated with the last user's login information, including password. Apparently, this is happening on a browser that hasn't previously logged in to the Keycloak server. Has there been any updates to the latest version that might cause this issue? Thank you, Michael From adityamamid9 at gmail.com Mon Jul 1 18:18:35 2019 From: adityamamid9 at gmail.com (Aditya mamidala) Date: Mon, 1 Jul 2019 18:18:35 -0400 Subject: [keycloak-user] Getting this exception Caused by: javax.persistence.EntityExistsException: A different object with the same identifier value was already associated with the session : [org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity#org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity$Key@e3a03493] Message-ID: We are trying to authenticate an existing user via Keycloak so implemented a custom SPI and added the custom SPI as User Federation "Getting a different object with the same identifier value was already associated with the session exception" when trying to add a user with role from a custom SPI to Keycloak database Please find the exception message *Caused by: javax.persistence.EntityExistsException: A different object with the same identifier value was already associated with the session : [org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity#org.keycloak.storage.jpa.entity.FederatedUserRoleMappingEntity$Key at e3a03493]* We are trying to use Keycloak *6.0.1* for authentication and using the custom provider to authenticate the users the user details are are in custom provider using Storage provider SPI @Override public UserModel getUserByUsername(String username, RealmModel realm) { UserModel userModel = new UserAdapter(session, realm, model, repository.findUserByUsernameOrEmail(username)); RoleModel roleModel = realm.getRole("user"); * // Adding the 'user' RoleModel to the UserModel object* userModel.grantRole(roleModel); return userModel; } The exception is happening when adding the "user" role and the realm this user is trying to add has role 'user' when i don't add the user role web application is redirected to keycloak web page for adding the user .... Realm containing the user role also there are no existing users fin the realm [image: Screen Shot 2019-07-01 at 4.46.39 PM.png] Newbie to Keycloak. Appreciate the community guidance in resolving the issue please. Thanks, Aditya -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2019-07-01 at 4.46.39 PM.png Type: image/png Size: 45716 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190701/c54583f4/attachment-0001.png From shivaprasadtp8 at gmail.com Tue Jul 2 03:18:29 2019 From: shivaprasadtp8 at gmail.com (Shiva Prasad Thagadur Prakash) Date: Tue, 2 Jul 2019 10:18:29 +0300 Subject: [keycloak-user] [keycloak-users] [jackson-databind] is default typing enabled in keycloak Message-ID: Hi guys, I was looking into CVE-2019-12814 and CVE-2019-12086. These are related to default typing in jackson-databind. *Is default typing enabled in keylock?* When I searched in code base I didn't see it enabled but I wanted to be sure and hence mailed you guys! Thanks, Shiva From craig at baseventure.com Tue Jul 2 08:32:28 2019 From: craig at baseventure.com (Craig Setera) Date: Tue, 2 Jul 2019 07:32:28 -0500 Subject: [keycloak-user] Reset credentials link without tab_id parameter Message-ID: We have a need to jump into the reset credentials flow from outside the Keycloak login page. When initiating from the login page, the URL looks like the following: https://keycloak-host/auth/realms/fm/login-actions/reset-credentials?client_id=my-client-id&tab_id=NH3L9bohxcU However, when initiating the forgotten password flow, we don't have access to the tab_id, so we have been using: https://keycloak-host/auth/realms/fm/login-actions/reset-credentials?client_id=my-client-id While this works to change the password, it ends up resulting with the account management user interface at the end, and saving from there causes an internal server error. The user-facing results are definitely not ideal. Is there any way to make this work properly if not launching from the login page? I don't see anything in the Javascript adapter documentation relative to reset credentials flow, so I don't know if there is any way to form that URL? Any help appreciated. Craig ================================= *Craig Setera* *Chief Technology Officer* From kyriakos.stefanidis at fokus.fraunhofer.de Tue Jul 2 08:32:59 2019 From: kyriakos.stefanidis at fokus.fraunhofer.de (Stefanidis, Kyriakos) Date: Tue, 2 Jul 2019 12:32:59 +0000 Subject: [keycloak-user] obtaining RTP by resource name In-Reply-To: References: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de> Message-ID: <8645abf6a1d14f7395f06c2abe28c6b5@fokus.fraunhofer.de> So, if I understand right: Regarding user managed resources Regarding RTP requests without ticket Owner of a resource: - Can get RTP for a resource by ID - Can get RTP for a resource by Name - Can get RTP for all resources (including the specific resource) User with access rights to a resource given by the owner: - Can get RTP for a resource by ID - Can get RTP for all resources (including the specific resource) Why is only the request by name not permitted? Kyriakos Stefanidis From: Pedro Igor Silva Sent: 24 June 2019 15:12 To: Stefanidis, Kyriakos Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] obtaining RTP by resource name Hi, You should be able to obtain a user-owned resource by name if the bearer token is referencing the owner as the subject. Which version of Keycloak are you using? I did not find any specific test for this but adding one that does exactly what you described (I can be missing something though) it works as expected. On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos > wrote: Hello all, ...more specifically people that use keycloak authorization services. While dealing with RTPs (without permission tickets) for both user and centrally managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why) The story: When a resource is owned by the resource provider (a client), you can get a RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter. Ex. "res1" is owned by "client.id" and given "update" scope permission to user "usr" via policy/permission combo $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res1.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res1.name#scope" //correct RTP with "update" for "res1" When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name] does not exist." Ex. "res2" is owned by "usr" and has an "update" scope $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res2.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res2.name#scope" //"Resource with id [res2.name] does not exist." The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should. Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property Is this supposed to happen? If yes, why? If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource? The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). Not being able to get RTP based on resource name for user owned resources, forces us to use a generic RTP for all resources every time which could become a burden if a user can access a very large number of resources. Best regards, Kyriakos Stefanidis _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Jul 2 09:08:03 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 2 Jul 2019 10:08:03 -0300 Subject: [keycloak-user] obtaining RTP by resource name In-Reply-To: <8645abf6a1d14f7395f06c2abe28c6b5@fokus.fraunhofer.de> References: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de> <8645abf6a1d14f7395f06c2abe28c6b5@fokus.fraunhofer.de> Message-ID: You got it right. And sorry for not understanding that you are talking about accessing "shared" resources, where the resource was granted by the owner to a different user and you want to obtain permissions for this resource as the user. We changed this behavior as you can see here https://issues.jboss.org/browse/KEYCLOAK-10020. Could you check if that JIRA describes your problem? Also, if you can achieve what you want using the latest version of Keycloak? Regards. Pedro Igor On Tue, Jul 2, 2019 at 9:34 AM Stefanidis, Kyriakos < kyriakos.stefanidis at fokus.fraunhofer.de> wrote: > So, if I understand right: > > > > Regarding user managed resources > > Regarding RTP requests without ticket > > > > Owner of a resource: > > - Can get RTP for a resource by ID > > - Can get RTP for a resource by Name > > - Can get RTP for all resources (including the specific resource) > > > User with access rights to a resource given by the owner: > > - Can get RTP for a resource by ID > > - Can get RTP for all resources (including the specific resource) > > > > Why is only the request by name not permitted? > > > > Kyriakos Stefanidis > > > > > > *From:* Pedro Igor Silva > *Sent:* 24 June 2019 15:12 > *To:* Stefanidis, Kyriakos > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] obtaining RTP by resource name > > > > Hi, > > > > You should be able to obtain a user-owned resource by name if the bearer > token is referencing the owner as the subject. Which version of Keycloak > are you using? > > > > I did not find any specific test for this but adding one that does exactly > what you described (I can be missing something though) it works as expected. > > > > On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos < > kyriakos.stefanidis at fokus.fraunhofer.de> wrote: > > Hello all, > ...more specifically people that use keycloak authorization services. > > While dealing with RTPs (without permission tickets) for both user and > centrally managed resources we encountered an inconsistent behavior and > would like to know if it is considered a bug or works as intended (and why) > > The story: > > When a resource is owned by the resource provider (a client), you can get > a RTP by providing either the resource id (uuid) or the resource name in > the "permissions" parameter. > > Ex. > "res1" is owned by "client.id" and given "update" scope permission to > user "usr" via policy/permission combo > $TOKEN is the access token for user "usr" > curl -X POST \ > https://something/auth/realms/something/protocol/openid-connect/token \ > -H "Authorization: Bearer $TOKEN" \ > --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ > --data "audience=client.id" \ > --data "permission=res1.id#scope" //correct RTP with "update" for "res1" > OR > --data "permission=res1.name#scope" //correct RTP with "update" for > "res1" > > > When a resource is owned by a user, you can only get a RTP by providing > the resource id (uuid) in the "permission" parameter. Requesting by name > returns an "Resource with id [res2.name] does not exist." > > Ex. > "res2" is owned by "usr" and has an "update" scope > $TOKEN is the access token for user "usr" > > curl -X POST \ > https://something/auth/realms/something/protocol/openid-connect/token \ > -H "Authorization: Bearer $TOKEN" \ > --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ > --data "audience=client.id" \ > --data "permission=res2.id#scope" //correct RTP with "update" for "res1" > OR > --data "permission=res2.name#scope" //"Resource with id [res2.name] > does not exist." > > The interesting thing is that If you request a RTP without specific > "permission" property, keycloak returns the correct RTP with "update" for > both res1 and res2 as it should. > > Our tests also shown that this behavior does not rely on the "user > managed" property but only the "owner" property > > Is this supposed to happen? > > If yes, why? > > If no, which one of the two is the buggy behavior? The behavior for the > user owned or the client owned resource? > > The main reason for this email is that the fact that you can obtain RTP > based on resource name is immensely helpful for us since the other clients > (other than the resource provider) cannot get the resource id from keycloak > but they do know what they are looking for (the resource name). Not being > able to get RTP based on resource name for user owned resources, forces us > to use a generic RTP for all resources every time which could become a > burden if a user can access a very large number of resources. > > Best regards, > Kyriakos Stefanidis > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From kyriakos.stefanidis at fokus.fraunhofer.de Tue Jul 2 09:11:13 2019 From: kyriakos.stefanidis at fokus.fraunhofer.de (Stefanidis, Kyriakos) Date: Tue, 2 Jul 2019 13:11:13 +0000 Subject: [keycloak-user] obtaining RTP by resource name In-Reply-To: References: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de> <8645abf6a1d14f7395f06c2abe28c6b5@fokus.fraunhofer.de> Message-ID: <5514158e3f49432c8233c72814e02936@fokus.fraunhofer.de> Aha. It seems fixed in 6.0.0 and we are still using 4.8.3.Final Time for an upgrade! Thanks for all the help ? Kyriakos Stefanidis From: Pedro Igor Silva Sent: 02 July 2019 15:08 To: Stefanidis, Kyriakos Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] obtaining RTP by resource name You got it right. And sorry for not understanding that you are talking about accessing "shared" resources, where the resource was granted by the owner to a different user and you want to obtain permissions for this resource as the user. We changed this behavior as you can see here https://issues.jboss.org/browse/KEYCLOAK-10020. Could you check if that JIRA describes your problem? Also, if you can achieve what you want using the latest version of Keycloak? Regards. Pedro Igor On Tue, Jul 2, 2019 at 9:34 AM Stefanidis, Kyriakos > wrote: So, if I understand right: Regarding user managed resources Regarding RTP requests without ticket Owner of a resource: - Can get RTP for a resource by ID - Can get RTP for a resource by Name - Can get RTP for all resources (including the specific resource) User with access rights to a resource given by the owner: - Can get RTP for a resource by ID - Can get RTP for all resources (including the specific resource) Why is only the request by name not permitted? Kyriakos Stefanidis From: Pedro Igor Silva > Sent: 24 June 2019 15:12 To: Stefanidis, Kyriakos > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] obtaining RTP by resource name Hi, You should be able to obtain a user-owned resource by name if the bearer token is referencing the owner as the subject. Which version of Keycloak are you using? I did not find any specific test for this but adding one that does exactly what you described (I can be missing something though) it works as expected. On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos > wrote: Hello all, ...more specifically people that use keycloak authorization services. While dealing with RTPs (without permission tickets) for both user and centrally managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why) The story: When a resource is owned by the resource provider (a client), you can get a RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter. Ex. "res1" is owned by "client.id" and given "update" scope permission to user "usr" via policy/permission combo $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res1.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res1.name#scope" //correct RTP with "update" for "res1" When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name] does not exist." Ex. "res2" is owned by "usr" and has an "update" scope $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res2.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res2.name#scope" //"Resource with id [res2.name] does not exist." The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should. Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property Is this supposed to happen? If yes, why? If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource? The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). Not being able to get RTP based on resource name for user owned resources, forces us to use a generic RTP for all resources every time which could become a burden if a user can access a very large number of resources. Best regards, Kyriakos Stefanidis _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From Ondrej.Scerba at zoomint.com Tue Jul 2 10:13:15 2019 From: Ondrej.Scerba at zoomint.com (Ondrej Scerba) Date: Tue, 2 Jul 2019 14:13:15 +0000 Subject: [keycloak-user] Is it possible to invalidate token in Spring Security Adapter In-Reply-To: References: <71b6316ae93141b9ae7cde41d8e19f7f@zoomint.com> Message-ID: <53badc397b8143bb860d9a1c8469ddcc@zoomint.com> Hi, Is there any example available, how can be remote introspection implemented with Keycloak Spring Security Adapter? Thanks, Ondrej From: Pedro Igor Silva Sent: Thursday, June 27, 2019 14:43 To: Ondrej Scerba Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Is it possible to invalidate token in Spring Security Adapter Hi, If you are using bearer tokens, the adapter only performs local validation based on a specific set of claims and signature. If you need to revoke tokens and propagate the revocation to your resource servers, you should consider introspecting the token using the token introspection endpoint. However, our adapters don't provide the support for choosing between local/remote introspection. Local introspection and validation are enough for most people but depending on your requirements/constraints you may want to use the introspection endpoint. Regards. Pedro Igor On Thu, Jun 27, 2019 at 8:51 AM Ondrej Scerba > wrote: Hi, Is it possible to invalidate token in "offline validator" in Spring Security Adapater? Thanks, Ondrej _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Jul 2 10:27:58 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 2 Jul 2019 11:27:58 -0300 Subject: [keycloak-user] Is it possible to invalidate token in Spring Security Adapter In-Reply-To: <53badc397b8143bb860d9a1c8469ddcc@zoomint.com> References: <71b6316ae93141b9ae7cde41d8e19f7f@zoomint.com> <53badc397b8143bb860d9a1c8469ddcc@zoomint.com> Message-ID: Hi, More details here https://www.keycloak.org/docs/latest/securing_apps/index.html#_token_introspection_endpoint and here https://tools.ietf.org/html/rfc7662#section-2.1. It is basically an HTTP request to the introspection endpoint where you pass the token you want to introspect and some credentials/bearer token so that the client (your app) making the request can be authenticated. On Tue, Jul 2, 2019 at 11:22 AM Ondrej Scerba wrote: > Hi, > > > > Is there any example available, how can be remote introspection > implemented with Keycloak Spring Security Adapter? > > Thanks, > Ondrej > > > > *From:* Pedro Igor Silva > *Sent:* Thursday, June 27, 2019 14:43 > *To:* Ondrej Scerba > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Is it possible to invalidate token in > Spring Security Adapter > > > > Hi, > > > > If you are using bearer tokens, the adapter only performs local validation > based on a specific set of claims and signature. If you need to revoke > tokens and propagate the revocation to your resource servers, you should > consider introspecting the token using the token introspection endpoint. > > > > However, our adapters don't provide the support for choosing between > local/remote introspection. Local introspection and validation are enough > for most people but depending on your requirements/constraints you may want > to use the introspection endpoint. > > > > Regards. > > Pedro Igor > > > > On Thu, Jun 27, 2019 at 8:51 AM Ondrej Scerba > wrote: > > Hi, > > Is it possible to invalidate token in "offline validator" in Spring > Security Adapater? > > Thanks, > Ondrej > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From Rob.Resendez at cpsi.com Tue Jul 2 12:52:24 2019 From: Rob.Resendez at cpsi.com (Rob Resendez) Date: Tue, 2 Jul 2019 16:52:24 +0000 Subject: [keycloak-user] Alternative first broker login for linking only Message-ID: <3cbacd7bbad74f42937da231ef23b5bf@cpsi.com> We have a use case that is sort of a hybrid of the typical IDP login (First Broker Login) and "linking only" via the UMA app. That is to say, we'd like the login form to enumerate IDP buttons, but instead of falling into "Create User If Unique" execution, we would need to fall into some flow similar to the "Handle Existing Account" merge/link process. Can anyone advise whether there are existing executions I can compose or ought to consult in some way? Thanks in advance Rob Resendez [cid:CPSINew_8e504092-fab6-4ce3-ab1f-37d711ec8192.PNG] Electronic Mail Confidentiality Notice: This electronic mail message and all attachments may contain confidential information belonging to the sender or the intended recipient. This information is intended ONLY for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution (electronic or otherwise), forwarding or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please immediately notify the sender by telephone, facsimile, or email to arrange for the return of the electronic mail, attachments, or documents. -------------- next part -------------- A non-text attachment was scrubbed... Name: CPSINew_8e504092-fab6-4ce3-ab1f-37d711ec8192.PNG Type: image/png Size: 9997 bytes Desc: CPSINew_8e504092-fab6-4ce3-ab1f-37d711ec8192.PNG Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190702/ecb59e8a/attachment.png From chris.smith at cmfirstgroup.com Tue Jul 2 15:42:32 2019 From: chris.smith at cmfirstgroup.com (Chris Smith) Date: Tue, 2 Jul 2019 19:42:32 +0000 Subject: [keycloak-user] SQL Server integrated authorization Message-ID: My keycloak instance is planned to use SQL Server for its database. It will be running on a Windows Server in an Active Directory domain I'd like to not embed the User/Password in the standalone.xml file. To enable this, the driver requires a windows dll to perform the db connection authentication. So, I'm looking for the best way to accomplish this. I'd rather not add -Djava.library.path= as a parameter when invoking standalone.bat Is there a way to configure it in the module created for the JDBC driver jar? From sven.voigt at gmail.com Tue Jul 2 15:55:52 2019 From: sven.voigt at gmail.com (Sven Voigt) Date: Tue, 02 Jul 2019 19:55:52 +0000 Subject: [keycloak-user] Setup of role model with two layers in keycloak Message-ID: Hello there! I'm part of a frontend project and I need some help to bring our authorization model into keycloak. We're building on node.js and the whole project uses stateless micro services - both in our frontend middleware and for the whole backend services we use. The frontend uses the standard JS adapter for session and token management. So far we have identified four roles: travel agent, back office, configurator and data security officer. That's easy so far. My problem is how to model the next authorization layer we need. For example: For the travel agents we want to be able to grant per person whether he can see specific customer data or is able to cancel orders. There are about 6-8 options for the travel agents. Thus, for the back office there shall be options for stock operations or different views on orders and so on. Like the backend we don't persist any data! That's why I have store all the things in keycloak and find a way to easily bring these information back to our middleware. Here's what I tried / thought of so far: * Use groups for the first layer and roles for the second one. --> doesn't work because the groups don't get exposed in the token. * Use realm roles for the upper and attributes for the lower hierarchy. --> attributes are not included in the access token. * Use realm roles for the upper and client roles on the lower hierarchy. --> works, but we have to make sure that roles on the second layer are definitely associated with only one role on the first layer. I don't know how yet. * Use roles for the first layer and resources on the second one. --> That seems to get very close to what we need. But at the moment I can't figure out the correct approach with all these policies and permissions... Thanks for any help and please let me know, if I shall provide some further information. Sven From hossein.doutaghy at gmail.com Tue Jul 2 16:22:26 2019 From: hossein.doutaghy at gmail.com (Hossein Doutaghy) Date: Tue, 2 Jul 2019 16:22:26 -0400 Subject: [keycloak-user] Is communication between keycloak instances and the distributed infinispan caches secure ? Message-ID: Hi, Does it use TLS to encrypt data sync between Keycloak instances when the Infinispan caches are synced? Does those caches contain sensitive data? There does not seem to be much documentation that indicates the communication between keycloak and the distributed infinispan caches is secure. Moe Doutaghy From corentin.dupont at gmail.com Tue Jul 2 16:28:21 2019 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 2 Jul 2019 22:28:21 +0200 Subject: [keycloak-user] resource ids In-Reply-To: References: Message-ID: Hi Pedro, What I wondered is why the name (beside the ID) should be unique? Regarding type, my point was that in my app resources with different types can have the same ID. On Thu, Jun 27, 2019 at 2:53 PM Pedro Igor Silva wrote: > Hi Corentin, > > One of the main reasons to allow setting the ID is to make easier to map > resources managed by Keycloak to those you are protecting in your app. > > The IDs must be unique. > > It is not clear to me why the type is not enough? > > On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont > wrote: > >> Hi guys, >> I discovered that you can provide your own id when creating resources: >> >> curl -X POST " >> http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" >> -H >> "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" >> -d >> '{*"_id": "123-456"*, "type": "test", "name":"test", >> >> "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", >> "ownerManagedAccess": true}' >> >> This is very practical for synchronizing the resources with my own >> database. >> After some investigation, I found: >> - the ID should be unique >> - the name should be unique >> >> Is that correct? The resource type is not used in the unicity. >> In my application database, resources with different types are stored in >> different collections, so two resources with different types *can* have >> the >> same ID. >> How do you suggest to solve this in Keycloak? Providing a keycloak ID of >> the form - for example? e.g. sensor-123 and project-123 would >> not >> collide. >> >> Cheers >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From davidkarlsen at gmail.com Tue Jul 2 16:37:12 2019 From: davidkarlsen at gmail.com (David Karlsen) Date: Tue, 2 Jul 2019 22:37:12 +0200 Subject: [keycloak-user] Wrong redirect url from KK In-Reply-To: References: Message-ID: No-one experienced this? Should report a bug? s?n. 30. jun. 2019 kl. 20:25 skrev David Karlsen : > I do IDP logon with request to redirect to > https://myhost.mydomain/somecontext/#/login > > but the redirect received is: > > https://myhost.mydomain/somecontext/?code=somecode&state=somestate#/login > > notice how the fragment comes at the end, and the parameters in-between. > Is this a known issue? I would guess it is quite common for angular-apps > to want to be redirected back into a well known route. > > -- > -- > David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen > -- -- David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen From orivat at janua.fr Wed Jul 3 02:56:11 2019 From: orivat at janua.fr (Rivat Olivier) Date: Wed, 3 Jul 2019 08:56:11 +0200 Subject: [keycloak-user] Keycloak demo 6.0.0 In-Reply-To: References: Message-ID: <927fd4f8-bcaf-c178-d38b-9cded44203f8@janua.fr> Hi Felipe, You may find the authenticator examples in the 4.7? keycloak github https://github.com/keycloak/keycloak/tree/4.7.0.Final/examples/providers Regards, Olivier Rivat Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 T?l: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr Le 01/07/2019 ? 16:17, Felipe Roca a ?crit?: > Hi, > > I am trying to set up the example in Server development - 8.3 > Authenticator SPI Walk Through, the implementation of an authenticator > that requires that a user enter in the answer to a secret question. > > The documentation assures this code is available in > examples/providers/authenticator but it is not in the github repository > and I can't find the keycloak-demo-6.0.0.[zip|tar.gz], where I assume > this code may be. > > Could anyone point me to the url to download this version of > distribution files? > > Thank you very much for your time and efforts, > Best regards, > From orivat at janua.fr Wed Jul 3 02:56:32 2019 From: orivat at janua.fr (Rivat Olivier) Date: Wed, 3 Jul 2019 08:56:32 +0200 Subject: [keycloak-user] Keycloak demo 6.0.0 In-Reply-To: References: Message-ID: Hi Felipe, You may find the authenticator examples in the 4.7? keycloak github https://github.com/keycloak/keycloak/tree/4.7.0.Final/examples/providers Regards, Olivier Rivat Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 T?l: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr Le 01/07/2019 ? 16:17, Felipe Roca a ?crit?: > Hi, > > I am trying to set up the example in Server development - 8.3 > Authenticator SPI Walk Through, the implementation of an authenticator > that requires that a user enter in the answer to a secret question. > > The documentation assures this code is available in > examples/providers/authenticator but it is not in the github repository > and I can't find the keycloak-demo-6.0.0.[zip|tar.gz], where I assume > this code may be. > > Could anyone point me to the url to download this version of > distribution files? > > Thank you very much for your time and efforts, > Best regards, > From blazej.adamczyk at gmail.com Wed Jul 3 03:42:21 2019 From: blazej.adamczyk at gmail.com (=?UTF-8?Q?B=C5=82a=C5=BCej?= Adamczyk) Date: Wed, 03 Jul 2019 09:42:21 +0200 Subject: [keycloak-user] User Storage SPI/LDAP Provider and groups Message-ID: <1562139741.5532.0.camel@gmail.com> Hi all,? I want to extend user AND GROUP scheme with my own custom attributes and data model to fit it to the use case. I see several options here: 1) Extend the existing Keycloak entities with custom attributes (very simple, but the attribute bag pattern seems to generic here?)? 2) Use the User Storage API to map my own user/group entities to Keycloak (similarily like the quickstart "user-storage-jpa") ???2.1) Use import strategy - this probably would work well but it seems it is overcomplicating the architecutre (two schemas, synchronization etc.) ???2.2) Use non-import strategy - this seems more relevant for my need but I have a need to override not only users but also groups. And finally the question: 2.2 seems fine but after looking through the interfaces and looking through the ldap code I'm not sure how groups are working in federated example when import is off.? The code seems to relate everywhere to existing keycloak groups, the only place which I could find the groups are created is in GroupLDAPStorageMapper (updateKeycloakGroupTree.., and syncDataFrom.. methods). These are called by specific REST sync URL or by the import strategy (which in 2.2 is off).? Are the groups somehow automatically created when a group mapper is on and import off? If so, how is the groups view in console working - is it showing all LDAP groups? Or just those which were automatically imported when user groups were accessed? Also, can you please generally suggest which of the above options (1, 2.1 or 2.2) is better in my scenario and why? --? Best regards, Blazej Adamczyk From lists at merit.unu.edu Wed Jul 3 04:55:22 2019 From: lists at merit.unu.edu (mj) Date: Wed, 3 Jul 2019 10:55:22 +0200 Subject: [keycloak-user] ldap federation working | test connection / authentication buttons failing Message-ID: Hi, Keycloak 6.0.1, LDAP federation is working, users can logon and are updated automatically regularly from ldap: > 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST > 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users In keycloak, the configured ldap uri is ldap://localhost:389, where a haproxy instance is listening that talks ldaps to our DCs. The 'problem': in the keycloak GUI, the buttons 'Test authentication' and 'Test connection' do not work: "Error! Error when trying to connect to LDAP. See server.log for details." But nothing logged in server.log, and haproxy does not even log a connection attempt at all. Anyone else seeing this..? MJ From lilian.benoit at lbenoit.fr Wed Jul 3 08:49:43 2019 From: lilian.benoit at lbenoit.fr (Lilian BENOIT) Date: Wed, 03 Jul 2019 14:49:43 +0200 Subject: [keycloak-user] SQL Server integrated authorization In-Reply-To: References: Message-ID: Hello Chris, Best way is defined new module. Documentation for that is : https://www.keycloak.org/docs/latest/server_installation/index.html#package-the-jdbc-driver LB. Le 02/07/2019 21:42, Chris Smith a ?crit?: > My keycloak instance is planned to use SQL Server for its database. > It will be running on a Windows Server in an Active Directory domain > I'd like to not embed the User/Password in the standalone.xml file. > To enable this, the driver requires a windows dll to perform the db > connection authentication. > > So, I'm looking for the best way to accomplish this. > > I'd rather not add -Djava.library.path= as a parameter > when invoking standalone.bat > > Is there a way to configure it in the module created for the JDBC > driver jar? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mah124 at mail.aub.edu Wed Jul 3 10:47:14 2019 From: mah124 at mail.aub.edu (Mohammad Haj Hussein (Student)) Date: Wed, 3 Jul 2019 14:47:14 +0000 Subject: [keycloak-user] add my email to the list Message-ID: Dear Keycloak, Please add my email to the list. Regards, Mohammad Haj Hussein From l.lech at ringler.ch Wed Jul 3 11:15:12 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Wed, 3 Jul 2019 15:15:12 +0000 Subject: [keycloak-user] Logging in using REST-API to realm with customized browser flow Message-ID: <5E48B917000C984B86B77170F441903A18A163C1@exch.ringler.ch> Hello, I've created custom browser flow with additional 2fa step (based on https://github.com/gwallet/keycloak-sms-authenticator). If I log in using browser, I'm challenged to enter the code sent by SMS. However, I was able to log in using REST-API, bypassing the extra security. Is it some misconfiguration or known behavior? Custom flow is chosen under Authentication->Bindings. Best regards, Lukasz Lech From Lasse.Jahn at student.hpi.uni-potsdam.de Wed Jul 3 13:27:36 2019 From: Lasse.Jahn at student.hpi.uni-potsdam.de (Jahn, Lasse) Date: Wed, 3 Jul 2019 17:27:36 +0000 Subject: [keycloak-user] Permission Handling After Keycloak 4.5.0 Message-ID: <06991864-6F77-4F28-9397-5F067C5020E2@student.hpi.uni-potsdam.de> Hey everyone, I'm running Keycloak Server Version 4.5.0.Final according to the dockerfile from jboss shown in the dockerhub [1] with only changed keycloak version. (Took the tools from [2]) During developing I noticed that there is an Endpoint missing that I wanted to use (request a group list which have specific client role, for users this enpoint exists GET /{realm}/clients/{id}/roles/{role-name}/users In Keycloak 6.0 this also exists for groups. GET /{realm}/clients/{id}/roles/{role-name}/groups So I thought why not migrating to 6.0. After successful upgrade I realized that there is no permission tab?! I wanted to handle the permissions of a user to be a client admin as explained in the documentation [3] but this was not possible. I thougth that maybe that the docker image does not include everything, so I downloaded all at the keycloak.org available server distributions and run them via standalone.sh (4.8, 5.0, 6.0) all with the same result, there is no permission Tab ?! Is the documentation not updated and there is a way to enable the permission tab or how can I fullfill the mentioned scenario (client admin which is allowed to map roles) ? Regards Lasse [1] https://hub.docker.com/r/jboss/keycloak/dockerfile [2] https://github.com/jboss-dockerfiles/keycloak/tree/4.5.0.Final/server [3] https://www.keycloak.org/docs/latest/server_admin/index.html#managing-one-specific-client Viele Gr??e Lasse Jahn From bruno at abstractj.org Wed Jul 3 15:28:00 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 3 Jul 2019 16:28:00 -0300 Subject: [keycloak-user] add my email to the list In-Reply-To: References: Message-ID: You are already subscribed, otherwise you should not be able to send e-mail to keycloak-user. On Wed, Jul 3, 2019 at 11:56 AM Mohammad Haj Hussein (Student) wrote: > > Dear Keycloak, > > Please add my email to the list. > > Regards, > Mohammad Haj Hussein > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From thomas.darimont at googlemail.com Wed Jul 3 19:06:29 2019 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 4 Jul 2019 01:06:29 +0200 Subject: [keycloak-user] Identity First authentication flow and trick for extension specific theme resources Message-ID: Hello Keycloak-Users, I made some progress with a Google-like Identity First authentication flow and found some interesting tricks that I wanted to share. In my keycloak-extension-playground repository, I added an example extension which supports a multi-step Identity first authentication mechanism as Google and others provide. See: https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-identity-first-extension The authentication flow works as follows: Instead of asking for username AND password on the login screen I only ask for the username. A password is then asked in a consecutive step. This enables additional user-specific authentication steps. You can find a short demo-gif in this tweet: https://twitter.com/thomasdarimont/status/1146552622943559682 - The example features two authenticators 'SelectUserAuthenticatorForm' and 'PasswordAuthenticatorForm'. SelectUserAuthenticatorForm: Shows a form to enter the username (or email) and provides a mechanism for resolving a user based on the given username. PasswordAuthenticatorForm: Based on the selected user, a password form is shown - The forms are sent asynchronously via AJAX without reloading the login page - The authentication process can be aborted/restarted via by clicking 'cancel' on the password form Now comes a nice trick, I learned while I was looking for a way to ship custom extension specific js/css/img resources with an authenticator without(!) having to customize a realm login theme. As you might now, one can have authenticator/extension specific templates that are shipped in the extension jar within the 'theme-resources/template' folder. This works fine if you can do everything in an .ftl template, but falls short, when you need extension specific css/js/img. However, if you also ship a CUSTOM extension specific theme within the extension, then one can access resources provided by this theme! In my case: I created a theme folder with a login theme, named like the extension: extension: auth-identity-first-extension theme-name: auth-identity-first-extension-theme The resulting folder structure looks like this: auth-identity-first-extension/src/main/resources/theme/auth-identity-first-extension-theme/login/resources The 'resources' folder contains sub-folders for 'js' and 'css' resources combined with a META-INF/keycloak-themes.json descriptor. See: https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-identity-first-extension/src/main/resources/theme/auth-identity-first-extension-theme/login/resources auth-identity-first-extension/src/main/resources/META-INF/keycloak-themes.json: { "themes": [ { "name": "auth-identity-first-extension-theme", "types": [ "login"] } ]} This allows to refer to the extension specific theme resources from within a template, e.g. in the 'select-user-form.ftl' template this looks like: We effectively define a custom theme within the extension jar just for the sake of exposing extension specific resources. I know that this feels a bit like a hack (because it is), but seems to work quite well ;-) Note that the extension specific theme also shows up within the realm theme selection, but you can ignore this. I hope that's useful for you too :) Cheers, Thomas From l.lech at ringler.ch Thu Jul 4 04:45:29 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Thu, 4 Jul 2019 08:45:29 +0000 Subject: [keycloak-user] Disable logging in via REST API Message-ID: <5E48B917000C984B86B77170F441903A18A16479@exch.ringler.ch> Hello, How to disable logging into Keycloak via REST API, without affecting logging in via browser? Which URLs I need to block? I have problem finding out that information... Best regards, Lukasz Lech From cedric at couralet.eu Thu Jul 4 05:15:00 2019 From: cedric at couralet.eu (=?utf-8?q?cedric=40couralet=2Eeu?=) Date: Thu, 04 Jul 2019 11:15:00 +0200 Subject: [keycloak-user] =?utf-8?q?Permission_Handling_After_Keycloak_4=2E?= =?utf-8?b?NS4w?= In-Reply-To: <06991864-6F77-4F28-9397-5F067C5020E2@student.hpi.uni-potsdam.de> Message-ID: <37e2-5d1dc380-89-31e10500@254995754> Le Mercredi, Juillet 03, 2019 19:27 CEST, "Jahn, Lasse" a ?crit: > Hey everyone, > > I'm running Keycloak Server Version 4.5.0.Final according to the dockerfile from jboss shown in the dockerhub [1] with only changed keycloak version. (Took the tools from [2]) > [...] > Is the documentation not updated and there is a way to enable the permission tab or how can I fullfill the mentioned scenario (client admin which is allowed to map roles) ? > You have to explicitly enable the feature : https://www.keycloak.org/docs/latest/server_installation/index.html#profiles Basically, to just enable this tab, lauching keycloak with -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled should be enough. Regards, C?dric Couralet > > Regards > Lasse > From lists at merit.unu.edu Thu Jul 4 06:52:21 2019 From: lists at merit.unu.edu (mj) Date: Thu, 4 Jul 2019 12:52:21 +0200 Subject: [keycloak-user] ldap federation working | test connection / authentication buttons failing In-Reply-To: References: Message-ID: <19c1d216-e6a1-6065-541e-1728798e3c32@merit.unu.edu> Hi, Off list, someone asked me to check if ldap://127.0.0.1:389 would work better than ldap://localhost:389, but it doesn't. But I am now also trying to fill in actual remote ldap servers, and they also don't work. Again nothing at all logged in server.log Do the test buttons work for others here? MJ On 7/3/19 10:55 AM, mj wrote: > Hi, > > Keycloak 6.0.1, LDAP federation is working, users can logon and are > updated automatically regularly from ldap: > >> 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST > 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users > > In keycloak, the configured ldap uri is ldap://localhost:389, where a > haproxy instance is listening that talks ldaps to our DCs. > > The 'problem': in the keycloak GUI, the buttons 'Test authentication' > and 'Test connection' do not work: > > "Error! Error when trying to connect to LDAP. See server.log for details." > > But nothing logged in server.log, and haproxy does not even log a > connection attempt at all. > > Anyone else seeing this..? > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From demetrio at carretti.pro Thu Jul 4 07:28:50 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Thu, 04 Jul 2019 14:28:50 +0300 Subject: [keycloak-user] Disable logging in via REST API In-Reply-To: <5E48B917000C984B86B77170F441903A18A16479@exch.ringler.ch> References: <5E48B917000C984B86B77170F441903A18A16479@exch.ringler.ch> Message-ID: Hi Lucasz, This is probably related to your yesterday's posting, correct? Could you please elaborate on what you mean by "logging into Keycloak via REST API"? Cheers, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Thu, 2019-07-04 at 08:45 +0000, Lukasz Lech wrote: > Hello, > > How to disable logging into Keycloak via REST API, without affecting logging in via browser? > > Which URLs I need to block? > > I have problem finding out that information... > > Best regards, > Lukasz Lech > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From demetrio at carretti.pro Thu Jul 4 07:45:55 2019 From: demetrio at carretti.pro (Dmitry Telegin) Date: Thu, 04 Jul 2019 14:45:55 +0300 Subject: [keycloak-user] Permission Handling After Keycloak 4.5.0 In-Reply-To: <06991864-6F77-4F28-9397-5F067C5020E2@student.hpi.uni-potsdam.de> References: <06991864-6F77-4F28-9397-5F067C5020E2@student.hpi.uni-potsdam.de> Message-ID: <73806f03959e46de1813b9ecdce8c2b02010894c.camel@carretti.pro> Hi Lasse, In addition to what C?dric suggested, please also mind that beginning with 4.5, Keycloak Docker image uses standalone-ha.xml by default instead of standalone.xml, so if you made any changes there, you will need to update the -ha.xml file. Cheers, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Wed, 2019-07-03 at 17:27 +0000, Jahn, Lasse wrote: > Hey everyone, > > I'm running Keycloak Server Version 4.5.0.Final according to the dockerfile from jboss shown in the dockerhub [1] with only changed keycloak version. (Took the tools from [2]) > > During developing I noticed that there is an Endpoint missing that I wanted to use (request a group list which have specific client role, for users this enpoint exists > > GET /{realm}/clients/{id}/roles/{role-name}/users > > In Keycloak 6.0 this also exists for groups. > GET /{realm}/clients/{id}/roles/{role-name}/groups > > So I thought why not migrating to 6.0. After successful upgrade I realized that there is no permission tab?! > I wanted to handle the permissions of a user to be a client admin as explained in the documentation [3] but this was not possible. > > I thougth that maybe that the docker image does not include everything, so I downloaded all at the keycloak.org available server distributions and run them via standalone.sh (4.8, 5.0, 6.0) all with the same result, there is no permission Tab ?! > > Is the documentation not updated and there is a way to enable the permission tab or how can I fullfill the mentioned scenario (client admin which is allowed to map roles) ? > > > Regards > Lasse > > [1] https://hub.docker.com/r/jboss/keycloak/dockerfile > [2] https://github.com/jboss-dockerfiles/keycloak/tree/4.5.0.Final/server > [3] https://www.keycloak.org/docs/latest/server_admin/index.html#managing-one-specific-client > > > > Viele Gr??e > Lasse Jahn > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From cedric at couralet.eu Thu Jul 4 07:50:59 2019 From: cedric at couralet.eu (=?utf-8?q?cedric=40couralet=2Eeu?=) Date: Thu, 04 Jul 2019 13:50:59 +0200 Subject: [keycloak-user] =?utf-8?q?ldap_federation_working_=7C_test_connec?= =?utf-8?q?tion_/_authentication_buttons_failing?= In-Reply-To: <19c1d216-e6a1-6065-541e-1728798e3c32@merit.unu.edu> Message-ID: <89d-5d1de800-3-1074ad00@21899244> Le Jeudi, Juillet 04, 2019 12:52 CEST, mj a ?crit: > Hi, > > Off list, someone asked me to check if ldap://127.0.0.1:389 would work > better than ldap://localhost:389, but it doesn't. > > But I am now also trying to fill in actual remote ldap servers, and they > also don't work. Again nothing at all logged in server.log > > Do the test buttons work for others here? Hello, It works for me with keycloak 6.0.1. The button sends a request to https:///auth/admin/realms//testLDAPConnection, can you try examining the response you have with this request (in the browser dev tools for instance) ? Regards, C?dric Couralet > MJ > > On 7/3/19 10:55 AM, mj wrote: > > Hi, > > > > Keycloak 6.0.1, LDAP federation is working, users can logon and are > > updated automatically regularly from ldap: > > > >> 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST > 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users > > > > In keycloak, the configured ldap uri is ldap://localhost:389, where a > > haproxy instance is listening that talks ldaps to our DCs. > > > > The 'problem': in the keycloak GUI, the buttons 'Test authentication' > > and 'Test connection' do not work: > > > > "Error! Error when trying to connect to LDAP. See server.log for details." > > > > But nothing logged in server.log, and haproxy does not even log a > > connection attempt at all. > > > > Anyone else seeing this..? > > > > MJ > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From l.lech at ringler.ch Thu Jul 4 08:09:24 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Thu, 4 Jul 2019 12:09:24 +0000 Subject: [keycloak-user] Disable logging in via REST API In-Reply-To: References: <5E48B917000C984B86B77170F441903A18A16479@exch.ringler.ch> Message-ID: <5E48B917000C984B86B77170F441903A18A16537@exch.ringler.ch> Hello, I'm using keycloak-admin-client library, which AFAIK uses https://www.keycloak.org/docs-api/5.0/rest-api/index.html directly. I've found out, that 'Direct Grant' flow is triggered and I could create an org.keycloak.authentication.Authenticator that would always call context.failure(), effectively blocking login through REST API for the realm... This what bothers me is that I have problems finding any documentation how does that Authenticator work and I'm extending the project someone has written and looking what is happening. Best regards, Lukasz Lech -----Original Message----- From: Dmitry Telegin [mailto:demetrio at carretti.pro] Sent: Donnerstag, 4. Juli 2019 13:29 To: Lukasz Lech ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Disable logging in via REST API Hi Lucasz, This is probably related to your yesterday's posting, correct? Could you please elaborate on what you mean by "logging into Keycloak via REST API"? Cheers, Dmitry Telegin Carretti Consulting O? | Keycloak Consulting and Training Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro On Thu, 2019-07-04 at 08:45 +0000, Lukasz Lech wrote: > Hello, > > How to disable logging into Keycloak via REST API, without affecting logging in via browser? > > Which URLs I need to block? > > I have problem finding out that information... > > Best regards, > Lukasz Lech > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From l.lech at ringler.ch Thu Jul 4 11:12:33 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Thu, 4 Jul 2019 15:12:33 +0000 Subject: [keycloak-user] Support for totp in REST client (org.keycloak.admin.client.Keycloak) Message-ID: <5E48B917000C984B86B77170F441903A18A16588@exch.ringler.ch> Hello, I was under impression, that activating TOTP will makes the account unable to use with REST api, but then I've found that people describe how to do that and that is actually supported through 'totp' parameter to the API call. The parameter would have to be added to org.keycloak.admin.client.token.TokenManager:grantToken() method. Rather through some interface for TOTP generator than the one-time code. Were there already any plans to extend the library (keycloak-admin-client) to support TOTP? To my understanding the code like that should work: if (PASSWORD.equals(accessTokenGrantType)) { form.param("username", config.getUsername()) .param("password", config.getPassword()); if (config.getTotpGenerator() != null) { form.param("totp", config.getTotpGenerator().getToken()); } } The caller would have to provide the implementation of TotpGenerator compliant with Keycloak settings and set the secret from otp configuration QR code... Best regards, Lukasz Lech From orivat at janua.fr Thu Jul 4 13:46:38 2019 From: orivat at janua.fr (Rivat Olivier) Date: Thu, 4 Jul 2019 19:46:38 +0200 Subject: [keycloak-user] (UMA) How is it possible to approve pending request via REST API calls Message-ID: Hi, I am playing with auth_uma_photoz example. 1. I have created some album resources for alice (album a5). 2. Jdoe has made a request to access to alice album 3. Through Rest API calls, I can see that there is a pending request on a5 resource owned by alice access_token_alice=$(curl -d "client_id=photoz-restful-api" -d "client_secret=secret"? -d "username=alice" -d "password=alice" -d "grant_type=password" http://localhost:8180/auth/realms/photoz/protocol/openid-connect/token | jq -r .access_token) ?curl http://localhost:8180/auth/realms/photoz/authz/protection/permission/ticket?owner=alice -H 'Authorization: Bearer '$access_token_alice | jq ? % Total??? % Received % Xferd? Average Speed?? Time??? Time Time? Current ???????????????????????????????? Dload? Upload?? Total?? Spent Left? Speed 100?? 258? 100?? 258??? 0???? 0? 86000????? 0 --:--:-- --:--:-- --:--:-- 86000 [ ? { ??? "id": "29505d42-da8d-46f5-afe2-f90e35845192", ??? "owner": "11f3314e-f1c6-40a9-912b-d6f9d0c5a177", ??? "resource": "dee953ef-1df8-4787-9d32-ce4e407da010", ??? "scope": "0dc735d5-1ecc-466d-ba9e-e59f8ad563e4", ??? "granted": false, ??? "requester": "dceb398e-9f68-4077-8073-ca53137cccb3" ? } ] So my question: What should be the command syntax to approve this request from Jdoe (I.e set "granted":true) using teh REST API. I have made several trials, quite unsuccessful, and haven't found any hint in the keycloak doc. Regards, Olivier From orivat at janua.fr Thu Jul 4 14:18:25 2019 From: orivat at janua.fr (Rivat Olivier) Date: Thu, 4 Jul 2019 20:18:25 +0200 Subject: [keycloak-user] (UMA) How is it possible to approve pending request via REST API calls In-Reply-To: References: Message-ID: <29d23b89-a452-23c9-c2a6-3771e8c288dd@janua.fr> Hi, Just found the answer: To approve a pending request ?curl -v -X PUT http://localhost:8180/auth/realms/photoz/authz/protection/permission/ticket -H 'Authorization: Bearer '$access_token_alice -H 'Content-Type: application/json' -d '{ ??? "id": "5c067c34-129a-4d1e-8911-4591ed29962c", ??? "owner": "11f3314e-f1c6-40a9-912b-d6f9d0c5a177", ??? "resource": "dee953ef-1df8-4787-9d32-ce4e407da010", ??? "scope": "0dc735d5-1ecc-466d-ba9e-e59f8ad563e4", ??? "granted": true, ??? "requester": "dceb398e-9f68-4077-8073-ca53137cccb3" ? }' TO revoke an approval ?curl -v -X PUT http://localhost:8180/auth/realms/photoz/authz/protection/permission/ticket -H 'Authorization: Bearer '$access_token_alice -H 'Content-Type: application/json' -d '{ ??? "id": "5c067c34-129a-4d1e-8911-4591ed29962c", ??? "owner": "11f3314e-f1c6-40a9-912b-d6f9d0c5a177", ??? "resource": "dee953ef-1df8-4787-9d32-ce4e407da010", ??? "scope": "0dc735d5-1ecc-466d-ba9e-e59f8ad563e4", ??? "granted": false, ??? "requester": "dceb398e-9f68-4077-8073-ca53137cccb3" ? }' -v It works great now !!! Regards, Olivier Le 04/07/2019 ? 19:46, Rivat Olivier a ?crit?: > Hi, > > I am playing with auth_uma_photoz example. > > 1. I have created some album resources for alice (album a5). > 2. Jdoe has made a request to access to alice album > > 3. Through Rest API calls, I can see that there is a pending request > on a5 resource owned by alice > > > > access_token_alice=$(curl -d "client_id=photoz-restful-api" -d > "client_secret=secret"? -d "username=alice" -d "password=alice" -d > "grant_type=password" > http://localhost:8180/auth/realms/photoz/protocol/openid-connect/token > | jq -r .access_token) > > > ?curl > http://localhost:8180/auth/realms/photoz/authz/protection/permission/ticket?owner=alice > -H 'Authorization: Bearer '$access_token_alice | jq > ? % Total??? % Received % Xferd? Average Speed?? Time??? Time Time? > Current > ???????????????????????????????? Dload? Upload?? Total?? Spent Left? > Speed > 100?? 258? 100?? 258??? 0???? 0? 86000????? 0 --:--:-- --:--:-- > --:--:-- 86000 > [ > ? { > ??? "id": "29505d42-da8d-46f5-afe2-f90e35845192", > ??? "owner": "11f3314e-f1c6-40a9-912b-d6f9d0c5a177", > ??? "resource": "dee953ef-1df8-4787-9d32-ce4e407da010", > ??? "scope": "0dc735d5-1ecc-466d-ba9e-e59f8ad563e4", > ??? "granted": false, > ??? "requester": "dceb398e-9f68-4077-8073-ca53137cccb3" > ? } > ] > > > So my question: > What should be the command syntax to approve this request from Jdoe > (I.e set "granted":true) using teh REST API. > I have made several trials, quite unsuccessful, and haven't found any > hint in the keycloak doc. > > Regards, > Olivier > From andrew.martel at indexexchange.com Thu Jul 4 16:50:16 2019 From: andrew.martel at indexexchange.com (Andrew Martel) Date: Thu, 4 Jul 2019 20:50:16 +0000 Subject: [keycloak-user] KEYCLOAK-3205 Message-ID: Hello, My company is waiting on the functionality to have encrypted client secrets: https://github.com/keycloak/keycloak-community/blob/master/design/secure-credentials-store.md. Would someone be able to provide me with a timeline on when this will be released? Thanks, Andrew Martel CONFIDENTIALITY NOTICE AND DISCLAIMER : This telecommunication, including any and all attachments, contains confidential information intended only for the person(s) to whom it is addressed. Any dissemination, distribution, copying or disclosure is strictly prohibited and is not a waiver of confidentiality. If you have received this telecommunication in error, please notify the sender immediately by return electronic mail and delete the message from your inbox and deleted items folders. This telecommunication does not constitute an express or implied agreement to conduct transactions by electronic means, nor does it constitute a contract offer, a contract amendment or an acceptance of a contract offer. Contract terms contained in this telecommunication are subject to legal review and the completion of formal documentation and are not binding until same is confirmed in writing and has been signed by an authorized signatory. From bruno at abstractj.org Thu Jul 4 18:56:14 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 4 Jul 2019 19:56:14 -0300 Subject: [keycloak-user] KEYCLOAK-3205 In-Reply-To: References: Message-ID: <20190704225614.GA27142@abstractj.org> Hi Andrew, the team started to look at this, but we cannot commit with any dates yet. To keep track of the work just keep an eye on: https://issues.jboss.org/browse/KEYCLOAK-3205 On 2019-07-04, Andrew Martel wrote: > Hello, > > My company is waiting on the functionality to have encrypted client secrets: https://github.com/keycloak/keycloak-community/blob/master/design/secure-credentials-store.md. > > Would someone be able to provide me with a timeline on when this will be released? > > Thanks, > Andrew Martel > > > CONFIDENTIALITY NOTICE AND DISCLAIMER : This telecommunication, including any and all attachments, contains confidential information intended only for the person(s) to whom it is addressed. Any dissemination, distribution, copying or disclosure is strictly prohibited and is not a waiver of confidentiality. If you have received this telecommunication in error, please notify the sender immediately by return electronic mail and delete the message from your inbox and deleted items folders. This telecommunication does not constitute an express or implied agreement to conduct transactions by electronic means, nor does it constitute a contract offer, a contract amendment or an acceptance of a contract offer. Contract terms contained in this telecommunication are subject to legal review and the completion of formal documentation and are not binding until same is confirmed in writing and has been signed by an authorized signatory. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From lists at merit.unu.edu Fri Jul 5 03:52:14 2019 From: lists at merit.unu.edu (mj) Date: Fri, 5 Jul 2019 09:52:14 +0200 Subject: [keycloak-user] ldap federation working | test connection / authentication buttons failing In-Reply-To: <89d-5d1de800-3-1074ad00@21899244> References: <89d-5d1de800-3-1074ad00@21899244> Message-ID: <090c1cb7-f702-704a-7491-ee15616b5cb0@merit.unu.edu> Hi C?dric, I edited the request for our installation, and the browser dev tools said: > Error loading this URI: Could not load the source for https:///auth/admin/realms/OUR_REALM/testLDAPConnection. > [Exception... "Component returned failure code: 0x80470002 (NS_BASE_STREAM_CLOSED) [nsIInputStream.available]" nsresult: "0x80470002 (NS_BASE_STREAM_CLOSED)" location: "JS frame :: resource://devtools/shared/DevToolsUtils.js :: onResponse :: line 555" data: no] > Stack: onResponse at resource://devtools/shared/DevToolsUtils.js:555:34 > onStopRequest at resource://gre/modules/NetUtil.jsm:123:17 > Line: 555, column: 0 Does the above mean anything to you..? We appreciated your response, many thanks! MJ On 7/4/19 1:50 PM, cedric at couralet.eu wrote: > Le Jeudi, Juillet 04, 2019 12:52 CEST, mj a ?crit: > >> Hi, >> >> Off list, someone asked me to check if ldap://127.0.0.1:389 would work >> better than ldap://localhost:389, but it doesn't. >> >> But I am now also trying to fill in actual remote ldap servers, and they >> also don't work. Again nothing at all logged in server.log >> >> Do the test buttons work for others here? > > Hello, > > It works for me with keycloak 6.0.1. > The button sends a request to https:///auth/admin/realms//testLDAPConnection, can you try examining the response you have with this request (in the browser dev tools for instance) ? > > Regards, > C?dric Couralet > > > >> MJ > > > >> >> On 7/3/19 10:55 AM, mj wrote: >>> Hi, >>> >>> Keycloak 6.0.1, LDAP federation is working, users can logon and are >>> updated automatically regularly from ldap: >>> >>>> 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST > 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users >>> >>> In keycloak, the configured ldap uri is ldap://localhost:389, where a >>> haproxy instance is listening that talks ldaps to our DCs. >>> >>> The 'problem': in the keycloak GUI, the buttons 'Test authentication' >>> and 'Test connection' do not work: >>> >>> "Error! Error when trying to connect to LDAP. See server.log for details." >>> >>> But nothing logged in server.log, and haproxy does not even log a >>> connection attempt at all. >>> >>> Anyone else seeing this..? >>> >>> MJ >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > From cedric at couralet.eu Fri Jul 5 03:56:46 2019 From: cedric at couralet.eu (=?utf-8?q?cedric=40couralet=2Eeu?=) Date: Fri, 05 Jul 2019 09:56:46 +0200 Subject: [keycloak-user] =?utf-8?q?ldap_federation_working_=7C_test_connec?= =?utf-8?q?tion_/_authentication_buttons_failing?= In-Reply-To: <090c1cb7-f702-704a-7491-ee15616b5cb0@merit.unu.edu> Message-ID: <1dfc-5d1f0280-13-65641a00@212219095> Hi, sorry for the stupid question, but did you change the hostname for the keycloak server (instead of ) ? That log would mean your browser can't connect to you keycloak, this would be really strange considering you access the admin interface. Also that request needs some context (auth,...) so it is easier to click on the button with the developpers tools opened and see what is the response. C?dric Le Vendredi, Juillet 05, 2019 09:52 CEST, mj a ?crit: > Hi C?dric, > > I edited the request for our installation, and the browser dev tools said: > > > Error loading this URI: Could not load the source for https:///auth/admin/realms/OUR_REALM/testLDAPConnection. > > [Exception... "Component returned failure code: 0x80470002 (NS_BASE_STREAM_CLOSED) [nsIInputStream.available]" nsresult: "0x80470002 (NS_BASE_STREAM_CLOSED)" location: "JS frame :: resource://devtools/shared/DevToolsUtils.js :: onResponse :: line 555" data: no] > > Stack: onResponse at resource://devtools/shared/DevToolsUtils.js:555:34 > > onStopRequest at resource://gre/modules/NetUtil.jsm:123:17 > > Line: 555, column: 0 > > Does the above mean anything to you..? > > We appreciated your response, many thanks! > > MJ > > On 7/4/19 1:50 PM, cedric at couralet.eu wrote: > > Le Jeudi, Juillet 04, 2019 12:52 CEST, mj a ?crit: > > > >> Hi, > >> > >> Off list, someone asked me to check if ldap://127.0.0.1:389 would work > >> better than ldap://localhost:389, but it doesn't. > >> > >> But I am now also trying to fill in actual remote ldap servers, and they > >> also don't work. Again nothing at all logged in server.log > >> > >> Do the test buttons work for others here? > > > > Hello, > > > > It works for me with keycloak 6.0.1. > > The button sends a request to https:///auth/admin/realms//testLDAPConnection, can you try examining the response you have with this request (in the browser dev tools for instance) ? > > > > Regards, > > C?dric Couralet > > > > > > > >> MJ > > > > > > > >> > >> On 7/3/19 10:55 AM, mj wrote: > >>> Hi, > >>> > >>> Keycloak 6.0.1, LDAP federation is working, users can logon and are > >>> updated automatically regularly from ldap: > >>> > >>>> 2019-07-02 17:39:49,761 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users from LDAP to local store: realm: our_realm, federation provider: our_realm-ad, last sync time: Mon Jul 01 17:39:43 CEST > 2019-07-02 17:39:50,067 INFO [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (Timer-2) Sync changed users finished: 3 imported users, 22 updated users > >>> > >>> In keycloak, the configured ldap uri is ldap://localhost:389, where a > >>> haproxy instance is listening that talks ldaps to our DCs. > >>> > >>> The 'problem': in the keycloak GUI, the buttons 'Test authentication' > >>> and 'Test connection' do not work: > >>> > >>> "Error! Error when trying to connect to LDAP. See server.log for details." > >>> > >>> But nothing logged in server.log, and haproxy does not even log a > >>> connection attempt at all. > >>> > >>> Anyone else seeing this..? > >>> > >>> MJ > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From lists at merit.unu.edu Fri Jul 5 04:07:32 2019 From: lists at merit.unu.edu (mj) Date: Fri, 5 Jul 2019 10:07:32 +0200 Subject: [keycloak-user] ldap federation working | test connection / authentication buttons failing In-Reply-To: <1dfc-5d1f0280-13-65641a00@212219095> References: <1dfc-5d1f0280-13-65641a00@212219095> Message-ID: <04695f5e-c5cc-8f5f-4b7a-1e68bcab7c1c@merit.unu.edu> Hi, On 7/5/19 9:56 AM, cedric at couralet.eu wrote: > Hi, sorry for the stupid question, but did you change the hostname for the keycloak server (instead of ) ? Haha, yes, I did change it of course :-) Ok, so, did it straight from the admin console, with dev tools open. That gives more info: > XML Parsing Error: no root element found > Location: https:///auth/admin/realms/OUR_REALM/testLDAPConnection?action=testConnection&bindCredential=**********&bindDn=cn%3Dsearch_etc******&componentId=e7159941-88ee-4cd3-9b61-936896ed580c&connectionTimeout=&connectionUrl=ldap:%2F%2Flocalhost:389&useTruststoreSpi=never > Line Number 1, Column 1: Obviously also the bindDN is obfuscated, and actually is how we configured it. So, XML parsing error..? Thanks again! MJ From orivat at janua.fr Fri Jul 5 07:40:18 2019 From: orivat at janua.fr (Rivat Olivier) Date: Fri, 5 Jul 2019 13:40:18 +0200 Subject: [keycloak-user] RPT tokens can still be used after approval revokation Message-ID: <9e73d11e-ed0b-0f45-855a-465fa44042f4@janua.fr> Hi, I have the following use case 1) alice is creating some resouces (a5 for example) 2) jdoe is asking to access a5 3) alice approves request for Jdoe to access a5 4) Jdoe is getting an rpt token and now can access to a5 (so far so good) 5) Alice is revoking Jdoe access right for a5 6) RPT token of Jdoe is still valid (it has no yet expired) ---> Joe can access to alice a5 resource without any problem For me it sounds like a bug. I was expecting Jdoe no longer being able to access alice A5 resource? (after revokation from alice). Regards, Olivier From orivat at janua.fr Fri Jul 5 07:55:28 2019 From: orivat at janua.fr (Rivat Olivier) Date: Fri, 5 Jul 2019 13:55:28 +0200 Subject: [keycloak-user] RPT tokens can still be used after approval revokation In-Reply-To: <9e73d11e-ed0b-0f45-855a-465fa44042f4@janua.fr> References: <9e73d11e-ed0b-0f45-855a-465fa44042f4@janua.fr> Message-ID: <452ab804-c1ee-4ff7-1e4e-65661a4e7ea0@janua.fr> Hi, I have the following use case 1) alice is creating some resouces (a5 for example) 2) jdoe is asking to access a5 3) alice approves request for Jdoe to access a5 4) Jdoe is getting an rpt token and now can access to a5 (so far so good) 5) Alice is revoking Jdoe access right for a5 6) RPT token of Jdoe is still valid (it has no yet expired) ---> Joe can access to alice a5 resource without any problem For me it sounds like a bug. I was expecting Jdoe no longer being able to access alice A5 resource? (after revokation from alice). Do you conform my understanding, or is this the normal expected behavior ? Regards, Olivier From sblanc at redhat.com Fri Jul 5 08:12:05 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 5 Jul 2019 14:12:05 +0200 Subject: [keycloak-user] RPT tokens can still be used after approval revokation In-Reply-To: <452ab804-c1ee-4ff7-1e4e-65661a4e7ea0@janua.fr> References: <9e73d11e-ed0b-0f45-855a-465fa44042f4@janua.fr> <452ab804-c1ee-4ff7-1e4e-65661a4e7ea0@janua.fr> Message-ID: Pedro can confirm but if I'm not wrong an RPT is like any other access token and will be valid until it expired (5 minutes by default). Especially with an RPT where the verification can be completely made offline. You can push a "not before" from the console to invalidate immediatly the token. On Fri, Jul 5, 2019 at 2:09 PM Rivat Olivier wrote: > > > Hi, > > I have the following use case > > 1) alice is creating some resouces (a5 for example) > 2) jdoe is asking to access a5 > 3) alice approves request for Jdoe to access a5 > 4) Jdoe is getting an rpt token and now can access to a5 (so far so good) > 5) Alice is revoking Jdoe access right for a5 > > 6) RPT token of Jdoe is still valid (it has no yet expired) > ---> Joe can access to alice a5 resource without any problem > > For me it sounds like a bug. I was expecting Jdoe no longer being able > to access alice A5 resource (after revokation from alice). > Do you conform my understanding, or is this the normal expected behavior ? > > Regards, > Olivier > > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jonesy at sydow.org Fri Jul 5 08:39:50 2019 From: jonesy at sydow.org (JTK) Date: Fri, 5 Jul 2019 07:39:50 -0500 Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final In-Reply-To: References:

Message-ID: Just now getting back to this due to the holiday week, but I don't believe we need the chain loaded on the ELB on the smart card, as it's a pass-through and the certs in question that are on the smart card are loaded into the KeyCloak keystore, and once a user launches the KeyCloak interface it should reference the internal KeyCloak keystore to verify the chain. I would only need the certs on the ELB if we were requiring user certs prior to the KeyCloak website, which we aren't. It looks like I'm back to square one. Thoughts? On Fri, Jun 28, 2019 at 11:41 AM JTK wrote: > Obviously the certs are not loaded on the ELB as I need them. > openssl s_client -servername keycloak.domainhere.net -connect > keycloak.domainhere.net:8443 > 2>/dev/null | egrep "subject=|issuer=|notAfter=" > subject=CN = keycloak.domainhere.net > issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon > > I'm waiting on feedback from our internal team to find out when they can > load the Root CA/Intermediate certs on the proxy. It might not be until > next week, but I will update when I get a chance. > > Thanks! > > On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter > wrote: > >> Run the command "openssl s_client -connect :" where host and >> port are the Keycloak's host and the port number (e.g. >> login.mycompany.com:443) and verify that the list of certificates >> listed under "Acceptable CA client certificate names" is not empty and that >> the CA names match the client cert's issuer >> >> >> ________________________________________ >> From: JTK [jonesy at sydow.org] >> Sent: Friday, June 28, 2019 11:27 AM >> To: Nalyvayko, Peter >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on >> KeyCloak version 4.8.3.Final >> >> Here is the standalone.xml file if anyone can sport or locate any obvious >> errors associated with it. >> >> https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw= >> >> Authentication flow: >> https://imgur.com/tZYj9N9 (Bindings) >> https://imgur.com/3v2HYtW (Flows) >> >> On Fri, Jun 28, 2019 at 9:13 AM JTK > jonesy at sydow.org>> wrote: >> I'll look into it. I'm sure it's something simple, but it's just not >> clicking. As of now I'm only testing my CAC and so there is a Root CA along >> with an intermediate CA which I have loaded into Keycloak. >> This is the steps I used: >> >> keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer >> >> keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks >> -file Email-CA-1.cer >> >> ... >> >> Just for clarity and sanity check, with our current IdP, we only need to >> load the public certs (Root/Intermediate) and as long as they are loaded, >> any user certificate that is presented would be trusted if the chain is >> loaded for that user certificate. We do not have access to the private keys >> for the certificates loaded to the keystore.jks - I just want to make sure >> that's not the issue. >> >> >> At this point in time, I'd love to see ERROR in the server.log file, but >> I just get INFO. >> >> tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR" >> >> The output of the above command has no output. >> >> >> This is some of the output: >> >> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished >> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { >> 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 } >> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** >> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake >> state: finished[20] >> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and >> SHA1 hashes: len = 16 >> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C >> 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... >> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext >> before ENCRYPTION: len = 16 >> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C >> 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, >> WRITE: TLSv1.2 Handshake, length = 40 >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server >> session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384] >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: >> length = 6 >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 >> 01 01 ...... >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: >> length = 45 >> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 >> 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O >> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 >> 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w....... >> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F >> 33 D2 CA D3 C5 FA A5 05 54 $...3.......T >> >> etc >> >> >> Here is the output of keystore.jks >> >> keytool -list -v -keystore keycloak.jks | grep DoD >> Enter keystore password: password >> Owner: CN=Root CA, OU=PKI, O=Company, C=US >> Issuer: CN=Root CA, OU=PKI, O=Company, C=US >> Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US >> Issuer: CN=Root CA, OU=PKI, O=Company, C=US >> >> >> Sows the Root CA and the Intermediate CA (CA-1) >> >> >> On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter > > wrote: >> We have successfully tested and deployed the CAC card & X509 auth without >> any issues. One suggestion is In the SSL debug output search for a list of >> CA authorities the KC server sends back to the client as a part of mutual >> SSL handshake. For the mutual SSL to kick in, the client certificates >> registered on the client machine must be signed by one of the CAs from >> that list. >> >> For example, say your trusted store has a CA cert with the Subject: >> CN=cert_auth >> >> Then you should be prompted to select a cert only if your client cert's >> issuer (the cert used to sign the client cert) matches the subject above. >> >> You may also try troubleshooting using "openssl s_client" to avoid >> digging through thousands of lines of SSL debug output >> >> I hope it makes sense and helps :) >> >> Cheers >> >> --Peter >> >> ________________________________________ >> From: JTK [jonesy at sydow.org] >> Sent: Friday, June 28, 2019 9:17 AM >> To: Nalyvayko, Peter >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on >> KeyCloak version 4.8.3.Final >> >> Thanks, I enabled the debug option for ssl in >> ../keycloak/bin/standalone.conf >> if [ "x$JAVA_OPTS" = "x" ]; then >> JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M >> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true" >> JAVA_OPTS="$JAVA_OPTS >> -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS >> -Djava.awt.headless=true -Djavax.net.debug=ssl" >> >> I am seeing no errors in the logs related to certificates. I do see the >> root CA I'm trying to use along with the intermediate. >> I am using a client certificate, but I'm providing it via a card reader >> on my computer. So I'm presenting a token on a smart card per say and not a >> soft cert loaded on my system. >> Would this make a difference? Should I be seeing any sort of error output >> in the logs if the certs were loaded wrong or any other JAVA related issue? >> I can post the debug output, but it's quite line. >> - >> Note, we currently use a commercial based IdP which accepts our smart >> card with tokens on them, so I assumed Keycloak by default would see a >> certificate loaded locally or via the smart card reader. >> >> >> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter > > pnalyvayko at agi.com>>> wrote: >> One possible reason you are not getting prompted is that the intermediate >> or root certs in your trust store do not match the intermediate or root >> certs used to sign the client certificates registered on your client >> machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, >> see https://access.redhat.com/solutions/973783 for more info. >> >> ________________________________________ >> From: keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org>> keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org>> [ >> keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org>> keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org>>] on behalf of JTK [ >> jonesy at sydow.org> jonesy at sydow.org>>] >> Sent: Thursday, June 27, 2019 2:00 PM >> To: keycloak-user at lists.jboss.org> >> keycloak-user at lists.jboss.org>> >> Subject: [keycloak-user] Not being prompted for x509 User Certs on >> KeyCloak version 4.8.3.Final >> >> I've read through all the documentation I can find online both with the >> official documents and everything else I could find and I believe I have >> everything setup, with additional logging turned on, but I'm not getting >> any type of prompt for a x509 certificate when logging in. >> >> Here is the excerpts from the standalone.xml file where ssl-realm was >> added to the management security-realms and under the subsystem. >> >> >> >> ...... >> >> >> >> > relative-to="jboss.server.config.dir" keystore-password="mypass"/> >> >> >> >> > relative-to="jboss.server.config.dir" keystore-password="mypass"/> >> >> >> ...... >> >> > default-server="default-server" default-virtual-host="default-host" >> default-servlet-container="default" default-security-domain="other"> >> >> >> > redirect-socket="https" enable-http2="true"/> >> > security-realm="ssl-realm" verify-client="REQUESTED"/> >> >> >> > directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/> >> >> >> >> I've setup the Authentication Flows for the Browser to have x509/Validate >> Username Form above the new Browser flow and it's required. >> Everything is setup per the KeyCloak documentation to include the binding >> settings. >> >> The only thing I'm not sure about is if the keycloak.jks and >> truststore.jks >> files are the issue. >> I have enabled extra logging as best I know, but I'm not seeing anything >> in >> the logs of any relevance when trying to authenticate into the Keycloak >> Realm. >> >> Can anyone assist? We are looking to most likely purchase this as a >> product >> through RedHat SSO if it works well to get the support we need, but I've >> been hung up on this for a few weeks and I know it shouldn't be this hard. >> >> Thanks, >> J >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org> >> keycloak-user at lists.jboss.org>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From remko at FreeBSD.org Fri Jul 5 09:25:23 2019 From: remko at FreeBSD.org (Remko Lodder) Date: Fri, 5 Jul 2019 15:25:23 +0200 Subject: [keycloak-user] Set which user can authenticate at which client In-Reply-To: References: Message-ID: <7BD6C43D-D14B-4B99-A844-58D3C6DC0A3C@FreeBSD.org> Hello, > On 23 Jun 2019, at 21:37, Remko Lodder wrote: > > Signed PGP part > Hi, > > I am new to Keycloak and first of all I would like to thank you and all contributors for all your hard work. > I have little experience with Keycloak and it?s usage so please put me on the correct track in case I am off :-) > > So: For a customer and my own environment I am implementing Keycloak. I am consolidating our users in one > Realm and have added a multitude of clients (both saml as oidc). I would like to be able to place selectors on users > when importing them or setting it manually, that someone has access to for example gitlab. I found that Okta has > probably want I am looking for described here: > > https://help.okta.com/en/prod/Content/Topics/Directory/group-assign-app.htm > > Now, is there something like that also in Keycloak? I would like users to be part of a group, or role, or whatever > and that way control who has access where, without needing to fiddle with the application on the back (I can do > that for targetting specific roles, like admin, manager, read-write, read-only, etc). > > I was not able to find something similar .. so probably I overlooked it or didn?t understand the documentation :-) > > Any pointers/suggestions/this is not an option right now? > > Thanks & Again, thank you all, > Remko > > Is someone able help me with this? I know I can check the role on the client (like in NGINX) but I would like to set which users can authenticate at which client, without the client even knowing who the users actually are. That way I can create one big realm and provision my users that aren feed them through LDAP. Cheers Remko -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190705/09192d29/attachment.bin From juan.vanegas at netuxtecnologia.com Fri Jul 5 15:15:13 2019 From: juan.vanegas at netuxtecnologia.com (Juan Camilo Vanegas) Date: Fri, 5 Jul 2019 14:15:13 -0500 Subject: [keycloak-user] Keycloak policy enforcer for bearer-only client Message-ID: Hi. I am developing a Node.js web app that uses Keycloak as authentication service. I already have two clients: public client for the web app (app-web) and bearer-only for the API (app-api). On the app-api I use resources, scopes, policies, and permissions to control the access. To check the permissions, I am using the keycloak.enforcer(...) from the keycloak-connectmodule (npm keycloak-connect ). When I try to check permission, the server always returns 403 Access denied response. But if I change app-api from bearer-only to confidential (keeping the same keycloak.json configuration file), the client works fine and is capable to check permissions. This problem seems to be because a bearer-only client cannot obtain tokens from the server (keycloak similar question ). My question is: Is this a normal behavior of Keycloak? Why allow the Authorization tab in bearer-only clients if you cannot use the keycloak.enforcer? Am I missing some configuration? Thanks for your help. Stackoverflow question: https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client From almeidaraf at gmail.com Fri Jul 5 16:39:53 2019 From: almeidaraf at gmail.com (Rafael Almeida) Date: Fri, 5 Jul 2019 21:39:53 +0100 Subject: [keycloak-user] Serving SPA + API with keycloak-gatekeeper Message-ID: Hello, I think I must be missing something. I have a SPA and a backend. Currently, for simplicity, they are being served together from the same hostname (and server). I was able to configure keycloak-gatekeeper in front of it and everything seemed to work well at first. The / (root), which serves my SPA, redirects the user and, after they login, all endpoints become available. However, if the user logs out and still have the SPA loaded, the javascript will attempt to make requests to the API, but it will be unauthorized at this time. The API, however, instead of giving out a helpful 401, will respond with a 307. Understandable. I looked into the gatekeeper's docs and there is a no-redirects option. However, it's a global one, rather than per endpoint. That means that the only option to get the behaviour I want is to have two gatekeepers, one for the API and the other for the SPA, both sharing the same encryption key (so that they use the same session). They also need to be behind the same load balancer so they share hostnames. I think that'd work but it seems rather cumbersome. What am I missing? Am I doing things in a very unusual way? How else could I set this up? Thanks, Rafael From srinivas.nangunoori at microfocus.com Sun Jul 7 12:36:57 2019 From: srinivas.nangunoori at microfocus.com (Srinivas Nangunoori) Date: Sun, 7 Jul 2019 16:36:57 +0000 Subject: [keycloak-user] keycloak 2.5.5-final with bc-fips-1.0.1.jar Message-ID: Hi Experts, We want to integrate bc-fips in our application. We have changed our standalone.xml (Wildfly) to use BCKFS keystore and changed java.security to use security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider and keystore.type=bcfks Copied bc-fips-1.0.1.jar to jre/lib/ext /modules/system/layers/base/org/bouncycastle/fips But when I start my application, I see following error, Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider at org.keycloak.common.util.PemUtils.(PemUtils.java:41) at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:63) at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:137) at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:135) at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:252) at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:152) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) Not sure what I am missing. Could any one help me here. -Srini From sylvain.malnuit at lyra-network.com Mon Jul 8 04:12:20 2019 From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit) Date: Mon, 8 Jul 2019 10:12:20 +0200 (CEST) Subject: [keycloak-user] Contributions Message-ID: <2037353038.3420649.1562573540124.JavaMail.zimbra@lyra-network.com> Hi, I want to share with you my contributions to Keycloak: * https://github.com/malys/rh-sso-email-with-attachment: extension to attach files located in theme repository to email * https://github.com/malys/keycloak-groovy-helpers: high level groovy script using Java Admin API to script configuration and actions. I use it to automate deployment * https://github.com/malys/rh-sso-rest_federation: a generic REST federation supporting role, attributes and many options (I will probably include it in Ansible plugin) * https://github.com/malys/rh-sso-listener-log: Generate detailed logs for audit Feel free to use it, fork it or improve it. Bye Sylvain From stelios.kyprou at hellasdirect.gr Mon Jul 8 05:01:30 2019 From: stelios.kyprou at hellasdirect.gr (Stelios Kyprou) Date: Mon, 8 Jul 2019 12:01:30 +0300 Subject: [keycloak-user] Public and Bearer-only role propagation Message-ID: Hello guys, I am trying to work with the following setup, with the goal of eventually propagating Keycloak roles from the public client (front-end) to Spring Security Roles of a bearer-only client (back-end): Client Name Client Type Client Role Full Scope Allowed portals-frontend public TEST_ROLE FALSE portals-backend bearer-only VERSIONS: *Spring Boot:* org.keycloak:keycloak-spring-boot-2-starter:4.0.0.Final org.springframework.boot:spring-boot-starter-security:2.1.4.RELEASE *Angular:* angular: 7 "keycloak-angular": "6.1.0" *Keycloak Server:* 4.0.0.Final My Angular app is using *portals-frontend *client My Spring-Boot-2 app is using *portals-backend *client When running this setup, the back-end verifies the token, but it does not map the *portals-frontend* client Roles into *spring security principal.deatils.roles*. The only way I managed to do this is two ways; 1. Set *Full Scope allowed* to *true. (*I don't like this since we can't restrict the roles in each client token*)* 2. Use the same KC client in the back-end as the one used in the front-end app. (This means that new front-end apps that will need different rights, therefore a new client, will not be able to use the same back-end service) *QUESTION:* Is there a 3rd way, where I keep my configuration as is, and manage to map KC Roles into spring security's *principal.details.roles *list in the back-end and include the front-end client roles? Thanks in advance! P.S: *Additional context:* The Spring-Boot-2 configurations is: keycloak: realm: internal-portals bearer-only: true auth-server-url: ssl-required: external resource: portals-backend confidential-port: 0 principal-attribute: preferred_username use-resource-role-mappings: true With the following security config: @KeycloakConfiguration class SecurityConfig(private val securityProperties: SecurityProperties) : KeycloakWebSecurityConfigurerAdapter() { @Bean fun keycloakConfigResolver(): KeycloakConfigResolver { return KeycloakSpringBootConfigResolver() } @Autowired @Throws(Exception::class) fun configureGlobal(auth: AuthenticationManagerBuilder) { val keycloakAuthenticationProvider = keycloakAuthenticationProvider() keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(SimpleAuthorityMapper()) auth.authenticationProvider(keycloakAuthenticationProvider) } @Bean override fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy { return NullAuthenticatedSessionStrategy() } ... } From andrew.martel at indexexchange.com Mon Jul 8 10:45:48 2019 From: andrew.martel at indexexchange.com (Andrew Martel) Date: Mon, 8 Jul 2019 14:45:48 +0000 Subject: [keycloak-user] KEYCLOAK-3205 In-Reply-To: <20190704225614.GA27142@abstractj.org> References: <20190704225614.GA27142@abstractj.org> Message-ID: Ok, thank you for the response. I'll watch the ticket as suggested. I'm looking forward to seeing this released. Regards, Andrew -----Original Message----- From: Bruno Oliveira Sent: Thursday, July 4, 2019 6:56 PM To: Andrew Martel Cc: keycloak-user at lists.jboss.org; Hynek Mlnarik Subject: Re: [keycloak-user] KEYCLOAK-3205 Hi Andrew, the team started to look at this, but we cannot commit with any dates yet. To keep track of the work just keep an eye on: https://issues.jboss.org/browse/KEYCLOAK-3205 On 2019-07-04, Andrew Martel wrote: > Hello, > > My company is waiting on the functionality to have encrypted client secrets: https://github.com/keycloak/keycloak-community/blob/master/design/secure-credentials-store.md. > > Would someone be able to provide me with a timeline on when this will be released? > > Thanks, > Andrew Martel > > > CONFIDENTIALITY NOTICE AND DISCLAIMER : This telecommunication, including any and all attachments, contains confidential information intended only for the person(s) to whom it is addressed. Any dissemination, distribution, copying or disclosure is strictly prohibited and is not a waiver of confidentiality. If you have received this telecommunication in error, please notify the sender immediately by return electronic mail and delete the message from your inbox and deleted items folders. This telecommunication does not constitute an express or implied agreement to conduct transactions by electronic means, nor does it constitute a contract offer, a contract amendment or an acceptance of a contract offer. Contract terms contained in this telecommunication are subject to legal review and the completion of formal documentation and are not binding until same is confirmed in writing and has been signed by an authorized signatory. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From M.Notarnicola at klopotek.it Mon Jul 8 12:02:03 2019 From: M.Notarnicola at klopotek.it (Notarnicola, Mara) Date: Mon, 8 Jul 2019 16:02:03 +0000 Subject: [keycloak-user] FW: Override "native" Keycloak providers In-Reply-To: <7D37129B-790A-41F1-9616-BF35B5D22EAA@contoso.com> References: <7D37129B-790A-41F1-9616-BF35B5D22EAA@contoso.com> Message-ID: Hi all, I'm using keycloak 6.0.1 and I'm facing the same issue, are there some update about this request? ---- Notarnicola, Mara Software Engineer Klopotek Software & Technology Services Italia srl Via Federico II di Svevia, 4481 70023 ? Gioia del Colle (BA) https://www.klopotek.com -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Jerry Saravia Sent: Tuesday, March 26, 2019 9:19 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Override "native" Keycloak providers Hello, Disclaimer: This might be a keycloak dev mailing list question. We?ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we?ve run into some issues. Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of ?keycloak-password? and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map. See this link here for 3.4.3 changes: https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L100 These are the 4.8 changes https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/java/org/keycloak/provider/ProviderManager.java#L96-L99 In 4.8, the fully qualified class name (FQCN) is not longer used. Instead it uses the provider id and the spi name. I can no longer use the same PROVIDER_ID as the native providers to ?override? them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this: PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID); In 3.4.3 because our provider was loaded we were able to inject into code that normally isn?t overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior even the UpdatePassword required action itself rather than making a brand new required action that is a ?second rate? because it isn?t native to Keycloak. Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history. J Jerry Saravia Software Engineer T(516) 603-6914 M516-603-6914 virginpulse.com |virginpulse.com/global-challenge 492 Old Connecticut Path, Framingham, MA 01701, USA Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. v2.48 From pnalyvayko at agi.com Mon Jul 8 12:02:20 2019 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Mon, 8 Jul 2019 16:02:20 +0000 Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final In-Reply-To: References:

Message-ID: Can you confirm that the SSL termination is handled by individual Keycloak instances? From: JTK Sent: Friday, July 5, 2019 8:40 AM To: Nalyvayko, Peter Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final Just now getting back to this due to the holiday week, but I don't believe we need the chain loaded on the ELB on the smart card, as it's a pass-through and the certs in question that are on the smart card are loaded into the KeyCloak keystore, and once a user launches the KeyCloak interface it should reference the internal KeyCloak keystore to verify the chain. I would only need the certs on the ELB if we were requiring user certs prior to the KeyCloak website, which we aren't. It looks like I'm back to square one. Thoughts? On Fri, Jun 28, 2019 at 11:41 AM JTK > wrote: Obviously the certs are not loaded on the ELB as I need them. openssl s_client -servername keycloak.domainhere.net -connect keycloak.domainhere.net:8443 2>/dev/null | egrep "subject=|issuer=|notAfter=" subject=CN = keycloak.domainhere.net issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon I'm waiting on feedback from our internal team to find out when they can load the Root CA/Intermediate certs on the proxy. It might not be until next week, but I will update when I get a chance. Thanks! On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter > wrote: Run the command "openssl s_client -connect :" where host and port are the Keycloak's host and the port number (e.g. login.mycompany.com:443) and verify that the list of certificates listed under "Acceptable CA client certificate names" is not empty and that the CA names match the client cert's issuer ________________________________________ From: JTK [jonesy at sydow.org] Sent: Friday, June 28, 2019 11:27 AM To: Nalyvayko, Peter Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final Here is the standalone.xml file if anyone can sport or locate any obvious errors associated with it. https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw= Authentication flow: https://imgur.com/tZYj9N9 (Bindings) https://imgur.com/3v2HYtW (Flows) On Fri, Jun 28, 2019 at 9:13 AM JTK >> wrote: I'll look into it. I'm sure it's something simple, but it's just not clicking. As of now I'm only testing my CAC and so there is a Root CA along with an intermediate CA which I have loaded into Keycloak. This is the steps I used: keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file Email-CA-1.cer ... Just for clarity and sanity check, with our current IdP, we only need to load the public certs (Root/Intermediate) and as long as they are loaded, any user certificate that is presented would be trusted if the chain is loaded for that user certificate. We do not have access to the private keys for the certificates loaded to the keystore.jks - I just want to make sure that's not the issue. At this point in time, I'd love to see ERROR in the server.log file, but I just get INFO. tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR" The output of the above command has no output. This is some of the output: 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 } 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake state: finished[20] 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1 hashes: len = 16 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION: len = 16 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Handshake, length = 40 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384] 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 6 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01 01 ...... 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 45 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w....... 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3 C5 FA A5 05 54 $...3.......T etc Here is the output of keystore.jks keytool -list -v -keystore keycloak.jks | grep DoD Enter keystore password: password Owner: CN=Root CA, OU=PKI, O=Company, C=US Issuer: CN=Root CA, OU=PKI, O=Company, C=US Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US Issuer: CN=Root CA, OU=PKI, O=Company, C=US Sows the Root CA and the Intermediate CA (CA-1) On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter >> wrote: We have successfully tested and deployed the CAC card & X509 auth without any issues. One suggestion is In the SSL debug output search for a list of CA authorities the KC server sends back to the client as a part of mutual SSL handshake. For the mutual SSL to kick in, the client certificates registered on the client machine must be signed by one of the CAs from that list. For example, say your trusted store has a CA cert with the Subject: CN=cert_auth Then you should be prompted to select a cert only if your client cert's issuer (the cert used to sign the client cert) matches the subject above. You may also try troubleshooting using "openssl s_client" to avoid digging through thousands of lines of SSL debug output I hope it makes sense and helps :) Cheers --Peter ________________________________________ From: JTK [jonesy at sydow.org>] Sent: Friday, June 28, 2019 9:17 AM To: Nalyvayko, Peter Cc: keycloak-user at lists.jboss.org

> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf if [ "x$JAVA_OPTS" = "x" ]; then JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true" JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl" I am seeing no errors in the logs related to certificates. I do see the root CA I'm trying to use along with the intermediate. I am using a client certificate, but I'm providing it via a card reader on my computer. So I'm presenting a token on a smart card per say and not a soft cert loaded on my system. Would this make a difference? Should I be seeing any sort of error output in the logs if the certs were loaded wrong or any other JAVA related issue? I can post the debug output, but it's quite line. - Note, we currently use a commercial based IdP which accepts our smart card with tokens on them, so I assumed Keycloak by default would see a certificate loaded locally or via the smart card reader. On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter >>>> wrote: One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info. ________________________________________ From: keycloak-user-bounces at lists.jboss.org

>> [keycloak-user-bounces at lists.jboss.org

>>] on behalf of JTK [jonesy at sydow.org>>>] Sent: Thursday, June 27, 2019 2:00 PM To: keycloak-user at lists.jboss.org

>> Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final I've read through all the documentation I can find online both with the official documents and everything else I could find and I believe I have everything setup, with additional logging turned on, but I'm not getting any type of prompt for a x509 certificate when logging in. Here is the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.

......

I've setup the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required. Everything is setup per the KeyCloak documentation to include the binding settings. The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue. I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm. Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard. Thanks, J _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org

>> https://lists.jboss.org/mailman/listinfo/keycloak-user From jonesy at sydow.org Mon Jul 8 12:05:31 2019 From: jonesy at sydow.org (JTK) Date: Mon, 8 Jul 2019 11:05:31 -0500 Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final In-Reply-To: References:

Message-ID: Yes, there is no proxy, just a ELB with pass-through. I'm wondering if I have something misconfigured in the config file. On Mon, Jul 8, 2019, 11:02 AM Nalyvayko, Peter wrote: > Can you confirm that the SSL termination is handled by individual Keycloak > instances? > > > > *From:* JTK > *Sent:* Friday, July 5, 2019 8:40 AM > *To:* Nalyvayko, Peter > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Not being prompted for x509 User Certs on > KeyCloak version 4.8.3.Final > > > > Just now getting back to this due to the holiday week, but I don't believe > we need the chain loaded on the ELB on the smart card, as it's a > pass-through and the certs in question that are on the smart card are > loaded into the KeyCloak keystore, and once a user launches the KeyCloak > interface it should reference the internal KeyCloak keystore to verify the > chain. I would only need the certs on the ELB if we were requiring user > certs prior to the KeyCloak website, which we aren't. > > It looks like I'm back to square one. Thoughts? > > > > > > On Fri, Jun 28, 2019 at 11:41 AM JTK wrote: > > Obviously the certs are not loaded on the ELB as I need them. > openssl s_client -servername keycloak.domainhere.net -connect > keycloak.domainhere.net:8443 > 2>/dev/null | egrep "subject=|issuer=|notAfter=" > subject=CN = keycloak.domainhere.net > issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon > > > > I'm waiting on feedback from our internal team to find out when they can > load the Root CA/Intermediate certs on the proxy. It might not be until > next week, but I will update when I get a chance. > > > > Thanks! > > > > On Fri, Jun 28, 2019 at 10:57 AM Nalyvayko, Peter > wrote: > > Run the command "openssl s_client -connect :" where host and > port are the Keycloak's host and the port number (e.g. > login.mycompany.com:443) and verify that the list of certificates listed > under "Acceptable CA client certificate names" is not empty and that the CA > names match the client cert's issuer > > > ________________________________________ > From: JTK [jonesy at sydow.org] > Sent: Friday, June 28, 2019 11:27 AM > To: Nalyvayko, Peter > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on > KeyCloak version 4.8.3.Final > > Here is the standalone.xml file if anyone can sport or locate any obvious > errors associated with it. > > https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw= > > Authentication flow: > https://imgur.com/tZYj9N9 (Bindings) > https://imgur.com/3v2HYtW (Flows) > > On Fri, Jun 28, 2019 at 9:13 AM JTK jonesy at sydow.org>> wrote: > I'll look into it. I'm sure it's something simple, but it's just not > clicking. As of now I'm only testing my CAC and so there is a Root CA along > with an intermediate CA which I have loaded into Keycloak. > This is the steps I used: > > keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer > > keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks > -file Email-CA-1.cer > > ... > > Just for clarity and sanity check, with our current IdP, we only need to > load the public certs (Root/Intermediate) and as long as they are loaded, > any user certificate that is presented would be trusted if the chain is > loaded for that user certificate. We do not have access to the private keys > for the certificates loaded to the keystore.jks - I just want to make sure > that's not the issue. > > > At this point in time, I'd love to see ERROR in the server.log file, but I > just get INFO. > > tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR" > > The output of the above command has no output. > > > This is some of the output: > > 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished > 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, > 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 } > 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** > 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake > state: finished[20] > 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and > SHA1 hashes: len = 16 > 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C > 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... > 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext > before ENCRYPTION: len = 16 > 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C > 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v...... > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, > WRITE: TLSv1.2 Handshake, length = 40 > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server > session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384] > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length > = 6 > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 > 01 01 ...... > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length > = 45 > 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 > 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O > 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 > 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w....... > 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F > 33 D2 CA D3 C5 FA A5 05 54 $...3.......T > > etc > > > Here is the output of keystore.jks > > keytool -list -v -keystore keycloak.jks | grep DoD > Enter keystore password: password > Owner: CN=Root CA, OU=PKI, O=Company, C=US > Issuer: CN=Root CA, OU=PKI, O=Company, C=US > Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US > Issuer: CN=Root CA, OU=PKI, O=Company, C=US > > > Sows the Root CA and the Intermediate CA (CA-1) > > > On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter > wrote: > We have successfully tested and deployed the CAC card & X509 auth without > any issues. One suggestion is In the SSL debug output search for a list of > CA authorities the KC server sends back to the client as a part of mutual > SSL handshake. For the mutual SSL to kick in, the client certificates > registered on the client machine must be signed by one of the CAs from > that list. > > For example, say your trusted store has a CA cert with the Subject: > CN=cert_auth > > Then you should be prompted to select a cert only if your client cert's > issuer (the cert used to sign the client cert) matches the subject above. > > You may also try troubleshooting using "openssl s_client" to avoid > digging through thousands of lines of SSL debug output > > I hope it makes sense and helps :) > > Cheers > > --Peter > > ________________________________________ > From: JTK [jonesy at sydow.org] > Sent: Friday, June 28, 2019 9:17 AM > To: Nalyvayko, Peter > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on > KeyCloak version 4.8.3.Final > > Thanks, I enabled the debug option for ssl in > ../keycloak/bin/standalone.conf > if [ "x$JAVA_OPTS" = "x" ]; then > JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true" > JAVA_OPTS="$JAVA_OPTS > -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS > -Djava.awt.headless=true -Djavax.net.debug=ssl" > > I am seeing no errors in the logs related to certificates. I do see the > root CA I'm trying to use along with the intermediate. > I am using a client certificate, but I'm providing it via a card reader on > my computer. So I'm presenting a token on a smart card per say and not a > soft cert loaded on my system. > Would this make a difference? Should I be seeing any sort of error output > in the logs if the certs were loaded wrong or any other JAVA related issue? > I can post the debug output, but it's quite line. > - > Note, we currently use a commercial based IdP which accepts our smart card > with tokens on them, so I assumed Keycloak by default would see a > certificate loaded locally or via the smart card reader. > > > On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter pnalyvayko at agi.com>>> wrote: > One possible reason you are not getting prompted is that the intermediate > or root certs in your trust store do not match the intermediate or root > certs used to sign the client certificates registered on your client > machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, > see https://access.redhat.com/solutions/973783 for more info. > > ________________________________________ > From: keycloak-user-bounces at lists.jboss.org keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org keycloak-user-bounces at lists.jboss.org>> [ > keycloak-user-bounces at lists.jboss.org keycloak-user-bounces at lists.jboss.org> keycloak-user-bounces at lists.jboss.org keycloak-user-bounces at lists.jboss.org>>] on behalf of JTK [ > jonesy at sydow.org jonesy at sydow.org>>] > Sent: Thursday, June 27, 2019 2:00 PM > To: keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org>> > Subject: [keycloak-user] Not being prompted for x509 User Certs on > KeyCloak version 4.8.3.Final > > I've read through all the documentation I can find online both with the > official documents and everything else I could find and I believe I have > everything setup, with additional logging turned on, but I'm not getting > any type of prompt for a x509 certificate when logging in. > > Here is the excerpts from the standalone.xml file where ssl-realm was > added to the management security-realms and under the subsystem. > > > > ...... > > > > relative-to="jboss.server.config.dir" keystore-password="mypass"/> > > > > relative-to="jboss.server.config.dir" keystore-password="mypass"/> > > > ...... > > default-server="default-server" default-virtual-host="default-host" > default-servlet-container="default" default-security-domain="other"> > > > redirect-socket="https" enable-http2="true"/> > security-realm="ssl-realm" verify-client="REQUESTED"/> > > > directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/> > > > > I've setup the Authentication Flows for the Browser to have x509/Validate > Username Form above the new Browser flow and it's required. > Everything is setup per the KeyCloak documentation to include the binding > settings. > > The only thing I'm not sure about is if the keycloak.jks and truststore.jks > files are the issue. > I have enabled extra logging as best I know, but I'm not seeing anything in > the logs of any relevance when trying to authenticate into the Keycloak > Realm. > > Can anyone assist? We are looking to most likely purchase this as a product > through RedHat SSO if it works well to get the support we need, but I've > been hung up on this for a few weeks and I know it shouldn't be this hard. > > Thanks, > J > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > keycloak-user at lists.jboss.org>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From craig at baseventure.com Mon Jul 8 12:34:47 2019 From: craig at baseventure.com (Craig Setera) Date: Mon, 8 Jul 2019 11:34:47 -0500 Subject: [keycloak-user] Allowed SAML audiences? Message-ID: If I have a SAML identity provider setup, what would the allowed audience values look like by default? Is there any place in the UI that I can see the allowed audience values? Thanks, Craig ================================= *Craig Setera* *Chief Technology Officer* From lrozenblyum at gmail.com Tue Jul 9 03:56:04 2019 From: lrozenblyum at gmail.com (Leonid Rozenblyum) Date: Tue, 9 Jul 2019 10:56:04 +0300 Subject: [keycloak-user] Single Logout in Identity brokering mode In-Reply-To: References: Message-ID: 1) Most likely keycloak cannot execute 3'd party log-out without browser interaction when the 3'd party Idp is not supporting backchannel logout, right? so HttpServletRequest.logout() documentation should be extended to mention this limitation That's why redirect solution works 3) why is Spring Security adapter exposing '/sso/logout' endpoint as a logout handler? is it a third 'unofficial' way to log-out? it looks like it does a little bit less than HttpServletRequest.logout() because HttpServletRequest.logout() also invokes SecurityContextLogoutHandler after KeycloakLogoutHandler (while /sso/logout directly invokes KeycloakLogoutHandler) On Fri, May 17, 2019 at 10:46 AM Leonid Rozenblyum wrote: > Hello! > > I'm working on Single Logout in Identity broker mode. > > App -> Keycloak (OpenIdConnect) > Keycloak -> 3'd party (SAML) > > Documentation to keycloak states that there are 2 ways to execute logout. > 1) HttpServletRequest.logout(). > 2) redirect the browser to > http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri > > If I execute 2) it indeed causes Keycloak send SAML Logout request to the > 3'd party Idp. > However if I execute 1) SAML logout request is not sent thus 3'd party > session is still valid. > > (I see that by enabling trace logging in keycloak and by fact that user is > still logged in) > > Is it something by design/misconfiguration at my side or a bug? > > > From lrozenblyum at gmail.com Tue Jul 9 04:39:36 2019 From: lrozenblyum at gmail.com (Leonid Rozenblyum) Date: Tue, 9 Jul 2019 11:39:36 +0300 Subject: [keycloak-user] Persistent sessions Message-ID: Hello! I saw these questions in the mailing list 2017 and earlier but would like to double check. We'd like to enable persistent session feature of WildFly in Keycloak (in non-HA environment) By doing this in standalone.xml It looks like the feature is not working correctly with keycloak: after keycloak reboot the sessions look lossed. Is it a misconfiguration at my side or a totally not supported feature by keycloak? Thanks in advance for explanation From manuel.waltschek at prisma-solutions.at Tue Jul 9 07:27:39 2019 From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek) Date: Tue, 9 Jul 2019 11:27:39 +0000 Subject: [keycloak-user] SAML Logout Response 403 Forbidden Message-ID: <30a0462454694938bfe0d03e51093eef@prisma-solutions.at> Hello, I am still trying to logout from my wildfly10 keycloak saml client application. I already described my issues in https://lists.jboss.org/pipermail/keycloak-user/2019-June/018550.html Quick summary: I am trying to logout by calling private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String contextPath = req.getContextPath(); resp.sendRedirect(contextPath + "?GLO=true"); } from a servlet. I am getting a LogoutResponse from my keycloak IdP with the following status code: It seems, that the client cannot handle this response and therefore redirects to a page with content ErrorForbidden with status code 403 Forbidden. I would appreciate any further help, thank you in advance, regards [Logo] Manuel Waltschek BSc. +43 660 86655 47 manuel.waltschek at prisma-solutions.at https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 M?dling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 6418 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190709/a5f57d5d/attachment.png From yurexus at gmail.com Tue Jul 9 08:21:39 2019 From: yurexus at gmail.com (Iurii) Date: Tue, 9 Jul 2019 15:21:39 +0300 Subject: [keycloak-user] How to allow only tokens with a specific claim at identity brokering in KeyCloak? Message-ID: Hello, I am using KeyCloak with two external identity providers configured for identity brokering. There is a requirement to not allow accessing the application protected with KeyCloak if the token issued by one of the external identity providers doesn't contain a specific claim. In other words - if external IdP "A" issues a token without claim "xxx" equal to "yyy", KeyCloak must not allow logging in. Is it possible to configure this in KeyCloak, or I will have to modify the application protected with KeyCloak to check this condition? Thanks! From psilva at redhat.com Tue Jul 9 08:33:29 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 9 Jul 2019 09:33:29 -0300 Subject: [keycloak-user] Keycloak policy enforcer for bearer-only client In-Reply-To: References: Message-ID: Hi Juan, It is the expected behavior but also a UI issue. You should not have access to that tab when the client is bearer-only. I've created https://issues.jboss.org/browse/KEYCLOAK-10808. On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas < juan.vanegas at netuxtecnologia.com> wrote: > Hi. > > I am developing a Node.js web app that uses Keycloak as authentication > service. I already have two clients: public client for the web app > (app-web) and bearer-only for the API (app-api). On the app-api I use > resources, scopes, policies, and permissions to control the access. > > To check the permissions, I am using the keycloak.enforcer(...) from the > keycloak-connectmodule (npm keycloak-connect > ). When I try to check > permission, the server always returns 403 Access denied response. But if I > change app-api from bearer-only to confidential (keeping the same > keycloak.json configuration file), the client works fine and is capable to > check permissions. > > This problem seems to be because a bearer-only client cannot obtain tokens > from the server (keycloak similar question > < > http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authorization-with-bearer-only-td2123.html > > > ). > > My question is: Is this a normal behavior of Keycloak? Why allow the > Authorization tab in bearer-only clients if you cannot use the > keycloak.enforcer? Am I missing some configuration? > > Thanks for your help. > > > Stackoverflow question: > > https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From juan.vanegas at netuxtecnologia.com Tue Jul 9 08:58:15 2019 From: juan.vanegas at netuxtecnologia.com (Juan Camilo Vanegas) Date: Tue, 9 Jul 2019 07:58:15 -0500 Subject: [keycloak-user] Keycloak policy enforcer for bearer-only client In-Reply-To: References:

Message-ID: Hi Pedro. Thanks for your help. So basically, if you need to protect your resources on the back-end, you should use a confidential client, but the keycloak.json configuration file should have the bearer-only key set to true, to you avoid redirecting the user to the login page and instead send a 403 Access denied response. Is this correct? Best regards, El mar., 9 jul. 2019 a las 7:33, Pedro Igor Silva () escribi?: > Hi Juan, > > It is the expected behavior but also a UI issue. You should not have > access to that tab when the client is bearer-only. I've created > https://issues.jboss.org/browse/KEYCLOAK-10808. > > On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas < > juan.vanegas at netuxtecnologia.com> wrote: > >> Hi. >> >> I am developing a Node.js web app that uses Keycloak as authentication >> service. I already have two clients: public client for the web app >> (app-web) and bearer-only for the API (app-api). On the app-api I use >> resources, scopes, policies, and permissions to control the access. >> >> To check the permissions, I am using the keycloak.enforcer(...) from the >> keycloak-connectmodule (npm keycloak-connect >> ). When I try to check >> permission, the server always returns 403 Access denied response. But if I >> change app-api from bearer-only to confidential (keeping the same >> keycloak.json configuration file), the client works fine and is capable to >> check permissions. >> >> This problem seems to be because a bearer-only client cannot obtain tokens >> from the server (keycloak similar question >> < >> http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authorization-with-bearer-only-td2123.html >> > >> ). >> >> My question is: Is this a normal behavior of Keycloak? Why allow the >> Authorization tab in bearer-only clients if you cannot use the >> keycloak.enforcer? Am I missing some configuration? >> >> Thanks for your help. >> >> >> Stackoverflow question: >> >> https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From psilva at redhat.com Tue Jul 9 09:06:04 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 9 Jul 2019 10:06:04 -0300 Subject: [keycloak-user] Keycloak policy enforcer for bearer-only client In-Reply-To: References:

Message-ID: +1 On Tue, Jul 9, 2019 at 9:58 AM Juan Camilo Vanegas < juan.vanegas at netuxtecnologia.com> wrote: > Hi Pedro. > > Thanks for your help. So basically, if you need to protect your resources > on the back-end, you should use a confidential client, but the > keycloak.json configuration file should have the bearer-only key set to > true, to you avoid redirecting the user to the login page and instead send > a 403 Access denied response. Is this correct? > > Best regards, > > El mar., 9 jul. 2019 a las 7:33, Pedro Igor Silva () > escribi?: > >> Hi Juan, >> >> It is the expected behavior but also a UI issue. You should not have >> access to that tab when the client is bearer-only. I've created >> https://issues.jboss.org/browse/KEYCLOAK-10808. >> >> On Fri, Jul 5, 2019 at 4:42 PM Juan Camilo Vanegas < >> juan.vanegas at netuxtecnologia.com> wrote: >> >>> Hi. >>> >>> I am developing a Node.js web app that uses Keycloak as authentication >>> service. I already have two clients: public client for the web app >>> (app-web) and bearer-only for the API (app-api). On the app-api I use >>> resources, scopes, policies, and permissions to control the access. >>> >>> To check the permissions, I am using the keycloak.enforcer(...) from the >>> keycloak-connectmodule (npm keycloak-connect >>> ). When I try to check >>> permission, the server always returns 403 Access denied response. But if >>> I >>> change app-api from bearer-only to confidential (keeping the same >>> keycloak.json configuration file), the client works fine and is capable >>> to >>> check permissions. >>> >>> This problem seems to be because a bearer-only client cannot obtain >>> tokens >>> from the server (keycloak similar question >>> < >>> http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authorization-with-bearer-only-td2123.html >>> > >>> ). >>> >>> My question is: Is this a normal behavior of Keycloak? Why allow the >>> Authorization tab in bearer-only clients if you cannot use the >>> keycloak.enforcer? Am I missing some configuration? >>> >>> Thanks for your help. >>> >>> >>> Stackoverflow question: >>> >>> https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bearer-only-client >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > From lists at merit.unu.edu Tue Jul 9 09:56:00 2019 From: lists at merit.unu.edu (lists) Date: Tue, 9 Jul 2019 15:56:00 +0200 Subject: [keycloak-user] [solved] Re: ldap federation working | test connection / authentication buttons failing In-Reply-To: <89d-5d1de800-3-1074ad00@21899244> References: <89d-5d1de800-3-1074ad00@21899244> Message-ID: <49cfa5ee-911c-99ec-852e-1f9f61dc597f@merit.unu.edu> Hi all, Just wanted to let you know the solution for my issue: I used custom themes. Appearantly themes do a bit more than 'just some formatting' because with the default 6.0.1 themes, the buttons started working again. So, now I recreated my themes, based on the default 6.0.1 themes, and everything works again now. I hope posting this here will help someone with a similar issue in the future. :-) Thanks for making keycloak as great as it it is! :-) MJ From prasus at gmail.com Tue Jul 9 10:12:59 2019 From: prasus at gmail.com (Prasad Kris) Date: Tue, 9 Jul 2019 19:42:59 +0530 Subject: [keycloak-user] Question regarding Token lifecycle in Keycloak Message-ID: Greetings, We are using Keycloak as our OIDC IdP for the internal applications and also for our kubernetes infrastructure, this setup is working great so far. We have the Session Idle Timeout set to 7 days currently and the Session Max Duration is set to 14 days and it works as expected for most of the user's but few users are having issues and have reported that their session is getting expired so fast. when checked in the admin UI, I see that multiple active sessions from those user accounts, but they have been presented with the login screen. I checked the logs and other configurations but couldn't notice any issues, so I believe that this has to do something in the user end as the settings are working fine for the majority of the user accounts.. but would like to know the root cause/more details first before coming to a conclusion. I would appreciate if someone could guide me to grab more details which will help to figure out the root cause of this issue, Cheers From clehingue at gmail.com Tue Jul 9 11:01:31 2019 From: clehingue at gmail.com (Christophe Lehingue) Date: Tue, 9 Jul 2019 17:01:31 +0200 Subject: [keycloak-user] How to do ? Message-ID: Hello, When registering a user, and that the latter declines the "terms & conditions": I would like to delete his data (when he clicked the button labeled "decline"). Do you have any idea how I could do without modifying JAVA KEYCLOAK? I was thinking of a SQL triger, but is there a simplest way to do that? Regards, Christophe ======= IN FRENCH ====== Bonjour, Lors de l'inscription d'un utilisateur, et que ce dernier d?cline les "terms & conditions" : je souhaiterais supprimer ses donn?es (quand il a cliqu? sur le bouton intitul? "d?cline"). Avez-vous une id?e de comment je pourrais faire sans modifier les souces JAVA KEYCLOAK ? J'avais penser ? un triger SQL, mais y a t'il un moyen plus simple pour faire cela ? Cordialement, Christophe From srinivas.nangunoori at microfocus.com Tue Jul 9 12:38:14 2019 From: srinivas.nangunoori at microfocus.com (Srinivas Nangunoori) Date: Tue, 9 Jul 2019 16:38:14 +0000 Subject: [keycloak-user] Keycloak bc-fips compliant Message-ID: Hi Experts, Is keycloak bc-fips compliant? If yes, which version? Please help/guide us... Thanks in advance. -Srini From chris.smith at cmfirstgroup.com Tue Jul 9 19:38:25 2019 From: chris.smith at cmfirstgroup.com (Chris Smith) Date: Tue, 9 Jul 2019 23:38:25 +0000 Subject: [keycloak-user] SQL Server integrated authorization In-Reply-To: References: Message-ID: I carefully read the latest SQL Server JDBC docs and putting the auth dll in the System path is sufficient. The SQL server module now works with integrate security -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Chris Smith Sent: Tuesday, July 2, 2019 2:43 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] SQL Server integrated authorization My keycloak instance is planned to use SQL Server for its database. It will be running on a Windows Server in an Active Directory domain I'd like to not embed the User/Password in the standalone.xml file. To enable this, the driver requires a windows dll to perform the db connection authentication. So, I'm looking for the best way to accomplish this. I'd rather not add -Djava.library.path= as a parameter when invoking standalone.bat Is there a way to configure it in the module created for the JDBC driver jar? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From ysun at applause.com Tue Jul 9 21:30:15 2019 From: ysun at applause.com (Yifei Sun) Date: Tue, 9 Jul 2019 21:30:15 -0400 Subject: [keycloak-user] User Redis as distributed caching store Message-ID: Hi guys, I am trying to setup Redis as cache store for Keycloak 6.0.1. It seems Wildfly doesn't support Redis in its Infinispan subsystem, and a workaround might be using a custom caching store. Has anyone done that yet? Any help/information will be greatly appreciated. Thanks! From abychkova_box at mail.ru Wed Jul 10 02:33:26 2019 From: abychkova_box at mail.ru (=?UTF-8?B?0JDQu9C40L3QsCDQkNC70LXQutGB0LDQvdC00YDQvtCy0L3QsCDQk9GA0L4=?= =?UTF-8?B?0LzQvtCy0LA=?=) Date: Wed, 10 Jul 2019 09:33:26 +0300 Subject: [keycloak-user] =?utf-8?q?Keycloak_6=2E0=2E1_=22UUID_LDAP_attribu?= =?utf-8?q?te=22_property_processed_correctly_only_with_=22ObjectGUID=22_v?= =?utf-8?q?alue=2E?= Message-ID: <1562740406.804609987@f475.i.mail.ru> Hi, I have User Federation to connect with?our Azure AD through LDAP. When?I have the default value ?objectGUID? for UUID LDAP attribute ?property it processed correctly and in LDAP_ID user?attribute?I can see correct UUID formate. Though, if?user UUID provided not in ?objectGUID? but?in ?msDS-AzureADObjectId? LDAP-attribute it doesn?t work. In this case, when I set??msDS-AzureADObjectId??value into? UUID LDAP attribute ?property?I get incorrect string value?in?LDAP_ID. It looks like KC can correctly process UUID only if it comes in??objectGUID? attribute. In other cases, we get an incorrect result. ? So, the?problem in?org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675 where?KC has hardcode action for ?objectGUID? value and other fields processed as a plain?string. Also,??objectGUID? always gets from LDAP as a binary field but??msDS-AzureADObjectId? doesn't?and I need to create user-attribute-ldap-mapper to mark this attribute as binary. ? The way I fixed it locally:? * create user-attribute-ldap-mapper for ?msDS-AzureADObjectId??LDAP-attribute +?mark this attribute as binary. * set? UUID LDAP attribute ?property to??msDS-AzureADObjectId? * fix condition from?org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java:675 to? if (this.config.isActiveDirectory() && entryUUID instanceof byte[]) ? Is it a bug and can we expect?a?fix in future versions of KC? ------- Regards Alina Gromova From bruno at abstractj.org Wed Jul 10 14:52:19 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 10 Jul 2019 15:52:19 -0300 Subject: [keycloak-user] Contributions In-Reply-To: <2037353038.3420649.1562573540124.JavaMail.zimbra@lyra-network.com> References: <2037353038.3420649.1562573540124.JavaMail.zimbra@lyra-network.com> Message-ID: <20190710185219.GC10813@abstractj.org> Thanks for sharing Sylvain. On 2019-07-08, Sylvain Malnuit wrote: > Hi, > I want to share with you my contributions to Keycloak: > * https://github.com/malys/rh-sso-email-with-attachment: extension to attach files located in theme repository to email > * https://github.com/malys/keycloak-groovy-helpers: high level groovy script using Java Admin API to script configuration and actions. I use it to automate deployment > * https://github.com/malys/rh-sso-rest_federation: a generic REST federation supporting role, attributes and many options (I will probably include it in Ansible plugin) > * https://github.com/malys/rh-sso-listener-log: Generate detailed logs for audit > > Feel free to use it, fork it or improve it. > > Bye > > Sylvain > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From rakhshan at gmail.com Wed Jul 10 18:16:10 2019 From: rakhshan at gmail.com (Arash Rakhshan) Date: Wed, 10 Jul 2019 15:16:10 -0700 Subject: [keycloak-user] Attaching Role to an Entity Message-ID: Hello team, I am a new fan and after writing my own solution painfully we are hoping to convert to KeyCloak. First, thank you all for your efforts and supporting this project. I have gone through the tutorials and terminology, however, I can not seem to mold a suitable model for my authorization use case through Keycloak concepts. Please consider this use scenario: - You provide a SaaS solution for Car Dealerships. - Every dealership inherits a set of default roles upon creation e.g. admin, manager, sales, accountant,..) - Dealership could add/remove permissions to the default roles. - Dealership can define their own custom roles. - A dealership has multiple vendors and each vendor has a couple of roles (admin, accountant, vendor) - A dealership has numerous departments and each department may have their own roles for that department In my built-in model, I have a table that connects a Role to a Principal (an entity) and the ACLs (or permissions) are assigned to the roles. The Principal could be "DealershipA", "DealershipB", "Vendor1" and "Department0". Now my questions is: What is the best practice to implement this scenario in Keycloak. - How would you connect/assign a role to an entity? - Would you consider a Dealership, Vendor or a Department a Resource or a Client or what? Thank you in advance for all your help, From leandronunes85 at gmail.com Thu Jul 11 06:53:39 2019 From: leandronunes85 at gmail.com (Leandro Nunes) Date: Thu, 11 Jul 2019 11:53:39 +0100 Subject: [keycloak-user] Kubernetes deployments Message-ID: Hi fellow Keycloak users! My team is now looking at deploying a KC cluster to GCP. We wanted to leverage the infrastructure as much as possible but we?re struggling to come up with a good strategy to deploy different SPIs to a KC cluster when it is running in k8s. If we understand it correctly in such environments one does not simply take a single SPI and deploy it to the cluster; instead every time we want to install an SPI we?ll need to build a new (docker?) image that contains KC itself, the new (version of the) SPI and all other pre-existing SPIs. Is this understanding correct? Did you come up with better/leaner approaches to solving this? What is your experience around these issues? As always, any help is much appreciated! Leandro Nunes From chris.smith at cmfirstgroup.com Thu Jul 11 13:56:19 2019 From: chris.smith at cmfirstgroup.com (Chris Smith) Date: Thu, 11 Jul 2019 17:56:19 +0000 Subject: [keycloak-user] Keycloak self registration and Active Directory issues Message-ID: My requirements are 1. Active Directory federation (really only as a Kerberos Server... I have a Windoze Only requirement imposed on me) 2. Keycloak self-regestration for users 3. Application and user maintenance done in as much Out Of Box Keycloak as possible 4. Application Admins should never have access to AD management. I've set as many AD password policies as I can easily find or google to be as permissive as possible Policy Enforce password history, 0 passwords remembered, 0 Maximum password age, 0 Minimum password age, 0 days Minimum password length, 1 characters Password must meet complexity requirements, Disabled Store passwords using reversible encryption, Not Defined I've set KC password policies Minimum Length 8 Uppercase Characters 1 Lowercase Characters 1 Expire Password 30 Special Characters 1 Not Username Not Recently Used 25 Digits 1 KC Authentication Required Action Update Password disabled So when a new user users self-registration, in AD, the user account is set to require password Change Any advice on how to Change that In Active Directory I remove the "Require password Change" on the user account The KC user login fails with "invalid User or Password" error If I try to Change the new Users Password in the KC Console, Error! Could not modify attribute for DN [CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com] Any Advice on what is going on? From ryans at jlab.org Thu Jul 11 16:44:25 2019 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 11 Jul 2019 20:44:25 +0000 Subject: [keycloak-user] Reverse Proxy Keycloak - Kerberos SPNEGO breaks Message-ID: Hi all, Any tips setting up Kerberos SPNEGO with Keycloak if Keycloak is reverse proxied? I have everything working if I access the Keycloak host directly, but if I access via a reverse proxy the SPENGO doesn't work. I assume this has to do with Kerberos SPNEGO strict hostname and principal naming. I have even tried setting the password/key (and kvno) the same for both HTTP/proxy.example.com and HTTP/keycloak.example.com principals. I've also updated the /etc/krb5.conf libdefaults ignore_acceptor_hostname = true, but that seems to be ignored by Keycloak. In fact, Keycloak appears to require a hard-coded principal name, which isn't going to match the requested service principal name when requests go through the reverse proxy. Has anyone dealt with this before? Oddly, this isn't a problem for Windows Active Directory principals / SPNs (Micrsoft implementation) - if setspn.exe configures same principal to both hostnames. Just MIT Kerberos KDC and principals seem to have a problem with reverse proxies (Red Hat Identity Manager / FreeIPA wrapper around MIT Kerberos). Ryan From ysun at applause.com Fri Jul 12 10:38:49 2019 From: ysun at applause.com (Yifei Sun) Date: Fri, 12 Jul 2019 10:38:49 -0400 Subject: [keycloak-user] Cannot add custom Key2StringMapper for JDBC cache store Message-ID: Hi Guys, I am trying to add JDBC cache store via standalone-ha.xml in Keycloak 6.0.1, which has WildFly 16 and Infinispan 9.4.x subsystem. I managed to add the configuration to bind tables in Mysql db, but got the "org.infinispan.persistence.keymappers.UnsupportedKeyTypeException: Unsupported key type" when it tried to save the session. I checked out Infinispan and WF documentations, but the solution they gave, e.g. add "..." , does not work. Any help would be appreciated. Thanks!! From ysun at applause.com Fri Jul 12 10:41:19 2019 From: ysun at applause.com (Yifei Sun) Date: Fri, 12 Jul 2019 10:41:19 -0400 Subject: [keycloak-user] Cannot add custom Key2StringMapper for JDBC cache store In-Reply-To: References: Message-ID: Resend my previous email... Hi Guys, I am trying to add JDBC cache store via standalone-ha.xml in Keycloak 6.0.1, which has WildFly 16 and Infinispan 9.4.x subsystem. I managed to add the configuration to bind tables in Mysql db, but got the "org.infinispan.persistence.keymappers.UnsupportedKeyTypeException: Unsupported key type" when it tried to save the session. I checked out Infinispan and WF documentations, but the solution they gave, e.g. add "..." , does not work. Any help would be appreciated. Thanks!! From enzo.veltri at gmail.com Fri Jul 12 12:12:35 2019 From: enzo.veltri at gmail.com (Enzo Veltri) Date: Fri, 12 Jul 2019 18:12:35 +0200 Subject: [keycloak-user] CORS issue with Angular Keycloak and Kong Message-ID: Hello, I'm stuck in some CORS problems with a Angular APP. First of all this is my error: "Access to XMLHttpRequest at 'KEYCLOAK_ADDRESS/auth/realms/kong-integration/protocol/openid-connect/auth?response_type=code&client_id=kong&state=51afb0a302eaade545d648ee234ac9c0&redirect_uri=http//KONG_ADDRESS/projects%2F&nonce=5828968bed9a3d5427bed214c482b7a1&scope=openid' (redirected from 'http://KONG_ADDRESS/projects?username=c') from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." Here is my architecture I have as gateway KONG + OIDC Plugin (https://github.com/nokia/kong-oidc) in a docker-machine located ad KONG_ADDRESS An Identity Management as Keycloak that is located at KEYCLOAK_ADDRESS; An Angular APP that uses the keycloak-angular library ( https://www.npmjs.com/package/keycloak-angular) located at localhost:4200 A Rest API, developed with Restlet, deployed on a tomcat on TOMCAT_ADDRESS/projects I've configured Kong to work with Keycloak using this tutorial ( https://www.jerney.io/secure-apis-kong-keycloak-1/) and everything works fine till I'm interacting with the secured API using the browser or Postman. When I call the secured endpoint KONG/projects, I'm redirected to the login page of Keycloak and then, after submitting the right credentials, I receive the correct response. Problems come when I'm trying to do everything using an Angular APP. It looks like that everything is fine with the /auth and /authenticate calls to KEYCLOAK_ADDRESS made by the initialization of the plugin ( https://www.npmjs.com/package/keycloak-angular#setup), and the /token and the /account calls made by HttpClientInterceptor ( https://www.npmjs.com/package/keycloak-angular#httpclient-interceptor) and the AuthGuard (https://www.npmjs.com/package/keycloak-angular#authguard). Problems come when the APP try to access to the resource at KONG/projects. It looks like there are a lot of jumps in the request: KONG redirects to KEYCLOAK and KEYCLOAK send a 204 No Content. I've added to the Keycloak client the web origins for KONG_ADDRESS and http://localhost:4200 that is my Angular APP. Do you have any idea about the problem? I think is something related to the origin 'null' in the console log, or is something related to my setup. Maybe I'm missing some details about the process. -- Enzo From chamila.sujeewa at gmail.com Sun Jul 14 22:21:25 2019 From: chamila.sujeewa at gmail.com (Chamila de Alwis) Date: Mon, 15 Jul 2019 14:21:25 +1200 Subject: [keycloak-user] Realm based multi-tenancy Message-ID: Hi, I have a KeyCloak deployment where KeyCloak Realms are used as a way to differentiate users among different tenants. The components that currently interact with KeyCloak does so through intermediate router that selects the IdP configuration based on a request path segment (request credentials from the realm using a pre-decided segment in the received path as the realm name). This story works fine with OIDC clients created in each Realm. There is a 3rd party service access that needs to be done through KeyCloak as well. However this 3rd party service doesn't support any kind of realm discovery method (path, header etc). It only works with a single IdP configuration at a time. This doesn't match with the per-realm client configuration model that is there at the moment, because multiple client configurations cannot be dynamically mapped to different host names or path segments. As a workaround, I'm in the process of trying the following approach. I've created a "federator" realm that has the clients in other realms as Identity Providers. The client in the federator realm will act as an identity broker on behalf of the other realms. However, the approach shows all the organizations available at the login screen. This is something sub-optimal for my use case since the list of organizations is made public to any user redirected to the login page. At the moment I'm looking into the customization of the login page, however that also would make upgrades harder. Is there a way to workaround this limitation that the 3rd party service has? Are there any known patterns that you may have employed in similar situations? (The other mail threads that I could find deal in situations where the client code is also changeable, like the use of the KeyCloakConfigResolver extension point [1]. This is not usable in my case, as the 3rd party code is out of my control) Furthermore, is there a way to authenticate users across Realms using only one client configuration? Appreciate your help in this. [1] - https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy Thanks! Regards, Chamila Blog: medium.com/@chamilad From mnuttallsmith at flowtraders.com Mon Jul 15 03:34:23 2019 From: mnuttallsmith at flowtraders.com (Mark Nuttall-Smith) Date: Mon, 15 Jul 2019 07:34:23 +0000 Subject: [keycloak-user] transient SSL certificate errors to AD/LDAPS Message-ID: Hi, I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) at sun.security.validator.Validator.validate(Validator.java:262) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ... 12 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ... 18 more Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though). We add the certificates to the keystore using the following approach in our kubernetes helm chart: -------------------- extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json" # This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume. # The same volume with the keystore is then mounted and used by the main keycloak container extraInitContainers: | - name: cacerts-init image: openjdk:8-jre command: - bash args: - -c - | cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts; for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ; keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer done volumeMounts: - name: ad-cacerts mountPath: /opt/cacerts extraVolumes: | - name: ad-cacerts emptyDir: {} extraVolumeMounts: | - name: ad-cacerts mountPath: /opt/cacerts ----------------------- Does anyone have an idea what could be the cause of these transient errors? Thanks, Mark Mark Nuttall-Smith Software Engineer [http://www.flowtraders.com/img/FlowTraders.png] Flow Traders T: +31 20 799 8753 F: +31 20 799 6780 Jacob Bontiusplaats 9 1018 LL Amsterdam Netherlands www.flowtraders.com Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders's prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. From mnuttallsmith at flowtraders.com Mon Jul 15 05:11:00 2019 From: mnuttallsmith at flowtraders.com (Mark Nuttall-Smith) Date: Mon, 15 Jul 2019 09:11:00 +0000 Subject: [keycloak-user] transient SSL certificate errors to AD/LDAPS In-Reply-To: <7F214C6E-BE11-49F5-A40E-38283358328B@m800.com> References: <7F214C6E-BE11-49F5-A40E-38283358328B@m800.com> Message-ID: <1f0a852c4920492bb3b3d27522f43f51@NL-EXMB13-02.nl.flowtraders.local> Hi, Thanks for the suggestion, but only server side certificates are required for our AD set up. Mark Nuttall-Smith Software Engineer Flow Traders T: +31 20 799 8753 F: +31 20 799 6780 Jacob Bontiusplaats 9 1018 LL Amsterdam Netherlands www.flowtraders.com -----Original Message----- From: Nick Su [mailto:nicksu at m800.com] Sent: Monday, July 15, 2019 9:40 AM To: Mark Nuttall-Smith Subject: Re: [keycloak-user] transient SSL certificate errors to AD/LDAPS Hi Does your LDAPS server require client verification as well? I came across a similar issue months before, and fixed by providing a trust store and keystore respectively to java > On 15 Jul 2019, at 3:34 PM, Mark Nuttall-Smith wrote: > > Hi, > > I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception: > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > at sun.security.validator.Validator.validate(Validator.java:262) > at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) > ... 12 more > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target > at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > ... 18 more > > Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though). > > We add the certificates to the keystore using the following approach in our kubernetes helm chart: > > -------------------- > extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json" > > # This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume. > # The same volume with the keystore is then mounted and used by the main keycloak container > extraInitContainers: | > - name: cacerts-init > image: openjdk:8-jre > command: > - bash > args: > - -c > - | > cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts; > for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do > echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ; > keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer > done > volumeMounts: > - name: ad-cacerts > mountPath: /opt/cacerts > > extraVolumes: | > - name: ad-cacerts > emptyDir: {} > > extraVolumeMounts: | > - name: ad-cacerts > mountPath: /opt/cacerts > ----------------------- > > Does anyone have an idea what could be the cause of these transient errors? > > Thanks, Mark > > Mark Nuttall-Smith > Software Engineer > > [http://www.flowtraders.com/img/FlowTraders.png] > > Flow Traders > > T: +31 20 799 8753 > F: +31 20 799 6780 > > Jacob Bontiusplaats 9 > 1018 LL Amsterdam > Netherlands > www.flowtraders.com > > Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders's prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders?s prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. From yy8402 at icloud.com Mon Jul 15 11:03:22 2019 From: yy8402 at icloud.com (Yang Yang) Date: Mon, 15 Jul 2019 23:03:22 +0800 Subject: [keycloak-user] Redirect issue with HTTPS and Proxy Message-ID: <0C6736D5-3F64-4B6D-8CDA-9C5501CBAAD8@icloud.com> Hello, I am trying to make keycloak work behind a Nginx proxy with HTTPS, but got an redirect issue. Could you help to shed some light? 1. keycloak in standalone mode is installed on local_ip_a and public_ip_a, while Nginx is on local_ip_b and public_ip_b. local_ip_a and local_ip_b are in the same subnet. 2. keycloak works fine with https when I reach it with local_ip_a or public_ip_a, following guide here ...

... 3. my nginx configuration for keycloak is as below: ? server { listen 8443 ssl; ... location /auth/ { proxy_pass https://local_ip_a:8443/auth/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } ? 4. I set the fixed provide following this :

request

5. I was able to get the keycloak welcome page at https://public_ip_b:8443/auth/, but when accessing https://public_ip_b:8443/auth/admin, I was redirected to https://public_ip_b:8443/auth/admin/master/console/ and then to the following address: https://local_ip_a:8443/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fpublic_ip_b%3A8443%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=c0047434-9a34-4fee-8b18-ae9f2c696683&response_mode=fragment&response_type=code&scope=openid&nonce=c5fb0f27-2a0a-4248-9833-6655f9c29f7e 6. The keycloak message tells: 22:19:44,848 WARN [org.keycloak.events] (default task-16) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress= local_ip_b, error=invalid_redirect_uri, redirect_uri=https://public_ip_b:8443/auth/admin/master/console/ 7. I tried to add https://public_ip_b:8443/auth/* to security-admin-console setting, but got no luck? From Aditya.Bhole at veritas.com Mon Jul 15 13:23:06 2019 From: Aditya.Bhole at veritas.com (Aditya Bhole) Date: Mon, 15 Jul 2019 17:23:06 +0000 Subject: [keycloak-user] Trust between two standalone Keycloak Instances Message-ID: Hello, I?m new to Keycloak and building a prototype SSO framework for my company. The use case is that my company has 3 clients; A, B and C. Now each client is going to have its own Keycloak instance; KA, KB and KC. Now what I want is when I login through client A I should be logged into client B and C as well. And same goes for all the clients. So for this to happen, is there a way of establishing trust between these three Keycloak instances KA, KB and KC? I?ve successfully established an SSO by using KA as a broker and KB as an IDP. But this is only a master slave kind-of an architecture. When I log in to A, I?m automatically logged into B. But if I log into B, I won?t be automatically logged into A. Is it possible for KA to be a broker for KB and KB to be a broker for KA at the same time? TL;DR : Is there a way where Keycloak only acts as a broker and trust is established between multiple such Keycloak instances? I hope my question makes sense. Please point me in the right direction if I?m looking at this in the wrong way. Thanks, Aditya From ssilvert at redhat.com Mon Jul 15 14:31:26 2019 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 15 Jul 2019 14:31:26 -0400 Subject: [keycloak-user] Trust between two standalone Keycloak Instances In-Reply-To: References: Message-ID: Why do you need each to have its own Keycloak instance?? A usual setup would define all three clients in the same realm under the same Keycloak instance. On 7/15/2019 1:23 PM, Aditya Bhole wrote: > Hello, > > I?m new to Keycloak and building a prototype SSO framework for my company. The use case is that my company has 3 clients; A, B and C. Now each client is going to have its own Keycloak instance; KA, KB and KC. Now what I want is when I login through client A I should be logged into client B and C as well. And same goes for all the clients. So for this to happen, is there a way of establishing trust between these three Keycloak instances KA, KB and KC? > I?ve successfully established an SSO by using KA as a broker and KB as an IDP. But this is only a master slave kind-of an architecture. When I log in to A, I?m automatically logged into B. But if I log into B, I won?t be automatically logged into A. Is it possible for KA to be a broker for KB and KB to be a broker for KA at the same time? > TL;DR : > Is there a way where Keycloak only acts as a broker and trust is established between multiple such Keycloak instances? > > I hope my question makes sense. Please point me in the right direction if I?m looking at this in the wrong way. > > Thanks, > Aditya > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jonesy at sydow.org Mon Jul 15 17:47:53 2019 From: jonesy at sydow.org (JTK) Date: Mon, 15 Jul 2019 16:47:53 -0500 Subject: [keycloak-user] Not being prompted for x509 User Certs In-Reply-To: