From nils at rhocas.de Sat Jun 1 02:30:38 2019
From: nils at rhocas.de (Nils Christian Ehmke)
Date: Sat, 1 Jun 2019 08:30:38 +0200
Subject: [keycloak-user] Occasionally Bad Requests
In-Reply-To: <4734e1b7-a606-dcf5-ae8e-44fc99dc0ab7@bmiag.de>
References: <4734e1b7-a606-dcf5-ae8e-44fc99dc0ab7@bmiag.de>
Message-ID: <034ace7f-7dbd-35cf-0022-a65f62c95c90@rhocas.de>

Hi,

We are having an issue with Keycloak in our application. The user occasionally gets a "bad request" error. This can be easily forced by opening multiple tabs to the application which load concurrently (so this might be an issue with concurrent requests). If the error occurs, the browser stops at a URL of the form .../sso/login?state=...

Some details about our application that might be important:

* We use the Spring Boot Keycloak adapter multiple times in the same JVM as we start multiple embedded Tomcats.
* The error seems to occur only when using a link from one of these embedded Tomcats to another.
* The application is behind an Apache which handles SSL and acts as a (reverse) proxy.

Can you give us any hints and possible reasons? Or maybe a hint how to approach the problem?

Thanks and best regards,
Nils

From matthew.broadhead at nbmlaw.co.uk Sat Jun 1 04:02:47 2019
From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead)
Date: Sat, 1 Jun 2019 10:02:47 +0200
Subject: [keycloak-user] UserRepresentation enabled Boolean
In-Reply-To: <1bcaeb6e-009e-e120-f28b-07eef26c0872@redhat.com>
References: <1bcaeb6e-009e-e120-f28b-07eef26c0872@redhat.com>
Message-ID: <88530998-9b75-d90d-b8ce-7d0ffb04da41@nbmlaw.co.uk>

It is not only affecting JSF. I am using TomEE, which uses Johnzon, and it is not converting properly to JSON. The way you are doing the getters and setters seems wrong. It should be get and set for a Boolean object, and is and set for a boolean primitive.

On 15/11/2017 15:57, Marek Posolda wrote:
> Interesting issue.
> Not sure if we're going to change something in the
> UserRepresentation class just because of JSF limitations. Maybe the
> possibility is:
>
> - Create some custom JSF renderer/handler/component (not sure what
> exactly, didn't work with JSF in the last few years) to be able to
> deal with it
>
> - Create some wrapper/delegate object around the Keycloak
> UserRepresentation and pass that one to JSF. For example something like:
>
> public class MyUser {
>
>     private final UserRepresentation delegate;
>
>     public MyUser(UserRepresentation kcUser) {
>         delegate = kcUser;
>     }
>
>     public String getFirstName() {
>         // Just delegate to the underlying object
>         return delegate.getFirstName();
>     }
>
>     // Convert "is" to "get"
>     public Boolean getEnabled() {
>         return delegate.isEnabled();
>     }
>
>     // All the others...
>
> }
>
> Marek
>
> On 14/11/17 13:05, Matthew Broadhead wrote:
>> org.keycloak.representations.idm.UserRepresentation
>> (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java)
>> has a property enabled which is of type java.lang.Boolean. Technically
>> this should have getters and setters of getEnabled and setEnabled. A
>> type boolean would have isEnabled and setEnabled. This stops it from
>> working with JSF
>> (https://stackoverflow.com/questions/14400222/boolean-properties-starting-with-is-does-not-work)
>>
>> This also applies to totp and emailVerified in the same class.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ahmadzadehasl at outlook.com Sat Jun 1 06:28:09 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Sat, 1 Jun 2019 10:28:09 +0000
Subject: [keycloak-user] Keycloak, SpringBoot, and Swagger-UI

Hi,

Can anybody help to resolve this problem?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Ali Ahmadzadeh Asl
Sent: Tuesday, May 21, 2019 5:23 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak, SpringBoot, and Swagger-UI

Hi Dears,

I have a Spring Boot project which uses the Swagger-UI library for describing and testing REST services. Everything was OK until I added the Keycloak library and settings to my project. The Keycloak settings are:

keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.enable-basic-auth=true
keycloak.autodetect-bearer-only=true
keycloak.use-resource-role-mappings=true
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3776b88-2600-44fa-83ec-67cb72fa0000
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints[0].authRoles[0] = USER
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /*

Now, when a logged-in user wants to see the Swagger-UI page using a URL like http://127.0.0.1:6060/swagger-ui.html, a message containing the text below and a text box are shown:

"Unable to infer base url. This is common when using dynamic servlet registration or when the API is behind an API Gateway. The base url is the root of where all the swagger resources are served. For e.g.
if the api is available at http://example.org/api/v2/api-docs then the base url is http://example.org/api/. Please enter the location manually: "

But the JSON of the services' definitions is accessible from the http://127.0.0.1:6060/v2/api-docs address.

Can anybody help me to solve this problem? What is the reason for this? How can I resolve it?

Thanks

From ahmadzadehasl at outlook.com Sat Jun 1 06:33:47 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Sat, 1 Jun 2019 10:33:47 +0000
Subject: [keycloak-user] Help for using Keycloak in Spring Boot
References: <1557351594.3565.8.camel@carretti.pro>

Hi,

Can anybody help with this matter?

I want to define a security constraint allowing any user (even unauthenticated users) to view and access some pages, something like this:

keycloak.securityConstraints[0].authRoles[0] = none
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /

How is this possible?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Ali Ahmadzadeh Asl
Sent: Tuesday, May 14, 2019 2:31 PM
To: Dmitry Telegin; Michal Hajas; Sebastien Blanc
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot

Hi Dmitry,

Based on the previous emails, I have only one problem now. When I set the config 'on-deny-redirect-to' in the application.properties file, I have to define at least one securityConstraints in this file too. How can I define this securityConstraints as a permit-all constraint?
Something like this:

keycloak.securityConstraints[0].authRoles[0] = none
keycloak.securityConstraints[0].securityCollections[0].name = default
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /

________________________________
From: Dmitry Telegin
Sent: Thursday, May 9, 2019 2:09 AM
To: Ali Ahmadzadeh Asl; Michal Hajas; Sebastien Blanc
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot

Hello Ali,

It would be helpful if you could share your application.properties (scrubbing the secrets, if any) as well as the authorization settings in Keycloak. Please also mind that security constraints (role-based) and authorization are separate concepts, in the sense that they are configured and enforced differently.

Cheers,
Dmitry Telegin
Opensource IAM consultant
https://www.linkedin.com/in/d-telegin

On Tue, 2019-05-07 at 08:08 +0000, Ali Ahmadzadeh Asl wrote:
> Hi guys,
>
> Thank you Michal, thank you Sebastien. As you know, in the application.properties file of this project there is a keycloak.securityConstraints which forces visitors to have the role "user". When I remove this securityConstraints and run the project, every request redirects to the "/accessDenied" page, though based on the permissions defined in the admin panel, the URL / is public.
>
> If I have to define at least one securityConstraints in application.properties (which, in my opinion, is not a good constraint), how can I define it as a public pattern without any role constraint?
>
> ________________________________
> From: Michal Hajas
> Sent: Tuesday, May 7, 2019 11:27 AM
> To: Sebastien Blanc
> Cc: Ali Ahmadzadeh Asl; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> as far as I understand, you have to specify securityConstraints (it is also in the authz quickstart: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-springboot/src/main/resources/application.properties#L10) so that Keycloak knows about your resources. You can specify your permissions and policies afterward.
>
> Michal
>
> On Tue, May 7, 2019 at 7:24 AM Sebastien Blanc wrote:
> Hi Ali,
>
> Have you tried this quickstart that shows how to use the authz service from KC: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot
> Also make sure you enable the policy enforcer on the app side in the configuration, i.e.:
> keycloak.policy-enforcer-config.on-deny-redirect-to=/accessDenied
>
> sebi
>
> On Tue, May 7, 2019 at 7:07 AM Ali Ahmadzadeh Asl wrote:
> Hi Michal,
>
> I configured my server exactly like this tutorial, but I have not defined any keycloak.securityConstraints in the application.properties file; I want to define permissions and policies in the Keycloak admin panel. Does this require any special setting? Does anybody have any sample or tutorial for this?
>
> ________________________________
> From: Michal Hajas
> Sent: Monday, May 6, 2019 12:09 PM
> To: Ali Ahmadzadeh Asl
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Help for using Keycloak in Spring Boot
>
> Hi Ali,
>
> it looks like you have wrongly configured the Spring Boot Keycloak adapter.
> Make sure you configured everything which is shown here (especially the part with security constraints): https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter
>
> Michal
>
> On Sat, May 4, 2019 at 2:21 PM Ali Ahmadzadeh Asl wrote:
> Hi
> First of all, excuse me for my poor English.
>
> I am trying to use Keycloak in Spring Boot 2. I read many articles about this matter, such as the following link:
> https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/spring-boot-adapter.html
>
> There is an issue that I can't resolve. Resources, policies and permissions defined in the admin panel for the client do not have any effect on my server. For example, I defined a resource for the URL pattern /rest/* and a policy for having ROLE_REST, and I also defined a permission mapping this resource and policy.
>
> But after running the server, I can use the REST services without any limitation or authentication.
> Now the question is: how can I manage Spring Boot application security and permissions from the Keycloak admin panel?
>
> Thank you

From fabio.ebner at lumera.com.br Sun Jun 2 11:14:16 2019
From: fabio.ebner at lumera.com.br (Fabio Ebner)
Date: Sun, 2 Jun 2019 12:14:16 -0300
Subject: [keycloak-user] Client Admin javascript

Is there a JavaScript client framework for Keycloak?

tks

From siddiq_sa at yahoo.com Sun Jun 2 15:50:21 2019
From: siddiq_sa at yahoo.com (Siddiq Syed)
Date: Sun, 2 Jun 2019 19:50:21 +0000 (UTC)
Subject: [keycloak-user] SAML Response Retrieval using Jsoup for Keycloak
References: <534006127.8480361.1559505021885.ref@mail.yahoo.com>
Message-ID: <534006127.8480361.1559505021885@mail.yahoo.com>

Hi,

I am trying to retrieve the SAML Assertion by invoking the URL() to get the AWS temporary credentials. I can do this successfully when invoking it from the browser, but when I try to invoke it programmatically using Jsoup I get the error below.

"You took too long to login. Login process starting from beginning."

Here are the steps that I am following:

Invoking the URL http://testserver:8082/auth/realms/master/protocol/saml/clients/amazon-aws to get the cookies (AUTH_SESSION_ID, KC_RESTART) and get the URL
http://testserver:8090/auth/realms/master/login-actions/authenticate?session_code=m-Mizx00Jjw9ClaNZ40J7MrQMMuAo7IGu8C7RIAZrr0&execution=3782c908-276a-454f-bc4d-39f7cfa210b8&client_id=urn%3Aamazon%3Awebservices&tab_id=ix8DWcw4yLE

Once I get this I am invoking the login-actions URL as shown below, passing the username, password and the cookie in the request.

http://vmdcstestlemswsapp1.dcs.ga.gov:8090/auth/realms/master/login-actions/authenticate?session_code=m-Mizx00Jjw9ClaNZ40J7MrQMMuAo7IGu8C7RIAZrr0&execution=3782c908-276a-454f-bc4d-39f7cfa210b8&client_id=urn%3Aamazon%3Awebservices&tab_id=ix8DWcw4yLE

I am getting the error "You took too long to login. Login process starting from beginning."

The same steps work from the browser, but when doing it from Jsoup it gives me the error. Is there any setting that I am missing that I need to configure to retrieve the SAML Response?

-Siddiq

From rof20004 at gmail.com Sun Jun 2 19:18:48 2019
From: rof20004 at gmail.com (Rodolfo)
Date: Sun, 2 Jun 2019 19:18:48 -0400
Subject: [keycloak-user] Keycloak LDAP dynamic mappers values

Hi all,

I have integrated my Keycloak instance with LDAP. I need to create users with some attributes that do not exist in the create user form, like uidNumber etc. The uidNumber and homeDirectory need to be created dynamically. My questions are:

1. Can I create a hardcoded-ldap-user-attribute that gets the value dynamically?
2. Can I create more fields in the create user form?

Thanks and Regards
Rodolfo Azevedo

From vinogradov.a.i.93 at gmail.com Mon Jun 3 00:23:33 2019
From: vinogradov.a.i.93 at gmail.com (Alexey Vinogradov)
Date: Mon, 3 Jun 2019 11:23:33 +0700
Subject: [keycloak-user] [Keycloak-admin-client] An error message when changing password.

So, thanks to demetrio at carretti.pro, my problem has been solved by upgrading to the new version of keycloak-admin-client (4.8.3.Final) and Resteasy (3.6.3.Final).
Note that keycloak-admin-client version 3.4.3.Final and Resteasy 3.1.4.Final have that problem.

--
Best regards,
Vinogradov Alexey
vinogradov.a.i.93 at gmail.com
+7 983 311 38 40

On Mon, 27 May 2019 at 14:51, Alexey Vinogradov wrote:
> Hello everyone.
>
> I have a question about the REST API of Keycloak. When I attempt to change a user's password via the REST API to a password that does not meet the security constraints of Keycloak, I receive a BadRequestError without additional information about what went wrong. But when I change the password in the Administration console I see the exact error.
>
> So, how can I get the exact problem with my password?
>
> My use case is this:
> I have a frontend (html/css) that communicates with a backend that communicates with Keycloak. A user wants to change the password of his/her account, so he/she clicks a button on some form and makes a request to the backend to change the password. The backend processes that request and asks Keycloak to change the user password. In case the password doesn't meet the security constraints, I want to give the user the exact error.
>
> Thanks to all.
> --
> Best regards,
> Vinogradov Alexey
> vinogradov.a.i.93 at gmail.com
> +7 983 311 38 40

From orivat at janua.fr Mon Jun 3 05:01:33 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Mon, 3 Jun 2019 11:01:33 +0200
Subject: [keycloak-user] Need to start nip.io for keycloak on minikube (kubernetes)
Message-ID: <0aec7fc6-b8e2-d2cd-d804-920a76b5f2bf@janua.fr>

Hi,

I am trying to follow the tutorial/video from Stian: https://github.com/stianst/demo-kubernetes

I have installed minikube on my Linux laptop, but cannot find how to use nip.io for the demo
to resolve the environment variables KEYCLOAK_HOST, BACKEND_HOST and FRONTEND_HOST:

export MINIKUBE_IP=`minikube ip`
export KEYCLOAK_HOST=keycloak.$MINIKUBE_IP.nip.io
export BACKEND_HOST=backend.$MINIKUBE_IP.nip.io
export FRONTEND_HOST=frontend.$MINIKUBE_IP.nip.io

I have also tried to install nip.io as follows (https://github.com/resmo/nip.io), but it conflicts with the laptop's systemd-resolved:

docker run -d -p 0.0.0.0:53:53/tcp -p 0.0.0.0:53:53/udp --name nip.io nip.io
8cc8e05678d02a61299bf60a3116759e93a39113da875216163b7c6fba725ce1
docker: Error response from daemon: driver failed programming external connectivity on endpoint nip.io (5117952d0ba0d91fe81404537bd1abc7674dfd49f4ec9ce4c587af6c7e7d84d9): Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use.

I guess my minikube setup is certainly not correct, but I cannot figure out what is missing to have nip.io working on my minikube cluster.

Tkx for your help

Regards,
Olivier Rivat

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From testoauth55 at gmail.com Mon Jun 3 05:50:15 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Mon, 3 Jun 2019 15:20:15 +0530
Subject: [keycloak-user] How to handle timeout for external IDP providers

I have configured an external SAML IDP (Okta) with Keycloak. Now one of my apps (unchangeable) is directly connected to the same SAML provider and needs a SAML token when its API is called from my app.

Since Keycloak provides a way to retrieve the SAML token through the API /auth/realms/myRealm/broker/ping/token, I have obtained this SAML token and used it for my API. But there is one problem. Suppose the expiry time of the SAML token is 1 hour and the Keycloak refresh token expiry is 2 hours. My Keycloak OIDC token will remain valid for 2 hours, and the URL /auth/realms/myRealm/broker/ping/token will keep giving the expired SAML token (from hour 1 to hour 2).
What is the best way to get around this issue?

From mareklindner at neomailbox.ch Mon Jun 3 07:29:25 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Mon, 03 Jun 2019 19:29:25 +0800
Subject: [keycloak-user] theme customization: organizing 'My Resources'
Message-ID: <2880937.QikU1eX6rS@rousseau>

Hi,

with a theme customization I am trying to organize the various resources shared via UMA by essentially grouping them by type or URI. After poking in the Keycloak sources and searching on the internet, I haven't yet found a way to access the resource type or URI via the ftl theme engine.

Can this information be added to the theme HTML via ftl, or is there another mechanism to make the 'My resources' pages more user friendly?

Thanks,
Marek

From nick.stolwijk at gmail.com Mon Jun 3 08:12:23 2019
From: nick.stolwijk at gmail.com (Nick Stolwijk)
Date: Mon, 3 Jun 2019 14:12:23 +0200
Subject: [keycloak-user] Botched exporting a realm and reimporting it into another server

Hello list,

I tried to export a realm from one server and import it into another. This went badly and I'm trying to recover.

What I did:

Old server:
/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json -Dkeycloak.migration.realmName=my_realm -Djboss.socket.binding.port-offset=1000

New server:
/opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json -Djboss.socket.binding.port-offset=1000

This went well, but I don't see the realm in the new server UI.
When I try to export it from the new server it seems to be there. When I try to re-add the realm through the UI it complains about duplicate entries (which is logical).

How can I remove the botched import or fix the import so that it shows up?

With regards,

Nick Stolwijk

~~~ Try to leave this world a little better than you found it and, when your turn comes to die, you can die happy in feeling that at any rate you have not wasted your time but have done your best ~~~
Lord Baden-Powell

From psilva at redhat.com Mon Jun 3 08:22:19 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 3 Jun 2019 09:22:19 -0300
Subject: [keycloak-user] theme customization: organizing 'My Resources'
In-Reply-To: <2880937.QikU1eX6rS@rousseau>
References: <2880937.QikU1eX6rS@rousseau>

Hi Marek,

We don't expose type and URI, but I also think we should make them available. If you could create a JIRA or send a PR with the necessary changes [2] to expose these properties, that would be great.

We are currently working on the new account console [1], which provides a REST API that should give you more flexibility on how to customize it.

[1] https://issues.jboss.org/browse/KEYCLOAK-8060
[2] https://github.com/keycloak/keycloak/blob/5a9bfea419f37267afb656ea4bfce1ff1489384f/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java#L222

On Mon, Jun 3, 2019 at 8:40 AM Marek Lindner wrote:
> Hi,
>
> with a theme customization I am trying to organize the various resources
> shared via UMA by essentially grouping them by type or uri. After poking in
> the keycloak sources and searching on the internet, I haven't yet found a way
> to access the resource type or uri via the ftl theme engine.
> Can this information be added to the theme HTML via ftl or is there another
> mechanism to make the 'My resources' pages more user friendly ?
>
> Thanks,
> Marek

From Chirag.Unnadkat at cerillion.com Mon Jun 3 10:35:02 2019
From: Chirag.Unnadkat at cerillion.com (Chirag Unnadkat)
Date: Mon, 3 Jun 2019 14:35:02 +0000
Subject: [keycloak-user] X509 Direct Grant with client certificate

Hi,

Has anyone else faced a similar issue, and/or managed to resolve something similar?

Kind Regards,

Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat at cerillion.com
T. 0207 9276029
W. www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Chirag Unnadkat
Sent: 28 May 2019 16:03
To: keycloak-user at lists.jboss.org
Subject: Caution -Identified as Possible Scam - [keycloak-user] X509 Direct Grant with client certificate

Hi,

Is it possible to pass the same client certificate in a token request with different login credentials? My current setup doesn't seem to allow this, and I can't find any documentation saying this is not possible.

I have configured an X509 Direct Grant flow using X509/Validate Username (X.509 Config). This is configured to take the Subject's Common Name, with the attribute "NAME". I have configured a trust store with 1 certificate (I want to share this across users).

When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token; however, once I share the same attribute details with user 2, both user 1 and 2 stop working.

Maybe I am missing some configuration that will allow my users to share the same certificate. I ideally do not want to have one certificate per user, as this will get out of hand to manage as the population of the realm increases.

Kind Regards,

Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat at cerillion.com
T.
0207 9276029
W. https://clicktime.symantec.com/3Dkjz73Ak7RQtTbSctftLHd6H2?u=www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK

From nick.stolwijk at gmail.com Mon Jun 3 10:41:54 2019
From: nick.stolwijk at gmail.com (Nick Stolwijk)
Date: Mon, 3 Jun 2019 16:41:54 +0200
Subject: [keycloak-user] Botched exporting a realm and reimporting it into another server

Some more information.

If I do an export at the new server, it seems the imported realm is present.
I just cannot see it inside the UI or with the kcadm tool.

Only applicable results:

$ grep -H my_realm *
master-realm.json: " my_realm-realm" : [ {
my_realm-realm.json: "realm" : " my_realm",

Can I give more relevant information?

With regards,

Nick Stolwijk

~~~ Try to leave this world a little better than you found it and, when your turn comes to die, you can die happy in feeling that at any rate you have not wasted your time but have done your best ~~~
Lord Baden-Powell

On Mon, Jun 3, 2019 at 2:12 PM Nick Stolwijk wrote:
> Hello list,
>
> I tried to export a realm from one server and importing it into another.
> This went badly and I'm trying to recover.
>
> What I did:
> Old server:
> /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=export
> -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json
> -Dkeycloak.migration.realmName=my_realm
> -Djboss.socket.binding.port-offset=1000
>
> New server:
> /opt/jboss/keycloak/bin/standalone.sh -Dkeycloak.migration.action=import
> -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=/opt/jboss/keycloak-export.json
> -Djboss.socket.binding.port-offset=1000
>
> This went well, but I don't see the realm in the new server UI. When I try
> to export it from the new server it seems to be there. When I try to re-add
> the realm through the UI it complains about duplicate entries. (Which is
> logical)
>
> How can I remove the botched import or fix the import so that it shows up?
>
> With regards,
>
> Nick Stolwijk
>
> ~~~ Try to leave this world a little better than you found it and, when
> your turn comes to die, you can die happy in feeling that at any rate you
> have not wasted your time but have done your best ~~~
>
> Lord Baden-Powell

From Ori.Doolman at cyberark.com Mon Jun 3 11:54:33 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Mon, 3 Jun 2019 15:54:33 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user

Hi Pedro,

Did you check this? I have created a Jira issue: https://issues.jboss.org/browse/KEYCLOAK-10443

Thanks,
Ori.

-----Original Message-----
From: Ori Doolman
Sent: Saturday, June 1, 2019 12:10 AM
To: Ori Doolman; Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] How to get the role -> permissions for an authenticated user

Hi Pedro,

I almost got it all working, but I think I bumped into a bug... :(
Please confirm whether this is a bug or expected behavior. I'm using the latest Keycloak v6.01. I believe you can reproduce it as well.

I have created:

1. Resource R with scopes S1, S2.
2. User-based policy P1 for user1
3. User-based policy P2 for user2
4. Scope-based permission SBP1 for R1+S1 mapped to policy P1 (granting user1 access to R1:S1)
5. Scope-based permission SBP2 for R1+S2 mapped to policy P2 (granting user2 access to R1:S2)

When I request an RPT, everything is as expected. User1's token returns R1:S1 and user2's token returns R1:S2.

But if I also add S2 to SBP1, I expect that user1 will have access to both R1:S1 and R1:S2. However, I still get only R1:S1. This seems like a bug.

If I revert the change and also add S1 to SBP2, I expect that user2 will have access to both R1:S1 and R1:S2. However, in this case I get access_denied and no scopes at all.

This is really inconsistent and seems like a bug.
Here is how I send the RPT request:

POST /auth/realms/epm-account1/protocol/openid-connect/token HTTP/1.1
Host: localhost:8180
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Postman-Token: ca36fc4e-d551-4525-a406-9afe674b1312,3731c4f2-6e71-475d-a6bf-171b6dc6b0cc
Host: localhost:8180
accept-encoding: gzip, deflate
content-length: 99
Connection: keep-alive
cache-control: no-cache

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=epm-web&permission=R1

Please check that.

Thanks,
Ori.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman
Sent: Friday, May 31, 2019 8:48 PM
To: Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Pedro,

1. How do I obtain the pushed claims in my JS policy code? Is it by $evaluation.getContext().getAttributes()? Do you have an example?
2. Is there any way to debug the JS policy? Or at least print to the logs from the policy code?

Ori.

From: Pedro Igor Silva
Sent: Friday, May 31, 2019 8:32 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Here it is: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_authorization-5Fservices_index.html-23-5Fservice-5Fpushing-5Fclaims&d=DwIGaQ&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=mENXb5Bdwuq4jDZ4om9xiFtVy2nUvbmifEzSL0VNmew&s=r9TiD3Glkd7ZsS7Ariwvs4caS0Z-Z4M2qWzZ29ymRw4&e=

FYI, you can also use client roles in your policies.

On Fri, May 31, 2019 at 11:14 AM Ori Doolman wrote:
We have thousands of accounts, therefore option 1 is not feasible.
As for the 2nd option, if I configure accounts as resources, and my app's permissions as scopes per account/resource (all 200 of the app's permissions), I expect to get different permissions in the RPT if I am user A with role R1 or user B with role R2. At the same time, user A has a different role on another account. This is why I cannot use realm roles.

Is there any way to push claims when I request an RPT? The only thing I saw is requesting a specific permission/scope.

What I'm really missing in KC is a way to represent this relatively simple model of different user permissions per account. (The users and accounts relation is many to many.)

From: Pedro Igor Silva
Sent: Friday, May 31, 2019 1:02:05 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

I see. In this case, you could write a JS policy that checks both the account and the role, where the account could be passed to your policy as a claim. The issue here is that you will end up with a quite huge policy depending on how many accounts you have.

The second approach would be to manage accounts as resources and have those permissions for each resource. You would need provisioning logic in your application to create the resource + permissions when a new account is created. Permissions could then be obtained on a per-account basis.

On Thu, May 30, 2019 at 6:58 PM Ori Doolman <Ori.Doolman at cyberark.com> wrote:
Thanks Pedro,

But the definition below is exactly what I tried to do and got stuck. This is because the "manager permissions" (A, B, C) are given only for role manager and *for account 1*. For account 2, the same user will have totally different permissions.

I don't have the accounts configured in Keycloak. Even if I configure an account as a resource, this account will have scopes X, Y, Z for user 1 and scopes A, B, C for user 2.

See my problem?

Ori.
From: Pedro Igor Silva
Sent: Friday, May 31, 2019 12:51 AM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Would be the account a resource and permissions their corresponding scopes/actions that can be performed on an account?

If a role implies access to some scopes/actions you can perform on an account (which is a resource), you could write "scope-based policies" such as:

* "Manager Permission" is defined for scopes A, B and C with a role-policy that enforces "manager" role
* "Regular Permission" is defined for scopes X, Y and Z with a role-policy that enforces "regular" role

With this setup, if the user has both manager and regular roles access shall be granted to account and scopes A, B, C, X, Y, and Z. Otherwise, the scopes granted will depend on the role assigned to the user.

On Thu, May 30, 2019 at 6:29 PM Ori Doolman wrote:
Hi Pedro and all,
I managed to get an RPT given an access token.
My problem is that I cannot find a good way to model my application's permissions in Keycloak.
Maybe you or someone else can help with that, since I think it is a pretty standard model:
I have many "accounts" and many users.
I have several roles in my application, each represents a set of allowed permissions.
Each user is assigned a role *per account*.
That means that one user can be a "manager" user for account 1 (with effective permissions a,b,c) and a "regular" user for account 2 (with effective permissions x, y, z).
So as you see, my user roles (and permissions) are always in the context of an account.
This is why I cannot just configure static client roles and use them for policies. My permissions always depend on the data, the account context.
What is the best way (if any) to model this kind of permissions in Keycloak?
Thanks,
Ori.
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman
Sent: Thursday, May 23, 2019 9:35 PM
To: Pedro Igor Silva
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

Ok Pedro, I think I got it. Thanks a lot for the clarification.
My current plan is to make the exchange in API-GW.
I get 2 advantages:
1) No change in client application and no need to involve client with server side authorization.
2) I need to make sure access token is still valid and user did not perform logout. API-GW seems the correct place to do that. So in a single call to KC I get both token validation and token exchange.
I will try that and update the forum if it succeeds. I think this is a typical classic deployment and such a documented solution can assist a lot of people.
Ori.

________________________________
From: Pedro Igor Silva
Sent: Thursday, May 23, 2019 6:58:41 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

On Thu, May 23, 2019 at 12:21 PM Ori Doolman wrote:
Hi Pedro,
Thanks for the prompt response :)
Yes, I need RBAC only at the moment.
When you said my web application should make the token exchange, do you mean client side (javascript) or server side?

Client-side

I can also make it from API-GW which is even better I think. What is the common practice to send it to the server? I cannot use the Authorization header since it already contains the access token.

Not sure if API-GW is better but you can replace the access token with permissions (sent by the client) in the authorization header. It is just an access token + permissions. Pretty much the original + permissions.
Also, it means that I will have to make this call once per session (after login) rather than once in a process lifetime, since the roles->permissions mapping is pretty much static information.
It doesn't sound like the optimal approach.

Yes, you would need a per session exchange.

Ori.

________________________________
From: Pedro Igor Silva
Sent: Thursday, May 23, 2019 5:49:11 PM
To: Ori Doolman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user

There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type.
However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the number of permissions within the token.
Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization.

On Thu, May 23, 2019 at 11:23 AM Ori Doolman wrote:
Hi,
I have a web application (Angular) which calls a REST API in a Java microservice.
In my application, which manages books, I have "regular" and "admin" roles.
"regular" is allowed to execute API readBook.
"admin" is allowed to execute APIs readBook, deleteBook, createBook.
The mapping between the user roles to the permissions (book:read, book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities.
I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions.
When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization.

1. What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created?
Or is there any other recommended way to "map" the roles into the effective permissions at runtime?
Maybe keep the role->permissions in my current DB and load them to service cache?
2. I want to avoid calling Keycloak for every REST API call because this will result in bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way?
3. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read", "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role.
This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token.

Thanks,
Ori.

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.
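The thread above shows the RPT request (UMA ticket grant) and asks how a JS policy gets at pushed claims. What follows is an added example, not code from the thread or from Keycloak: it builds that request body, with the optional claim_token the Keycloak "pushing claims" documentation describes, and shows a policy that checks the pushed account claim together with the user's client role, the approach Pedro outlined. "epm-web", "R1" and the grant/format URNs are the thread's and the docs' own values; the claim name "account", the role "manager", the resource names and the local fakeEvaluation stand-in for Keycloak's Evaluation API are assumptions for illustration.

```javascript
// Added example (not from the thread or from Keycloak): the two sides of pushing
// claims with Keycloak Authorization Services. The requesting party, here the
// API gateway the thread proposes, asks the token endpoint for an RPT with the
// UMA ticket grant and pushes an "account" claim; a JS policy bound to the
// account's permission then checks that claim together with the user's role.
// Assumptions: claim name "account", client role "manager", resource names.

// Build the x-www-form-urlencoded body for the RPT request. The user's access
// token goes in the "Authorization: Bearer ..." header, as in the thread's
// request; it is not part of the body. `claims` maps claim name -> array of
// values and travels as claim_token, the base64-encoded JSON described in the
// Keycloak "pushing claims" documentation.
function buildRptRequestBody({ audience, permissions = [], claims = null }) {
  const params = new URLSearchParams();
  params.set('grant_type', 'urn:ietf:params:oauth:grant-type:uma-ticket');
  params.set('audience', audience);
  // "R1" asks for every scope of R1 the user may hold; "R1#S1" narrows to S1.
  for (const p of permissions) params.append('permission', p);
  if (claims) {
    const json = JSON.stringify(claims);
    params.set('claim_token', Buffer.from(json, 'utf8').toString('base64'));
    params.set('claim_token_format', 'urn:ietf:params:oauth:token-type:jwt');
  }
  return params.toString();
}

// Decode claim_token back to the claims object, as the server side does.
function decodeClaimToken(body) {
  const token = new URLSearchParams(body).get('claim_token');
  return token ? JSON.parse(Buffer.from(token, 'base64').toString('utf8')) : null;
}

// Body of a Keycloak JS policy (ES5, as Nashorn runs it). Inside Keycloak the
// script sees `$evaluation` as a global; it is wrapped in a function here only
// so it can be exercised locally. Returns true when the policy granted.
function accountRolePolicy($evaluation) {
  var context = $evaluation.getContext();
  var attributes = context.getAttributes(); // pushed claims are exposed here
  var identity = context.getIdentity();
  var resource = $evaluation.getPermission().getResource();

  // The claim is asserted by whoever requested the RPT, so it is only as
  // trustworthy as that party: accept pushed claims from a confidential
  // client you operate (the gateway), not from a public browser client.
  if (!attributes.exists('account')) {
    $evaluation.deny();
    return false;
  }
  var account = attributes.getValue('account').asString(0);

  // Accounts are modelled as resources (the thread's second option): the
  // pushed account must be the resource under evaluation, and the user must
  // hold the role this permission is about. Anything else is denied.
  if (resource.getName() === account && identity.hasClientRole('epm-web', 'manager')) {
    $evaluation.grant();
    return true;
  }
  $evaluation.deny();
  return false;
}

// Minimal constructed stand-in for the parts of Keycloak's Evaluation API the
// policy touches, so the policy can be run outside Keycloak. Not the real API.
function fakeEvaluation({ claims = {}, clientRoles = {}, resourceName }) {
  let decision = null;
  const attributes = {
    exists: (name) => Object.prototype.hasOwnProperty.call(claims, name),
    getValue: (name) => ({ asString: (i) => claims[name][i] }),
  };
  const identity = {
    hasClientRole: (client, role) => (clientRoles[client] || []).includes(role),
  };
  return {
    getContext: () => ({ getAttributes: () => attributes, getIdentity: () => identity }),
    getPermission: () => ({ getResource: () => ({ getName: () => resourceName }) }),
    grant: () => { decision = 'GRANT'; },
    deny: () => { decision = 'DENY'; },
    decision: () => decision, // test hook, not part of Keycloak's API
  };
}

// Walk-through with the thread's values: the plain request from the thread,
// then a request that pushes the account claim and a policy run against it.
const demoBody = buildRptRequestBody({ audience: 'epm-web', permissions: ['R1'] });
const demoPushed = buildRptRequestBody({
  audience: 'epm-web',
  permissions: ['account1#S1'],
  claims: { account: ['account1'] },
});
const demoEval = fakeEvaluation({
  claims: decodeClaimToken(demoPushed),
  clientRoles: { 'epm-web': ['manager'] },
  resourceName: 'account1',
});
console.log(demoBody);
console.log(accountRolePolicy(demoEval) ? 'GRANT' : 'DENY');
```

Only the accountRolePolicy body is what would be pasted into a Keycloak JS policy; the rest runs under Node to exercise it.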
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=E55fojPA83XrPGfndbiaQQ&r=o_QF9VVN9H4LTRTYF8YMPkr6mGZ6BOo1SvoOkvu0tBw&m=5zurlkdmAWhsCMoYAVGUC1BNE8h1T4tFgpNVHb5eIr8&s=0rwHXNe4URgjDInU-A39bq3_yWW9rk_S713f0f0PvI8&e=

From psilva at redhat.com Mon Jun 3 13:18:44 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 3 Jun 2019 14:18:44 -0300
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user
In-Reply-To:
References:
Message-ID:

Yeah, it seems like an issue. You should get the same results.

However, what you mentioned here is not how it is supposed to work though:

"If I add to SBP1 also S2, I expect that user1 will have access to both R1:S1 and R1:S2. However, I still get only R1:S1. This seems like a bug."

If you have conflicting permissions, like SBP1 granting access to S1 and S2 + SBP2 denying S2 to user1, the user should get S1 only.

I'll update the JIRA to this info and we can discuss there.

Thanks for creating the issue.
On Mon, Jun 3, 2019 at 12:55 PM Ori Doolman wrote:
> Hi Pedro,
>
> Did you check this?
> I have created a Jira issue:
> https://issues.jboss.org/browse/KEYCLOAK-10443
>
> Thanks,
> Ori.
>
>
> -----Original Message-----
> From: Ori Doolman
> Sent: Saturday, June 1, 2019 12:10 AM
> To: Ori Doolman; Pedro Igor Silva <psilva at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] How to get the role -> permissions for an authenticated user
>
> Hi Pedro,
>
> I almost got it all working, but I think I bumped into a bug... :( Please confirm if this is a bug or an expected behavior.
> I'm using latest Keycloak v6.01. I believe you can reproduce it as well.
>
> I have created:
> 1. Resource R with scopes S1, S2.
> 2. User based policy P1 for user1
> 3. User based policy P2 for user2
> 4. scope-based permission SBP1 for R1+S1 mapped to policy P1 (granting user1 access to R1:S1)
> 5. scope-based permission SBP2 for R1+S2 mapped to policy P2 (granting user2 access to R1:S2)
>
> When I request an RPT, everything is as expected. User1 token returns R1:S1 and user2 token returns R1:S2.
>
> But, if I add to SBP1 also S2, I expect that user1 will have access to both R1:S1 and R1:S2. However, I still get only R1:S1.
> This seems like a bug.
>
> If I revert the change and add to SBP2 also S1, I expect that user2 will have access to both R1:S1 and R1:S2. However, in this case I get access_denied and no scopes at all.
> This is really inconsistent and seems like a bug.
From Ori.Doolman at cyberark.com Mon Jun 3 15:07:29 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Mon, 3 Jun 2019 19:07:29 +0000
Subject: [keycloak-user] How to get the role -> permissions for an authenticated user
In-Reply-To:
References:
Message-ID:

Hi Pedro,

"If you have conflicting permissions, like SBP1 granting access to S1 and S2 + SBP2 denying S2 to user1, the user should get S1 only."

I agree, but in the example I provided I used two different users in the policy.
User1 is allowed for all scopes of R1 in SBP1.
User2 is allowed for all scopes of R1 in SBP2.
I didn't even test the case you mentioned because it failed with a more simple one.
No doubt it should be also added to automation tests after the fix.

Thanks a lot for addressing this issue.
Ori.
Get Outlook for Android ________________________________ From: Pedro Igor Silva >>>> Sent: Thursday, May 23, 2019 5:49:11 PM To: Ori Doolman Cc: keycloak-user at lists.jboss.org>>> Subject: Re: [keycloak-user] How to get the role -> permissions for an authenticated user There is no way to automatically set the permissions (from a client authorization settings) when an access token is issued. Like you said, you need another call to the token endpoint using the uma-grant-type. However, your web application will make that call only once in order to exchange the access token with another one with the permissions you need to access your backend. Your client should also be able to perform incremental authorization and limit the numbers of permissions within the token. Using a pure RBAC approach also works for your case, I think. Although you are limited to RBAC (thus tied with the roles you are using to protect resources) and not able to use resource-based authorization. On Thu, May 23, 2019 at 11:23 AM Ori Doolman >>>> wrote: Hi, I have a web application (Angular) which calls a REST API in a Java microservice. In my application, which manages books, I have a "regular" and "admin" roles. "regular" is allowed to execute API readBook. "admin" is allowed to execute APIs readBook, deleteBook, createBook. The mapping between the user roles to the permissions (book:read , book:create, book:delete) is currently in my app DB. I guess I can migrate all roles and permissions into Keycloak using the resources/permissions/policies entities. I get an access token in the client (using code flow or implicit flow). The token contains the current user roles. But not the permissions. When I call my REST API I send the access token to my REST endpoint in the http header. The token contains the user roles, but not the user permissions. In fact, what I really need is the user permissions for checking authorization. 1. 
What is the best practice of getting the user permissions in my REST service? Can I have them become part of the JWT access token when the token is created? Or is there any other recommended way to "map" the roles into the effective permissions at runtime? Maybe keep the role->permissions in my current DB and load them to service cache ? 2. I want to avoid calling Keycloak for every REST API call because this will result bad performance. From what I read, if I want to use Keycloak authorization services I must call Keycloak for every API request and get the permissions (an RPT token). Is that the only way? 1. Another alternative I thought of: have 2 user groups "Admins" and "Regulars". For "Admins" I will add roles "book:read" , "book:create", "book:delete" and for the "Regulars" group I will add only "book:read" role. This way, if a user belongs to the admins group, he will have all the permissions (roles) in the JWT access token. Thanks, Ori. ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. 
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From simao.sfos at gmail.com Mon Jun 3 16:25:28 2019
From: simao.sfos at gmail.com (Simão Silva)
Date: Mon, 3 Jun 2019 21:25:28 +0100
Subject: [keycloak-user] Authentication in services

Hi there,

I'm trying to implement a feature and I don't know how. I have my Keycloak running on the local network at 192.168.X.Y:A and I have a website on 192.168.X.Y:B, in other words, same IP, different ports. What I want is to redirect 192.168.X.Y:B to the Keycloak authentication page and then redirect back to the website. How should I do that?
Best regards,
Simão Silva

From siddiq_sa at yahoo.com Mon Jun 3 16:52:46 2019
From: siddiq_sa at yahoo.com (Siddiq Syed)
Date: Mon, 3 Jun 2019 20:52:46 +0000 (UTC)
Subject: [keycloak-user] Browser Login vs Application Login (AWS SAML SSO)
References: <1413956611.71671.1559595166162.ref@mail.yahoo.com>
Message-ID: <1413956611.71671.1559595166162@mail.yahoo.com>

Hi,

I did the SSO setup for Amazon AWS using SAML and Keycloak, following "How to set up SSO for Amazon AWS using SAML and Keycloak" (a step-by-step guide on how to set up SSO for Amazon AWS using the SAML protocol and Keycloak as Identity Provider).

This works fine when I log in with the browser using the URL (http://testserver/auth/realms/master/protocol/saml/clients/amazon-aws), which redirects me to AWS. But when I do it programmatically (using jsoup) to get the SAML Response for AWS credentials, this gives me the below error:

"You took too long to login. Login process starting from beginning."

Is there any setting in the Keycloak server for the login timeout from a non-browser call? Please help.

-Siddiq

From pnalyvayko at agi.com Mon Jun 3 19:43:42 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Mon, 3 Jun 2019 23:43:42 +0000
Subject: [keycloak-user] X509 Direct Grant with client certificate

Hi Chirag,

Can you expound on what you mean by "sharing the same attribute details"? X509 Direct Grant relies on mutual TLS, i.e. a client certificate, to find a unique user, so having more than a single user associated with the same certificate will cause an authentication error.
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Chirag Unnadkat [Chirag.Unnadkat at cerillion.com]
Sent: Monday, June 3, 2019 10:35 AM
To: Chirag Unnadkat; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] X509 Direct Grant with client certificate

Hi,

Has anyone else faced a similar issue, and/or managed to resolve something similar?

Kind Regards,
Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat at cerillion.com
T. 0207 9276029
W. www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Chirag Unnadkat
Sent: 28 May 2019 16:03
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] X509 Direct Grant with client certificate

Hi,

Is it possible to pass the same client certificate in a token request with different login credentials? My current setup doesn't seem to allow this and I can't find any documentation saying this is not possible.

I have configured an X509 Direct Grant flow using X509/Validate Username (X.509 Config). This is configured to take the Subject's Common Name, with the attribute "NAME".

I have configured a trust store with 1 certificate (I want to share this across users).

When I add the Subject Common Name to user 1's attribute, they then require the key pair to generate a token; however, once I share the same attribute details with user 2, both user 1 and 2 stop working.

Maybe I am missing some configuration that will allow my users to share the same certificate. I ideally do not want to have one certificate per user as this will get out of hand to manage as the population of the realm increases.

Kind Regards,
Chirag Unnadkat
From Shweta.Shetty at Teradata.com Mon Jun 3 19:50:12 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Mon, 3 Jun 2019 23:50:12 +0000
Subject: [keycloak-user] Token retrieval failed when client password contains special characters

We filed this bug when we were using special characters in our client secret: https://issues.jboss.org/browse/KEYCLOAK-10453

Is this a known issue with Keycloak? Any heads up is appreciated.

Shweta

From lasse.jahn at student.hpi.de Tue Jun 4 04:23:40 2019
From: lasse.jahn at student.hpi.de (Lasse Jahn)
Date: Tue, 4 Jun 2019 10:23:40 +0200
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api
References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de>

Hey Pedro,

sorry for the really late reply. There've been some other issues I had to fix first before I could come back to authorization. But now I'm trying to get this done.

Unfortunately I don't really get the thing with the resources and the corresponding URIs.

I want the Keycloak enforcer middleware only called at the one point, like I explained. Based on the called route (e.g. /api/users or /api/devices) I would like to have only the permissions of that resource evaluated.

I guess somehow I just miss a thing and it should be easily possible.

What I did:
1. Created 2 resources (users, devices) with URIs "/api/users" and "/api/devices"
2. Created 2 permissions and policies (users: grant always, devices: deny always)
3. Added the keycloak enforcer middleware before the router.

****
app.use('/api', keycloak.enforcer(['users', 'devices']), routes);
****

Unfortunately when I access /api/devices this is allowed.

I would like to create resources on the client and have one policy for each to decide. Is it possible that the enforcer checks which resource is requested and uses only that one?

If not, what is the URI of a resource for?

Regards Lasse

On 15.05.19 19:55, Pedro Igor Silva wrote:
>
> On Wed, May 15, 2019 at 8:52 AM Lasse Jahn wrote:
>
>> Hi Pedro,
>>
>> thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great.
>>
>> Later on I would like to have a multi-tenant solution, short explanation of what I mean:
>>
>> Different companies have the same functionality but maybe want to change the restrictions for themselves. But still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the API the backend should enforce the policies of the company-specific client.
>>
>> Therefore I have 2 questions:
>>
>> 1. Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested path? So I only have to add the middleware once before the express router. So for example we have routes /api/devices and /api/users (GET, POST, DELETE each). Both are represented by a resource in the keycloak admin console.
>>
>> I would like to have something like this:
>>
>> router.js
>>
>> ****
>>
>> const express = require('express');
>> const router = express.Router();
>> const users = require('../controllers/users.controller');
>> const devices = require('../controllers/devices.controller');
>>
>> router.post('/users/', users.create);
>> router.delete('/users/', users.deleteAll);
>> router.get('/users/', users.findAll);
>>
>> router.post('/devices/', devices.create);
>> router.delete('/devices/', devices.deleteAll);
>> router.get('/devices/', devices.findAll);
>>
>> module.exports = router;
>>
>> ****
>>
>> app.js
>>
>> ****
>>
>> .... //all from before
>>
>> app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes);
>>
>> ****
>>
>> I don't want to write keycloak.enforcer(...) on each line of users or devices...
>>
>> Maybe this can be done by the claims and the context information? But if yes I don't get how.
>
> Yes, by using claims you are allowed to use them in your policies. Here is an example:
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/config/quickstart-realm.json#L90
> More details here:
> https://www.keycloak.org/docs/latest/authorization_services/index.html#examples
>
> Your keycloak.enforcer would be similar to
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177
>
>> 2. For now the solution is only single tenant, but if I want to have it multi-tenant and have a realm per company with similar clients (only different in policies and permissions), do you have an idea how I can solve the problem that the keycloak object is configured realm-specific?
>> I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object.
>> Do you think this can work? Or do you have a better idea?
>
> AFAIK, this is how you do it. So that, according to the request, you build a new Keycloak object using a specific realm.
>
>> Some suggestions for your documentation:
>>
>> - Could you somewhere describe what the middleware option `protected` is doing? The logout, ... options are explained, but `protected` I couldn't find.
>> - Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource'; the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful.
>
> Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing.
>
>> Regards,
>> Lasse
>>
>> On 14.05.19 20:33, Pedro Igor Silva wrote:
>>> Hi,
>>>
>>> We've added more docs to the NodeJS PEP recently [1]. They should be available in the next release. Please let me know if that is enough or if we need to add more information.
>>>
>>> In your case, this code:
>>>
>>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>>>
>>> Would be:
>>>
>>> app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes);
>>>
>>> If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be:
>>>
>>> app.use('/api', keycloak.enforcer('foo:bar'), routes);
>>>
>>> Hope it helps.
>>>
>>> [1] https://github.com/keycloak/keycloak-documentation/pull/654
>>>
>>> On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote:
>>>
>>>> Hello,
>>>>
>>>> It's the first time writing to the keycloak mailing list (I hope this is the correct one?) so excuse me if I forget to provide some information or make any other mistakes ..
>>>> Sorry for the text wall.
>>>>
>>>> Shortly, what I try to do (maybe I got something completely wrong):
>>>> I create a backend (node.js Bearer Only) which shall offer a REST API. Partially it is used via a frontend (keycloak-clients) or directly by some devices.
>>>> In general I try to create an application with a lot of CRUD. User Management is done in keycloak and I only forward these requests to the admin REST API. Other stuff like the devices ... I store in a separate database.
>>>> So the backend is the abstraction layer for frontend and other use-cases.
>>>>
>>>> So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all handled via keycloak.protect(). The token from the authenticated person was passed.
>>>> But now I'd like to offer different authorization levels (can differ due to reasons of multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration) because the normal user shall have access to only some routes and the management shall have full access to the API, but of course doesn't need the keycloak admin access.
>>>> So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
>>>> (Just in case no one gets what I'm talking about: fixing [1] should help me fix my issue I guess)
>>>>
>>>> Setup
>>>> - node.js application using express
>>>> - registered as a single client in keycloak admin-console (confidential, but config inside the code is bearer-only)
>>>> - Keycloak is running in a docker-container (version 4.5)
>>>> - all services are running in a docker-compose network and are behind a reverse proxy for a common URI
>>>> - enabled Authorization in the client and changed the default policy to Negative to always deny => to see if it is enforced
>>>>
>>>> My Problem
>>>> I don't understand how to use the policies, permissions and co I created in the admin-console inside the backend itself. How do I enforce that these are used?
>>>> I tried to check different examples and documentation, but couldn't get it working.
>>>> The last thing I found was that the entitlement API was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find documentation of the middleware (keycloak.enforcer({}) [3][4]).
>>>>
>>>> My Code
>>>>
>>>> *****
>>>> app.js
>>>>
>>>> const express = require('express');
>>>> const app = express();
>>>> const Keycloak = require('keycloak-connect');
>>>> const session = require('express-session');
>>>> const routes = require('./routes/index');
>>>>
>>>> const kcConfig = {
>>>>     'realm': 'master',
>>>>     'bearer-only': true,
>>>>     'auth-server-url': `https://DOMAIN/auth`,
>>>>     'ssl-required': 'all',
>>>>     'resource': 'fm-backend',
>>>>     'credentials': {
>>>>         secret: 'SOME_SECRET',
>>>>     },
>>>>     'confidential-port': 0,
>>>>     'policy-enforcer': {       // tried with and without this, changed nothing
>>>>         'enforcement-mode': 'ENFORCING',
>>>>     },
>>>> };
>>>>
>>>> const memoryStore = new session.MemoryStore();
>>>> // keycloak-connect reads the session store from the `store` key of its first argument
>>>> const keycloak = new Keycloak({ store: memoryStore }, kcConfig);
>>>>
>>>> app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
>>>>
>>>> // used before, worked well for authentication
>>>> app.use('/api', keycloak.protect(), routes);
>>>>
>>>> // now unfortunately I don't understand how to use the keycloak.enforcer() middleware
>>>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>>>>
>>>> module.exports = app;
>>>>
>>>> *****
>>>>
>>>> [1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
>>>> [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
>>>> [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
>>>> [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>>>>
>>>> Any help is appreciated :)
>>>>
>>>> With kind regards
>>>> Lasse
From luke at code-house.org Tue Jun 4 05:15:12 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Tue, 4 Jun 2019 11:15:12 +0200
Subject: [keycloak-user] Custom REST endpoint not associated with a specific REALM

Hey Michael,

Based on my earlier experiences I can tell you that the RealmResourceProvider SPI which you used does not distinguish realm resources and the realms they will actually be pulled into. It's worth remembering that when RealmResourceProvider returns null instead of a valid resource object, the HTTP request will end up with a 404 code.

You need to combine both KeycloakContext [1] and the configuration mechanism [2] to achieve the final result. The first will let you obtain the current realm via the getRealm method, while the second will bring flexibility through the init(Scope) method call. For example, if your config parameter is called LIID:

@Override
public void init(Scope config) {
    // read the provider's own configuration, falling back to a default when it is not set
    String liid = config.get("LIID", "some-fallback-value");
}

This is all pseudo code, but I'm sure you will be able to find your way.

[1]: https://github.com/keycloak/keycloak/blob/6.0.1/server-spi/src/main/java/org/keycloak/models/KeycloakContext.java
[2]: https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_installation/topics/config-subsystem/configure-spi-providers.adoc

Cheers,
Łukasz
--
Code-House
http://code-house.org

On 30.05.2019 19:45, Michael Dailous wrote:
> Hi,
>
> We are looking to implement a REST endpoint that will be used to query the REALM information associated with a specified user. The REST endpoint will be publicly available and used as part of the Authentication process, identifying which Keycloak REALM should be used during the client authentication process.
> We've created REST endpoints that are available through a REALM, such as "/auth/realms/master/admin-extensions/...". Those specific REALMs are accessed post authentication. For this REST endpoint, we're looking to access it generically pre authentication.
>
> Is it possible to create a custom REST endpoint that's not associated with a specific REALM?
>
> Thanks,
> Michael

From sthorger at redhat.com Tue Jun 4 07:13:15 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Jun 2019 13:13:15 +0200
Subject: [keycloak-user] Need to start nip.io for keycloak on minikube (kubernetes)
In-Reply-To: <0aec7fc6-b8e2-d2cd-d804-920a76b5f2bf@janua.fr>
References: <0aec7fc6-b8e2-d2cd-d804-920a76b5f2bf@janua.fr>

Been a while since I played with this, but I didn't install nip.io separately. I think I just enabled the ingress add-on and configured it to use nip.io.

On Mon, 3 Jun 2019, 11:03 Olivier Rivat, wrote:

> Hi,
>
> I am trying to follow the tutorial/video from Stian:
> https://github.com/stianst/demo-kubernetes
>
> I have installed minikube on my linux laptop, but cannot find how to use nip.io for the demo
> to resolve the environment variables KEYCLOAK_HOST, BACKEND_HOST and FRONTEND_HOST:
>
> export MINIKUBE_IP=`minikube ip`
> export KEYCLOAK_HOST=keycloak.$MINIKUBE_IP.nip.io
> export BACKEND_HOST=backend.$MINIKUBE_IP.nip.io
> export FRONTEND_HOST=frontend.$MINIKUBE_IP.nip.io
>
> I have tried to install nip.io also as follows, but it is conflicting with the laptop's systemd-resolved:
>
> https://github.com/resmo/nip.io
>
> docker run -d -p 0.0.0.0:53:53/tcp -p 0.0.0.0:53:53/udp --name nip.io nip.io
> 8cc8e05678d02a61299bf60a3116759e93a39113da875216163b7c6fba725ce1
> docker: Error response from daemon: driver failed programming external connectivity on endpoint nip.io (5117952d0ba0d91fe81404537bd1abc7674dfd49f4ec9ce4c587af6c7e7d84d9): Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use.
>
> I guess my minikube is certainly not correct, but I cannot figure out what is missing to have nip.io working on my minikube cluster.
> Thanks for your help
>
> Regards,
>
> Olivier Rivat
>
> --
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr

From rafatov10 at gmail.com Tue Jun 4 07:44:48 2019
From: rafatov10 at gmail.com (Rafael Tovar.)
Date: Tue, 4 Jun 2019 13:44:48 +0200
Subject: [keycloak-user] Role-Based Policy with nodejs adapter, single role validation

Hi all,

Is there any way to check only the policies associated with a specific role with the nodejs adapter?

Example: Imagine a user with 2 realm roles: admin and guest. How could I check the resources available only for the guest role?

Thanks,
Rafael.
From psilva at redhat.com Tue Jun 4 08:06:30 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 4 Jun 2019 09:06:30 -0300
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api
References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de>

Differently than other adapters, the NodeJS adapter does not fetch resources from the server, so you need to use the enforcer on each route:

app.get('/api/users', keycloak.enforcer(['users']), users.findAll);
app.get('/api/devices', keycloak.enforcer(['devices']), devices.findAll);

Please create an RFE if the current behavior is not enough for you.

On Tue, Jun 4, 2019 at 5:23 AM Lasse Jahn wrote:

> Hey Pedro,
>
> sorry for the really late reply. There've been some other issues I had to fix first before I could come back to authorization. But now I'm trying to get this done.
>
> Unfortunately I don't really get the thing with the resources and the corresponding URIs.
>
> I want the Keycloak enforcer middleware only called at the one point, like I explained. Based on the called route (e.g. /api/users or /api/devices) I would like to have only the permissions of that resource evaluated.
>
> I guess somehow I just miss a thing and it should be easily possible.
>
> What I did:
> 1. Created 2 resources (users, devices) with URIs "/api/users" and "/api/devices"
> 2. Created 2 permissions and policies (users: grant always, devices: deny always)
> 3. Added the keycloak enforcer middleware before the router.
>
> ****
> app.use('/api', keycloak.enforcer(['users', 'devices']), routes);
> ****
>
> Unfortunately when I access /api/devices this is allowed.
>
> I would like to create resources on the client and have one policy for each to decide. Is it possible that the enforcer checks which resource is requested and uses only that one?
>
> If not, what is the URI of a resource for?
>
> Regards Lasse
>>> >>> So far so good, but for the beginning it was enough to check weather the >>> request comes from an authenticated person or not, so all handled via >>> keycloak.protect() The Token from the authenticated person was passed >>> But now I'd want to offer different authorization level (can differ due >>> to reasons of multitenancy, why I want to solve this via policies and co in >>> admin-console inside the client configuariton) because the normal user >>> shall have access to only some routes and the management shall have full >>> access to the api, but of course don't need the keycloak admin access. >>> So I enabled the service account for my backend client and gave this one >>> the realm-admin role so the client has access to everything and I can >>> handle the authorization inside the backend client it self (using policies, >>> permissions, .. inside the admin-console). >>> (Just in case no one gets what I'm talking about. Fixing [1] should help >>> me fixing my issue I guess) >>> >>> Setup >>> - node.js application using express >>> - registered as single client in keycloak admin-console (confidential, >>> but config inside the code is bearer-only) >>> - Keycloak is running in a docker-container (version 4.5) >>> - all services are running in a docker-compose network and are behind a >>> reverse proxy for common uri >>> - enabled Authorization in client and changed the default policy to >>> Negative to always deny => to see if it is enforced) >>> >>> My Problem >>> I don't understand how to use the policies, permissions and Co I created >>> in the admin-console inside the backend it self. How do I enforce that >>> these are used? >>> I tried to check different examples and documentation, but could get it >>> working. >>> The last thing I found was that the entitlement api was removed, but a >>> policy-enforcer was added to the nodejs adapter. 
In the documentation for >>> the policy-enforcer [2] I couldn't find a documentation of the middleware >>> (keycloak.enforcer({}) [3][4]). >>> >>> My Code >>> >>> ***** >>> app.js >>> >>> const express = require('express'); >>> const app = express(); >>> const Keycloak = require('keycloak-connect'); >>> const session = require('express-session'); >>> const routes = require('./routes/index'); >>> >>> >>> const kcConfig = { >>> 'realm': 'master', >>> 'bearer-only': true, >>> 'auth-server-url': `https://DOMAIN/auth`, >>> 'ssl-required': 'all', >>> 'resource': 'fm-backend', >>> 'credentials': { >>> secret: 'SOME_SECRET', >>> }, >>> 'confidential-port': 0, >>> 'policy-enforcer': { //tried with an >>> without this, changed nothing >>> 'enforcement-mode': 'ENFORCING', >>> }, >>> }; >>> >>> const memoryStore = new session.MemoryStore(); >>> const keycloak = new Keycloak({ memoryStore }, kcConfig); >>> >>> app.use(keycloak.middleware({ logout: '/api/logout', protected: >>> '/api/gates' })); >>> >>> // used before, worked for well for authentication >>> app.use('/api', keycloak.protect(), routes); >>> >>> // now unfortunately I don't understand how to use keycloak.enforcer() >>> middleware >>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); >>> >>> module.exports = app; >>> >>> ***** >>> >>> [1] >>> https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application >>> [2] >>> https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview >>> [3] >>> https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc >>> [4] >>> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js >>> >>> >>> Any Help is appreciated :) >>> >>> >>> With kind regards >>> Lasse >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> 
https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From psilva at redhat.com Tue Jun 4 08:07:34 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 4 Jun 2019 09:07:34 -0300 Subject: [keycloak-user] Role-Based Policy with nodejs adapter, single role validation In-Reply-To: References: Message-ID: Hi, No support for that, evaluation is based on a token representing the subject. Regards. On Tue, Jun 4, 2019 at 8:51 AM Rafael Tovar. wrote: > Hi all, > Is there any way to check only the policies associated to an specific role > with the nodejs adapter? > > Example: > Imagine an user with 2 realm roles: admin and guest. > How could i check the resources available only for the guest role? > > Thanks, > Rafael. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Lasse.Jahn at student.hpi.uni-potsdam.de Tue Jun 4 08:46:56 2019 From: Lasse.Jahn at student.hpi.uni-potsdam.de (Jahn, Lasse) Date: Tue, 4 Jun 2019 12:46:56 +0000 Subject: [keycloak-user] Policy Enforcing for nodejs REST Api In-Reply-To: References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de> , Message-ID: So just to make it sure, if I use the node adapter the resource URIs in the keycloak admin console are not used yet? I would have thought that the backend sends a request to keycloak sending the - bearer token (for all credentials and user information...) - request object (to have the requested resource) And then keycloak evaluates and only answers grant or deny ?! Is this decision maid inside the adapter or keycloak? On 4. 
Jun 2019, at 14:06, Pedro Igor Silva > wrote: Differently than other adapters, the NodeJS adapter does not fetch resources from the server, so you need to use the enforcer on each route: app.get('/api/users', keycloak.enforcer(['users']) app.get('/api/devices', keycloak.enforcer(['devices']) Please, create an RFE if you the current behavior is not enough for you. On Tue, Jun 4, 2019 at 5:23 AM Lasse Jahn > wrote: Hey Pedro, sorry for the really late reply. There've been some other issues I had to fix first before I could come back to authorization. But now I try to get this done. Unfortunately I don't really get the thing with the resources and the regarding URIs. I want the keycloak enforcer middleware only called at the one point, like I explained. Based on the called route (e.g. /api/users or api/devices) I would like to have only the permissions of the resource evaluated. I guess somehow I just miss a thing and it should be easy possible. What I did: 1. Created 2 resources (users, devices with URIs "/api/users" or "/api/devices" 2. Created 2 permission and policy (users grant always, devices deny always) 3. Added the keycloak enforcer middleware before the router. **** app.use('/api', keycloak.enforcer(['users', 'devices']), routes); **** Unfortunately when I access /api/devices this is allowed. I would like to create resources on the client and have one policy per each to decide. Is it possible, that the enforcer checks which resource is requested and uses only that one. If not what is the URI of a resource for? Regards Lasse On 15.05.19 19:55, Pedro Igor Silva wrote: On Wed, May 15, 2019 at 8:52 AM Lasse Jahn > wrote: Hi Pedro, thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great. 
Later on I would like to have an multi tenant solution, short explanation what I mean: Different companies have the same functionality but maybe want to change the restriction for there self. But still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the api the backend should enforce the policies of the company specific client. Therefore I have 2 questions: 1. Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested on the path. So I only to have to add the middleware once before the express router. So for example we have a route /api/devices and /api/users (GET,POST,DELETE each). Both are represented by a resource in the keycloak admin console. I would like to have something like this: router.js **** const express = require('express'); const router = express.Router(); const users = require('../controllers/users.controller'); const devices = require('../controllers/devices.controller'); router.post('/users/', users.create); router.delete('/users/', users.deleteAll); router.get('/users/', users.findAll); router.post('/devices/', devies.create); router.delete('/devices/', devicese.deleteAll); router.get('/devices/', devices.findAll); module.exports = router; **** app.js **** .... //all from before app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes); **** I dont want to write keycloak.enforcer(...) to each line of users or devices... Maybe this can done by the claims and the context information? But if yes I don't get how. Yes, by using claims you are allowed to use them in your policies. Here is an example: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/config/quickstart-realm.json#L90. More details here https://www.keycloak.org/docs/latest/authorization_services/index.html#examples. 
Your keycloak.enforce would be similar to https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177. 2. For now the solution is only single tenant, but If I want to have it multi tenant and have realm per company with similar clients (only different in policies and permissions). Do you have an idea how I can solve the problem that the keycloak object is configured realm specific? I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object. Do you think this can work ? Or do you have a better idea? AFAIK, this is how you do it. So that accordingly with the request you build a new Keycloak object using a specific realm. Some suggestions for your documentation: - Could you somewhere describe what the middleware option protected is doing? The Logout, ... options are explained, but the protected I couldn't find. - Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource' the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful. Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing. Regards, Lasse On 14.05.19 20:33, Pedro Igor Silva wrote: Hi, We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information. In your case, this code: app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); Would be: app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes); If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be: app.use('/api', keycloak.enforcer('foo:bar'), routes); Hope it helps. 
[1] https://github.com/keycloak/keycloak-documentation/pull/654 On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote: Hello, It's the first time writing to keycloak mailing list (I hope this is the correct one?) so excuse if I forget to provide some information or any other mistakes .. Sorry for the text wall. Shortly what I try to do (maybe I got something completely wrong): I create a backend (node.js Bearer Only) which shall offer an REST api. Partially it is used via a frontend (keycloak-clients) or directly by some devices. In general I try to create an application with a lot of CRUD. User Management is done in keycloak and only I forward these requests to the admin REST Api. Other stuff like the devices ... I store in a separate database. So the backend is the abstraction layer for frontend and other use-cases. So far so good, but for the beginning it was enough to check weather the request comes from an authenticated person or not, so all handled via keycloak.protect() The Token from the authenticated person was passed But now I'd want to offer different authorization level (can differ due to reasons of multitenancy, why I want to solve this via policies and co in admin-console inside the client configuariton) because the normal user shall have access to only some routes and the management shall have full access to the api, but of course don't need the keycloak admin access. So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client it self (using policies, permissions, .. inside the admin-console). (Just in case no one gets what I'm talking about. 
Fixing [1] should help me fixing my issue I guess) Setup - node.js application using express - registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only) - Keycloak is running in a docker-container (version 4.5) - all services are running in a docker-compose network and are behind a reverse proxy for common uri - enabled Authorization in client and changed the default policy to Negative to always deny => to see if it is enforced) My Problem I don't understand how to use the policies, permissions and Co I created in the admin-console inside the backend it self. How do I enforce that these are used? I tried to check different examples and documentation, but could get it working. The last thing I found was that the entitlement api was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find a documentation of the middleware (keycloak.enforcer({}) [3][4]). My Code ***** app.js const express = require('express'); const app = express(); const Keycloak = require('keycloak-connect'); const session = require('express-session'); const routes = require('./routes/index'); const kcConfig = { 'realm': 'master', 'bearer-only': true, 'auth-server-url': `https://DOMAIN/auth`, 'ssl-required': 'all', 'resource': 'fm-backend', 'credentials': { secret: 'SOME_SECRET', }, 'confidential-port': 0, 'policy-enforcer': { //tried with an without this, changed nothing 'enforcement-mode': 'ENFORCING', }, }; const memoryStore = new session.MemoryStore(); const keycloak = new Keycloak({ memoryStore }, kcConfig); app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' })); // used before, worked for well for authentication app.use('/api', keycloak.protect(), routes); // now unfortunately I don't understand how to use keycloak.enforcer() middleware app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); module.exports = app; ***** [1] 
https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js Any Help is appreciated :) With kind regards Lasse _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From Lasse.Jahn at student.hpi.uni-potsdam.de Tue Jun 4 10:45:29 2019 From: Lasse.Jahn at student.hpi.uni-potsdam.de (Jahn, Lasse) Date: Tue, 4 Jun 2019 14:45:29 +0000 Subject: [keycloak-user] Policy Enforcing for nodejs REST Api In-Reply-To: References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de> <0C526E73-8FCD-4E49-AD27-B2EB705218FD@student.hpi.uni-potsdam.de>, Message-ID: Hmm ok, But is the decision made in keycloak or inside the keycloak Adapter? I don't really get why the adapter has to fetch the resources. Couldn't the adapter send the requested url from the req object and the decision which resource is meant happens in the keycloak Service itself?! So the policy, permissions, resources only stay inside of keycloak and the adapter only receives an access grant or access deny which it then enforces. Or in other words, that the adapter is only the PEP (policy enforcement point) and keycloak service is the PDP (policy decision point). On 4. Jun 2019, at 14:47, Pedro Igor Silva wrote: On Tue, Jun 4, 2019 at 9:28 AM Jahn, Lasse wrote: So just to make it sure, if I use the node adapter the resource URIs in the keycloak admin console are not used yet? Yes. That is why you need to use the enforcer in the route so that you associate a resource with the route/path. 
In other adapters, the enforcer is capable of fetching and caching resources from the server based on the requested URI. So you don't need to do this association manually. I would have thought that the backend sends a request to keycloak sending the - bearer token (for all credentials and user information...) - request object (to have the requested resource) And then keycloak evaluates and only answers grant or deny ?! Is this decision maid inside the adapter or keycloak? Yes, that is how it works. The missing part is the enforcer using the requested URI to match a resource in Keycloak so that permissions can be enforced. On 4. Jun 2019, at 14:06, Pedro Igor Silva > wrote: Differently than other adapters, the NodeJS adapter does not fetch resources from the server, so you need to use the enforcer on each route: app.get('/api/users', keycloak.enforcer(['users']) app.get('/api/devices', keycloak.enforcer(['devices']) Please, create an RFE if you the current behavior is not enough for you. On Tue, Jun 4, 2019 at 5:23 AM Lasse Jahn > wrote: Hey Pedro, sorry for the really late reply. There've been some other issues I had to fix first before I could come back to authorization. But now I try to get this done. Unfortunately I don't really get the thing with the resources and the regarding URIs. I want the keycloak enforcer middleware only called at the one point, like I explained. Based on the called route (e.g. /api/users or api/devices) I would like to have only the permissions of the resource evaluated. I guess somehow I just miss a thing and it should be easy possible. What I did: 1. Created 2 resources (users, devices with URIs "/api/users" or "/api/devices" 2. Created 2 permission and policy (users grant always, devices deny always) 3. Added the keycloak enforcer middleware before the router. **** app.use('/api', keycloak.enforcer(['users', 'devices']), routes); **** Unfortunately when I access /api/devices this is allowed. 
I would like to create resources on the client and have one policy per each to decide. Is it possible, that the enforcer checks which resource is requested and uses only that one. If not what is the URI of a resource for? Regards Lasse On 15.05.19 19:55, Pedro Igor Silva wrote: On Wed, May 15, 2019 at 8:52 AM Lasse Jahn > wrote: Hi Pedro, thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great. Later on I would like to have an multi tenant solution, short explanation what I mean: Different companies have the same functionality but maybe want to change the restriction for there self. But still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the api the backend should enforce the policies of the company specific client. Therefore I have 2 questions: 1. Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested on the path. So I only to have to add the middleware once before the express router. So for example we have a route /api/devices and /api/users (GET,POST,DELETE each). Both are represented by a resource in the keycloak admin console. I would like to have something like this: router.js **** const express = require('express'); const router = express.Router(); const users = require('../controllers/users.controller'); const devices = require('../controllers/devices.controller'); router.post('/users/', users.create); router.delete('/users/', users.deleteAll); router.get('/users/', users.findAll); router.post('/devices/', devies.create); router.delete('/devices/', devicese.deleteAll); router.get('/devices/', devices.findAll); module.exports = router; **** app.js **** .... //all from before app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes); **** I dont want to write keycloak.enforcer(...) 
to each line of users or devices... Maybe this can done by the claims and the context information? But if yes I don't get how. Yes, by using claims you are allowed to use them in your policies. Here is an example: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/config/quickstart-realm.json#L90. More details here https://www.keycloak.org/docs/latest/authorization_services/index.html#examples. Your keycloak.enforce would be similar to https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177. 2. For now the solution is only single tenant, but If I want to have it multi tenant and have realm per company with similar clients (only different in policies and permissions). Do you have an idea how I can solve the problem that the keycloak object is configured realm specific? I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company. Depending on the company I would set the keycloak object. Do you think this can work ? Or do you have a better idea? AFAIK, this is how you do it. So that accordingly with the request you build a new Keycloak object using a specific realm. Some suggestions for your documentation: - Could you somewhere describe what the middleware option protected is doing? The Logout, ... options are explained, but the protected I couldn't find. - Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource' the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful. Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing. Regards, Lasse On 14.05.19 20:33, Pedro Igor Silva wrote: Hi, We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information. 
In your case, this code: app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); Would be: app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes); If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be: app.use('/api', keycloak.enforcer('foo:bar'), routes); Hope it helps. [1] https://github.com/keycloak/keycloak-documentation/pull/654 On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote: Hello, It's the first time writing to keycloak mailing list (I hope this is the correct one?) so excuse if I forget to provide some information or any other mistakes .. Sorry for the text wall. Shortly what I try to do (maybe I got something completely wrong): I create a backend (node.js Bearer Only) which shall offer an REST api. Partially it is used via a frontend (keycloak-clients) or directly by some devices. In general I try to create an application with a lot of CRUD. User Management is done in keycloak and only I forward these requests to the admin REST Api. Other stuff like the devices ... I store in a separate database. So the backend is the abstraction layer for frontend and other use-cases. So far so good, but for the beginning it was enough to check weather the request comes from an authenticated person or not, so all handled via keycloak.protect() The Token from the authenticated person was passed But now I'd want to offer different authorization level (can differ due to reasons of multitenancy, why I want to solve this via policies and co in admin-console inside the client configuariton) because the normal user shall have access to only some routes and the management shall have full access to the api, but of course don't need the keycloak admin access. 
So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client it self (using policies, permissions, .. inside the admin-console). (Just in case no one gets what I'm talking about. Fixing [1] should help me fixing my issue I guess) Setup - node.js application using express - registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only) - Keycloak is running in a docker-container (version 4.5) - all services are running in a docker-compose network and are behind a reverse proxy for common uri - enabled Authorization in client and changed the default policy to Negative to always deny => to see if it is enforced) My Problem I don't understand how to use the policies, permissions and Co I created in the admin-console inside the backend it self. How do I enforce that these are used? I tried to check different examples and documentation, but could get it working. The last thing I found was that the entitlement api was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find a documentation of the middleware (keycloak.enforcer({}) [3][4]). 
My Code ***** app.js const express = require('express'); const app = express(); const Keycloak = require('keycloak-connect'); const session = require('express-session'); const routes = require('./routes/index'); const kcConfig = { 'realm': 'master', 'bearer-only': true, 'auth-server-url': `https://DOMAIN/auth`, 'ssl-required': 'all', 'resource': 'fm-backend', 'credentials': { secret: 'SOME_SECRET', }, 'confidential-port': 0, 'policy-enforcer': { //tried with an without this, changed nothing 'enforcement-mode': 'ENFORCING', }, }; const memoryStore = new session.MemoryStore(); const keycloak = new Keycloak({ memoryStore }, kcConfig); app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' })); // used before, worked for well for authentication app.use('/api', keycloak.protect(), routes); // now unfortunately I don't understand how to use keycloak.enforcer() middleware app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes); module.exports = app; ***** [1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js Any Help is appreciated :) With kind regards Lasse _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sidney.beekhoven at info.nl Tue Jun 4 11:19:31 2019 From: sidney.beekhoven at info.nl (Sidney Beekhoven - INFO) Date: Tue, 4 Jun 2019 15:19:31 +0000 Subject: [keycloak-user] LDAP user federation with AD range retrieval Message-ID: Hi Aaron, I created ticket https://issues.jboss.org/browse/KEYCLOAK-8525 back then. 
That one was closed because there were some other tickets which would hopefully resolve this issue. In the meantime in version 6 some of those other tickets were solved and for us it solves the issue with AD range retrieval. Regards, Sidney Beekhoven This looks to be an issue still in 5.0.0. Did you end up creating a ticket for this? I had to do the same workaround for a similar issue I'm having with larger groups not syncing from AD > Keycloak. Raising the MaxValRange allowed that group to sync as well. -- Aaron Echols On Tue, Oct 9, 2018 at 4:32 AM Sidney Beekhoven wrote: > Hello, > > We have a keycloak setup (3.4.3.Final) with active directory as a user > federation provider. We ran into an issue with adding a certain role to > users. We got an error message like this: > > Uncaught server error: org.keycloak.models.ModelException: Could not > modify attribute for DN > [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) > at > org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) > at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) > at > org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) > at > org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) > at > org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) > at > org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) > ... 
> Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name 'CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com'
>   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175)
>   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
>   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
>   at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475)
>   at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
>   at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
>   at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
>   at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>   at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
>
> After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See e.g. https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/searching-using-range-retrieval .
> When I look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role.
>
> For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-by-using-ntdsutil for more info about this.
>
> The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so I will create a jira ticket for that.
>
> Did anyone else maybe run into this issue, and if so had another solution for it?
>
> Kind regards,
> Sidney Beekhoven

From psilva at redhat.com Tue Jun 4 11:23:43 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 4 Jun 2019 12:23:43 -0300
Subject: [keycloak-user] Policy Enforcing for nodejs REST Api
References: <2563f366-cdc6-cdad-6ae9-04db5a482536@student.hpi.de> <0C526E73-8FCD-4E49-AD27-B2EB705218FD@student.hpi.uni-potsdam.de>

On Tue, Jun 4, 2019 at 11:46 AM Jahn, Lasse <Lasse.Jahn at student.hpi.uni-potsdam.de> wrote:
> Hmm ok,
> But is the decision made in keycloak or inside the keycloak Adapter?
>
The decision is from the server but the enforcement is done by the adapter.
>
> I don't really get why the adapter has to fetch the resources? Couldn't the adapter send the requested url from the req object and the decision which resource is meant happens in the keycloak Service itself?!
>
Your point is correct, but our authorization request is based on the resource/scopes you want to evaluate permissions too. Subject to improvements though.
>
> So the policy, permissions, resources only stay inside of keycloak and the adapter only receives an access grant or access deny which it then enforces. Or in other words, that the adapter is only the PEP (policy enforcement point) and keycloak service is the PDP (policy decision point).
>
That is how it works. By fetching resources, I mean obtaining from Keycloak the mappings for URIs <-> Resources IDs so that we can send authorization requests accordingly.
>
> On 4. Jun 2019, at 14:47, Pedro Igor Silva wrote:
>
> On Tue, Jun 4, 2019 at 9:28 AM Jahn, Lasse <Lasse.Jahn at student.hpi.uni-potsdam.de> wrote:
>
>> So just to make sure, if I use the node adapter the resource URIs in the keycloak admin console are not used yet?
>>
>
> Yes. That is why you need to use the enforcer in the route so that you associate a resource with the route/path.
>
> In other adapters, the enforcer is capable of fetching and caching resources from the server based on the requested URI. So you don't need to do this association manually.
>
>> I would have thought that the backend sends a request to keycloak sending the
>> - bearer token (for all credentials and user information...)
>> - request object (to have the requested resource)
>>
>> And then keycloak evaluates and only answers grant or deny?!
>>
>> Is this decision made inside the adapter or keycloak?
>>
>
> Yes, that is how it works. The missing part is the enforcer using the requested URI to match a resource in Keycloak so that permissions can be enforced.
>
>> On 4. Jun 2019, at 14:06, Pedro Igor Silva wrote:
>>
>> Differently than other adapters, the NodeJS adapter does not fetch resources from the server, so you need to use the enforcer on each route:
>>
>> app.get('/api/users', keycloak.enforcer(['users']))
>> app.get('/api/devices', keycloak.enforcer(['devices']))
>>
>> Please, create an RFE if the current behavior is not enough for you.
>>
>> On Tue, Jun 4, 2019 at 5:23 AM Lasse Jahn wrote:
>>
>>> Hey Pedro,
>>>
>>> sorry for the really late reply. There've been some other issues I had to fix first before I could come back to authorization. But now I try to get this done.
>>>
>>> Unfortunately I don't really get the thing with the resources and the regarding URIs.
>>>
>>> I want the keycloak enforcer middleware only called at the one point, like I explained. Based on the called route (e.g. /api/users or /api/devices) I would like to have only the permissions of the resource evaluated.
>>>
>>> I guess somehow I just miss a thing and it should be easily possible.
>>>
>>> What I did:
>>> 1. Created 2 resources (users, devices with URIs "/api/users" or "/api/devices")
>>> 2. Created 2 permissions and policies (users grant always, devices deny always)
>>> 3. Added the keycloak enforcer middleware before the router.
>>>
>>> ****
>>> app.use('/api', keycloak.enforcer(['users', 'devices']), routes);
>>> ****
>>>
>>> Unfortunately when I access /api/devices this is allowed.
>>>
>>> I would like to create resources on the client and have one policy per each to decide. Is it possible that the enforcer checks which resource is requested and uses only that one?
>>>
>>> If not, what is the URI of a resource for?
>>>
>>> Regards Lasse
>>>
>>> On 15.05.19 19:55, Pedro Igor Silva wrote:
>>>
>>> On Wed, May 15, 2019 at 8:52 AM Lasse Jahn wrote:
>>>
>>>> Hi Pedro,
>>>>
>>>> thanks for the quick reply. So I got it working now, that the resource I created is enforcing the one policy. For a single resource this is great.
>>>>
>>>> Later on I would like to have a multi tenant solution, short explanation what I mean:
>>>>
>>>> Different companies have the same functionality but maybe want to change the restriction for themselves. But still with only one backend application running. So each company should get one realm with the backend application registered as a client. When they call the api the backend should enforce the policies of the company specific client.
>>>>
>>>> Therefore I have 2 questions:
>>>>
>>>> 1. Is it possible to configure the enforcer to enforce all policies for all resources only depending on the requested path? So I only have to add the middleware once before the express router. So for example we have a route /api/devices and /api/users (GET,POST,DELETE each). Both are represented by a resource in the keycloak admin console.
>>>>
>>>> I would like to have something like this:
>>>>
>>>> router.js
>>>>
>>>> ****
>>>>
>>>> const express = require('express');
>>>> const router = express.Router();
>>>> const users = require('../controllers/users.controller');
>>>> const devices = require('../controllers/devices.controller');
>>>>
>>>> router.post('/users/', users.create);
>>>> router.delete('/users/', users.deleteAll);
>>>> router.get('/users/', users.findAll);
>>>>
>>>> router.post('/devices/', devices.create);
>>>> router.delete('/devices/', devices.deleteAll);
>>>> router.get('/devices/', devices.findAll);
>>>>
>>>> module.exports = router;
>>>>
>>>> ****
>>>>
>>>> app.js
>>>>
>>>> ****
>>>>
>>>> .... // all from before
>>>>
>>>> app.use('/api', keycloak.enforcer(__SOME_CONFIG__), routes);
>>>>
>>>> ****
>>>>
>>>> I don't want to write keycloak.enforcer(...) on each line of users or devices...
>>>>
>>>> Maybe this can be done by the claims and the context information? But if yes I don't get how.
>>>>
>>> Yes, by using claims you are allowed to use them in your policies. Here is an example: https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-rest-employee/config/quickstart-realm.json#L90. More details here https://www.keycloak.org/docs/latest/authorization_services/index.html#examples .
>>>
>>> Your keycloak.enforce would be similar to https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177 .
>>>
>>>>
>>>> 2. For now the solution is only single tenant, but if I want to have it multi tenant and have a realm per company with similar clients (only different in policies and permissions), do you have an idea how I can solve the problem that the keycloak object is configured realm specific?
>>>> I would probably build a middleware which checks for a custom HTTP header or looks for a subdomain for referencing the company.
>>>> Depending on the company I would set the keycloak object.
>>>> Do you think this can work? Or do you have a better idea?
>>>>
>>> AFAIK, this is how you do it. So that accordingly with the request you build a new Keycloak object using a specific realm.
>>>
>>>>
>>>> Some suggestions for your documentation:
>>>>
>>>> - Could you somewhere describe what the middleware option protected is doing? The logout, ... options are explained, but the protected one I couldn't find.
>>>> - Your default resource is called 'Default Resource' but in the example the resource is renamed to 'resource', the rest is untouched and default config. Maybe a comment or adjustment of the example might be helpful.
>>>>
>>> Thanks for the feedback. Feel free to create a JIRA so that we can track and plan the improvements you are proposing.
>>>
>>>>
>>>> Regards,
>>>> Lasse
>>>>
>>>> On 14.05.19 20:33, Pedro Igor Silva wrote:
>>>>
>>>> Hi,
>>>>
>>>> We've added more docs to NodeJS PEP recently [1]. They should be available in the next release. Please, let me know if that is enough or if we need to add more information.
>>>>
>>>> In your case, this code:
>>>>
>>>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>>>>
>>>> Would be:
>>>>
>>>> app.use('/api', keycloak.enforcer('{resource_name}:{resource_scope}'), routes);
>>>>
>>>> If you have a resource in Keycloak called "foo" and a scope associated with this resource called "bar", the code would be:
>>>>
>>>> app.use('/api', keycloak.enforcer('foo:bar'), routes);
>>>>
>>>> Hope it helps.
>>>>
>>>> [1] https://github.com/keycloak/keycloak-documentation/pull/654
>>>>
>>>> On Tue, May 14, 2019 at 1:25 PM Jahn, Lasse wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> It's the first time writing to the keycloak mailing list (I hope this is the correct one?) so excuse me if I forget to provide some information or make any other mistakes ..
>>>>> Sorry for the text wall.
>>>>>
>>>>> Shortly what I try to do (maybe I got something completely wrong):
>>>>> I create a backend (node.js Bearer Only) which shall offer a REST api. Partially it is used via a frontend (keycloak-clients) or directly by some devices.
>>>>> In general I try to create an application with a lot of CRUD. User Management is done in keycloak and I only forward these requests to the admin REST Api. Other stuff like the devices ... I store in a separate database.
>>>>> So the backend is the abstraction layer for frontend and other use-cases.
>>>>>
>>>>> So far so good, but for the beginning it was enough to check whether the request comes from an authenticated person or not, so all handled via keycloak.protect(). The Token from the authenticated person was passed.
>>>>> But now I'd want to offer different authorization levels (can differ due to reasons of multitenancy, which is why I want to solve this via policies and co in the admin-console inside the client configuration) because the normal user shall have access to only some routes and the management shall have full access to the api, but of course doesn't need the keycloak admin access.
>>>>> So I enabled the service account for my backend client and gave this one the realm-admin role so the client has access to everything and I can handle the authorization inside the backend client itself (using policies, permissions, .. inside the admin-console).
>>>>> (Just in case no one gets what I'm talking about.
>>>>> Fixing [1] should help me fix my issue I guess)
>>>>>
>>>>> Setup
>>>>> - node.js application using express
>>>>> - registered as single client in keycloak admin-console (confidential, but config inside the code is bearer-only)
>>>>> - Keycloak is running in a docker-container (version 4.5)
>>>>> - all services are running in a docker-compose network and are behind a reverse proxy for a common uri
>>>>> - enabled Authorization in client and changed the default policy to Negative to always deny (=> to see if it is enforced)
>>>>>
>>>>> My Problem
>>>>> I don't understand how to use the policies, permissions and Co I created in the admin-console inside the backend itself. How do I enforce that these are used?
>>>>> I tried to check different examples and documentation, but couldn't get it working.
>>>>> The last thing I found was that the entitlement api was removed, but a policy-enforcer was added to the nodejs adapter. In the documentation for the policy-enforcer [2] I couldn't find a documentation of the middleware (keycloak.enforcer({}) [3][4]).
>>>>>
>>>>> My Code
>>>>>
>>>>> *****
>>>>> app.js
>>>>>
>>>>> const express = require('express');
>>>>> const app = express();
>>>>> const Keycloak = require('keycloak-connect');
>>>>> const session = require('express-session');
>>>>> const routes = require('./routes/index');
>>>>>
>>>>> const kcConfig = {
>>>>>   'realm': 'master',
>>>>>   'bearer-only': true,
>>>>>   'auth-server-url': `https://DOMAIN/auth`,
>>>>>   'ssl-required': 'all',
>>>>>   'resource': 'fm-backend',
>>>>>   'credentials': {
>>>>>     secret: 'SOME_SECRET',
>>>>>   },
>>>>>   'confidential-port': 0,
>>>>>   'policy-enforcer': { // tried with and without this, changed nothing
>>>>>     'enforcement-mode': 'ENFORCING',
>>>>>   },
>>>>> };
>>>>>
>>>>> const memoryStore = new session.MemoryStore();
>>>>> // keycloak-connect reads the session store from the "store" option
>>>>> const keycloak = new Keycloak({ store: memoryStore }, kcConfig);
>>>>>
>>>>> app.use(keycloak.middleware({ logout: '/api/logout', protected: '/api/gates' }));
>>>>>
>>>>> // used before, worked well for authentication
>>>>> app.use('/api', keycloak.protect(), routes);
>>>>>
>>>>> // now unfortunately I don't understand how to use the keycloak.enforcer() middleware
>>>>> app.use('/api', keycloak.enforcer({WHAT_COMES_HERE}), routes);
>>>>>
>>>>> module.exports = app;
>>>>>
>>>>> *****
>>>>>
>>>>> [1] https://stackoverflow.com/questions/53722033/how-to-enable-policy-enforcing-in-keycloak-for-node-js-application
>>>>> [2] https://keycloak-docs.github.io/deploy-docs/dev/master/authorization_services/index.html#_enforcer_overview
>>>>> [3] https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/nodejs-adapter.adoc
>>>>> [4] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>>>>>
>>>>> Any help is appreciated :)
>>>>>
>>>>> With kind regards
>>>>> Lasse
From ryans at jlab.org Tue Jun 4 16:12:44 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 4 Jun 2019 20:12:44 +0000
Subject: [keycloak-user] Wildfly Client Adapter breaks session persistence

Just to follow up - looks like the distributable attribute is required in web.xml for Wildfly session persistence to work. This was new to me since in GlassFish session persistence worked without the distributable attribute being set in web.xml. I thought this attribute was only for clusters, but apparently not, as it is used in standalone mode too.

________________________________
From: Ryan Slominski
Sent: Thursday, May 23, 2019 10:58 AM
To: keycloak-user
Subject: Wildfly Client Adapter breaks session persistence

It seems session persistence is broken with the Wildfly Client Adapter. I have:

in the standalone.xml file under:

This was set using the command:

./jboss-cli.sh --connect --command="/subsystem=undertow/servlet-container=default/setting=persistent-sessions:add()"

However, if I run the command:

./jboss-cli.sh --connect --command="/deployment=myapp.war:redeploy()"

My authenticated session is lost and I must re-login. Am I missing something or is this a bug?

Ryan

From frank.herrmann at modernizingmedicine.com Tue Jun 4 17:28:14 2019
From: frank.herrmann at modernizingmedicine.com (Frank Herrmann)
Date: Tue, 4 Jun 2019 17:28:14 -0400
Subject: [keycloak-user] RestEasy NoMessageBodyWriterFoundFailure

Hello,

I've recently had to extend some of the functionality of RealmsResource.java. I've created my own resource, and, for the most part, it is working great. However, one of the rest methods calls realmsResource.getProtocol(...). This generates a resteasy error that it cannot find a message body writer for application/signed-exchange.

I'm sure I'm probably just missing a dependency in my module.xml. However, for the life of me, I can't figure it out.
Now, I will admit, my Jboss/Wildfly knowledge is limited.

Any help would be greatly appreciated.

Thanks,

-Frank

--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann at modmed.com

From dpaul at cognera.com Wed Jun 5 09:35:10 2019
From: dpaul at cognera.com (David Paul)
Date: Wed, 5 Jun 2019 13:35:10 +0000
Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load

Hi all,

I was able to determine that it is 4.5.0 to 4.6.0 that breaks the oracle driver load. Was something changed between those versions that breaks the upgrade process I used (shown in email content below)? I used that same process from:
3.2.1 to 3.4
3.4 to 4.0
4.0 to 4.1
4.1 to 4.2.1
4.2.1 to 4.5

4.5 to 4.6 causes the error I listed in the below email content.
My (oracle) linux 7 OS is up to date and I have tried java 7, 8 and openJava 10.
Also I used ojdbc7.jar and ojdbc8.jar drivers.

Has something changed between these versions requiring driver install changes?

Dave

From: David Paul
Sent: Wednesday, May 22, 2019 11:34 AM
To: keycloak-user at lists.jboss.org
Subject: Upgrade to 6.0.1 - Oracle driver failing to load

Hi,

I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step, but I have followed the guide here: https://www.keycloak.org/docs/latest/upgrading/index.html

I have:
unpacked 6.0.1
mv standalone directory to standalone.old
cp -R 3.2.1/standalone to 6.0.1/
cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/
cp -R 3.2.1/themes/ 6.0.1/themes/
6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions)
Made sure migrationStrategy value="update"

When I run 6.0.1/bin/standalone.sh I get:
...
09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "datasources"),
    ("jdbc-driver" => "oracle")
]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver"

Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in the standalone.xml file as well as the module.xml and ojdbc8.jar. I also can confirm the datastore is in use for the 3.2.1 install through connecting to the DB store using TOAD for oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations.

Is there another step or declaration of the driver or something that I must do?
Thank you for your time,
Dave

David Paul
Manager, Application Development
P: 403-218-2010 x79107
F: 403-218-2012
E: dpaul at cognera.com
530 - 8 Avenue SW Suite 920
Calgary, Alberta
T2P 3S8
www.cognera.com

From demetrio at carretti.pro Wed Jun 5 11:17:01 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 05 Jun 2019 18:17:01 +0300
Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load
Message-ID: <85094d413c39cc63d0dc82e2643412f3802aef79.camel@carretti.pro>

Hello David,

The 4.6.0 release featured the upgrade to Wildfly 14, I believe that could be the cause.

Just did the following (Keycloak 4.8.3):

- added Oracle driver via jboss-cli:

module add --name=oracle --resources=/path/to/oracle.com/ojdbc8.jar --dependencies=javax.api,javax.transaction.api

- went to Wildfly console (localhost:9990) and added a datasource via the UI.

This worked perfectly, and resulted in the following subsystem config (see attachment). I suggest that you check how that is different from what you have currently.

Good luck,
Dmitry Telegin
Carretti Consulting OÜ
| Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Wed, 2019-06-05 at 13:35 +0000, David Paul wrote:
> Hi all,
>
> I was able to determine that it is 4.5.0 to 4.6.0 that breaks the oracle driver load. Was something changed between those versions that breaks the upgrade process I used (shown in email content below)? I used that same process from:
> 3.2.1 to 3.4
> 3.4 to 4.0
> 4.0 to 4.1
> 4.1 to 4.2.1
> 4.2.1 to 4.5
>
> 4.5 to 4.6 causes the error I listed in the below email content.
> My (oracle) linux 7 OS is up to date and I have tried java 7, 8 and openJava 10. Also I used ojdbc7.jar and ojdbc8.jar drivers
>
> Has something changed between these versions requiring driver install changes?
>
> Dave
>
> From: David Paul
> Sent: Wednesday, May 22, 2019 11:34 AM
> To: keycloak-user at lists.jboss.org
> Subject: Upgrade to 6.0.1 - Oracle driver failing to load
>
> Hi,
>
> I have a working standalone 3.2.1 on linux using Oracle DB 12.1 as its data store that I'm upgrading to 6.0.1. I'm running into a problem getting it to load the oracle driver and I assume I'm missing a step, but I have followed the guide here:
> https://www.keycloak.org/docs/latest/upgrading/index.html
>
> I have:
> unpacked 6.0.1
> mv standalone directory to standalone.old
> cp -R 3.2.1/standalone to 6.0.1/
> cp -R 3.2.1/modules/system/layers/keycloak/org/oracle 6.0.1/modules/system/layers/keycloak/org/
> cp -R 3.2.1/themes/ 6.0.1/themes/
> 6.0.1/bin/jboss-cli.sh -file=bin/migrate-standalone.cli (feedback indicates success on all actions)
> Made sure migrationStrategy value="update"
>
> When I run 6.0.1/bin/standalone.sh I get:
> ...
> 09:26:10,588 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 31) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "datasources"),
>     ("jdbc-driver" => "oracle")
> ]) - failure description: "WFLYJCA0114: Failed to load datasource class: oracle.jdbc.driver.OracleDriver"
>
> Again, this works in my 3.2.1 on the same server, so I assume my datasource and driver declaration are correct in the standalone.xml file as well as the module.xml and ojdbc8.jar. I also can confirm the datastore is in use for the 3.2.1 install through connecting to the DB store using TOAD for oracle. I have confirmed permissions on the entire Keycloak directory structure are identical between the 3.2.1 and 6.0.1 locations.
>
> Is there another step or declaration of the driver or something that I must do?
>
> Thank you for your time,
> Dave
>
> David Paul
> Manager, Application Development
> P: 403-218-2010 x79107
> F: 403-218-2012
> E: dpaul at cognera.com
> 530 - 8 Avenue SW Suite 920
> Calgary, Alberta
> T2P 3S8
> www.cognera.com

[Attachment scrubbed by the archive: datasources.xml, application/xml, 1399 bytes; http://lists.jboss.org/pipermail/keycloak-user/attachments/20190605/54b4f1f4/attachment.rdf]
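Dmitry's attached datasources.xml did not survive the archive. As an added illustration (not Dmitry's attachment, and not a file Keycloak ships), here are the two pieces his steps produce and that the WFLYJCA0114 error above depends on: the module.xml that `module add --name=oracle --dependencies=javax.api,javax.transaction.api` writes under modules/oracle/main/ (a different location from the modules/system/layers/keycloak/org/oracle directory copied in David's upgrade steps, so the module name referenced by the driver must match whichever module actually exists), and a datasources subsystem fragment that declares the driver against that module and a KeycloakDS datasource on it. The database host, service name, credentials and the datasources namespace version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1: modules/oracle/main/module.xml, as written by the jboss-cli "module add" command
     quoted in the thread. The module name ("oracle") is what the <driver module="..."> element
     in the datasources subsystem below must reference. -->
<module xmlns="urn:jboss:module:1.1" name="oracle">
    <resources>
        <!-- the jar passed via -\-resources; the CLI copies it next to this file -->
        <resource-root path="ojdbc8.jar"/>
    </resources>
    <dependencies>
        <!-- the two dependencies passed via -\-dependencies -->
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>

<!-- File 2: datasources subsystem fragment inside standalone/configuration/standalone.xml.
     Namespace version 5.0 is an assumption for the WildFly 14 base of Keycloak 4.6+;
     host, service name and credentials are constructed placeholders. -->
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
                    enabled="true" use-java-context="true">
            <connection-url>jdbc:oracle:thin:@//db.example.internal:1521/KEYCLOAK</connection-url>
            <!-- refers to the <driver name="..."> declared in <drivers> below -->
            <driver>oracle</driver>
            <security>
                <user-name>keycloak</user-name>
                <password>CHANGE_ME</password>
            </security>
            <validation>
                <check-valid-connection-sql>SELECT 1 FROM DUAL</check-valid-connection-sql>
                <background-validation>true</background-validation>
            </validation>
        </datasource>
        <drivers>
            <!-- module="oracle" must name an existing module; "WFLYJCA0114: Failed to load
                 datasource class" is raised when driver-class cannot be loaded from it. -->
            <driver name="oracle" module="oracle">
                <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>
```

The first thing to compare against an upgraded installation is that `modules/<module-name>/main/module.xml` exists at the path implied by the driver's `module` attribute and lists the jar actually present in that directory.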
From demetrio at carretti.pro Wed Jun 5 11:30:31 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 05 Jun 2019 18:30:31 +0300
Subject: [keycloak-user] RestEasy NoMessageBodyWriterFoundFailure

Hello Frank,

Did you create your resource using the Realm Resource SPI? Did you literally extend the org.keycloak.services.resources.RealmsResource class, and invoke the parent method getProtocol(...) from the child class? Could you please show the snippet where you actually call getProtocol()?

Regards,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-06-04 at 17:28 -0400, Frank Herrmann wrote:
> Hello,
>
> I've recently had to extend some of the functionality of RealmsResource.java. I've created my own resource, and, for the most part, it is working great. However, one of the rest methods calls realmsResource.getProtocol(...). This generates a resteasy error that it cannot find a message body writer for application/signed-exchange.
>
> I'm sure I'm probably just missing a dependency in my module.xml. However, for the life of me, I can't figure it out. Now, I will admit, my Jboss/Wildfly knowledge is limited.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> -Frank
>
> --
> FRANK HERRMANN
> ASSOCIATE SOFTWARE ARCHITECT
> T: 561-880-2998 x1563
> E: frank.herrmann at modmed.com

From Soroush.Shirali at flexigroup.com.au Wed Jun 5 22:46:32 2019
From: Soroush.Shirali at flexigroup.com.au (Soroush Shirali)
Date: Thu, 6 Jun 2019 02:46:32 +0000
Subject: [keycloak-user] repeating reset-password flow in a session

Hi All,

I have customized Keycloak's authentication flows. The problem is after once going through reset-password: if the user clicks on the forgot-password link he would be redirected to the login page again, as if keycloak does not accept resetting a password two times in a session. So, I have to open a new tab in the browser to reset the password again.

Anybody knows what the fix is?

Thanks,
Soroush Shirali
Software Developer
[ph] 08 8232 2828
[at] Soroush.Shirali at flexigroup.com.au
From rafatov10 at gmail.com Thu Jun 6 07:38:26 2019
From: rafatov10 at gmail.com (Rafael Tovar.)
Date: Thu, 6 Jun 2019 13:38:26 +0200
Subject: [keycloak-user] authorizationSettings not in response

Hi everybody,

I'm trying to get the authorization settings of a client, but it's not coming in the response of the request.
This is the request I'm doing:

http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/

and this is the response:

{
  "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
  "clientId": "api",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "*"
  ],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "id": "97330e11-24df-40ce-9335-51d5126d4059",
      "name": "Client Host",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientHost",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientHost",
        "jsonType.label": "String"
      }
    },
    {
      "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientId",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientId",
        "jsonType.label": "String"
      }
    },
    {
      "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
      "name": "Client IP Address",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usersessionmodel-note-mapper",
      "consentRequired": false,
      "config": {
        "user.session.note": "clientAddress",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "clientAddress",
        "jsonType.label": "String"
      }
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "role_list",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}

Thanks,
Rafael.

From psilva at redhat.com Thu Jun 6 08:42:33 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 6 Jun 2019 09:42:33 -0300
Subject: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not coming in the response of the request.
> This is the request I'm doing:
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> [...]
>
> Thanks,
> Rafael.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Ori.Doolman at cyberark.com  Thu Jun  6 09:22:14 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Thu, 6 Jun 2019 13:22:14 +0000
Subject: [keycloak-user] authorizationSettings not in response

Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:

> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not
> coming in the response of the request.
> This is the request I'm doing:
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> [...]
>
> Thanks,
> Rafael.

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or
otherwise protected from disclosure.
If you are not an intended recipient of this e-mail, do not duplicate or
redistribute it by any means. Please delete it and any attachments and
notify the sender that you have received it in error.

From psilva at redhat.com  Thu Jun  6 09:25:05 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 6 Jun 2019 10:25:05 -0300
Subject: [keycloak-user] authorizationSettings not in response

The best I can give you right now (sorry for that) is
https://github.com/keycloak/keycloak/blob/066bef744f50d369012e1cb408b1c89ebf808fd1/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientResource.java#L209
From the AuthorizationResource you have access to everything.

On Thu, Jun 6, 2019 at 10:22 AM Ori Doolman wrote:

> Great. I was looking for that as well. I don't think it is documented.
> How do you manipulate the authorization entities by REST API?
> For example, add a resource or a scope, modify policy etc.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva
> Sent: Thursday, June 6, 2019 3:43 PM
> To: Rafael Tovar.
> Cc: keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Hi,
>
> Please, append the following path to your URI: "/authz/resource-server/settings".
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
>
> > Hi everybody,
> > I'm trying to get the authorization settings of a client, but it's not
> > coming in the response of the request.
> > [...]
>

From Dominik.Schopper at cofinpro.de  Thu Jun  6 11:02:49 2019
From: Dominik.Schopper at cofinpro.de (Dominik Schopper)
Date: Thu, 6 Jun 2019 15:02:49 +0000
Subject: [keycloak-user] User has to login twice after Session expiration
Message-ID: <24DDBE6D-4EAE-469C-80A4-C22A6464D777@cofinpro.de>

Hello,

we have a Keycloak 4.8.0.Final. Our Angular Frontends have e.g.
a 10 min idle session timeout.

When a user logs in (login 1) and the session idles out and the user clicks, he/she gets redirected to the Keycloak login page and posts the credentials (login 2). After giving the correct credentials the user gets redirected to the login page again and has to enter the credentials again before being redirected back to the application.

The HTTP headers for the "login 1" and "login 3" response from the server contain

set-cookie: KC_RESTART=; Version=1; ...; HttpOnly
set-cookie: KEYCLOAK_IDENTITY=... Version=1; Path=/auth/realms/sparda-n/; HttpOnly
set-cookie: KEYCLOAK_SESSION=... Version=1; Expires=Thu, 06-Jun-2019 11:39:31 GMT; Max-Age=7200; Path=/auth/realms/sparda-n/
set-cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; ...; HttpOnly

Whereas the second response only contains

set-cookie: AUTH_SESSION_ID=...

Does anybody have advice on how to make the "login 2" work directly?

Thx
Dom

From luke at code-house.org  Thu Jun  6 16:08:28 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Thu, 6 Jun 2019 22:08:28 +0200
Subject: [keycloak-user] RestEasy NoMessageBodyWriterFoundFailure
Message-ID: <739a76b0-7c9a-f965-9176-4799ad2fb1ea@code-house.org>

Dear Frank,

This error comes from the JAX-RS implementation and has very little to do with Keycloak alone. RestEasy cannot find a way to serialize the output of the method call and reports a standard error. When a method declares no content type (has no @Produces annotation), and that's the case for RealmsResource#getProtocol, content type validation seems to be delayed.

Change your client to use "Accept: application/json" to solve the issue. The application/signed-exchange is mentioned only once in the Keycloak codebase and I can't find any handler for such a content type.

Standard RealmResourceProvider implementations work out of the box only with JSON representations. If your client requests something else, then even if the output of the method is valid, serialization will fail.

Cheers,
Łukasz
--
Code-House: http://code-house.org

On 04.06.2019 23:28, Frank Herrmann wrote:
> Hello,
>
> I've recently had to extend some of the functionality of
> RealmsResource.java. I've created my own resource, and, for the most part,
> it is working great. However, one of the rest methods calls
> realmsResource.getProtocol(...). This generates a resteasy error that it
> cannot find a message body writer for application/signed-exchange.
>
> I'm sure I'm probably just missing a dependency in my module.xml. However,
> for the life of me, I can't figure it out. Now, I will admit, my
> Jboss/Wildfly knowledge is limited.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> -Frank
>

From frank.herrmann at modernizingmedicine.com  Thu Jun  6 16:52:40 2019
From: frank.herrmann at modernizingmedicine.com (Frank Herrmann)
Date: Thu, 6 Jun 2019 16:52:40 -0400
Subject: [keycloak-user] RestEasy NoMessageBodyWriterFoundFailure
In-Reply-To: <739a76b0-7c9a-f965-9176-4799ad2fb1ea@code-house.org>
References: <739a76b0-7c9a-f965-9176-4799ad2fb1ea@code-house.org>

Thanks, that's exactly what I figured. I added the @Produces annotation to make it work. Fortunately, we found a better way to do what we needed, and will most likely not need this. It was a good learning experience though.

Thanks for replying.

-Frank

On Thu, Jun 6, 2019 at 4:08 PM Łukasz Dywicki wrote:

> Dear Frank,
> This error comes from the JAX-RS implementation and has very little to do
> with Keycloak alone. RestEasy cannot find a way to serialize the output of
> the method call and reports a standard error.
> When a method declares no content type (has no @Produces annotation), and
> that's the case for RealmsResource#getProtocol, content type validation
> seems to be delayed.
>
> Change your client to use "Accept: application/json" to solve the issue.
> The application/signed-exchange is mentioned only once in the Keycloak
> codebase and I can't find any handler for such a content type.
>
> Standard RealmResourceProvider implementations work out of the box only
> with JSON representations. If your client requests something else, then
> even if the output of the method is valid, serialization will fail.
>
> Cheers,
> Łukasz
> --
> Code-House: http://code-house.org
>
> On 04.06.2019 23:28, Frank Herrmann wrote:
> > [...]
>

--
FRANK HERRMANN
ASSOCIATE SOFTWARE ARCHITECT
T: 561-880-2998 x1563
E: frank.herrmann at modmed.com

--
*CONFIDENTIALITY NOTICE:* This e-mail message may contain material protected by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations and other state and federal laws and legal privileges. This message is only for the personal and confidential use of the individuals or organization to whom the message is addressed. If you are an unintended recipient, you have received this message in error, and any reading, distributing, copying or disclosure is unauthorized and strictly prohibited. All recipients are hereby notified that any unauthorized receipt does not waive any confidentiality obligations or privileges. If you have received this message in error, please notify the sender immediately at the above email address and confirm that you have deleted or destroyed the message.

From lianne_e5 at yahoo.com  Thu Jun  6 21:20:14 2019
From: lianne_e5 at yahoo.com (Leslie C)
Date: Fri, 7 Jun 2019 01:20:14 +0000 (UTC)
Subject: [keycloak-user] Client Credentials flow for external applications
References: <1969994726.8173.1559870414077.ref@mail.yahoo.com>
Message-ID: <1969994726.8173.1559870414077@mail.yahoo.com>

Hi!

We're looking into using Keycloak as our auth server for securing our REST APIs. The APIs are set up to only be accessed by a limited audience - all trusted external clients. We do not store or maintain user data, so I don't think the "resource owner" concept of OAuth2 applies in our scenario - so we'll be using the Client Credentials authentication flow.

I found the following on StackOverflow and just wanted to know your thoughts on whether this is a valid and acceptable implementation of the flow in Keycloak:

  Issuing "API keys" using Keycloak

  I finally found a solution that works well and seems to be "the Keycloak way" to issue credentials to external applications.

  To create a new set of credentials, add a new Keycloak client and change the following settings:

  - Standard Flow Enabled: OFF
  - Direct Access Grants Enabled: OFF
  - Access Type: Confidential
  - Service Accounts Enabled: ON

  The external application will use our newly created client's name as the client_id. The client_secret was generated automatically and can be found under the Credentials tab.

  Granting Client Access to Your Services

  If your Keycloak-protected services are configured to check the aud claim of incoming Bearer tokens, a second step is necessary.
  By default, the audience of the JWT tokens that Keycloak issues to your client will be set to your client's name, so they will be rejected by your services. You can use Client Scopes to modify that behavior:

  - Create a new client scope
  - Select "Audience Template"
  - Select the service you'd like to grant your external applications access to and click "next"
  - Add the scope to the client you just created (Client Scopes tab)

  Keycloak will now add your service's name to the aud claim of all JWT tokens it issues to your new client. Check out the Keycloak documentation on Service Accounts for more details.

  Exchanging Client Credentials for an Access Token

  An external application can now use its credentials to obtain an access token from Keycloak's token endpoint:

    POST {keycloak-url}/auth/realms/atlas/protocol/openid-connect/token

  - Set the Content-Type header to application/x-www-form-urlencoded
  - Authenticate the request with Basic Authentication, using your client id as the user and your client secret as the password
  - Set grant_type=client_credentials in the request body

I found a similar flow here which is more comprehensive and much closer to what I'm trying to achieve: https://stackoverflow.com/questions/56186951/keycloak-oauth-2-authentication-flow

Our REST APIs are implemented using Mulesoft and honestly, being a beginner myself, I'm not sure how to use the Keycloak adapters to integrate with Mulesoft. I plan to use the available OIDC endpoints (/introspection) to just validate the tokens, if this is acceptable.

Kindly let me know what you think. If you have any suggestions/alternative solutions in mind, please feel free to share. Appreciate any help I can get.

Thanks,
Lian

From preethinanduk at gmail.com  Fri Jun  7 00:26:02 2019
From: preethinanduk at gmail.com (preethi nandakumar)
Date: Fri, 7 Jun 2019 09:56:02 +0530
Subject: [keycloak-user] Help to use Keycloak to test SSO feature in our application

Hi Folks,

I'm new to this group. I'm an automation engineer by profession; the project that I'm working on requires the SSO feature introduced in our application to be tested. Initially we had plans to use Okta but then it was decided to use some open source. I assumed Keycloak would serve the purpose for me (I'm a complete novice, please correct me if I'm wrong).

How we have used Okta: we would configure our application in it, add required users, groups etc. Then we would configure the well-known URL of the Okta application in our application. So the SSO in our application would redirect to Okta.

Now I want to replace the same with Keycloak. I brought up the localhost, created a realm, user and client. I assumed the client in Keycloak is similar to applications in Okta. So I configured the redirect URL to my application. But when I configured the well-known URL of Keycloak in my application it is not working.

https://localhost:8443/auth/realms/demo/.well-known/openid-configuration

Please advise if my decision is right and, if so, what it is that I'm missing in the configuration.

Thanks and Regards,
Preethi

From sblanc at redhat.com  Fri Jun  7 01:59:17 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 7 Jun 2019 07:59:17 +0200
Subject: [keycloak-user] Help to use Keycloak to test SSO feature in our application

We need more info about your application and, more importantly: what is the error exactly?

On Fri, Jun 7, 2019 at 6:29 AM preethi nandakumar wrote:

> Hi Folks,
>
> I'm new to this group. I'm an automation engineer by profession; the
> project that I'm working on requires the SSO feature introduced in our
> application to be tested. Initially we had plans to use Okta but then it
> was decided to use some open source. I assumed Keycloak would serve the
> purpose for me (I'm a complete novice, please correct me if I'm wrong).
>
> How we have used Okta: we would configure our application in it, add
> required users, groups etc.
> Then we would configure the well-known URL of the
> Okta application in our application. So the SSO in our application would
> redirect to Okta.
>
> Now I want to replace the same with Keycloak. I brought up the localhost,
> created a realm, user and client. I assumed the client in Keycloak is
> similar to applications in Okta. So I configured the redirect URL to my
> application. But when I configured the well-known URL of Keycloak in my
> application it is not working.
>
> https://localhost:8443/auth/realms/demo/.well-known/openid-configuration
>
> Please advise if my decision is right and, if so, what it is that I'm
> missing in the configuration.
>
> Thanks and Regards,
> Preethi

From rafatov10 at gmail.com  Fri Jun  7 05:36:53 2019
From: rafatov10 at gmail.com (Rafael Tovar.)
Date: Fri, 7 Jun 2019 11:36:53 +0200
Subject: [keycloak-user] Keycloak enforcer nodejs adapter

Hi everybody,

How can I check if I have access to a specific scope of a resource with the enforcer method?

Example: I have the resource 'res:devices' with the scope 'read' and a scope-based permission 'devices-read'; that permission has the resource 'res:devices' and the scope 'read' associated. I'm applying a role-based policy with the admin role to that permission. How can I check that the role admin can access the scope read of that resource?

Thanks,
Rafael.

From spahr at puzzle.ch  Fri Jun  7 07:48:56 2019
From: spahr at puzzle.ch (Ramon Spahr)
Date: Fri, 7 Jun 2019 13:48:56 +0200
Subject: [keycloak-user] Keycloak U2F
Message-ID: <9f934a6f-8859-d93f-75f9-eb8f2ee063d3@puzzle.ch>

Hi,

we tested Keycloak U2F from Stian Thorgersen (https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f) and are highly interested. But there are still a few open questions, like e.g. self-registration similar to OTP, or the fact that it needs write access to LDAP (user repository) to enable the "U2F registration" action on a user.

Is there a roadmap available for when U2F will be available for Keycloak?

Regards,
Ramon

From clehingue at gmail.com  Fri Jun  7 09:50:57 2019
From: clehingue at gmail.com (Christophe Lehingue)
Date: Fri, 7 Jun 2019 15:50:57 +0200
Subject: [keycloak-user] checked "remember me"

Hello,

On the login form, sometimes I have the check box "remember me" (once ticked) which is no longer ticked when I come back to the login page.

Do you have an idea why the check box "remember me", which was checked at the time of the connection, is not checked when I come back to this screen?

Thank you.

===== IN FRENCH (translated to English) =====

Hello,

On the login form, when I tick the "remember me" check box (once ticked), it is no longer ticked when I come back to the login page?

Do you have an idea why the "remember me" check box, which was ticked at the time of the connection, is no longer ticked when I come back to this screen?

Thank you.

From mellen at locoslab.com  Fri Jun  7 09:55:30 2019
From: mellen at locoslab.com (David Mellen)
Date: Fri, 7 Jun 2019 15:55:30 +0200
Subject: [keycloak-user] Keycloak WildFly Adapter domain mode

Hi,

I'm trying to install the Keycloak WildFly Adapter on a WildFly Server running in domain mode. I unzipped the keycloak-wildfly-adapter-dist-6.0.1.zip in my WildFly home directory and while the server was running I executed ./bin/jboss-cli.sh -c --file=bin/adapter-install.cli. The Keycloak OpenID Connect Extension installed successfully, but then I get the following error:

{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0030: No resource definition is registered for address [(\"subsystem\" => \"keycloak\")]",
    "rolled-back" => true
}

Is there something I'm missing?

Thanks and best regards,
David

From georgi.matev at dominodatalab.com  Fri Jun  7 15:48:10 2019
From: georgi.matev at dominodatalab.com (Georgi Matev)
Date: Fri, 7 Jun 2019 19:48:10 +0000
Subject: [keycloak-user] Creating a user from a form different than the builtin registration form

I'm trying to understand what would be the best option to create a user for one of our realms from a marketing webpage that collects a lot of the user inputs. I realize we can customize the registration page through a theme, but in this particular case the marketing page collects a lot of additional information that feeds into other systems, and one of the actions that we want to happen is to create a user. Ideally we want to be able to do this on the client side, since the page overall submits its info to a different system that we do not control.

It seems that if we can get our hands on the POST URL that will be associated with the built-in registration page form, we can just do a POST to that, but we have not been able to find a good way to get that URL, which includes a server-side session_code parameter.

Any pointers are much appreciated.

Thanks,
Georgi

From dvv.nagendra at gmail.com  Fri Jun  7 16:16:52 2019
From: dvv.nagendra at gmail.com (Nagendra Darla)
Date: Fri, 7 Jun 2019 13:16:52 -0700
Subject: [keycloak-user] Keycloak Offline User Sessions and Online User Sessions

Hello Keycloak experts,

We have the below challenges in our project, where we are building User Access Management using Keycloak.

1. *Offline User Sessions:* When an Offline token is used from two different machines, there is only one Session that will be created, and the session will have the IP address of the machine from where the User Session is first created.
Because of this we cannot suspect any suspicious activity by hackers. Should n't we create different sessions even though same offline token is used from different machines. 2. *Why there is no separate REST end point to get only Online User Sessions: *Below REST end point returns all the User Sessions ie., both Offline and Online User Sessions. GET /{realm}/clients/{id}/user-sessions You help is much appreciated ! Thank you, Nagendra Darla From farzad.panahi at gmail.com Fri Jun 7 16:33:21 2019 From: farzad.panahi at gmail.com (Farzad Panahi) Date: Fri, 7 Jun 2019 13:33:21 -0700 Subject: [keycloak-user] Scope Permissions with Resource Type Message-ID: Hi, I have a client authorization set-up like the following: RERSOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA RERSOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA RERSOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA USER_1: USER_GROUP_A USER_2: USER_GROUP_A USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. If I create a resourced based permission then it will give grant access to both scopes. Unfortunately I cannot create a scope based permission because scope permission does not support resource type. It only supports resource. If I want to use scoped based permission then I have to create permission for every single resource in my resource type. I was wondering if there is a reason that scope based permission does not support resource type? Also anyone has any idea how I can achieve my requirement given the limitations that we have? Is there a way to create a policy that grants access only to a certain scope? 
Cheers Farzad From jeff at sweetjacket.com Fri Jun 7 22:55:46 2019 From: jeff at sweetjacket.com (Jeff Victor) Date: Sat, 8 Jun 2019 04:55:46 +0200 Subject: [keycloak-user] Custom identity provider - Resource not found page shown Message-ID: I'm trying to implement a custom SAML identity provider in keycloak. The use case is that I need to be able to specify the value of Issuer in the SAML authentication request. By default you can see in SAMLIdentityProvider.java that this is currently set by: private String getEntityId(UriInfo uriInfo, RealmModel realm) { return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString(); } So you end up with something like: https://mykeycloakinstance.com/auth/realms/acme So I'm trying to extend SAMLIdentityProvider.java and SAMLIdentityProviderFactory.java and create my own. The idea being that I would add a new text field to the SAML identity provider screen where I could specify the issuer used in the authentication request. I've created a project which you can find here: https://github.com/jeff-sweetjacket/keycloak-custom-saml-idp When I drop this jar into /standalone/deployments it gets picked up and is registered without issue. However, when I try to add this new identity provider through the keycloak admin UI I get a "Resource not found..." page. Here's a relevant stackoverflow question which shows an image of the screen: https://stackoverflow.com/questions/52757115/how-to-have-identity-provider-configuration-page-visible-in-keycloak And an associated issue on this mailing list: https://lists.jboss.org/pipermail/keycloak-user/2018-October/015828.html I've gone through the documentation for creating a custom SPI here: https://www.keycloak.org/docs/latest/server_development/#_providers But I can't find any information about how to create / modify an existing page in keycloak admin such as the add SAML identity provider page. Can anyone point me in the right direction? 
Thanks,
Jeff

From farzad.panahi at gmail.com Fri Jun 7 23:48:55 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Fri, 7 Jun 2019 20:48:55 -0700
Subject: [keycloak-user] Keycloak caching issue
Message-ID:

Hi,

I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs, meaning that I send two queries and the two RPTs returned have different granted permissions in them.

So I went behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning the wrong set of permissions in the RPT.

If I go to the admin console and clear the realm cache, then both nodes return the same correct permissions right away.

This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this.

Anyone with a similar issue? Any suggestions?

Cheers

Farzad

From r.goyard at groupeonepoint.com Sat Jun 8 01:25:06 2019
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Sat, 8 Jun 2019 05:25:06 +0000
Subject: [keycloak-user] Authenticating Applications AND users
Message-ID:

Hi guys,

We have a Keycloak installed and configured to authenticate our users on a realm. Our users are logged in on a single page application (React application), then we pass the token to a backend application (using the HTTP Authorization header) and it works fine!

We have other services / applications (like cron jobs) that need to connect and access the backend application; those services do not have any users. Today we authenticate those services with a single key/value hosted in config files (shared between services and backend app), but we would like to make these applications authenticate on the backend via Keycloak, creating clients on the same realm.

I could not find a way to do it in the documentation (or I did not search well) or on Google. The only way I found was to pass the credentials of the logged-in user to other services, but as those services (like cron jobs) are not initiated by a user, how is it possible?

Is it possible to authenticate applications with Keycloak?

If yes, can anyone give me a link or anything that can help me?

Thanks

Rémi

From sblanc at redhat.com Sat Jun 8 02:12:03 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 8 Jun 2019 08:12:03 +0200
Subject: [keycloak-user] Authenticating Applications AND users
In-Reply-To:
References:
Message-ID:

Hi Rémi,

Have you looked at service accounts? https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts

I think this is what you are looking for.

On Sat, 8 Jun 2019 at 07:28, Rémi GOYARD wrote:

> Hi guys,
>
> We have a Keycloak installed and configured to authenticate our users on a realm.
> Our users are logged in on a single page application (react application) then we pass the token to a backend application (using HTTP authorisation header) and it works fine !
>
> We have other services / applications (like cron jobs) that need to connect and access the backend application, those services do not have any users.
> Today we authenticate those services with a single key/value hosted in config files (shared between services and backend app), but we would like to make this applications authenticated on the backend via Keycloak, creating clients on the same realm.
>
> I could not find a way to do it in the documentation (or I did not search well) or on Google ? The only way I found was to pass the credentials of the logged in user to other services, but as those services (like cron jobs) are not initiated with a user, how is it possible ?
>
> Is it possible to authenticate applications with Keycloak ?
>
> If Yes does anyone can give me a link or anything that can help me ?
>
> Thanks
>
> Rémi
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From luke at code-house.org Sat Jun 8 06:59:22 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Sat, 8 Jun 2019 12:59:22 +0200
Subject: [keycloak-user] Creating a user from a form different than the builtin registration form
In-Reply-To:
References:
Message-ID:

As far as I remember there is no way to submit a user registration form within a single HTTP call. With Keycloak 3.4 I did a custom extension which allowed one-shot user creation. I used internal APIs to launch the registration flow.

You could potentially employ some kind of middleware which will use the admin API to create user records.

Cheers,
Łukasz Dywicki
--
Code-House: http://code-house.org

> On 7 Jun 2019, at 21:48, Georgi Matev wrote:
>
> I'm trying to understand what would be the best option to create a user for one of our realms from a marketing webpage that collects a lot of the user inputs. I realize we can customize the registration page through a theme, but in this particular case the marketing page collects a lot of additional information that feeds into other systems and one of the actions that we want to happen is create a user. Ideally we want to be able to do this on the client side since the page overall submits its info to different system that we do not control.
>
> Seems that if we can get our hands on the post URL that will be associated with the built-in registration page form, we can just do a POST to that, but we have not been able to find a good way to get that URL which includes a server side session_code parameter.
>
> Any pointers are much appreciated.
>
> Thanks,
> -Georgi

From jason.leach at fullboar.ca Sun Jun 9 19:18:29 2019
From: jason.leach at fullboar.ca (Jason Leach)
Date: Sun, 9 Jun 2019 16:18:29 -0700
Subject: [keycloak-user] Putting Keycloak behind a Proxy in Kubernetes
Message-ID:

Hi,

I'm using a small k8s cluster on DigitalOcean. I have a DO load balancer that manages my certificates. This goes in to Traefik, my reverse proxy. Everything works great, except:

When a user is sent an email for verification it fails because of the protocol:

    23:13:11,352 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTION_TOKEN_ERROR, realmId=test, clientId=null, userId=24406bf4-2b97-4e40-b5d6-4xxxxxxxx, ipAddress=154.5.nnn.nnn, error=not_allowed, reason='Invalid token issuer. Expected 'https://www.xxxca/auth/realms/test', but was 'http://www.xxx.ca/auth/realms/test'', token_id=c96e1531-be72-407e-8c4e-071xxxxxxxxx, action=execute-actions

The link itself in the email starts with http, which will be redirected to https by the load balancer. Not sure where the problem is. Maybe I need to get my proxy Traefik to redirect http to 8443 and use KC's self-signed certs?

Thanks,
J.

From slaskawi at redhat.com Mon Jun 10 06:07:01 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 10 Jun 2019 12:07:01 +0200
Subject: [keycloak-user] Keycloak Operator proposal
Message-ID:

Dear Community,

In the near-to-mid future we plan to start working on a Keycloak Operator. Before we dive into the code, we'd like to share our plans with a wider audience.

A while ago, I created a small design document and issued a Pull Request against the Keycloak Community repo: https://github.com/keycloak/keycloak-community/pull/8

If you are interested in this topic, please grab a cup of coffee and give us some feedback on the PR.
Thanks,
Sebastian

From psilva at redhat.com Mon Jun 10 08:11:38 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 10 Jun 2019 09:11:38 -0300
Subject: [keycloak-user] Keycloak caching issue
In-Reply-To:
References:
Message-ID:

Hi,

Does it happen after changing anything in your client's authorization settings (e.g. resources, scopes, permissions, etc.)?

How are you sending authorization requests? By passing a set of one or more permission parameters, obtaining all permissions, or using a UMA ticket?

Regards.
Pedro Igor

On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi wrote:

> Hi,
>
> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs meaning that I send two queries and the two RPTs returned have different granted permissions in them.
>
> So I wend behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning wrong set of permissions in RPT.
>
> If I go to the admin console and clear the realm cache, then both nodes would return the same correct permissions right away.
>
> This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this.
>
> Anyone with similar issue? Any suggestions?
>
> Cheers
>
> Farzad

From psilva at redhat.com Mon Jun 10 08:21:52 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 10 Jun 2019 09:21:52 -0300
Subject: [keycloak-user] Scope Permissions with Resource Type
In-Reply-To:
References:
Message-ID:

You can create a scope-based permission for a specific scope (without setting a resource). Would that help?

I think we could also think about merging resource-based permission into scope-based permission so that we only have a single type of permission.

Regards.
Pedro Igor

On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi wrote:

> Hi,
>
> I have a client authorization set-up like the following:
>
> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>
> USER_1: USER_GROUP_A
> USER_2: USER_GROUP_A
>
> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>
> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>
> If I create a resourced based permission then it will give grant access to both scopes.
> Unfortunately I cannot create a scope based permission because scope permission does not support resource type. It only supports resource. If I want to use scoped based permission then I have to create permission for every single resource in my resource type.
>
> I was wondering if there is a reason that scope based permission does not support resource type?
>
> Also anyone has any idea how I can achieve my requirement given the limitations that we have? Is there a way to create a policy that grants access only to a certain scope?
>
>
> Cheers
>
> Farzad

From ionel.gardais at tech-advantage.com Mon Jun 10 11:32:15 2019
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Mon, 10 Jun 2019 17:32:15 +0200 (CEST)
Subject: [keycloak-user] Gatekeeper header sanitization
Message-ID: <1904326353.507656.1560180735711.JavaMail.zimbra@tech-advantage.com>

Hi list,

I'd like to give Gatekeeper a try. Currently our Keycloak is behind an HAProxy.

Is any header sanitization required for incoming requests? What if a request comes in with crafted X-Auth-* entries?

Thanks,
Ionel

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From jason.leach at fullboar.ca Mon Jun 10 12:52:29 2019
From: jason.leach at fullboar.ca (Jason Leach)
Date: Mon, 10 Jun 2019 09:52:29 -0700
Subject: [keycloak-user] Where does the email URL come from?
Message-ID: <0273B435-F63A-40F0-88CC-85966DF59FC0@fullboar.ca>

Hi,

I'm having a problem with the email verification URL sent out by Keycloak. It shows as HTTP whereas I would expect HTTPS; Keycloak is also expecting it to be HTTPS. It's probably because KC is behind a proxy (I have PROXY_ADDRESS_FORWARDING = true) on k8s. Everything else works great.

Any help figuring out how this is set, or disabling the check, would be great.

J.

From farzad.panahi at gmail.com Mon Jun 10 15:35:55 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Mon, 10 Jun 2019 12:35:55 -0700
Subject: [keycloak-user] Keycloak caching issue
In-Reply-To:
References:
Message-ID:

Hi Pedro,

I think I can say that it happens after changing the authorization settings. For instance I add resources/policies/permissions.

To get the permissions (in Kotlin):

- I get the access token from KeycloakSecurityContext:

    accessToken = getKeycloakSecurityContext().tokenString

- Create an AuthzClient, send the access token and an instance of AuthorizationRequest to it, and extract the RPT:

    rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token

- Then, using the AuthzClient again, I call the introspect RPT API to get the guts of the RPT and get the permissions:

    permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions

It is this permissions object that is not consistent between the two nodes.

Cheers

Farzad

On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva wrote:

> Hi,
>
> Does it happen after changing anything in your client's authorization settings (eg.: resources, scopes, permissions, etc) ?
>
> How are you sending authorization requests? By passing a set of one or more permission parameters, obtaining all permissions or using a UMA ticket ?
>
> Regards.
> Pedro Igor
>
> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi wrote:
>
>> Hi,
>>
>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs meaning that I send two queries and the two RPTs returned have different granted permissions in them.
>>
>> So I wend behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning wrong set of permissions in RPT.
>>
>> If I go to the admin console and clear the realm cache, then both nodes would return the same correct permissions right away.
>>
>> This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this.
>>
>> Anyone with similar issue? Any suggestions?
>>
>> Cheers
>>
>> Farzad

From farzad.panahi at gmail.com Mon Jun 10 15:43:58 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Mon, 10 Jun 2019 12:43:58 -0700
Subject: [keycloak-user] Scope Permissions with Resource Type
In-Reply-To:
References:
Message-ID:

Hi Pedro,

If I create a scope-based permission without specifying the resource, then that permission will apply to all the resources.
For instance, in the example I mentioned in my previous email:

I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.

If I grant a permission for SCOPE_READ without specifying the resource, then basically I am granting SCOPE_READ to all the resources, which is not what I want. I want to only give SCOPE_READ to a specific set of resources.

I think, as you mentioned, merging resource-based and scope-based permissions is a good idea and would work better. But now that we do not have this feature, is there any other way to accomplish this somehow using policies or something else?

Cheers

Farzad

On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva wrote:

> You can create scope-based permission for a specific scope (without set a resource). Would that help?
>
> I think we could also think about merging resource-based permission into scope-based permission so that we only have a single type of permission.
>
> Regards.
> Pedro Igor
>
> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi wrote:
>
>> Hi,
>>
>> I have a client authorization set-up like the following:
>>
>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>
>> USER_1: USER_GROUP_A
>> USER_2: USER_GROUP_A
>>
>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>
>> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>
>> If I create a resourced based permission then it will give grant access to both scopes.
>> Unfortunately I cannot create a scope based permission because scope permission does not support resource type. It only supports resource. If I want to use scoped based permission then I have to create permission for every single resource in my resource type.
>>
>> I was wondering if there is a reason that scope based permission does not support resource type?
>>
>> Also anyone has any idea how I can achieve my requirement given the limitations that we have? Is there a way to create a policy that grants access only to a certain scope?
>>
>>
>> Cheers
>>
>> Farzad

From georgi.matev at dominodatalab.com Mon Jun 10 15:45:02 2019
From: georgi.matev at dominodatalab.com (Georgi Matev)
Date: Mon, 10 Jun 2019 19:45:02 +0000
Subject: [keycloak-user] Creating a user from a form different than the builtin registration form
In-Reply-To:
References:
Message-ID:

Thanks. That's what I thought. We were hoping to avoid having to create a separate server-side component that can use the admin API.

On 6/8/19, 3:59 AM, "Łukasz Dywicki" wrote:

> As far I remember there is no way to submit a user registration form within single http call. With Keycloak 3.4 I did a custom extension which allowed one shot user creation. I used internal APIs to launch registration flow.
>
> You could potentially employ some kind of middleware which will use admin api to create user records.
>
> Cheers,
> Łukasz Dywicki
> --
> Code-House: http://code-house.org
>
>> On 7 Jun 2019, at 21:48, Georgi Matev wrote:
>>
>> I'm trying to understand what would be the best option to create a user for one of our realms from a marketing webpage that collects a lot of the user inputs. I realize we can customize the registration page through a theme, but in this particular case the marketing page collects a lot of additional information that feeds into other systems and one of the actions that we want to happen is create a user. Ideally we want to be able to do this on the client side since the page overall submits its info to different system that we do not control.
>>
>> Seems that if we can get our hands on the post URL that will be associated with the built-in registration page form, we can just do a POST to that, but we have not been able to find a good way to get that URL which includes a server side session_code parameter.
>>
>> Any pointers are much appreciated.
>>
>> Thanks,
>> -Georgi

From georgi.matev at dominodatalab.com Mon Jun 10 16:02:00 2019
From: georgi.matev at dominodatalab.com (Georgi Matev)
Date: Mon, 10 Jun 2019 20:02:00 +0000
Subject: [keycloak-user] Get Keycloak to include AttributeConsumingServiceIndex in SAML2.0 AuthnRequest
Message-ID:

We are using Keycloak as an identity federation gateway, and one of the IdPs we are trying to connect to requires that SAML requests specify an AttributeConsumingServiceIndex so that the desired requested attributes can be returned.

We have not been able to find a way to specify the index value so that the AttributeConsumingServiceIndex can be included in the request as part of configuring a SAML provider under Identity Providers.

Any recommendations on how to configure this?

Thanks,
-Georgi

From psilva at redhat.com Mon Jun 10 17:17:39 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 10 Jun 2019 18:17:39 -0300
Subject: [keycloak-user] Scope Permissions with Resource Type
In-Reply-To:
References:
Message-ID:

There is a limitation here in how resource types are used. You could achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource instances", with an owner other than the resource server. But this does not seem to be your case.

There is one way to achieve this by using a JS Policy. Still not ideal, but something like this:

====
// Keycloak JS policy (Nashorn). Members of the group keep only the "read"
// scope: every other scope is removed from the permission before it is granted,
// so the group ends up with read-only access; non-members are denied.
var permission = $evaluation.getPermission();
var scopes = permission.getScopes();
var realm = $evaluation.getRealm();
var identity = $evaluation.getContext().getIdentity();

// Group membership check, see the documentation link below.
// "/USER_GROUP_A" is the group path from the example in this thread.
var isMember = realm.isUserInGroup(identity.getId(), "/USER_GROUP_A");

if (isMember) {
    // Iterate backwards so that removing an element does not skip the next one.
    for (var i = scopes.length - 1; i >= 0; i--) {
        var scope = scopes.get(i);
        if (!scope.getName().equals("read")) {
            permission.getScopes().remove(scope);
        }
    }
    $evaluation.grant();
} else {
    $evaluation.deny();
}
====

To check if a user is a member of a group, please take a look at https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership

On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi wrote:

> Hi Pedro,
>
> If I create a scope-based permission without specifying the resource, then that permission will apply to all the resources.
> For instance in the example I mentioned in my previous email:
>
> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>
> If I grant a permission for SCOPE_READ without specifying the resource then basically I am granting SCOPE_READ to all the resources which is not what I want. I want to only give SCOPE_READ to a specific set of resources.
>
> I think as you mentioned merging resource-based and scope-based permissions is a good idea and would work better. But now that we do not have this feature is there any other way to accomplish this somehow using policies or something else?
>
> Cheers
>
> Farzad
>
> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva wrote:
>
>> You can create scope-based permission for a specific scope (without set a resource). Would that help?
>>
>> I think we could also think about merging resource-based permission into scope-based permission so that we only have a single type of permission.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi wrote:
>>
>>> Hi,
>>>
>>> I have a client authorization set-up like the following:
>>>
>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>
>>> USER_1: USER_GROUP_A
>>> USER_2: USER_GROUP_A
>>>
>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>
>>> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>
>>> If I create a resourced based permission then it will give grant access to both scopes.
>>> Unfortunately I cannot create a scope based permission because scope permission does not support resource type. It only supports resource. If I want to use scoped based permission then I have to create permission for every single resource in my resource type.
>>>
>>> I was wondering if there is a reason that scope based permission does not support resource type?
>>>
>>> Also anyone has any idea how I can achieve my requirement given the limitations that we have? Is there a way to create a policy that grants access only to a certain scope?
>>>
>>>
>>> Cheers
>>>
>>> Farzad

From khvastunov at gmail.com Mon Jun 10 17:55:46 2019
From: khvastunov at gmail.com (Eugeniy Khvastunov)
Date: Tue, 11 Jun 2019 00:55:46 +0300
Subject: [keycloak-user] KC as SAML SSO point for Atlassian Cloud Jira/Confluence
Message-ID:

Hi Everyone!

The last few days I have spent in search of a mistake that I am making (or not) in the integration of Atlassian's cloud applications and my KC.
I see in SAML tracer that KC sends information about the successful authorization of the user, but Atlassian responds with this error:

    GET
    application: jira
    continue: https://MyKeyCloakTest.atlassian.net/login?redirectCount=1
    error: access_denied
    error_description: Invalid RSAES-OAEP padding.
    state: a8185482ff7e070fc3f7c6a91c2aac21eecae80b

Am I setting up the client incorrectly? Perhaps one of you has already had experience with integrating KC and Atlassian's cloud applications through SAML, or has come across integration instructions/howto?

I would be grateful for any help!

--
wbr.
Eugeniy Khvastunov,
System administrator.
[FMGH-UANIC]
http://blog.unlimite.net

From abhishek.singh at spire.ai Tue Jun 11 03:03:06 2019
From: abhishek.singh at spire.ai (Abhishek Singh)
Date: Tue, 11 Jun 2019 12:33:06 +0530
Subject: [keycloak-user] Keycloak database startup error
Message-ID:

Hi,

I'm trying to upgrade from standalone mode to cluster mode in Keycloak, and for this I have configured a cluster using JGroups and configured it using a local MySQL database. The version is the same, as I have changed only the conf file standalone-ha.xml. The cluster is successfully formed and checked as well.

Now when I point both nodes to the production MySQL database and start Keycloak, it generates a database error: "Failed to update the database: Table already exists".

I have tried every possible option, including setting the migration strategy to manual in standalone-ha.xml, but nothing works. I'm using keycloak-3.4.3.Final and MySQL mysql-server-5.5-1.6.amzn1.noarch.

Below is the error shown as an exception when starting Keycloak.

    05:22:44,963 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 62) Change Set META-INF/jpa-changelog-1.0.0.Final.xml::1.0.0.Final::sthorger at redhat.com failed.
    Error: Table 'APPLICATION_DEFAULT_ROLES' already exists [Failed SQL: CREATE TABLE keycloak3_schema.APPLICATION_DEFAULT_ROLES (APPLICATION_ID VARCHAR(36) NOT NULL, ROLE_ID VARCHAR(36) NOT NULL)]: liquibase.exception.DatabaseException: Table 'APPLICATION_DEFAULT_ROLES' already exists [Failed SQL: CREATE TABLE keycloak3_schema.APPLICATION_DEFAULT_ROLES (APPLICATION_ID VARCHAR(36) NOT NULL, ROLE_ID VARCHAR(36) NOT NULL)]
        at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
        at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
        at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
        at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
        at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
        at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
        at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
        at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
        at liquibase.Liquibase.update(Liquibase.java:210)
        at liquibase.Liquibase.update(Liquibase.java:190)
        at liquibase.Liquibase.update(Liquibase.java:186)

    05:22:44,983 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)

Please help with this issue.

Regards,
Abhishek

From Paolo.Tedesco at cern.ch Tue Jun 11 05:00:11 2019
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Tue, 11 Jun 2019 09:00:11 +0000
Subject: [keycloak-user] Configuring unique user identifiers
Message-ID: <6D320D40264A8545A9C25EC79DE1E32502031D2615@CERNXCHG41.cern.ch>

Hi all,

I'm trying to set up Keycloak as the Single Sign-On service at CERN, to replace our current service based on ADFS.

I would like to customize the unique identifiers used by Keycloak in its internal user database, to avoid possible email or username clashes.

My problem is that, in our environment, we allow users to change their email address, and also to use an external (non-CERN) address as their mail, and we saw that a user changing mail can lead to problems with Keycloak.

We tried using logins instead of emails as unique identifiers, but that creates possible clashes as well, as we don't have control over external IdPs' logins. We want to avoid that, in case of these clashes, the external IdP user is prompted to join their account to one of our accounts.

We thought that, to avoid this kind of clash, we could add a postfix to the login, so that for example my CERN account could be identified as "ptedesco at cern.ch", without clashing with "ptedesco at github.com", but we couldn't find a way to do this, especially for GitHub or other social providers.

Is there a way to customize the unique user identifiers in Keycloak, either through configuration, or by coding some extension?
Thanks,
Paolo Tedesco

From psilva at redhat.com Tue Jun 11 07:39:02 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 11 Jun 2019 08:39:02 -0300
Subject: [keycloak-user] Keycloak caching issue

I've tried different changes to settings and I think I got one. Could you confirm that you are changing a resource permission by replacing the type with a specific resource?

On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi wrote:

> Hi Pedro,
>
> I think I can say that it happens after changing the authorization settings. For instance I add resources/policies/permissions.
>
> To get the permissions (in Kotlin):
>
> - I get the access token from KeycloakSecurityContext
>   accessToken = getKeycloakSecurityContext().tokenString
>
> - Create AuthzClient and send access token and an instance of AuthorizationRequest to it and extract the RPT:
>   rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>
> - Then using the AuthzClient again I call the introspect RPT API to get the guts of RPT and get the permissions:
>   permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>
> It is this permissions object that is not consistent between two nodes.
>
> Cheers
>
> Farzad
>
> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva wrote:
>
>> Hi,
>>
>> Does it happen after changing anything in your client's authorization settings (eg.: resources, scopes, permissions, etc)?
>>
>> How are you sending authorization requests? By passing a set of one or more permission parameters, obtaining all permissions or using a UMA ticket?
>>
>> Regards.
>> Pedro Igor
>>
>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi wrote:
>>
>>> Hi,
>>>
>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs, meaning that I send two queries and the two RPTs returned have different granted permissions in them.
>>>
>>> So I went behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning a wrong set of permissions in the RPT.
>>>
>>> If I go to the admin console and clear the realm cache, then both nodes return the same correct permissions right away.
>>>
>>> This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this.
>>>
>>> Anyone with a similar issue? Any suggestions?
>>>
>>> Cheers
>>>
>>> Farzad
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From brandon at amazee.io Tue Jun 11 07:54:41 2019
From: brandon at amazee.io (Brandon Williams)
Date: Tue, 11 Jun 2019 06:54:41 -0500
Subject: [keycloak-user] AUTHZ How can I provide custom attributes to JS policy?

I'm using authorization services to protect an API (written in node.js). I would like to use a custom javascript policy that gets information from the context to determine if a user has access or not. Here's an example:

> var context = $evaluation.getContext();
> var contextAttributes = context.getAttributes();
>
> var myCustomData = contextAttributes.getValue('myCustomData');

This works well when I'm testing the policy via the UI and using the "Contextual information" section of the evaluate page.

Now I'm trying to figure out how to send that data when I'm doing an authz check from the API. In my API I'm using the "keycloak-connect" library and using the grant manager to send authz requests. Link to relevant code:

https://github.com/keycloak/keycloak-nodejs-connect/blob/master/middleware/auth-utils/grant-manager.js#L106

My assumption is that I can add "myCustomData" to the claim_token for this request, and it would be made available in the contextAttribute. I'm following the examples to build the claim from these docs:

https://www.keycloak.org/docs/4.8/authorization_services/#_service_pushing_claims

Whenever I try to add arbitrary data as a claim, even simple strings, I get errors from the keycloak API that it can't find the bearer token. Just removing the claim_token makes the requests work.

My two questions are: Is adding data as a claim the correct way to push data into the policy evaluation context? If so, why are my claims failing the requests?

Thanks,
Brandon Williams

From cosmin.a at adoreme.com Tue Jun 11 08:30:12 2019
From: cosmin.a at adoreme.com (Cosmin Ardeleanu)
Date: Tue, 11 Jun 2019 15:30:12 +0300
Subject: [keycloak-user] How to use identity provider broker (google and facebook) via ajax/api

Hello,

*Context*: We have a single page application made with Angular JS. We want to implement login via facebook and google, by using keycloak.

*Requirement*: We want to use an ajax/api call, similar to "../protocol/openid-connect/token" (this endpoint uses user/pass to log in).

*Problem*: The way the brokering works is with a series of html redirects: start -> redirects to keycloak -> redirects to facebook or google -> back to keycloak -> back to start. This is not compatible with a single page application.

*Question*: Is there any documentation (or workaround) on how to achieve login with facebook/google by using ajax/api calls, similar to the one for user/password (the "../protocol/openid-connect/token" endpoint)? We need to be able to retrieve the token from facebook and google, send it to keycloak, and keycloak should respond with the authentication token. How can we do it?

Thank you.
From psilva at redhat.com Tue Jun 11 09:38:53 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 11 Jun 2019 10:38:53 -0300
Subject: [keycloak-user] AUTHZ How can I provide custom attributes to JS policy?
I'm not sure why this change is not in the latest documentation, but here is how [1] [2] you pass additional claims to your policies when using the node.js adapter.

I would just add that in order to push claims the request should be made by a resource server (your client configured with the authz services). Public clients cannot perform such requests as they can be easily manipulated.

[1] https://github.com/keycloak/keycloak-documentation/pull/654/files#diff-024749afb352586c692443c010585e24R218
[2] https://github.com/keycloak/keycloak-nodejs-connect/blob/master/test/fixtures/node-console/index.js#L177

From brandon at amazee.io Tue Jun 11 10:35:51 2019
From: brandon at amazee.io (Brandon Williams)
Date: Tue, 11 Jun 2019 09:35:51 -0500
Subject: [keycloak-user] AUTHZ How can I provide custom attributes to JS policy?

[forgot to reply all, forwarding to list in case others have the same problem]

Thanks for the links, I found those methods via other means and was using them already. Thanks for confirming that setting claims is the correct way to push data into the policies. Most of all, thanks for "just adding" that pushing claims requires a service account. That was the part I missed, and after changing that everything is working as expected now!

From Kevin.Fox at pnnl.gov Tue Jun 11 15:45:11 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Tue, 11 Jun 2019 19:45:11 +0000
Subject: [keycloak-user] vitess support
Message-ID: <1A3C52DFCD06494D8528644858247BF01C3624E7@EX10MBOX03.pnnl.gov>

Has anyone tried Keycloak on top of Vitess? Seems like it might be a good fit for clustering/HA.
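The pushed-claims exchange from the AUTHZ thread above, as an added example; it is not code from the thread, from keycloak-connect, or from Keycloak. It assumes, following the Keycloak docs the thread links, that claim_token is a base64-encoded JSON object whose values are arrays and that claim_token_format is the JWT URN; the client descriptor and the policy helper are hypothetical stand-ins for keycloak-connect's grant manager and for $evaluation.

```javascript
// Added example (not from the thread, keycloak-connect or Keycloak).
// Resource-server side: build the token-endpoint request that pushes a
// claim into policy evaluation. Policy side: default-deny when the claim
// was never pushed. Values below marked "assumed" come from the Keycloak
// docs the thread links, not from the thread itself.

const UMA_TICKET_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket'; // assumed
const CLAIM_TOKEN_FORMAT = 'urn:ietf:params:oauth:token-type:jwt';     // assumed

// Encode pushed claims as the docs describe: JSON object -> base64.
// Every value must be an array of strings; reject anything else here so a
// malformed claim fails in the resource server, not inside a policy.
function buildClaimToken(claims) {
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new TypeError('claims must be a plain object');
  }
  for (const [name, values] of Object.entries(claims)) {
    if (!Array.isArray(values) || !values.every((v) => typeof v === 'string')) {
      throw new TypeError(`claim "${name}" must be an array of strings`);
    }
  }
  return Buffer.from(JSON.stringify(claims), 'utf8').toString('base64');
}

// Inverse of buildClaimToken, i.e. what the authorization server sees.
function decodeClaimToken(token) {
  return JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
}

// Form body for POST /realms/{realm}/protocol/openid-connect/token.
// `client` is a hypothetical descriptor. As Pedro notes in the thread, only
// a resource server (confidential client with a service account) may push
// claims, so a public client is refused before anything is sent.
function buildAuthorizationRequest({ client, audience, permissions = [], claims = null }) {
  if (claims !== null && client.publicClient) {
    throw new Error('pushed claims require a confidential client (resource server)');
  }
  const params = new URLSearchParams();
  params.set('grant_type', UMA_TICKET_GRANT);
  params.set('audience', audience);
  for (const p of permissions) params.append('permission', p); // "resource#scope"
  if (claims !== null) {
    params.set('claim_token', buildClaimToken(claims));
    params.set('claim_token_format', CLAIM_TOKEN_FORMAT);
  }
  return params;
}

// Plain-JS mirror of the thread's policy: `contextAttributes` stands in for
// $evaluation.getContext().getAttributes(). A claim that was not pushed
// grants nothing (default deny); only the first value is compared.
function myCustomDataPolicy(contextAttributes, expected) {
  const values = contextAttributes['myCustomData'];
  if (!Array.isArray(values) || values.length === 0) return false;
  return values[0] === expected;
}

// Constructed round trip: the resource server pushes the claim and the
// policy sees it in the evaluation context.
function demo() {
  const req = buildAuthorizationRequest({
    client: { clientId: 'my-api', publicClient: false }, // hypothetical
    audience: 'my-api',
    permissions: ['my-resource#view'],
    claims: { myCustomData: ['tenant-42'] },             // constructed
  });
  const pushed = decodeClaimToken(req.get('claim_token'));
  return myCustomDataPolicy(pushed, 'tenant-42');
}
```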
Thanks,
Kevin

From luis.villaca at petrobras.com.br Tue Jun 11 17:45:24 2019
From: luis.villaca at petrobras.com.br (luis.villaca at petrobras.com.br)
Date: Tue, 11 Jun 2019 18:45:24 -0300
Subject: [keycloak-user] Cross-realm authentication followed by realm-specific authorization in Keycloak

Greetings,

I would like to understand the best strategy to implement cross-realm authentication with realm-specific authorization in Keycloak.

A "brief" context: My company has maintained, for years, its own corporate authentication + authorization service (internal solution), for which every application gets a distinct SOAP service, based on application-specific credentials. This service, when provided with a user and those app credentials, authenticates and retrieves a list of user roles (application-specific). We plan on replacing this service soon, and the first step we thought of was decoupling the applications from it.

The first thing we did was configure a Keycloak instance to allow the usage of OpenID Connect. We created a JKS keystore for our certificate and set the SSL properties in our standalone.xml. Then we coded a Keycloak plugin (implementing org.keycloak.storage.UserStorageProviderFactory, and extending CredentialInputValidator) that interacts with our corporate service for authenticating and pulling the roles based on configured values provided by ProviderConfigurationBuilder. We deployed this plugin and configured a Keycloak UserFederation.

We then configured two spring-boot apps, in realms A and B, setting their certificates (PKEntry and Keycloak JKS). Using spring-security-oauth2-autoconfigure dependency lib features, we configured all keycloak connectivity settings (access token url, clientid, secret, etc) for each realm. At this point it works fine: each app redirects to the configured IDP (on its specific realm) and is able to authenticate and pull their client-specific mapped roles, further correlating them to secured resources in a WebSecurityConfigurerAdapter extension (Spring Security).

Now we want SSO. Basically we would like to have the authenticated user's identity propagated to other realms (as applications may link to each other), but pull authorizations according to realm-specific roles (a second step).

The strategy I thought of:

1) Create a single Realm (named GLOBALAUTH for instance) with a configured user federation that calls our corporate authentication Service to authenticate users
2) Set realms A and B with the GLOBALAUTH broker configured as identity provider
3) Maintain realms A and B with their specific UserFederation for further pulling out user roles, calling our corporate application-specific authorization Service. (need to check

Is there a better strategy to follow to provide cross-realm authentication with realm-specific authorization?

A side question from step 2 above - I got the following exception as we access a secured resource in app B, a Bad Gateway. Here is what is happening:

0 - Redirection happens (302) to https://b.com/login
1 - Redirection happens (302) to https://corp.keycloak.com:9443/auth/realms/B/protocol/openid-connect/auth?
2 - Redirection happens (303) to https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/login?
3 - Redirection happens (303) to https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/protocol/openid-connect/auth?

As we input a valid user/pass:

4 - Redirection after POST https://corp.keycloak.com:9443/auth/realms/GLOBALAUTH/login-actions/authenticate?
5 - Bad Gateway (502) on https://corp.keycloak.com:9443/auth/realms/B/broker/brkrGLOBALAUTH/endpoint?

Fails with "Unexpected error when authenticating with identity provider". Keycloak logs show:

09:49:48,572 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-161) : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It seems like a trust issue, any ideas?

Thanks, regards,
Luis

"The sender of this message is responsible for its content and addressing. The receiver shall take proper care of it. Without due authorization, the publication, reproduction, distribution or the performance of any other action not conforming to Petrobras System internal policies and procedures is forbidden and liable to disciplinary, civil or criminal sanctions."

From nicksu at m800.com Wed Jun 12 03:15:40 2019
From: nicksu at m800.com (Nick Su)
Date: Wed, 12 Jun 2019 07:15:40 +0000
Subject: [keycloak-user] Performance tuning of Keycloak
Message-ID: <36EA6123-29D5-4438-9694-3DBA36769685@m800.com>

Hi There

I have done some load testing against Keycloak v5.0 since we are trying to use Keycloak as SSO for our project.
However, the performance is far lower than we expected: we run Keycloak in a 12c and 24g memory VM, and the highest rate is only around 70 rps, so I am wondering whether any tuning can help to increase the performance?

I have tested it with this command:

    ab -T 'application/x-www-form-urlencoded' -n 100000 -c 10000 -p post.data http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token

and also tested with locust, script as below:

    from locust import HttpLocust, TaskSet
    import requests
    import json
    import time

    def get_token(l):
        l.client.post("http://192.168.135.92:8080/auth/realms/test/protocol/openid-connect/token",
                      {"client_id": "admin-cli", "username": "test", "password": "password", "grant_type": "password"},
                      headers={"Connection": "close"})

    def get_users(l):
        requests.adapters.DEFAULT_RETRIES = 5
        r = requests.post("http://192.168.135.92:8080/auth/realms/master/protocol/openid-connect/token",
                          data={"client_id": "admin-cli", "username": "admin", "password": "password", "grant_type": "password"},
                          headers={"Connection": "close"}).text
        h = {"Authorization": "Bearer " + json.loads(r)["access_token"], "Connection": "close"}
        l.client.get("http://192.168.135.92:8080/auth/admin/realms/master/users", headers=h, verify=False)

    class UserBehavior(TaskSet):
        tasks = {get_token: 1}

    class WebsiteUser(HttpLocust):
        task_set = UserBehavior

Thank you

From msakho at redhat.com Wed Jun 12 04:27:13 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 12 Jun 2019 10:27:13 +0200
Subject: [keycloak-user] keycloak healthcheck with microprofile

Hello all,
Any advice on that?

--
Meissa Sakho, RHCA
Architect
Red Hat EMEA
msakho at redhat.com
M: +33-6-9559-7778

On Wed, 29 May 2019 at 12:48, Meissa M'baye Sakho wrote:

> Hello everyone,
> Has someone tried to create health checks with SmallRye and the new metrics extension?
> I've tried long ago Thomas Darimont's following example [1] to implement health checks, but would like to know if someone has started something.
> [1] https://github.com/thomasdarimont/keycloak-health-checks/tree/master
>
> thanks
> --
> Meissa Sakho, RHCA
> Architect
> Red Hat EMEA
> msakho at redhat.com
> M: +33-6-9559-7778

From sthorger at redhat.com Wed Jun 12 04:40:58 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 12 Jun 2019 09:40:58 +0100
Subject: [keycloak-user] keycloak healthcheck with microprofile

Keycloak 6 is built with WildFly 16, which includes SmallRye. You can enable it by following the config in the WildFly docs or Google it. We will document this soon.

From dennis.knorr at gmx.net Wed Jun 12 04:54:48 2019
From: dennis.knorr at gmx.net (Dennis Knorr)
Date: Wed, 12 Jun 2019 10:54:48 +0200
Subject: [keycloak-user] keycloak update/create realm with localization
Message-ID: <26d87c42-bf5a-4606-ddc9-373ad40630a1@gmx.net>

Hi,

I try to create/update a realm with de localization.
Therefore I enable internationalization, set defaultLocale to de and set the themes to keycloak; by clicking in the AdminUI this works. When I try to update an existing realm with the following script, it does not work, neither with POST nor with PUT. Any idea what I do wrong? Any tips on how to create/update realms properly via the REST API? This is harder than I expected.

###########################################################
benutzer01 at vm:~/keycloakscripts$ cat scripts/update_realm.sh
#!/bin/bash
set -o noclobber
set -o errexit
set -o pipefail
set -o nounset
# Debugging
#set -xv

if [[ $# -lt 2 ]]; then
cat <

From: msakho at redhat.com (Meissa M'baye Sakho)
Subject: [keycloak-user] keycloak healthcheck with microprofile

Stian,
The problem is not enabling it. I already did it.
I would like to go beyond the default endpoints.
I need to add features like being able to have an endpoint that tells me if the keycloak database is up and running.
For that I need to add some dev and that's where I'm a little bit blind.

--
Meissa Sakho, RHCA
Architect
Red Hat EMEA
msakho at redhat.com
M: +33-6-9559-7778

From yy8402 at icloud.com Wed Jun 12 07:24:34 2019
From: yy8402 at icloud.com (Yang Yang)
Date: Wed, 12 Jun 2019 19:24:34 +0800
Subject: [keycloak-user] Customize OpenID Endpoint Configuration
Message-ID: <49257EBB-7683-436F-8063-E62BDBE49DA1@icloud.com>

Hello,

I am deploying Keycloak behind a reverse proxy, and do not want others to know where it is actually located. Can I customize the OpenID Endpoint Configuration information presented in http://[KEYCLOAK_ADD:PORT]/auth/realms/demo/.well-known/openid-configuration, so that I can present the login page at the address of the reverse proxy?

Thanks,
Yang

From sthorger at redhat.com Wed Jun 12 08:40:00 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 12 Jun 2019 14:40:00 +0200
Subject: [keycloak-user] keycloak healthcheck with microprofile

Ah, the problem is we don't have support for CDI, but from what I gather there's a static instance of the SmallRye registry that would allow adding custom health checks.

I've also been talking to lots of folks around health checks and whether or not a "service" is responsible for checking if the services it consumes are up as well, but opinions differ here. Some say Keycloak is down if the DB is down, but some say the DB should have separate health checks. Now looking at Kube for instance, having Keycloak marked as down if the DB is down is kinda wrong as it would result in Kube restarting KC pods, not the DB pods which are actually down.
On Wed, 12 Jun 2019 at 10:56, Meissa M'baye Sakho wrote: > Stian, > The problem is not enabling it. I already did it. > I would like to go beyond the defaults endpoints. > I need to add features like beeing able to have an endpoint that tells me > if the keycloak database is up and running. > For that I need to add some dev and that's where I'm a little bit blind. > > > > -- > > Meissa Sakho, RHCA > > Architect > > Red Hat EMEA > > msakho at redhat.com > M: +33-6-9559-7778 > > > > Le mer. 12 juin 2019 ? 10:41, Stian Thorgersen a > ?crit : > >> Keycloak 6 is built with WildFly 16 that includes the smallrye. You can >> enable it by following config in WildFly docs or Google it. We will >> document this soon. >> >> On Wed, 12 Jun 2019, 09:32 Meissa M'baye Sakho, >> wrote: >> >>> Hello all, >>> Any advice on that? >>> >>> -- >>> >>> Meissa Sakho, RHCA >>> >>> Architect >>> >>> Red Hat EMEA >>> >>> msakho at redhat.com >>> M: +33-6-9559-7778 >>> >>> >>> >>> Le mer. 29 mai 2019 ? 12:48, Meissa M'baye Sakho a >>> ?crit : >>> >>> > Hello everyone, >>> > Have someone tried to crate health check with SmallRye and the new >>> metrics >>> > extension? >>> > I've tried long ago Thomas darimont's following example [1] to >>> implement >>> > health check, but would like to know is someone has started something. 
>>> > [1] >>> https://github.com/thomasdarimont/keycloak-health-checks/tree/master >>> > >>> > thanks >>> > -- >>> > >>> > Meissa Sakho, RHCA >>> > >>> > Architect >>> > >>> > Red Hat EMEA >>> > >>> > msakho at redhat.com >>> > M: +33-6-9559-7778 >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> From msakho at redhat.com Wed Jun 12 08:56:49 2019 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Wed, 12 Jun 2019 14:56:49 +0200 Subject: [keycloak-user] keycloak heathcheck with microprofile In-Reply-To: References: Message-ID: The use case I'm facing is a DB deployed externally. The requirement is to make sure that DB access from keycloak is always UP. This has been implemented in the following link: https://github.com/thomasdarimont/keycloak-health-checks/tree/master I wanted to do the same with smallrye. -- Meissa Sakho, RHCA Architect Red Hat EMEA msakho at redhat.com M: +33-6-9559-7778 On Wed. 12 Jun 2019 at 14:40, Stian Thorgersen wrote: > Ah, the problem is we don't have support for CDI, but from what I gather > there's a static instance of the smallrye registry that would allow adding > custom health checks. > > I've also been talking to lots of folks around health checks and whether > or not a "service" is responsible for checking if services it consumes are > up as well, but opinions differ here. Some say Keycloak is down if the DB > is down, but some say the DB should have separate health checks. Now, > looking at Kube for instance, having Keycloak marked as down if the DB is > down is kinda wrong as it would result in Kube restarting KC pods, not the > DB pods which are actually down. > > On Wed, 12 Jun 2019 at 10:56, Meissa M'baye Sakho > wrote: > >> Stian, >> The problem is not enabling it. I already did it. >> I would like to go beyond the default endpoints.
>> I need to add features like being able to have an endpoint that tells me >> if the keycloak database is up and running. >> For that I need to add some dev and that's where I'm a little bit blind. >> >> >> >> -- >> >> Meissa Sakho, RHCA >> >> Architect >> >> Red Hat EMEA >> >> msakho at redhat.com >> M: +33-6-9559-7778 >> >> >> >> On Wed. 12 Jun 2019 at 10:41, Stian Thorgersen >> wrote: >> >>> Keycloak 6 is built with WildFly 16 that includes the smallrye. You can >>> enable it by following config in WildFly docs or Google it. We will >>> document this soon. >>> >>> On Wed, 12 Jun 2019, 09:32 Meissa M'baye Sakho, >>> wrote: >>> >>>> Hello all, >>>> Any advice on that? >>>> >>>> -- >>>> >>>> Meissa Sakho, RHCA >>>> >>>> Architect >>>> >>>> Red Hat EMEA >>>> >>>> msakho at redhat.com >>>> M: +33-6-9559-7778 >>>> >>>> >>>> >>>> On Wed. 29 May 2019 at 12:48, Meissa M'baye Sakho >>>> wrote: >>>> >>>> > Hello everyone, >>>> > Has someone tried to create health checks with SmallRye and the new >>>> metrics >>>> > extension? >>>> > I've tried long ago Thomas Darimont's following example [1] to >>>> implement >>>> > health checks, but would like to know if someone has started something.
>>>> > [1] >>>> https://github.com/thomasdarimont/keycloak-health-checks/tree/master >>>> > >>>> > thanks >>>> > -- >>>> > >>>> > Meissa Sakho, RHCA >>>> > >>>> > Architect >>>> > >>>> > Red Hat EMEA >>>> > >>>> > msakho at redhat.com >>>> > M: +33-6-9559-7778 >>>> > >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> From hossein.doutaghy at gmail.com Wed Jun 12 10:30:38 2019 From: hossein.doutaghy at gmail.com (Hossein Doutaghy) Date: Wed, 12 Jun 2019 10:30:38 -0400 Subject: [keycloak-user] Keycloak RestAPI to Assign Multiple Groups Message-ID: Hi, We are planning to assign multiple groups to a single user via a REST API call, but it seems like keycloak does not currently have an API for assigning multiple groups to users. As per the keycloak API documentation, it is only possible to assign a single group to a user in each API call. Does Keycloak support a OneUser-to-MultipleGroups API? Thanks, Moe Doutaghy From luke at code-house.org Wed Jun 12 17:16:23 2019 From: luke at code-house.org (Łukasz Dywicki) Date: Wed, 12 Jun 2019 23:16:23 +0200 Subject: [keycloak-user] Customize OpenID Endpoint Configuration In-Reply-To: <49257EBB-7683-436F-8063-E62BDBE49DA1@icloud.com> References: <49257EBB-7683-436F-8063-E62BDBE49DA1@icloud.com> Message-ID: <19adf815-f0a4-1a48-59e2-af7aceef2bd7@code-house.org> Hostname resolution is pluggable via the HostnameProviderSPI. Normally Keycloak should rely on the HOST field set by the reverse proxy. You can use FixedHostnameProvider to force a certain host to be used.
Please check out the hostname SPI docs: https://github.com/keycloak/keycloak-documentation/blob/6.0.1/server_admin/topics/threat/host.adoc Best regards, Łukasz -- Code-House http://code-house.org On 12.06.2019 13:24, Yang Yang wrote: > Hello, > > I am deploying Keycloak behind a reverse proxy, and do not want others to know where it is actually located. Can I customize the OpenID Endpoint Configuration information presented in http://[KEYCLOAK_ADD:PORT]/auth/realms/demo/.well-known/openid-configuration? So that I can present the login page at the address of the reverse proxy. > > Thanks, > Yang > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From hyunji.kim at broadcom.com Wed Jun 12 17:58:38 2019 From: hyunji.kim at broadcom.com (Hyunji Kim) Date: Wed, 12 Jun 2019 14:58:38 -0700 Subject: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak Message-ID: Hello all, is there any way to integrate a 3rd-party 2FA with Keycloak so that the OTP code is validated by the 2FA outside Keycloak? My team is using Authy for 2FA and I'm trying to figure out how to integrate it with Keycloak. Thank you, Hyunji From henning.waack at codecentric.de Thu Jun 13 05:41:00 2019 From: henning.waack at codecentric.de (Henning Waack) Date: Thu, 13 Jun 2019 11:41:00 +0200 Subject: [keycloak-user] ADMIN_EVENT_ENTITY Exception Message-ID: Dear all. We currently see the following exception in our KC 5.0 server log. Any idea what could be the root cause for this? Thanks in advance Henning 2019-06-13 09:42:08,669 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-676) SQL Error: 1366, SQLState: 22007 2019-06-13 09:42:08,670 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-676) (conn=3571) Incorrect string value: '\xC5\xABras"...'
for column `keycloak`.`ADMIN_EVENT_ENTITY`.`REPRESENTATION` at row 1 2019-06-13 09:42:08,671 ERROR [org.hibernate.internal.ExceptionMapperStandardImpl] (default task-676) HHH000346: Error during managed flush [org.hibernate.exception.DataException: could not execute statement ] 2019-06-13 09:42:08,671 WARN [com.arjuna.ats.arjuna] (default task-676) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff91eff4af:-1becb8ba:5d0021fb:346da5, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 360e1f51 >: javax.persistence.PersistenceException: org.hibernate.exception.DataException: could not execute statement at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154) at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181) at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188) at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:511) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3283) at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2479) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:473) at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:352) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) at
org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:360) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1288) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.resources.admin.UserResource.updateUser(UserResource.java:173) -- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 | 42697 Solingen | Germany tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal Executive board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz This e-mail, including any attached files, contains confidential and/or legally protected information.
If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files without delay. Unauthorised copying, use or opening of any attached files, as well as unauthorised forwarding of this e-mail, is not permitted. From shivaprasadtp8 at gmail.com Thu Jun 13 08:08:59 2019 From: shivaprasadtp8 at gmail.com (Shiva Prasad Thagadur Prakash) Date: Thu, 13 Jun 2019 15:08:59 +0300 Subject: [keycloak-user] Does Keycloak support binding to ipv6 address Message-ID: Hi Guys, Can Keycloak be bound to an ipv6 address? Or can it be bound to both ipv4 and ipv6, for example, -b [[::]]? Are there any configuration changes that have to be done? Eagerly waiting for the reply. Thanks, Shiva From simon at aerian.com Thu Jun 13 08:18:06 2019 From: simon at aerian.com (Simon Neaves) Date: Thu, 13 Jun 2019 13:18:06 +0100 Subject: [keycloak-user] user data insights Message-ID: Hi, I have some feature requests around user data insights. As far as I'm aware, it's not possible to filter the User list in the keycloak admin to find out, for example, - Which users have enabled 2FA - Which users have incomplete actions (e.g. verify email) - Have disabled accounts - Have logged in in the last 6 months (e.g. sort by 'last logged in' or 'account created' etc.) - View/filter a custom attribute In an ideal world, we'd perhaps generate some reports (e.g. % users with 2FA) as a pie chart, but in the first instance, just some basic filters/sorts on the user list would be invaluable. Perhaps this work relates to the work proposed at https://github.com/stianst/keycloak-community/blob/master/design/observerability.md Thanks, Simon Neaves, Technical Director | Aerian Like us on Facebook | Follow us on Twitter simon at aerian.com www.aerian.com +44 (0) 845 408 6009 +44 (0) 773 946 9564 The information contained in this message is for the confidential use of the addressee(s).
It is not to be relied upon by any person(s) before receiving subsequent written confirmation of its contents. aerian studios accepts no responsibility or liability whatsoever (including liability in negligence) for any loss or damage suffered by any person(s) acting upon the information contained in this message. By using this system or by sending us emails you consent to the monitoring or recording of email and other terms as stated in aerian studios Email and Internet Use Policy. Please visit us on http://www.aerian.com From ssilvert at redhat.com Thu Jun 13 09:12:25 2019 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 13 Jun 2019 09:12:25 -0400 Subject: [keycloak-user] Does Keycloak support binding to ipv6 address In-Reply-To: References: Message-ID: <9ca2afd4-68bc-efcc-492e-3cee93a76861@redhat.com> On 6/13/2019 8:08 AM, Shiva Prasad Thagadur Prakash wrote: > Hi Guys, > > Can Keycloak be bound to an ipv6 address? Or can it be bound to both ipv4 and > ipv6, for example, -b [[::]]? Are there any configuration changes that > have to be done? Eagerly waiting for the reply. > > Thanks, > Shiva > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user Is this what you are looking for? https://docs.jboss.org/author/display/WFLY10/Interfaces+and+ports From bruno at abstractj.org Thu Jun 13 09:58:13 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 13 Jun 2019 10:58:13 -0300 Subject: [keycloak-user] Does Keycloak support binding to ipv6 address In-Reply-To: References: Message-ID: <20190613135813.GA20317@abstractj.org> A long time ago we tested ipv6 [1], and everything worked really well. Just a quick note that we do not support ipv6 in the URLs, as mentioned in the same Jira. [1] - https://issues.jboss.org/browse/KEYCLOAK-1587 On 2019-06-13, Shiva Prasad Thagadur Prakash wrote: > Hi Guys, > > Can Keycloak be bound to an ipv6 address?
Or can it be bound to both ipv4 and > ipv6, for example, -b [[::]]? Are there any configuration changes that > have to be done? Eagerly waiting for the reply. > > Thanks, > Shiva > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From Chris.Rains at jtv.com Thu Jun 13 14:55:26 2019 From: Chris.Rains at jtv.com (Rains, Chris) Date: Thu, 13 Jun 2019 18:55:26 +0000 Subject: [keycloak-user] Registration page still shown with existing session Message-ID: Hi, If I successfully log in and then manually navigate to the registration endpoint (protocol/openid-connect/registrations), the registration form is returned. If I complete the form, I am getting a 'different_user_authenticated' error. Is this expected behavior? I would have expected my existing session to be recognized when I first navigated to the registration page, and not even see the registration form. Thanks! - Chris Rains From farzad.panahi at gmail.com Thu Jun 13 14:56:15 2019 From: farzad.panahi at gmail.com (Farzad Panahi) Date: Thu, 13 Jun 2019 11:56:15 -0700 Subject: [keycloak-user] Scope Permissions with Resource Type In-Reply-To: References: Message-ID: Thanks Pedro. I will try this out. BTW, do you think merging the resource-based and scope-based permissions would be in your roadmap for anytime soon? On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva wrote: > There is a limitation here in how resource types are used. You could > achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource > instances", with an owner other than the resource server. But this does not > seem to be your case. > > There is one way to achieve this by using a JS Policy.
Still not ideal, > but something like this: > > ==== > var permission = $evaluation.getPermission(); > var scopes = permission.getScopes(); > > for (i = 0; i < scopes.length; i++) { > var scope = scopes.get(i); > > if (scope.getName().equals("read")) { > if (// check here if the user is member of a group) { > permission.getScopes().remove(scope); > } > } > } > > // grant or deny the permission > ==== > > To check if a user is a member of a group, please take a look at > https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership > . > > On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi > wrote: > >> Hi Pedro, >> >> If I create a scope-based permission without specifying the resource, >> then that permission will apply to all the resources. >> For instance, in the example I mentioned in my previous email: >> >> I want to create permissions to give only SCOPE_READ access (not >> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >> >> If I grant a permission for SCOPE_READ without specifying the resource, >> then basically I am granting SCOPE_READ to all the resources, which is not >> what I want. I want to only give SCOPE_READ to a specific set of resources. >> >> I think, as you mentioned, merging resource-based and scope-based >> permissions is a good idea and would work better. But now that we do not >> have this feature, is there any other way to accomplish this somehow using >> policies or something else? >> >> Cheers >> >> Farzad >> >> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva >> wrote: >> >>> You can create a scope-based permission for a specific scope (without setting >>> a resource). Would that help? >>> >>> I think we could also think about merging resource-based permission into >>> scope-based permission so that we only have a single type of permission. >>> >>> Regards.
>>> Pedro Igor >>> >>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi >>> wrote: >>> >>>> Hi, >>>> >>>> I have a client authorization set-up like the following: >>>> >>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>> >>>> USER_1: USER_GROUP_A >>>> USER_2: USER_GROUP_A >>>> >>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A >>>> >>>> I want to create permissions to give only SCOPE_READ access (not >>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >>>> >>>> If I create a resource-based permission then it will grant access >>>> to >>>> both scopes. >>>> Unfortunately I cannot create a scope-based permission because scope >>>> permission does not support resource type. It only supports resource. >>>> If I >>>> want to use scope-based permission then I have to create a permission for >>>> every single resource in my resource type. >>>> >>>> I was wondering if there is a reason that scope-based permission does >>>> not >>>> support resource type? >>>> >>>> Also, does anyone have any idea how I can achieve my requirement given the >>>> limitations that we have? Is there a way to create a policy that grants >>>> access only to a certain scope? >>>> >>>> >>>> Cheers >>>> >>>> Farzad >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> From pavel.kokush at gmail.com Fri Jun 14 04:48:22 2019 From: pavel.kokush at gmail.com (pavel.kokush) Date: Fri, 14 Jun 2019 11:48:22 +0300 Subject: [keycloak-user] expiration for temporary password Message-ID: Hi Is it possible to set an expiration for a temporary password? Use case: a user asks for a password reset, and the system calls the org.keycloak.admin.client.resource.UserResource.resetPassword method with the temporary=true flag in the model.
The system provides a new temporary password to use (by email or something). When the user tries to change this temporary password, keycloak's UserResource.resetPassword should fail if the temporary password has expired (and then the user must repeat the flow). Of course temporary and normal passwords should have different expiration periods. Is it possible in keycloak? If not, any hint on how to do it with a keycloak extension (without forking keycloak)? Thanks, Pavel From l.lech at ringler.ch Fri Jun 14 06:07:02 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Fri, 14 Jun 2019 10:07:02 +0000 Subject: [keycloak-user] Adding 2FA with SMS Message-ID: <5E48B917000C984B86B77170F441903A18A0F161@exch.ringler.ch> Hello, I'm analysing the requirement for adding 2FA with SMS to keycloak. There is a ready project https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate this, you need to modify the browser authentication flow. This looks quite cheaply made. First, the SMS is always sent, but validated only if you set SMS validation to REQUIRED; second, you give your mobile number, and if it is wrong, you must call support to change that for you. The correct way would be to make it analogous to TOTP: a separate screen where you give your mobile number, and then give the validation code, and only then your mobile phone will be saved. Could you please give me a hint whether adding a second 2FA this way could be done via plug-in, so by writing provider(s), changing themes and editing flows in administration, or whether it would require some changes to keycloak core code? Were there any attempts at writing alternative 2FA plugins working in a similar way as TOTP is working now?
Best regards, Lukasz Lech From luke at code-house.org Fri Jun 14 06:20:13 2019 From: luke at code-house.org (Łukasz Dywicki) Date: Fri, 14 Jun 2019 12:20:13 +0200 Subject: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak In-Reply-To: References: Message-ID: <0b282031-221a-3daf-9443-ad21ee2c9953@code-house.org> Hey Hyunji, In order to integrate an additional OTP you have two ways: 1) extend existing OTPs (google, freeotp) and add your own 2) create your own browser flow with your custom otp action I believe the latter one is easier as it can be done without modifying existing Keycloak sources. A nice example with a completely new Authenticator is available at github: https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns Best regards, Łukasz -- Code-House http://code-house.org On 12.06.2019 23:58, Hyunji Kim wrote: > Hello all, > > is there any way to integrate a 3rd-party 2FA with Keycloak so that the OTP > code is validated by the 2FA outside Keycloak? > > My team is using Authy for 2FA and I'm trying to figure out how to > integrate it with Keycloak. > > Thank you, > Hyunji > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From l.lech at ringler.ch Fri Jun 14 07:21:29 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Fri, 14 Jun 2019 11:21:29 +0000 Subject: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak In-Reply-To: <0b282031-221a-3daf-9443-ad21ee2c9953@code-house.org> References: <0b282031-221a-3daf-9443-ad21ee2c9953@code-house.org> Message-ID: <5E48B917000C984B86B77170F441903A18A0F18E@exch.ringler.ch> Hello, What exactly would 'extending existing OTPs' mean? Does it mean modifying Keycloak sources, or providing your own extension (via SPI)? Keycloak-sms-authenticator-sns configured in the way described in the README works really strangely.
It is always active, but is not validating the token unless you set SMS to REQUIRED etc. Is it a productive project or a kind of abandoned experiment / research? Best regards, Lukasz Lech -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Lukasz Dywicki Sent: Friday, 14 June 2019 12:20 To: Hyunji Kim ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak Hey Hyunji, In order to integrate an additional OTP you have two ways: 1) extend existing OTPs (google, freeotp) and add your own 2) create your own browser flow with your custom otp action I believe the latter one is easier as it can be done without modifying existing Keycloak sources. A nice example with a completely new Authenticator is available at github: https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns Best regards, Łukasz -- Code-House http://code-house.org On 12.06.2019 23:58, Hyunji Kim wrote: > Hello all, > > is there any way to integrate a 3rd-party 2FA with Keycloak so that > the OTP code is validated by the 2FA outside Keycloak? > > My team is using Authy for 2FA and I'm trying to figure out how to > integrate it with Keycloak. > > Thank you, > Hyunji > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Fri Jun 14 09:44:47 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 14 Jun 2019 10:44:47 -0300 Subject: [keycloak-user] Scope Permissions with Resource Type In-Reply-To: References: Message-ID: Yeah, I do. I've been thinking about this for a while and I think it would make permission mgmt easier, without too many choices on how to do it.
It should be a quite trivial change as both share the same model. More of a UI refactoring. Will create a JIRA for it. FYI, I've just pushed some changes for allowing people to configure a global decision strategy so that you can change how permissions are evaluated. Please take a look at https://github.com/keycloak/keycloak-documentation/pull/680. Maybe it can also help your use case. On Thu, Jun 13, 2019 at 3:56 PM Farzad Panahi wrote: > Thanks Pedro. I will try this out. > > BTW, do you think merging the resource-based and scope-based permissions > would be in your roadmap for anytime soon? > > On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva > wrote: > >> There is a limitation here in how resource types are used. You could >> achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource >> instances", with an owner other than the resource server. But this does not >> seem to be your case. >> >> There is one way to achieve this by using a JS Policy. Still not ideal, >> but something like this: >> >> ==== >> var permission = $evaluation.getPermission(); >> var scopes = permission.getScopes(); >> >> for (i = 0; i < scopes.length; i++) { >> var scope = scopes.get(i); >> >> if (scope.getName().equals("read")) { >> if (// check here if the user is member of a group) { >> permission.getScopes().remove(scope); >> } >> } >> } >> >> // grant or deny the permission >> ==== >> >> To check if a user is a member of a group, please take a look at >> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership >> . >> >> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi >> wrote: >> >>> Hi Pedro, >>> >>> If I create a scope-based permission without specifying the resource, >>> then that permission will apply to all the resources. >>> For instance, in the example I mentioned in my previous email: >>> >>> I want to create permissions to give only SCOPE_READ access (not >>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>> >>> If I grant a permission for SCOPE_READ without specifying the resource, >>> then basically I am granting SCOPE_READ to all the resources, which is not >>> what I want. I want to only give SCOPE_READ to a specific set of resources. >>> >>> I think, as you mentioned, merging resource-based and scope-based >>> permissions is a good idea and would work better. But now that we do not >>> have this feature, is there any other way to accomplish this somehow using >>> policies or something else? >>> >>> Cheers >>> >>> Farzad >>> >>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva >>> wrote: >>> >>>> You can create a scope-based permission for a specific scope (without setting >>>> a resource). Would that help? >>>> >>>> I think we could also think about merging resource-based permission >>>> into scope-based permission so that we only have a single type of >>>> permission. >>>> >>>> Regards. >>>> Pedro Igor >>>> >>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> I have a client authorization set-up like the following: >>>>> >>>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>> >>>>> USER_1: USER_GROUP_A >>>>> USER_2: USER_GROUP_A >>>>> >>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A >>>>> >>>>> I want to create permissions to give only SCOPE_READ access (not >>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >>>>> >>>>> If I create a resource-based permission then it will grant >>>>> access to >>>>> both scopes. >>>>> Unfortunately I cannot create a scope-based permission because scope >>>>> permission does not support resource type. It only supports resource. >>>>> If I >>>>> want to use scope-based permission then I have to create a permission >>>>> for >>>>> every single resource in my resource type.
>>>>> >>>>> I was wondering if there is a reason that scope-based permission does >>>>> not >>>>> support resource type? >>>>> >>>>> Also, does anyone have any idea how I can achieve my requirement given the >>>>> limitations that we have? Is there a way to create a policy that grants >>>>> access only to a certain scope? >>>>> >>>>> >>>>> Cheers >>>>> >>>>> Farzad >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> From ccouzens at gmail.com Fri Jun 14 15:32:08 2019 From: ccouzens at gmail.com (Chris Couzens) Date: Fri, 14 Jun 2019 20:32:08 +0100 Subject: [keycloak-user] OpenAPI (swagger) documentation Message-ID: Hello, I've created an OpenAPI specification for Keycloak's admin Rest API. https://github.com/ccouzens/keycloak-openapi/blob/master/keycloak/6.0.json Feel free to make use of it. It was generated by programmatically scraping the Keycloak Admin Rest API documentation. This means it unfortunately has the same limitations (no authz routes, the types having all fields as optional). But what is there is complete and correct: all the paths [1] from the admin Rest documentation, all the parameters, all the request [2] and response bodies and their respective schemas. I used it in a couple of projects as I was putting it together. It meant I didn't feel I was missing language-specific clients for Keycloak's API. Kind regards, Chris [1] except this one. Whilst it might appear simple, it can't be represented in OpenAPI because the path parameter would need to allow slashes https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_preflight [2] except for the request bodies that are labelled FormData. This affects 4 routes. I expect they'd be relatively easy to implement, but those 4 routes being broken doesn't affect me.
Pull requests welcome https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_uploadjks From paul at templeman.co Sat Jun 15 00:53:27 2019 From: paul at templeman.co (Paul Templeman) Date: Sat, 15 Jun 2019 04:53:27 +0000 Subject: [keycloak-user] Sign in with Apple support Message-ID: Hi All I'm looking to integrate "Sign in with Apple" as a social provider for Keycloak. See https://developer.apple.com/sign-in-with-apple/. Has anyone done this? It appears to be a straight OIDC integration according to this blog https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple. Are there any plans to add support officially? Cheers Paul.. From luke at code-house.org Sat Jun 15 02:10:12 2019 From: luke at code-house.org (Łukasz Dywicki) Date: Sat, 15 Jun 2019 08:10:12 +0200 Subject: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak In-Reply-To: <5E48B917000C984B86B77170F441903A18A0F18E@exch.ringler.ch> References: <0b282031-221a-3daf-9443-ad21ee2c9953@code-house.org> <5E48B917000C984B86B77170F441903A18A0F18E@exch.ringler.ch> Message-ID: <300EBA20-9B6B-4FC8-8658-21FD231070E9@code-house.org> I would say that the project itself is good enough to be used as a kind of starting point for similar requirements. Both OTP and SMS validation require an additional step in the login and/or registration process. The way to go in such cases is plugging additional Authenticator instances into the flow. Cheers, Łukasz Dywicki -- Code-House http://code-house.org > On 14 Jun 2019, at 13:21, Lukasz Lech wrote: > > Hello, > > What exactly would 'extending existing OTPs' mean? Does it mean modifying Keycloak sources, or providing your own extension (via SPI)? > > Keycloak-sms-authenticator-sns configured in the way described in the README works really strangely. It is always active, but is not validating the token unless you set SMS to REQUIRED etc. > Is it a productive project or a kind of abandoned experiment / research?
> > Best regards, > Lukasz Lech > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Lukasz Dywicki > Sent: Freitag, 14. Juni 2019 12:20 > To: Hyunji Kim ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to integrate 3rd-party 2FA with Keycloak > > Hey Hyunji, > In order to integrate additional OTP you have two ways: > 1) extend existing OTPs (google, freeotp) and add your own > 2) create own browser flow with your custom otp action > > I believe the latter one is easier as it can be done without modifying existing Keycloak sources. > A nice example with completely new Authenticator is available at github: > https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns > > Best regards, > Łukasz > -- > Code-House http://code-house.org > >> On 12.06.2019 23:58, Hyunji Kim wrote: >> Hello all, >> >> is there any way to integrate a 3rd-party 2FA with Keycloak so that >> the OTP code is validated by the 2FA outside Keycloak? >> >> My team is using Authy for 2FA and I'm trying to figure out how to >> integrate it with Keycloak. >> >> Thank you, >> Hyunji >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user
From luke at code-house.org Sat Jun 15 02:32:27 2019 From: luke at code-house.org (Łukasz Dywicki) Date: Sat, 15 Jun 2019 08:32:27 +0200 Subject: [keycloak-user] Adding 2FA with SMS In-Reply-To: <5E48B917000C984B86B77170F441903A18A0F161@exch.ringler.ch> References: <5E48B917000C984B86B77170F441903A18A0F161@exch.ringler.ch> Message-ID: Introduction of extra steps for login/registration is entirely possible.
However, there is a need to swap (extend) LoginFormsProvider, add new FormAction and Authenticator as well, and yes - template too. There is close relation between these parts when it comes to processing login and registration flows. You don't need to modify directly any Keycloak code, it is sufficient to extend existing classes. You can use User attributes to store additional data about mobile number. It is mechanism made for that. Extension you linked is nice example of additional credential type which is a proper way from design point of view, but absolutely not necessary to start having sms code verifier. In the end such verifier is a simple bearer to fail authentication. Cheers, Łukasz Dywicki -- Code-House http://code-house.org > On 14 Jun 2019, at 12:07, Lukasz Lech wrote: > > Hello, > > I'm analysing the requirement for adding 2FA with SMS to keycloak. > > There is a ready project https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate this, you need to modify authentication browser flow. > This looks quite cheaply made. First, SMS is always sent, but validated only if you set SMS validation to REQUIRED, second, you give your mobile number, and if it is wrong, you must call support to change that for you. > > The correct way would be to make it analog to TOTP. A separate screen when you give your mobile number, and then give the validation code, and only then your mobile phone will be saved. > > Could you please give me a hint, if adding second 2FA this way could be made via plug-in, so, by writing provider(s), changing themes and editing flows in administration, or it would require some changes to keycloak core code? > > Were there any attempts for writing alternative 2FA plugins working similar way as TOTP is working now?
> > Best regards, > Lukasz Lech > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From farzad.panahi at gmail.com Sat Jun 15 05:07:34 2019 From: farzad.panahi at gmail.com (Farzad Panahi) Date: Sat, 15 Jun 2019 02:07:34 -0700 Subject: [keycloak-user] Scope Permissions with Resource Type In-Reply-To: References: Message-ID: Thanks Pedro. I will check it out. Let us know here when you create that UI JIRA ticket. On Fri, Jun 14, 2019 at 6:44 AM Pedro Igor Silva wrote: > Yeah, I do. I've been thinking about this for a while and I think it would > make permission mgmt more easy without too many choices on how to do it. It > should be a quite trivial change as both share the same model. More a UI > refactoring. > > Will create a JIRA for it. > > FYI, I've just pushed some changes for allowing people to configure a > global decision strategy so that you change how permissions are evaluated. > Please, take a look at > https://github.com/keycloak/keycloak-documentation/pull/680. Maybe it can > also help your use case. > > On Thu, Jun 13, 2019 at 3:56 PM Farzad Panahi > wrote: > >> Thanks Pedro. I will try this out. >> >> BTW, do you think merging the resource-based and scope-based permissions >> would be in your roadmap for anytime soon? >> >> On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva >> wrote: >> >>> There is a limitation here in how resource types are used. You could >>> achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource >>> instance", with the owner other than the resource server. But this does not >>> seem to be your case. >>> >>> There is one way to achieve this by using a JS Policy. 
Still not ideal, >>> but something like this: >>> >>> ==== >>> var permission = $evaluation.getPermission(); >>> var scopes = permission.getScopes(); >>> >>> for (i = 0; i < scopes.length; i++) { >>> var scope = scopes.get(i); >>> >>> if (scope.getName().equals("read")) { >>> if (// check here if the user is member of a group) { >>> permission.getScopes().remove(scope); >>> } >>> } >>> } >>> >>> // grant or deny the permission >>> ==== >>> >>> To check if a user is a member of a group, please take a look at >>> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership >>> . >>> >>> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi >>> wrote: >>> >>>> Hi Pedro, >>>> >>>> If I create a scope-based permission without specifying the resource, >>>> then that permission will apply to all the resources. >>>> For instance in the example I mentioned in my previous email: >>>> >>>> I want to create permissions to give only SCOPE_READ access (not >>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >>>> >>>> If I grant a permission for SCOPE_READ without specifying the resource >>>> then basically I am granting SCOPE_READ to all the resources which is not >>>> what I want. I want to only give SCOPE_READ to a specific set of resources. >>>> >>>> I think as you mentioned merging resource-based and scope-based >>>> permissions is a good idea and would work better. But now that we do not >>>> have this feature is there any other way to accomplish this somehow using >>>> policies or something else? >>>> >>>> Cheers >>>> >>>> Farzad >>>> >>>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva >>>> wrote: >>>> >>>>> You can create scope-based permission for a specific scope (without >>>>> set a resource). Would that help? >>>>> >>>>> I think we could also think about merging resource-based permission >>>>> into scope-based permission so that we only have a single type of >>>>> permission. >>>>> >>>>> Regards. 
>>>>> Pedro Igor >>>>> >>>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I have a client authorization set-up like the following: >>>>>> >>>>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA >>>>>> >>>>>> USER_1: USER_GROUP_A >>>>>> USER_2: USER_GROUP_A >>>>>> >>>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A >>>>>> >>>>>> I want to create permissions to give only SCOPE_READ access (not >>>>>> SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA. >>>>>> >>>>>> If I create a resource-based permission then it will grant >>>>>> access to >>>>>> both scopes. >>>>>> Unfortunately I cannot create a scope-based permission because scope >>>>>> permission does not support resource type. It only supports resource. >>>>>> If I >>>>>> want to use scope-based permission then I have to create permission >>>>>> for >>>>>> every single resource in my resource type. >>>>>> >>>>>> I was wondering if there is a reason that scope-based permission does >>>>>> not >>>>>> support resource type? >>>>>> >>>>>> Also anyone has any idea how I can achieve my requirement given the >>>>>> limitations that we have? Is there a way to create a policy that >>>>>> grants >>>>>> access only to a certain scope?
>>>>>> >>>>>> >>>>>> Cheers >>>>>> >>>>>> Farzad >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>
From sthorger at redhat.com Sun Jun 16 04:28:44 2019 From: sthorger at redhat.com (Stian Thorgersen) Date: Sun, 16 Jun 2019 10:28:44 +0200 Subject: [keycloak-user] keycloak heathcheck with microprofile In-Reply-To: References: Message-ID: In that case it's more obvious that Keycloak can track DB status, but still it's not KC that is down so health check on KC being down is not exactly right. Really wonder what best practices are here. On Wed, 12 Jun 2019, 14:57 Meissa M'baye Sakho, wrote: > The use case I'm facing is a DB deployed externally. The requirement is to > make sure that DB access from keycloak is always UP. > This has been implemented in the following link: > https://github.com/thomasdarimont/keycloak-health-checks/tree/master > > I wanted to do the same with smallrye. > -- > > Meissa Sakho, RHCA > > Architect > > Red Hat EMEA > > msakho at redhat.com > M: +33-6-9559-7778 > > > > Le mer. 12 juin 2019 à 14:40, Stian Thorgersen a > écrit : > >> Ah, problem is we don't have support for CDI, but from what I gather >> there's a static instance of the smallrye registry that would allow adding >> custom health checks. >> >> I've also been talking to lots of folks around health checks and whether >> or not a "service" is responsible for checking if services it consumes is >> up as well, but opinions differ here. Some say Keycloak is down if the DB >> is down, but some say the DB should have separate health checks. Now >> looking at Kube for instance having Keycloak marked as down if the DB is >> down is kinda wrong as it would result in Kube restarting KC pods, not the >> DB pods which are actually down.
>> >> On Wed, 12 Jun 2019 at 10:56, Meissa M'baye Sakho >> wrote: >> >>> Stian, >>> The problem is not enabling it. I already did it. >>> I would like to go beyond the default endpoints. >>> I need to add features like being able to have an endpoint that tells >>> me if the keycloak database is up and running. >>> For that I need to add some dev and that's where I'm a little bit blind. >>> >>> >>> >>> -- >>> >>> Meissa Sakho, RHCA >>> >>> Architect >>> >>> Red Hat EMEA >>> >>> msakho at redhat.com >>> M: +33-6-9559-7778 >>> >>> >>> >>> Le mer. 12 juin 2019 à 10:41, Stian Thorgersen a >>> écrit : >>> >>>> Keycloak 6 is built with WildFly 16 that includes the smallrye. You can >>>> enable it by following config in WildFly docs or Google it. We will >>>> document this soon. >>>> >>>> On Wed, 12 Jun 2019, 09:32 Meissa M'baye Sakho, >>>> wrote: >>>> >>>>> Hello all, >>>>> Any advice on that? >>>>> >>>>> -- >>>>> >>>>> Meissa Sakho, RHCA >>>>> >>>>> Architect >>>>> >>>>> Red Hat EMEA >>>>> >>>>> msakho at redhat.com >>>>> M: +33-6-9559-7778 >>>>> >>>>> >>>>> >>>>> Le mer. 29 mai 2019 à 12:48, Meissa M'baye Sakho a >>>>> écrit : >>>>> >>>>> > Hello everyone, >>>>> > Has someone tried to create health check with SmallRye and the new >>>>> metrics >>>>> > extension? >>>>> > I've tried long ago Thomas darimont's following example [1] to >>>>> implement >>>>> > health check, but would like to know if someone has started >>>>> something.
>>>>> > [1]= >>>>> https://github.com/thomasdarimont/keycloak-health-checks/tree/master >>>>> > >>>>> > thanks >>>>> > -- >>>>> > >>>>> > Meissa Sakho, RHCA >>>>> > >>>>> > Architect >>>>> > >>>>> > Red Hat EMEA >>>>> > >>>>> > msakho at redhat.com >>>>> > M: +33-6-9559-7778 >>>>> > >>>>> > >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>>
From Ori.Doolman at cyberark.com Sun Jun 16 06:04:25 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Sun, 16 Jun 2019 10:04:25 +0000 Subject: [keycloak-user] authorizationSettings not in response In-Reply-To: References: , Message-ID: Pedro, When I call the authz/resource-server/settings endpoint, I get the full list of all entities. That works great if I later want to update the settings using the /authz/resource-server/import endpoint. But /settings might become too big and I only want to update my permissions (specific ones, actually). Hence, I call the /policy endpoint. But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing. 1) Is that a bug? You can see below both payloads. 2) Can I filter permissions by name contains "mySubstring" ?
Seems that /search does not support that but only exact name match by /search?name="name" Here is /settings call: "policies": [ { "id": "a10db0d8-993a-4f34-9082-350033ed8dff", "name": "set-03", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"set-01\"]", "scopes": "[\"read\",\"write\"]", "applyPolicies": "[\"userPolicy\"]" } } Here is what I get from /policy endpoint: { "id": "a10db0d8-993a-4f34-9082-350033ed8dff", "name": "set-03", "type": "scope", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "config": {} } ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Ori Doolman Sent: Thursday, June 6, 2019 4:22 PM To: Pedro Igor Silva; Rafael Tovar. Cc: keycloak-user Subject: Re: [keycloak-user] authorizationSettings not in response Great. I was looking for that as well. I don't think it is documented. How do you manipulate the authorization entities by REST API? For example, add a resource or a scope, modify policy etc. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva Sent: Thursday, June 6, 2019 3:43 PM To: Rafael Tovar. Cc: keycloak-user Subject: Re: [keycloak-user] authorizationSettings not in response Hi, Please, append the following path to your URI: " /authz/resource-server/settings". Regards. Pedro Igor On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote: > Hi everybody, > I'm trying to get the authorization settings of a client, but its not > coming in the response of the request. 
> This is the request I'm doing: > > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/ > > and this is the response: > > { > "id": "c8e32bbc-72e6-4c30-827f-41ee51980433", > "clientId": "api", > "surrogateAuthRequired": false, > "enabled": true, > "clientAuthenticatorType": "client-secret", > "redirectUris": [ > "*" > ], > "webOrigins": [], > "notBefore": 0, > "bearerOnly": false, > "consentRequired": false, > "standardFlowEnabled": true, > "implicitFlowEnabled": false, > "directAccessGrantsEnabled": true, > "serviceAccountsEnabled": true, > "authorizationServicesEnabled": true, > "publicClient": false, > "frontchannelLogout": false, > "protocol": "openid-connect", > "attributes": { > "saml.assertion.signature": "false", > "saml.force.post.binding": "false", > "saml.multivalued.roles": "false", > "saml.encrypt": "false", > "saml.server.signature": "false", > "saml.server.signature.keyinfo.ext": "false", > "exclude.session.state.from.auth.response": "false", > "saml_force_name_id_format": "false", > "saml.client.signature": "false", > "tls.client.certificate.bound.access.tokens": "false", > "saml.authnstatement": "false", > "display.on.consent.screen": "false", > "saml.onetimeuse.condition": "false" > }, > "authenticationFlowBindingOverrides": {}, > "fullScopeAllowed": true, > "nodeReRegistrationTimeout": -1, > "protocolMappers": [ > { > "id": "97330e11-24df-40ce-9335-51d5126d4059", > "name": "Client Host", > "protocol": "openid-connect", > "protocolMapper": "oidc-usersessionmodel-note-mapper", > "consentRequired": false, > "config": { > "user.session.note": "clientHost", > "id.token.claim": "true", > "access.token.claim": "true", > "claim.name": "clientHost", > "jsonType.label": "String"
> } > }, > { > "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041", > "name": "Client ID", > "protocol": "openid-connect", > "protocolMapper": "oidc-usersessionmodel-note-mapper", > "consentRequired": false, > "config": { > "user.session.note": "clientId", > "id.token.claim": "true", > "access.token.claim": "true", > "claim.name": "clientId", > "jsonType.label": "String" > } > }, > { > "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f", > "name": "Client IP Address", > "protocol": "openid-connect", > "protocolMapper": "oidc-usersessionmodel-note-mapper", > "consentRequired": false, > "config": { > "user.session.note": "clientAddress", > "id.token.claim": "true", > "access.token.claim": "true", > "claim.name": "clientAddress", > "jsonType.label": "String" > } > } > ], > "defaultClientScopes": [ > "web-origins", > "role_list", > "profile", > "roles", > "email" > ], > "optionalClientScopes": [ > "address", > "phone", > "offline_access", > "microprofile-jwt" > ], > "access": { > "view": true, > "configure": true, > "manage": true > } > } > > Thanks, > Rafael. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ---------------------------------------------------------------------- _______________________________________________ This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
From Ori.Doolman at cyberark.com Sun Jun 16 06:39:11 2019 From: Ori.Doolman at cyberark.com (Ori Doolman) Date: Sun, 16 Jun 2019 10:39:11 +0000 Subject: [keycloak-user] authorizationSettings not in response In-Reply-To: References: , , Message-ID: Pedro, Please ignore 2nd question. It seems to work well with partial name after all. So only the first one remains - is that a bug? Ori.
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
From jamesm at suitebox.com Sun Jun 16 18:19:06 2019 From: jamesm at suitebox.com (James Mitchell) Date: Mon, 17 Jun 2019 10:19:06 +1200 Subject: [keycloak-user] Caching user details in a custom User Storage Provider Message-ID: Can I get a sanity check for this? I don't think my users are being retrieved from the cache. I'm using Keycloak 6.0.1 and doing proof of concept to use it as IDP for our application. So far I have a working User Storage Provider to call the existing API for user details and to authenticate users - I'm calling the token endpoint with a password grant-type and all is good. * I can see the initial search for email address works, and the user is added to the cache (at least the OnUserCache function is called) * the password matches and the user is authenticated * then there are many calls to get the user by ID - I think these are to get attributes for the token claims. These are not getting the details from the cache, as I can see hits on the existing API. So my questions are * should the user be coming from the cache? * is there a method I can override to confirm if the cache is being used?
These are some logs from the keycloak service and the database adapter (both running as Docker containers). These logs are generated from the admin console when I click for user details. > keycloak_1 | 22:42:47,516 INFO [com.suitebox.keycloak.storage.SbxUserStorageProviderFactory] (default task-2) Create PHPAuth Provider instance > keycloak_1 | 22:42:47,519 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4 > keycloak_1 | 22:42:49,879 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Caching user f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4 > keycloak_1 | 22:42:49,952 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4 > keycloak_1 | 22:42:51,996 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4 > keycloak_1 | 22:42:54,069 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Closing PHPAuth Provider and the database API > dbadapter_1 | 2019-06-13 22:42:47.609 INFO 1 --- [p-nio-80-exec-4] c.s.d.controller.backend.UserController : get user id=4 > dbadapter_1 | 2019-06-13 22:42:50.031 INFO 1 --- [p-nio-80-exec-5] c.s.d.controller.backend.UserController : get user id=4 > dbadapter_1 | 2019-06-13 22:42:52.094 INFO 1 --- [p-nio-80-exec-6] c.s.d.controller.backend.UserController : get user id=4 Thanks, James From l.lech at ringler.ch Mon Jun 17 02:42:49 2019 From: l.lech at ringler.ch (Lukasz Lech) Date: Mon, 17 Jun 2019 06:42:49 +0000 Subject: [keycloak-user] Adding 2FA with SMS In-Reply-To: References: <5E48B917000C984B86B77170F441903A18A0F161@exch.ringler.ch> Message-ID: <5E48B917000C984B86B77170F441903A18A1130E@exch.ringler.ch> Hello, What would it actually mean to swap LoginFormsProvider? 
Would it be enough to drop own extension to standalone/deployments (+ some change in standalone-ha.xml)? Best regards, Lukasz Lech -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Lukasz Dywicki Sent: Samstag, 15. Juni 2019 08:32 To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Adding 2FA with SMS Introduction of extra steps for login/registration is entirely possible. However, there is a need to swap (extend) LoginFormsProvider, add new FormAction and Authenticator as well, and yes - template too. There is close relation between these parts when it comes to processing login and registration flows. You don't need to modify directly any Keycloak code, it is sufficient to extend existing classes. You can use User attributes to store additional data about mobile number. It is mechanism made for that. Extension you linked is nice example of additional credential type which is a proper way from design point of view, but absolutely not necessary to start having sms code verifier. In the end such verifier is a simple bearer to fail authentication. Cheers, Łukasz Dywicki -- Code-House http://code-house.org > On 14 Jun 2019, at 12:07, Lukasz Lech wrote: > > Hello, > > I'm analysing the requirement for adding 2FA with SMS to keycloak. > > There is a ready project https://github.com/UKGovernmentBEIS/keycloak-sms-authenticator-sns and to activate this, you need to modify authentication browser flow. > This looks quite cheaply made. First, SMS is always sent, but validated only if you set SMS validation to REQUIRED, second, you give your mobile number, and if it is wrong, you must call support to change that for you. > > The correct way would be to make it analog to TOTP. A separate screen when you give your mobile number, and then give the validation code, and only then your mobile phone will be saved.
>
> Could you please give me a hint, if adding second 2FA this way could be made via plug-in, so, by writing provider(s), changing themes and editing flows in administration, or it would require some changes to keycloak core code?
>
> Were there any attempts for writing alternative 2FA plugins working similar way as TOTP is working now?
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Mon Jun 17 02:52:43 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 17 Jun 2019 03:52:43 -0300
Subject: [keycloak-user] Scope Permissions with Resource Type
In-Reply-To:
References:
Message-ID:

https://issues.jboss.org/browse/KEYCLOAK-10663

On Sat, Jun 15, 2019 at 6:07 AM Farzad Panahi wrote:

> Thanks Pedro. I will check it out. Let us know here when you create that UI JIRA ticket.
>
> On Fri, Jun 14, 2019 at 6:44 AM Pedro Igor Silva wrote:
>
>> Yeah, I do. I've been thinking about this for a while and I think it would make permission mgmt more easy without too many choices on how to do it. It should be a quite trivial change as both share the same model. More a UI refactoring.
>>
>> Will create a JIRA for it.
>>
>> FYI, I've just pushed some changes for allowing people to configure a global decision strategy so that you change how permissions are evaluated. Please, take a look at https://github.com/keycloak/keycloak-documentation/pull/680. Maybe it can also help your use case.
>>
>> On Thu, Jun 13, 2019 at 3:56 PM Farzad Panahi wrote:
>>
>>> Thanks Pedro. I will try this out.
>>>
>>> BTW, do you think merging the resource-based and scope-based permissions would be in your roadmap for anytime soon?
>>>
>>> On Mon, Jun 10, 2019 at 2:17 PM Pedro Igor Silva wrote:
>>>
>>>> There is a limitation here in how resource types are used. You could achieve that if RESOURCE_1, RESOURCE_2 and RESOURCE_3 were "resource instance", with the owner other than the resource server. But this does not seem to be your case.
>>>>
>>>> There is one way to achieve this by using a JS Policy. Still not ideal, but something like this:
>>>>
>>>> ====
>>>> var permission = $evaluation.getPermission();
>>>> var scopes = permission.getScopes();
>>>>
>>>> for (i = 0; i < scopes.length; i++) {
>>>>     var scope = scopes.get(i);
>>>>
>>>>     if (scope.getName().equals("read")) {
>>>>         if (// check here if the user is member of a group) {
>>>>             permission.getScopes().remove(scope);
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> // grant or deny the permission
>>>> ====
>>>>
>>>> To check if a user is a member of a group, please take a look at https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-group-membership .
>>>>
>>>> On Mon, Jun 10, 2019 at 4:44 PM Farzad Panahi wrote:
>>>>
>>>>> Hi Pedro,
>>>>>
>>>>> If I create a scope-based permission without specifying the resource, then that permission will apply to all the resources.
>>>>> For instance in the example I mentioned in my previous email:
>>>>>
>>>>> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>>
>>>>> If I grant a permission for SCOPE_READ without specifying the resource then basically I am granting SCOPE_READ to all the resources which is not what I want. I want to only give SCOPE_READ to a specific set of resources.
>>>>>
>>>>> I think as you mentioned merging resource-based and scope-based permissions is a good idea and would work better. But now that we do not have this feature is there any other way to accomplish this somehow using policies or something else?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Farzad
>>>>>
>>>>> On Mon, Jun 10, 2019 at 5:22 AM Pedro Igor Silva wrote:
>>>>>
>>>>>> You can create scope-based permission for a specific scope (without set a resource). Would that help?
>>>>>>
>>>>>> I think we could also think about merging resource-based permission into scope-based permission so that we only have a single type of permission.
>>>>>>
>>>>>> Regards.
>>>>>> Pedro Igor
>>>>>>
>>>>>> On Fri, Jun 7, 2019 at 6:09 PM Farzad Panahi wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a client authorization set-up like the following:
>>>>>>>
>>>>>>> RESOURCE_1: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>> RESOURCE_2: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>> RESOURCE_3: [SCOPE_READ, SCOPE_WRITE], RESOURCE_TYPE_ALPHA
>>>>>>>
>>>>>>> USER_1: USER_GROUP_A
>>>>>>> USER_2: USER_GROUP_A
>>>>>>>
>>>>>>> USER_GROUP_A_POLICY: GRANT ACCESS TO USER_GROUP_A
>>>>>>>
>>>>>>> I want to create permissions to give only SCOPE_READ access (not SCOPE_WRITE access) to USER_GROUP_A for RESOURCE_TYPE_ALPHA.
>>>>>>>
>>>>>>> If I create a resource based permission then it will grant access to both scopes.
>>>>>>> Unfortunately I cannot create a scope based permission because scope permission does not support resource type. It only supports resource. If I want to use scope based permission then I have to create permission for every single resource in my resource type.
>>>>>>>
>>>>>>> I was wondering if there is a reason that scope based permission does not support resource type?
>>>>>>>
>>>>>>> Also anyone has any idea how I can achieve my requirement given the limitations that we have? Is there a way to create a policy that grants access only to a certain scope?
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Farzad

From l.lech at ringler.ch Mon Jun 17 03:57:23 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 17 Jun 2019 07:57:23 +0000
Subject: [keycloak-user] Building master from source
Message-ID: <5E48B917000C984B86B77170F441903A18A1138F@exch.ringler.ch>

Hello,

Is keycloak master meant to be built from source for non-keycloak-devs?

My local build fails because of

Plugin org.keycloak:db-allocator-plugin:7.0.0-SNAPSHOT or one of its dependencies could not be resolved: Could not find artifact org.keycloak:db-allocator-plugin:jar:7.0.0-SNAPSHOT in central

Best regards,
Lukasz Lech

From triton.oidc at gmail.com Mon Jun 17 04:36:59 2019
From: triton.oidc at gmail.com (triton oidc)
Date: Mon, 17 Jun 2019 08:36:59 +0000
Subject: [keycloak-user] exchange token cross realm
Message-ID:

Hi keycloak users!

my target is to exchange an OIDC access token (linked to a user) from an app1 in a realm 1 to an app2 in a realm two.
I'm using 4.8.3.Final on both IDP

Using curl script, it works great (minus a user linking issue)
However I'm looking for a prod ready implementation, and i can't give all the credentials to the calling API.

In my example, the API 1 would need
the client id / secret on the IDP1, used for the link to IDP2
the client id / secret on the IDP2, used for the link to IDP1

I can't put that in my procedure.
I therefore created a new component that does the mapping, and this component does have the credentials on both IDP.
The complexity is increased, and my boss is not convinced creating an exchange component is the best way to solve the issue

link to the sequence diagram
link to the source of the diagram

Is there a way to simplify this?
like when i do two token exchange on the same realm App1 to App2 to App3 that i could use the credential shared between App1 and App2 to do the exchange of the App2 token against an App3 token (only if the App1 token can be exchanged against an App2 token)

This way when i'll do a cross realm exchange, i won't need the credentials of the current IDP, but only the App credentials.

Or some other way i have not figured out.

Thanks for any tips
Amaury

From rafatov10 at gmail.com Mon Jun 17 04:48:28 2019
From: rafatov10 at gmail.com (Rafael Tovar.)
Date: Mon, 17 Jun 2019 10:48:28 +0200
Subject: [keycloak-user] Error creating realm role with attributes
Message-ID:

Hi everybody,

I'm trying to create a realm role with custom attributes.
When i make this POST request:
/auth/admin/realms/master/roles
with the following body:
{
  "name": "test_user",
  "description": "im a test user",
  "attributes": {
    "color": "#555"
  }
}
I get the error: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token

And when i try the request with this body:
{
  "name": "test_user",
  "description": "im a test user",
  "attributes": {
    "color": ["#555"]
  }
}
I get a 201 but the role is created without the color attribute.

Thanks,
Rafael.

From luke at code-house.org Mon Jun 17 05:07:36 2019
From: luke at code-house.org (Łukasz Dywicki)
Date: Mon, 17 Jun 2019 11:07:36 +0200
Subject: [keycloak-user] Error creating realm role with attributes
In-Reply-To:
References:
Message-ID: <766b7ddc-ba25-3b89-4cbe-3464752c7a25@code-house.org>

This is kinda expected as representation you use is only used to fetch id, name and description. Rest of data is ignored. See relevant admin resource sources:
https://github.com/keycloak/keycloak/blob/6.0.1/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java#L114

Effectively you need to execute two requests - one with create, second with update of attributes.
Kind regards,
Łukasz Dywicki
--
Code-House
http://code-house.org

On 17.06.2019 10:48, Rafael Tovar. wrote:
> Hi everybody,
> I'm trying to create a realm role with custom attributes.
> When i make this POST request:
> /auth/admin/realms/master/roles
> with the following body:
> {
>   "name": "test_user",
>   "description": "im a test user",
>   "attributes": {
>     "color": "#555"
>   }
> }
> I get the error: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token
>
> And when i try the request with this body:
> {
>   "name": "test_user",
>   "description": "im a test user",
>   "attributes": {
>     "color": ["#555"]
>   }
> }
> I get a 201 but the role is created without the color attribute.
>
> Thanks,
> Rafael.

From l.lech at ringler.ch Mon Jun 17 08:20:23 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Mon, 17 Jun 2019 12:20:23 +0000
Subject: [keycloak-user] Getting AuthenticationConfig from RequiredAction
Message-ID: <5E48B917000C984B86B77170F441903A18A1242E@exch.ringler.ch>

Hello,

Is it possible, that RequiredAction implementation would get AuthenticatorConfig? I need to access configuration parameters when I process the template. I have RequiredActionContext, but getAuthenticatorConfig() is available on AuthenticationFlowContext...

It has to do with my previous emails about the SMS 2FA. I'm in this class https://github.com/nickpack/keycloak-sms-authenticator-sns/blob/develop/src/main/java/six/six/keycloak/authenticator/KeycloakSmsAuthenticator.java

And instead of pseudo-verification of phone number by typing it twice I'm going to send SMS and expect to re-enter it on second page. But to send SMS, I need the configuration defined under Authentication -> Flows.

Btw.
I need to call more methods from Context, but they are defined in both RequiredActionContext and AuthenticationFlowContext (getRealm, getSession etc.). Is there a reason why those interfaces have no common parent interface, although they share a pack of common methods?

Best regards,
Lukasz Lech

From s.booth at epcc.ed.ac.uk Mon Jun 17 08:48:32 2019
From: s.booth at epcc.ed.ac.uk (BOOTH Stephen)
Date: Mon, 17 Jun 2019 12:48:32 +0000
Subject: [keycloak-user] How do I integrate with a SAML federation
Message-ID:

I'm wanting to configure keycloak to authenticate against a SAML federation (externally curated set of IdPs) rather than a single SAML IdP. Specifically I want to support EduGAIN.

Is this something that keycloak supports natively? The form for configuring a SAML Identity provider appears to assume a single IdP.

If not, does anyone have any suggestions for the best approach to bridging a shibboleth SP into something keycloak can use as an Identity provider.

Stephen
--
Dr Stephen P Booth, Principal Architect, EPCC
s.booth at epcc.ed.ac.uk, Phone 0131 650 5746
--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

From luis.villaca at petrobras.com.br Mon Jun 17 09:04:52 2019
From: luis.villaca at petrobras.com.br (luis.villaca at petrobras.com.br)
Date: Mon, 17 Jun 2019 10:04:52 -0300
Subject: [keycloak-user] Realm-specific authorization following cross-realm authentication
Message-ID:

Greetings,

I would like to understand the best strategy to implement a scenario of realm-specific authorization in Keycloak after cross-realm authentication.

A "brief" context:

My company has its own corporate authentication and authorization services. The first one returns the status based on user credentials (e.g. already logged, invalid credentials, etc).
The second one relates a distinct service to each application, and is used for retrieving application-specific roles. So this service, when provided with a username and the app credentials, retrieves a list of user roles.

We plan on decoupling the applications from it. So we configured Keycloak instance to allow the usage of OpenIDConnect. For security, we created a JKS keystore for our certificate and set the SSL properties in our standalone.xml.

We created our own Keycloak plugin (implementing org.keycloak.storage.UserStorageProviderFactory, and extending UserStorageProvider, UserLookupProvider, and CredentialInputValidator) that currently interacts with our corporate service for authenticating and pulling the roles. This was configured as a UserFederation in realms A and B (for apps A and B), each along with application-specific settings for interacting with our corporate service.

We also configured each app (springboot) with its certificate (PrivateKeyEntry) and a Keycloak JKS Truststore. Using spring-security-oauth2-autoconfigure features (application.yml) we configured keycloak settings. It works fine, since each app redirects to the IDP (configured with its specific realm) and is able to authenticate and pull the client mapped roles, further correlated to our secured resources in our WebSecurityConfigurerAdapter extension (SpringSecurity).

Now we have two applications (A and B) performing this strategy and we want SSO. For testing that we picked up the secret from realm A "broker" client, used it to configure an identity provider in realm B (i.e., pointing to realm A urls and this broker client). As we set the redirector in realm B Authentication config, it works as expected. A user tries to access a protected resource in B, is directed to realm A, authenticating there and coming back, bringing only Keycloak default roles to B (uma_authorization, not the "A" roles).
So here is the strategy I thought for this scenario:

1) Create an authentication-only Realm with a configured user federation that calls our corporate authentication Service only to authenticate users
2) Set realms A and B with above realm broker configured as their identity providers
3) Assign realm-specific roles in realms A and B. Maybe using their specific UserFederation? Could it be set under Post Login Flow? It should call our corporate application-specific authorization Service and assign those roles to the user (if needed, creating those realm roles).

Any thoughts or references/examples on that (especially step 3)?

Thanks, regards,
Luis

"The sender of this message is responsible for its content and addressing. The receiver shall take proper care of it. Without due authorization, the publication, reproduction, distribution or the performance of any other action not conforming to Petrobras System internal policies and procedures is forbidden and liable to disciplinary, civil or criminal sanctions."
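The "Scope Permissions with Resource Type" thread above ends with a JS policy sketch that trims scopes from a permission before granting it. The following is an added example, not Pedro's code and not part of the Keycloak project: it writes that sketch out in full for the "USER_GROUP_A may only read" case, and wraps it in a stand-in for the `$evaluation` object so the logic can be run under Node. Inside Keycloak the body of `scopePolicy` would be the policy script itself, with `$evaluation` bound by the engine. Two things are assumptions rather than facts from the thread: that group membership is checked through `evaluation.getRealm().isUserInGroup(userId, groupPath)` (see the group-membership section of the authorization docs linked in the thread for the real call), and that scopes behave like a `java.util.List` with `size()`, `get(i)` and `remove(obj)`. The group names and sample memberships are constructed for the example.

```javascript
// Added example (not Keycloak's own code). Assumed API shape, see lead-in:
// evaluation.getRealm().isUserInGroup(userId, groupPath) and List-like scopes.
function scopePolicy(evaluation) {
  var GROUP_PATH = '/USER_GROUP_A';            // the group being restricted
  var ALLOWED = { 'read': true };              // scopes that group may keep

  var permission = evaluation.getPermission();
  var identity = evaluation.getContext().getIdentity();
  var realm = evaluation.getRealm();

  if (!realm.isUserInGroup(identity.getId(), GROUP_PATH)) {
    evaluation.deny();                         // not our group: other policies decide
  } else {
    var scopes = permission.getScopes();
    // Walk backwards: removing while iterating forward skips the next element.
    for (var i = scopes.size() - 1; i >= 0; i--) {
      var scope = scopes.get(i);
      if (!ALLOWED.hasOwnProperty(scope.getName())) {
        scopes.remove(scope);                  // e.g. strip "write" before granting
      }
    }
    if (scopes.size() > 0) {
      evaluation.grant();                      // grant only what is left
    } else {
      evaluation.deny();                       // nothing this group may do here
    }
  }
}

// Stand-ins mimicking the Java-backed objects the policy engine exposes.
function JavaList(items) { this.items = items.slice(); }
JavaList.prototype.size = function () { return this.items.length; };
JavaList.prototype.get = function (i) { return this.items[i]; };
JavaList.prototype.remove = function (obj) {
  var idx = this.items.indexOf(obj);
  if (idx < 0) { return false; }
  this.items.splice(idx, 1);
  return true;
};
JavaList.prototype.names = function () {
  return this.items.map(function (s) { return s.getName(); });
};

function Scope(name) { this.name = name; }
Scope.prototype.getName = function () { return this.name; };

// Fake $evaluation for userId requesting scopeNames; memberships maps
// userId -> array of group paths (constructed sample data).
function makeEvaluation(userId, scopeNames, memberships) {
  var scopes = new JavaList(scopeNames.map(function (n) { return new Scope(n); }));
  var decision = null;
  return {
    getPermission: function () { return { getScopes: function () { return scopes; } }; },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return userId; } }; } };
    },
    getRealm: function () {
      return {
        isUserInGroup: function (id, path) { return (memberships[id] || []).indexOf(path) >= 0; }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    // helper for the example only, not part of the real Evaluation API
    result: function () { return { decision: decision, scopes: scopes.names() }; }
  };
}

// Runs the policy once and returns { decision, scopes } as left after evaluation.
function evaluate(userId, scopeNames, memberships) {
  var ev = makeEvaluation(userId, scopeNames, memberships);
  scopePolicy(ev);
  return ev.result();
}

// Constructed sample: USER_1 is in USER_GROUP_A, USER_3 is not.
var SAMPLE_GROUPS = { 'USER_1': ['/USER_GROUP_A'], 'USER_3': [] };
```

With `SAMPLE_GROUPS`, `evaluate('USER_1', ['read', 'write'], SAMPLE_GROUPS)` grants with only `read` left, `evaluate('USER_3', ['read', 'write'], SAMPLE_GROUPS)` denies without touching the scopes, and a member asking only for `write` is denied. Whether a deny from this policy blocks the permission depends on the permission's decision strategy, which the thread also touches on.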
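The "Error creating realm role with attributes" thread above explains that the create endpoint ignores attributes, so a second update request is needed, and Rafael's first attempt shows that attribute values must be lists of strings. The following is an added example, not code from the thread or from Keycloak: it performs that two-request flow with an injected `http(method, url, body, headers)` function returning a Promise of `{ status }`, so it runs here against the in-memory fake below and could be pointed at a real admin API by supplying a fetch-based `http`. The update endpoint `PUT {base}/admin/realms/{realm}/roles/{role-name}` with a full role representation is assumed (the thread only shows the POST); the base URL, realm, token and role body are constructed placeholders.

```javascript
// Added example (not Keycloak's own code). Assumed endpoint, see lead-in:
// PUT {base}/admin/realms/{realm}/roles/{role-name} with a full RoleRepresentation.

// Role attributes are Map<String, List<String>> on the server; a bare string
// is what produced "Cannot deserialize instance of java.util.ArrayList".
function normaliseAttributes(attrs) {
  var out = {};
  Object.keys(attrs || {}).forEach(function (key) {
    var value = attrs[key];
    out[key] = (Array.isArray(value) ? value : [value]).map(String);
  });
  return out;
}

function createRoleWithAttributes(http, baseUrl, realm, token, role) {
  var headers = { 'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json' };
  var rolesUrl = baseUrl + '/admin/realms/' + encodeURIComponent(realm) + '/roles';
  var attributes = normaliseAttributes(role.attributes);

  // 1st request: create. Only name and description are taken from the body.
  return http('POST', rolesUrl, { name: role.name, description: role.description }, headers)
    .then(function (res) {
      if (res.status !== 201) { throw new Error('create failed: HTTP ' + res.status); }
      // 2nd request: update with the full representation, attributes included.
      var roleUrl = rolesUrl + '/' + encodeURIComponent(role.name);
      var full = { name: role.name, description: role.description, attributes: attributes };
      return http('PUT', roleUrl, full, headers);
    })
    .then(function (res) {
      if (res.status !== 204) { throw new Error('update failed: HTTP ' + res.status); }
      return { name: role.name, attributes: attributes };
    });
}

// In-memory stand-in for the admin API (constructed for this example). It
// discards attributes on POST, as the thread says RoleContainerResource does,
// and rejects requests without a bearer token.
function fakeAdminApi() {
  var roles = {};
  var calls = [];
  function respond(status) { return Promise.resolve({ status: status }); }
  function http(method, url, body, headers) {
    calls.push({ method: method, url: url });
    if (!headers || !/^Bearer \S+$/.test(headers.Authorization)) { return respond(401); }
    var m = /\/admin\/realms\/([^/]+)\/roles(?:\/([^/]+))?$/.exec(url);
    if (!m) { return respond(404); }
    var name = m[2] ? decodeURIComponent(m[2]) : null;
    if (method === 'POST' && name === null) {
      roles[body.name] = { name: body.name, description: body.description, attributes: {} };
      return respond(201);
    }
    if (method === 'PUT' && name !== null && roles[name]) {
      roles[name] = body;
      return respond(204);
    }
    return respond(404);
  }
  return { http: http, roles: roles, calls: calls };
}

// Constructed sample matching the request body from the thread.
var SAMPLE_ROLE = { name: 'test_user', description: 'im a test user', attributes: { color: '#555' } };

// Runs the flow against the fake and resolves to { result, calls, stored }.
function demo(role) {
  var api = fakeAdminApi();
  return createRoleWithAttributes(api.http, 'https://sso.example.test/auth', 'master', 'token-placeholder', role)
    .then(function (result) {
      return { result: result, calls: api.calls, stored: api.roles[role.name] };
    });
}
```

`demo(SAMPLE_ROLE)` issues exactly a POST followed by a PUT, and the stored role ends up with `attributes: { color: ['#555'] }` even though the caller passed a bare string.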
From tan.edwill at gmail.com Mon Jun 17 11:51:27 2019
From: tan.edwill at gmail.com (Ed Dave Tan)
Date: Mon, 17 Jun 2019 23:51:27 +0800
Subject: [keycloak-user] Keycloak Gatekeeper to secure API services via Bearer Token results to 307
Message-ID:

Hi,

I have deployed Keycloak Gatekeeper to Kubernetes using helm chart here: https://hub.kubeapps.com/charts/gabibbo97/keycloak-gatekeeper/1.2.1

The configuration I used is:

listen=0.0.0.0:3000
--set discoveryURL=https://domain.com/auth/realms/manager
--set upstreamURL=http://up-domain.com:port
--set ClientID=manager
--set ClientSecret=$secret
--set rules={"uri=/*|roles=manager"}
--set droolsPolicyEnabled=false

My intended use case for Keycloak Gatekeeper is to use it to secure API services.

1.) I imagine the flow will be like Angular frontend (using JS Adapter) to login the user.
2.) Angular frontend will receive Bearer Token from authentication.
3.) Angular frontend will send Bearer Token to Keycloak Gatekeeper to access needed resources.

So far I tested accessing the resource directly by accessing the 0.0.0.0:3000 via kubectl portforward. Which worked fine. I was redirected to the login page then redirected to the resource after successful login.

However, I tried mimicking my intended workflow via Curl. (Similar to this https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernetes-with-keycloak-gatekeeper-6d07583e7382 )

1.) I was able to get the access token and refresh token from using:

curl -X POST \
  'https://domain.com/auth/realms/manager/protocol/openid-connect/token' \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'username=manager1&password=&grant_type=password&client_id=manager-service&client_secret='

2.) I'm getting a HTTP 307: Temporary Redirect. When I try to access the resource using:

curl -H 'Authorization: Bearer ' \
  --proxy http://127.0.0.1:3000 http://up-domain.com/api/v1/manager \
  -v

> --proxy http://127.0.0.1:3000 http://up-domain:port/api/v1/manager \
> -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> GET http://up-domain:port/api/v1/manager HTTP/1.1
> Host: up-domain:port
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Authorization: Bearer
>
< HTTP/1.1 307 Temporary Redirect
< Content-Type: text/html; charset=utf-8
< Location: /oauth/authorize?state=8688edc1-f05d-49c5-ae33-f4f10605d8d8

My question: Is my intended work flow viable using Keycloak Gatekeeper? Or did I do something wrong?

PS: My Keycloak version is 5.0 and I changed the image being pulled by the helm chart above to 5.0.0 because the 4.8.0.Final can't be found.

*Note: droolsPolicyEnabled is set to false since it was causing an issue in starting Keycloak.

From manuel.waltschek at prisma-solutions.at Mon Jun 17 12:56:06 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Mon, 17 Jun 2019 16:56:06 +0000
Subject: [keycloak-user] KEYCLOAK SAML logout not working as documented
Message-ID: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at>

Hello KC Community,

I am still trying to find out how to properly logout from keycloak using the kc adapter on wildfly10.
Documentation says

3.1.8. Logout

There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true. This will log you out if you have an SSO session with your browser.

As HttpServletRequest.logout() in Undertow's implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout, which returns false in my case, it does not do much.
@Override
public void logout() throws ServletException {
    SecurityContext sc = exchange.getSecurityContext();
    sc.logout();
    if (servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
        HttpSession session = getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}

I'm calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the keycloak session and I can still reach protected resources. There is no backchannel request as I would expect.
When I do the following:

private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String contextPath = req.getContextPath();
    req.logout();
    resp.sendRedirect(contextPath + "?GLO=true");
}

it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse is posted to myapp/saml again which leads to http Status code 403 forbidden.

Please also see:
https://issues.jboss.org/browse/KEYCLOAK-2191
and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html

Regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
From katariakhyati11 at gmail.com Mon Jun 17 16:58:47 2019
From: katariakhyati11 at gmail.com (Khyati Kataria)
Date: Mon, 17 Jun 2019 16:58:47 -0400
Subject: [keycloak-user] Need help related to SSO session idle and SSO session idle max
Message-ID:

Hi,

I have one doubt related to these two fields: SSO session idle and SSO session idle max in keycloak token settings.

In our case it has been set to 30 minutes as session idle, so the webpage should get logged out within 30 minutes. But we can observe it is not logging out after the described time. We have also tried by setting it to 2-3 minutes, but it's not happening.

But, when we set Session_max to 3 minutes, then the webpage is getting logged out after 3 minutes.

So, basically it is taking session_max but session_idle is not working in our project.

Could anyone please explain this behavior? As per my understanding session idle time is not working, or I am not sure. Is this expected behavior of keycloak or not?

Thanks in advance!

Regards,
Khyati Kataria

From bjoern.sonntag at t-online.de Mon Jun 17 17:25:45 2019
From: bjoern.sonntag at t-online.de (Björn Sonntag)
Date: Mon, 17 Jun 2019 23:25:45 +0200
Subject: [keycloak-user] KEYCLOAK SAML logout not working as documented
In-Reply-To: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at>
References: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at>
Message-ID: <6264A4BF-F8A5-45E0-8218-424B546704F0@t-online.de>

Hello Manuel,

please refer to the documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter . When you work within a servlet filter it will act as the same. In case of a java servlet filter client adapter the backchannel logout works differently! Instead of invalidating the session, you will be marked as logged out.
In your case, implement the logout inside your code which is in the application server like the web application and NOT in an external filter.

With best regards,
Bjoern

> On 17.06.2019 at 18:56, Manuel Waltschek wrote:
>
> Hello KC Community,
>
> I am still trying to find out how to properly logout from keycloak using the kc adapter on wildfly10.
> Documentation says
>
> 3.1.8. Logout
>
> There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true . This will log you out if you have an SSO session with your browser.
> As HttpServletRequest.logout() in Undertow's implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout, which returns false in my case, it does not do much.
>
> @Override
> public void logout() throws ServletException {
>     SecurityContext sc = exchange.getSecurityContext();
>     sc.logout();
>     if (servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
>         HttpSession session = getSession(false);
>         if (session != null) {
>             session.invalidate();
>         }
>     }
> }
>
> I'm calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the keycloak session and I can still reach protected resources. There is no backchannel request as I would expect.
> When I do the following:
>
> private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
>         throws ServletException, IOException {
>     String contextPath = req.getContextPath();
>     req.logout();
>     resp.sendRedirect(contextPath + "?GLO=true");
>
> it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse is posted to myapp/saml again which leads to http Status code 403 forbidden.
>
> Please also see:
>
> https://issues.jboss.org/browse/KEYCLOAK-2191
>
> and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html
>
> Regards,
>
> Manuel Waltschek BSc.
> +43 660 86655 47
> manuel.waltschek at prisma-solutions.at
> https://www.prisma-solutions.com
>
> PRISMA solutions EDV-Dienstleistungen GmbH
> Klostergasse 18, 2340 Mödling, Austria
> Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

From farzad.panahi at gmail.com Mon Jun 17 18:15:32 2019
From: farzad.panahi at gmail.com (Farzad Panahi)
Date: Mon, 17 Jun 2019 15:15:32 -0700
Subject: [keycloak-user] Keycloak caching issue
In-Reply-To:
References:
Message-ID:

I am not able to reproduce it but it is happening constantly. I think what I can confirm is that if I play around with the authorization stuff (resource/policy/permission) of a realm, then there is a good chance the cache for that realm gets screwed up. I will let you know if I find a way to reproduce it.
For the meantime is there a config fix for this caching issue?

Thanks

On Tue, Jun 11, 2019 at 4:39 AM Pedro Igor Silva wrote:

> I've tried different changes to settings and I think I got one. Could you confirm that you are changing a resource permission by replacing the type with a specific resource?
>
> On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi wrote:
>
>> Hi Pedro,
>>
>> I think I can say that it happens after changing the authorization settings. For instance I add resources/policies/permissions.
>>
>> To get the permissions (in Kotlin):
>>
>> - I get the access token from KeycloakSecurityContext
>>   accessToken = getKeycloakSecurityContext().tokenString
>>
>> - Create AuthzClient and send access token and an instance of AuthorizationRequest to it and extract the RPT:
>>   rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>>
>> - Then using the AuthzClient again I call the introspect RPT API to get the guts of RPT and get the permissions:
>>   permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>>
>> It is this permissions object that is not consistent between two nodes.
>>
>> Cheers
>>
>> Farzad
>>
>> On Mon, Jun 10, 2019 at 5:11 AM Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> Does it happen after changing anything in your client's authorization settings (eg.: resources, scopes, permissions, etc)?
>>>
>>> How are you sending authorization requests? By passing a set of one or more permission parameters, obtaining all permissions or using a UMA ticket?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Sat, Jun 8, 2019 at 12:50 AM Farzad Panahi wrote:
>>>
>>>> Hi,
>>>>
>>>> I have two Keycloak nodes (4.8.3) in standalone cluster mode. I have a load-balancer in front of them. I noticed that sometimes I am getting inconsistent RPTs meaning that I send two queries and the two RPTs returned have different granted permissions in them.
>>>>
>>>> So I went behind the load-balancer and queried each node individually. It turns out that one of the nodes is always returning a wrong set of permissions in RPT.
>>>>
>>>> If I go to the admin console and clear the realm cache, then both nodes would return the same correct permissions right away.
>>>>
>>>> This is so intermittent. I am not sure what is causing this. I cannot find any clue in the logs. There is not much out there. I do not know how to reproduce this.
>>>>
>>>> Anyone with similar issue? Any suggestions?
>>>>
>>>> Cheers
>>>>
>>>> Farzad

From manuel.waltschek at prisma-solutions.at Tue Jun 18 02:58:43 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Tue, 18 Jun 2019 06:58:43 +0000
Subject: [keycloak-user] KEYCLOAK SAML logout not working as documented
In-Reply-To: <6264A4BF-F8A5-45E0-8218-424B546704F0@t-online.de>
References: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at> <6264A4BF-F8A5-45E0-8218-424B546704F0@t-online.de>
Message-ID: <1d3026adc9794321b5600561b08f20f4@prisma-solutions.at>

Hello and thank you Bjoern for your answer,

unfortunately it also behaves like this when I implement it in a logout servlet. What does "being marked as logged out" actually mean?

Please help me resolve this issue, thank you in advance and best regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com

PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

From: Björn Sonntag
Sent: Monday, 17 June 2019 23:26
To: Manuel Waltschek
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KEYCLOAK SAML logout not working as documented

Hello Manuel,

please refer to the documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter. When you work within a servlet filter it will act as the same. In case of a java servlet filter client adapter the backchannel logout works differently! Instead of invalidating the session, you will be marked as logged out.

In your case, implement the logout inside your code which is in the application server like the web application and NOT in an external filter.
With best regards,
Bjoern

On 17.06.2019 at 18:56, Manuel Waltschek wrote:

Hello KC Community,

I am still trying to find out how to properly logout from keycloak using the kc adapter on wildfly10.

Documentation says:

3.1.8. Logout
There are multiple ways you can logout from a web application. For Java EE servlet containers, you can call HttpServletRequest.logout(). For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO, i.e. http://myapp?GLO=true. This will log you out if you have an SSO session with your browser.

As HttpServletRequest.logout() in Undertow's implementation io.undertow.servlet.spec.HttpServletRequestImpl checks isInvalidateSessionOnLogout, which returns false in my case, it does not do much.

    @Override
    public void logout() throws ServletException {
        SecurityContext sc = exchange.getSecurityContext();
        sc.logout();
        // The HTTP session is only invalidated when the deployment asks for it
        if (servletContext.getDeployment().getDeploymentInfo().isInvalidateSessionOnLogout()) {
            HttpSession session = getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
    }

I'm calling HttpServletRequest.logout() in a ServletFilter implementation, but it does not end the keycloak session and I can still reach protected resources. There is no backchannel request as I would expect.

When I do the following:

    private void requestGlobalLogout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String contextPath = req.getContextPath();
        req.logout();
        // Redirect to a protected URL with GLO=true so the adapter starts the global logout
        resp.sendRedirect(contextPath + "?GLO=true");
    }

it somehow works, but sends another AuthnRequest before sending the LogoutRequest. Then the LogoutResponse is posted to myapp/saml again, which leads to HTTP status code 403 Forbidden.

Please also see: https://issues.jboss.org/browse/KEYCLOAK-2191 and https://lists.jboss.org/pipermail/keycloak-user/2017-July/011207.html

Regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Jun 18 03:23:59 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 18 Jun 2019 04:23:59 -0300
Subject: [keycloak-user] Keycloak caching issue

I have some changes in upstream that might be related. If you could check it out and see if the issue still persists, I appreciate it.

Basically, I was able to reproduce a misbehavior when managing resource permissions and changing the resource type and associated resources.

On Mon, Jun 17, 2019 at 7:15 PM Farzad Panahi wrote:

> I am not able to reproduce it but it is happening constantly. I think what
> I can confirm is that if I play around with the authorization stuff
> (resource/policy/permission) of a realm, then there is a good chance the
> cache for that realm gets screwed up. I will let you know if I find a way
> to reproduce it.
> For the meantime, is there a config fix for this caching issue?
>
> Thanks
>
> On Tue, Jun 11, 2019 at 4:39 AM Pedro Igor Silva wrote:
>
>> I've tried different changes to settings and I think I got one. Could you
>> confirm that you are changing a resource permission by replacing the type
>> with a specific resource?
>>
>> On Mon, Jun 10, 2019 at 4:36 PM Farzad Panahi wrote:
>>
>>> Hi Pedro,
>>>
>>> I think I can say that it happens after changing the authorization
>>> settings.
>>> For instance I add resources/policies/permissions.
>>>
>>> To get the permissions (in Kotlin):
>>> - I get the access token from KeycloakSecurityContext
>>>   accessToken = getKeycloakSecurityContext().tokenString
>>>
>>> - Create AuthzClient and send access token and an instance of
>>>   AuthorizationRequest to it and extract the RPT:
>>>   rpt = authzClient.authorization(accessToken).authorize(AuthorizationRequest()).token
>>>
>>> - Then using the AuthzClient again I call the introspect RPT API to get
>>>   the guts of RPT and get the permissions:
>>>   permissions = authzClient.protection().introspectRequestingPartyToken(rpt).permissions
>>>
>>> It is this permissions object that is not consistent between two nodes.
>>>
>>> Cheers
>>>
>>> Farzad

From manuel.waltschek at prisma-solutions.at Tue Jun 18 03:31:37 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Tue, 18 Jun 2019 07:31:37 +0000
Subject: [keycloak-user] KEYCLOAK SAML logout not working as documented
In-Reply-To: <1d3026adc9794321b5600561b08f20f4@prisma-solutions.at>
References: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at> <6264A4BF-F8A5-45E0-8218-424B546704F0@t-online.de> <1d3026adc9794321b5600561b08f20f4@prisma-solutions.at>
Message-ID: <4d4d58c0296b40acb52cd414b16f6fa3@prisma-solutions.at>

Hello,

since the doc says: "For any other browser application, you can point the browser at any url of your web application that has a security constraint and pass in a query parameter GLO", could it be that I need to point the browser to a protected resource that is not only protected, but also not accessible for the current role?

I guess org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler.handleRequest() is only called if the resource needs authentication, but when I am logged in already with the security constraint

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>The protected resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

it is not triggered and therefore there is no call to org.keycloak.adapters.saml.profile.webbrowsersso.WebBrowserSsoAuthenticationHandler.globalLogout()

Regards,
Manuel Waltschek

From sthorger at redhat.com Tue Jun 18 03:44:41 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Jun 2019 09:44:41 +0200
Subject: [keycloak-user] Latest documentation not showing on Google

For some reason our latest documentation is not showing on Google.
This issue started happening when we changed the toolset for our docs.

Does anyone have any clue why this is happening and what we can do to resolve this?

From manuel.bleichenbacher at acrea.com Tue Jun 18 04:03:28 2019
From: manuel.bleichenbacher at acrea.com (Manuel Bleichenbacher)
Date: Tue, 18 Jun 2019 08:03:28 +0000
Subject: [keycloak-user] Automatic one-time login

Hi everybody,

Our new application will have a lengthy user registration procedure that we would like to keep separate from Keycloak (it will mainly require application data, reuse part of the application's UI etc.). At the end of the registration procedure, we would still like to automatically log in the user so he/she doesn't need to reenter the username and password.

What are our options to achieve it? The backend will certainly use a privileged Keycloak user (e.g. to create the new user via the REST Admin API). And the result of the login should be that the user's access token (JWT) is available in the user's session in the backend.

So far we have come up with the following options:

Option A: REST endpoint / custom authenticator
- Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
- Add a custom authenticator to the browser flow that checks for the one-time code
- The user would then be directed to the regular authentication flow. If the one-time code is present and correct, the username/password step and possibly all other authentication steps will be skipped and the authentication immediately succeeds.

Option B: REST endpoint / action token
- Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
- Implement an additional action token handler that checks the one-time token to authenticate the user
- The user would then be directed to the action token URL. If the one-time code is correct, the user is authenticated.

What is your recommendation:
- Are these feasible options?
- Are we missing a good option?

For option A: How can we pass the one-time code to the authentication flow? Can we use a URL parameter, HTTP header attribute?

For option B: Can the action token flow initiate the OAUTH2 flow and return an authorization code? Can this flow be easily integrated with the Spring Boot adapter?

Any input is appreciated.

Thanks
Manuel

--
manuel bleichenbacher | senior consultant
m +41 79 617 90 01 | manuel.bleichenbacher at acrea.com
acrea ag | konradstrasse 32 | 8005 zürich
www.acrea.com | blog.acrea.com
www.nezasa.com - incubated by Acrea

From manuel.waltschek at prisma-solutions.at Tue Jun 18 04:52:09 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Tue, 18 Jun 2019 08:52:09 +0000
Subject: [keycloak-user] KEYCLOAK SAML logout not working as documented
In-Reply-To: <4d4d58c0296b40acb52cd414b16f6fa3@prisma-solutions.at>
References: <04e336ab575e4c849f580ac1eabfcbaf@prisma-solutions.at> <6264A4BF-F8A5-45E0-8218-424B546704F0@t-online.de> <1d3026adc9794321b5600561b08f20f4@prisma-solutions.at> <4d4d58c0296b40acb52cd414b16f6fa3@prisma-solutions.at>

Hello,

somehow a call to /myApp?GLO=true now seems to do the trick and behaves as expected: sending a logout request to the kc-idp. I must have messed up some other configuration back when I tried it only with this setup. (I used to call HttpServletRequest.logout() and resp.sendRedirect(contextPath + "?GLO=true") since only redirecting to contextPath + "?GLO=true" did not work back then.)

There STILL is something I have not figured out. I am STILL getting a 403 Forbidden when the browser posts the LogoutResponse back to the /saml endpoint in my application, and I get redirected to a page with the content

    ErrorForbidden

Isn't the client handling LogoutResponses? What can I do about it?
Regards,
Manuel Waltschek

From Ori.Doolman at cyberark.com Tue Jun 18 05:21:11 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Tue, 18 Jun 2019 09:21:11 +0000
Subject: [keycloak-user] authorizationSettings not in response

Hi Pedro,

Did you check item (1) as described below? Is that a bug?

Ori.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Ori Doolman
Sent: Sunday, June 16, 2019 1:39 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Pedro,
Please ignore the 2nd question. It seems to work well with a partial name after all.
So only the first one remains - is that a bug?

Ori.
________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Ori Doolman
Sent: Sunday, June 16, 2019 1:04 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Pedro,
When I call the authz/resource-server/settings endpoint, I get the full list of all entities.
That works great if I later want to update the settings using the /authz/resource-server/import endpoint.

But /settings might become too big and I only want to update my permissions (specific ones, actually).
Hence, I call the /policy endpoint.
But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing.

1) Is that a bug? You can see below both payloads.
2) Can I filter permissions by name contains "mySubstring"? Seems that /search does not support that but only exact name match by /search?name="name"

Here is the /settings call:

    "policies": [
      {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
        "name": "set-03",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
          "resources": "[\"set-01\"]",
          "scopes": "[\"read\",\"write\"]",
          "applyPolicies": "[\"userPolicy\"]"
        }
      }

Here is what I get from the /policy endpoint:

    {
      "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
      "name": "set-03",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {}
    }

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Ori Doolman
Sent: Thursday, June 6, 2019 4:22 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Great. I was looking for that as well. I don't think it is documented.
How do you manipulate the authorization entities by REST API?
For example, add a resource or a scope, modify policy etc.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:

> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not
> coming in the response of the request.
> This is the request I'm doing:
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> {
>   "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
>   "clientId": "api",
>   "surrogateAuthRequired": false,
>   "enabled": true,
>   "clientAuthenticatorType": "client-secret",
>   "redirectUris": [
>     "*"
>   ],
>   "webOrigins": [],
>   "notBefore": 0,
>   "bearerOnly": false,
>   "consentRequired": false,
>   "standardFlowEnabled": true,
>   "implicitFlowEnabled": false,
>   "directAccessGrantsEnabled": true,
>   "serviceAccountsEnabled": true,
>   "authorizationServicesEnabled": true,
>   "publicClient": false,
>   "frontchannelLogout": false,
>   "protocol": "openid-connect",
>   "attributes": {
>     "saml.assertion.signature": "false",
>     "saml.force.post.binding": "false",
>     "saml.multivalued.roles": "false",
>     "saml.encrypt": "false",
>     "saml.server.signature": "false",
>     "saml.server.signature.keyinfo.ext": "false",
>     "exclude.session.state.from.auth.response": "false",
>     "saml_force_name_id_format": "false",
>     "saml.client.signature": "false",
>     "tls.client.certificate.bound.access.tokens": "false",
>     "saml.authnstatement": "false",
>     "display.on.consent.screen": "false",
>     "saml.onetimeuse.condition": "false"
>   },
>   "authenticationFlowBindingOverrides": {},
>   "fullScopeAllowed": true,
>   "nodeReRegistrationTimeout": -1,
>   "protocolMappers": [
>     {
>       "id": "97330e11-24df-40ce-9335-51d5126d4059",
>       "name": "Client Host",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientHost",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientHost",
>         "jsonType.label": "String"
>       }
>     },
>     {
>       "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
>       "name": "Client ID",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientId",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientId",
>         "jsonType.label": "String"
>       }
>     },
>     {
>       "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
>       "name": "Client IP Address",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientAddress",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientAddress",
>         "jsonType.label": "String"
>       }
>     }
>   ],
>   "defaultClientScopes": [
>     "web-origins",
>     "role_list",
>     "profile",
>     "roles",
>     "email"
>   ],
>   "optionalClientScopes": [
>     "address",
>     "phone",
>     "offline_access",
>     "microprofile-jwt"
>   ],
>   "access": {
>     "view": true,
>     "configure": true,
>     "manage": true
>   }
> }
>
> Thanks,
> Rafael.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From ezajko at root.ba Tue Jun 18 05:50:25 2019
From: ezajko at root.ba (Ernedin Zajko)
Date: Tue, 18 Jun 2019 11:50:25 +0200
Subject: [keycloak-user] How do I integrate with a SAML federation
Message-ID: <509a6440b2b01fae17409f1008c66b8edbbae451.camel@root.ba>

Hi Stephen,

take a look at the CYCLONE Project (maybe you can get some hints):
https://github.com/cyclone-project
http://www.cyclone-project.eu/

regards,
--eZ

On Mon, 2019-06-17 at 12:48 +0000, BOOTH Stephen wrote:
> I'm wanting to configure keycloak to authenticate against a SAML
> federation (externally curated set of IdPs) rather than a single SAML
> IdP. Specifically I want to support EduGAIN.
>
> Is this something that keycloak supports natively? The form for
> configuring a SAML Identity provider appears to assume a single IdP.
>
> If not, does anyone have any suggestions for the best approach to
> bridging a shibboleth SP into something keycloak can use as an
> Identity provider.
>
> Stephen
>

From psilva at redhat.com Tue Jun 18 07:22:46 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 18 Jun 2019 08:22:46 -0300
Subject: [keycloak-user] authorizationSettings not in response

On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman wrote:

> Pedro,
> When I call the authz/resource-server/settings endpoint, I get the full
> list of all entities.
> That works great if I later want to update the settings using the
> /authz/resource-server/import endpoint.
>
> But /settings might become too big and I only want to update my
> permissions (specific ones, actually).
> Hence, I call the /policy endpoint.
> But then I get partial entity information for the scope-based permission,
> not similar to the one I get with /settings. The "config" object data is
> missing.
>
> 1) Is that a bug? You can see below both payloads.
> The settings endpoint is exporting the settings, basically. So that you have a JSON that you can later import data back to your client. The policy endpoint only returns the policy attributes so that any other associated entity such as resources, scopes, and associated policies should be obtained from another endpoint. {id}/associatedPolicies {id}/resources {id}/scopes > 2) Can I filter permissions by name contains "mySubstring" ? Seems that > /search does not support that but only exact name match by > /search?name="name" > You can use the "/" (root) endpoint. It is the one we use in the admin console. > > > Here is /settings call: > > "policies": [ > { > "id": "a10db0d8-993a-4f34-9082-350033ed8dff", > "name": "set-03", > "type": "scope", > "logic": "POSITIVE", > "decisionStrategy": "UNANIMOUS", > "config": { > "resources": "[\"set-01\"]", > "scopes": "[\"read\",\"write\"]", > "applyPolicies": "[\"userPolicy\"]" > } > } > > Here is what I get from /policy endpoint: > > { > "id": "a10db0d8-993a-4f34-9082-350033ed8dff", > "name": "set-03", > "type": "scope", > "logic": "POSITIVE", > "decisionStrategy": "UNANIMOUS", > "config": {} > } > > ------------------------------ > *From:* keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman < > Ori.Doolman at cyberark.com> > *Sent:* Thursday, June 6, 2019 4:22 PM > *To:* Pedro Igor Silva; Rafael Tovar. > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] authorizationSettings not in response > > Great. I was looking for that as well. I don't think it is documented. > How do you manipulate the authorization entities by REST API? > For example, add a resource or a scope, modify policy etc. > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org < > keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva > Sent: Thursday, June 6, 2019 3:43 PM > To: Rafael Tovar. 
> Cc: keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Hi,
>
> Please, append the following path to your URI: "/authz/resource-server/settings".
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
> >
> > Hi everybody,
> > I'm trying to get the authorization settings of a client, but it's not
> > coming in the response of the request.
> > This is the request I'm doing:
> >
> > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
> >
> > and this is the response:
> >
> > {
> >   "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
> >   "clientId": "api",
> >   "surrogateAuthRequired": false,
> >   "enabled": true,
> >   "clientAuthenticatorType": "client-secret",
> >   "redirectUris": [
> >     "*"
> >   ],
> >   "webOrigins": [],
> >   "notBefore": 0,
> >   "bearerOnly": false,
> >   "consentRequired": false,
> >   "standardFlowEnabled": true,
> >   "implicitFlowEnabled": false,
> >   "directAccessGrantsEnabled": true,
> >   "serviceAccountsEnabled": true,
> >   "authorizationServicesEnabled": true,
> >   "publicClient": false,
> >   "frontchannelLogout": false,
> >   "protocol": "openid-connect",
> >   "attributes": {
> >     "saml.assertion.signature": "false",
> >     "saml.force.post.binding": "false",
> >     "saml.multivalued.roles": "false",
> >     "saml.encrypt": "false",
> >     "saml.server.signature": "false",
> >     "saml.server.signature.keyinfo.ext": "false",
> >     "exclude.session.state.from.auth.response": "false",
> >     "saml_force_name_id_format": "false",
> >     "saml.client.signature": "false",
> >     "tls.client.certificate.bound.access.tokens": "false",
> >     "saml.authnstatement": "false",
> >     "display.on.consent.screen": "false",
> >     "saml.onetimeuse.condition": "false"
> >   },
> >   "authenticationFlowBindingOverrides": {},
> >   "fullScopeAllowed": true,
> >   "nodeReRegistrationTimeout": -1,
> >   "protocolMappers": [
> >     {
> >       "id": "97330e11-24df-40ce-9335-51d5126d4059",
> >       "name": "Client Host",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientHost",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientHost",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
> >       "name": "Client ID",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientId",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientId",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
> >       "name": "Client IP Address",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientAddress",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientAddress",
> >         "jsonType.label": "String"
> >       }
> >     }
> >   ],
> >   "defaultClientScopes": [
> >     "web-origins",
> >     "role_list",
> >     "profile",
> >     "roles",
> >     "email"
> >   ],
> >   "optionalClientScopes": [
> >     "address",
> >     "phone",
> >     "offline_access",
> >     "microprofile-jwt"
> >   ],
> >   "access": {
> >     "view": true,
> >     "configure": true,
> >     "manage": true
> >   }
> > }
> >
> > Thanks,
> > Rafael.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
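Pedro's answer leaves it to the client to stitch the three sub-endpoints back into the shape that /settings exports. As an added example (not code from the thread or from Keycloak; it assumes the {id}/resources, {id}/scopes and {id}/associatedPolicies responses are lists of representations carrying a "name"), this rebuilds the export-style "config" for the permission quoted above and does the "name contains" filter client-side:

```python
"""Rebuild the /settings-style "config" of a scope permission from the
/policy sub-endpoints named in the reply, and filter permissions by a name
substring client-side (since /search?name= only matches exactly).

Added example; not part of the thread or of Keycloak. The response shape of
{id}/resources, {id}/scopes and {id}/associatedPolicies (lists of
representations that carry a "name") is an assumption; the sample payloads
are constructed from the two JSON snippets quoted in the thread.
"""
import json
from typing import Callable, Dict, List

# Constructed: the truncated entry the thread shows coming from /policy/{id}.
FROM_POLICY_ENDPOINT: dict = {
    "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
    "name": "set-03",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {},
}

# Constructed: the same permission as exported by /settings in the thread.
FROM_SETTINGS_EXPORT: dict = {
    **{k: v for k, v in FROM_POLICY_ENDPOINT.items() if k != "config"},
    "config": {
        "resources": '["set-01"]',
        "scopes": '["read","write"]',
        "applyPolicies": '["userPolicy"]',
    },
}

# Constructed sub-endpoint responses keyed by path; the ids are placeholders.
_BASE = f"/policy/{FROM_POLICY_ENDPOINT['id']}"
SAMPLE_RESPONSES: Dict[str, List[dict]] = {
    f"{_BASE}/resources": [{"_id": "resource-id-placeholder", "name": "set-01"}],
    f"{_BASE}/scopes": [
        {"id": "scope-id-placeholder-1", "name": "read"},
        {"id": "scope-id-placeholder-2", "name": "write"},
    ],
    f"{_BASE}/associatedPolicies": [
        {"id": "policy-id-placeholder", "name": "userPolicy", "type": "user"},
    ],
}


def sample_get(path: str) -> List[dict]:
    """Offline stand-in for an authenticated GET below .../authz/resource-server."""
    return SAMPLE_RESPONSES[path]


def expand_policy(policy: dict, get: Callable[[str], List[dict]]) -> dict:
    """Return a copy of `policy` whose "config" mirrors the /settings export.

    The export stores each association as a JSON-encoded *string* of names
    (e.g. "resources": "[\\"set-01\\"]"), so the name lists are serialised
    with compact separators to reproduce that form exactly.
    """
    base = f"/policy/{policy['id']}"

    def names(sub_resource: str) -> List[str]:
        return [entry["name"] for entry in get(f"{base}/{sub_resource}")]

    config = dict(policy.get("config") or {})
    for config_key, sub_resource in (
        ("resources", "resources"),
        ("scopes", "scopes"),
        ("applyPolicies", "associatedPolicies"),
    ):
        values = names(sub_resource)
        if values:  # leave the key out rather than emitting "[]"
            config[config_key] = json.dumps(values, separators=(",", ":"))
    return {**policy, "config": config}


def filter_by_name_substring(policies: List[dict], needle: str) -> List[dict]:
    """Case-insensitive 'name contains' over a listing from the root ("/") endpoint."""
    needle = needle.lower()
    return [p for p in policies if needle in p.get("name", "").lower()]


if __name__ == "__main__":
    rebuilt = expand_policy(FROM_POLICY_ENDPOINT, sample_get)
    print(json.dumps(rebuilt, indent=2))
    print("matches /settings export:", rebuilt == FROM_SETTINGS_EXPORT)
```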
From demetrio at carretti.pro Tue Jun 18 09:13:46 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Tue, 18 Jun 2019 16:13:46 +0300
Subject: [keycloak-user] Automatic one-time login
In-Reply-To: References:
Message-ID: <0efe1bf8f72e934ea1ec6669a7d9f7fc855140fa.camel@carretti.pro>

Hi Manuel,

You might even avoid implementing one-time code logic (incl. REST endpoint, custom credential etc.) by using the approach demonstrated in the quickstart [1].

Had you been using Keycloak's registration flow, this quickstart could have been applicable entirely (modulo authentication vs. registration flow), but still you can borrow the main idea from it: using an app-specific signed token (instead of a one-time code) to assert that registration succeeded.

Keycloak already supports one-time action tokens (see org.keycloak.authentication.actiontoken.ActionTokenHandler::canUseTokenRepeatedly). To ensure that your app-specific token is one-time too, you could associate it with the "parent" action token using the latter's "nonce" claim. One thing you need to know about one-time action tokens in Keycloak - this is done via org.keycloak.models.ActionTokenStoreProvider, and the default implementation (o.k.models.sessions.infinispan.InfinispanActionTokenStoreProvider) is non-persistent, so if for some reason the whole cluster gets restarted before the action token expires, it could potentially be reused.

Otherwise, both options that you described should be viable. Please find the answers below.
On Tue, 2019-06-18 at 08:03 +0000, Manuel Bleichenbacher wrote:
> Hi everybody,
>
> Our new application will have a lengthy user registration procedure that we would like to keep separate from Keycloak (it will mainly require application data, reuse part of the application's UI etc.). At the end of the registration procedure, we would still like to automatically log in the user so he/she doesn't need to reenter the username and password. What are our options to achieve it?
>
> The backend will certainly use a privileged Keycloak user (e.g. to create the new user via the REST Admin API). And the result of the login should be that the user's access token (JWT) is available in the user's session in the backend. So far we have come up with the following options:
>
> Option A: REST endpoint / custom authenticator
>
> - Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
> - Add a custom authenticator to the browser flow that checks for the one-time code
> - The user would then be directed to the regular authentication flow. If the one-time code is present and correct, the username/password step and possibly all other authentication steps will be skipped and the authentication immediately succeeds.
>
> Option B: REST endpoint / action token
>
> - Add a custom REST endpoint so the backend can create a one-time code and save it as a credential on the new user
> - Implement an additional action token handler that checks the one-time token to authenticate the user
> - The user would then be directed to the action token URL. If the one-time code is correct, the user is authenticated.
>
> What is your recommendation:
> - Are these feasible options?
> - Are we missing a good option?
>
> For option A: How can we pass the one-time code to the authentication flow? Can we use a URL parameter, HTTP header attribute?

This is possible, but not very reliable because of HTTP redirects.
After a redirect, the initial parameters will be lost (as well as headers), and you'll need to parse the parameter out of the Referer header. Check out this thread [2] for details.

However, there exists a hack so that you can use the "scope" parameter to pass data reliably, see this thread for details [3].

> For option B: Can the action token flow initiate the OAUTH2 flow and return an authorization code? Can this flow be easily integrated with the Spring Boot adapter?

Yes, see this [4]. AFAIK for the adapter it should look like an ordinary flow, it won't even know it had been initiated via action token handler.

[1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator
[2] https://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html
[3] https://lists.jboss.org/pipermail/keycloak-user/2019-May/018393.html
[4] https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/java/org/keycloak/quickstart/actiontoken/token/ExternalApplicationNotificationActionTokenHandler.java#L89

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

>
> Any input is appreciated.
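Dmitry's two points, binding the app-specific token to the parent action token's "nonce" claim so it is single-use, and the reuse window a non-persistent store opens after a cluster restart, as an added example (not Keycloak's code, the quickstart's or the thread's; the token format, claim names and the two store classes are this example's own assumptions):

```python
"""App-specific one-time token bound to a parent action token's nonce.

Added example, not Keycloak code. The app signs its own token, copies the
parent action token's nonce into it, and records consumed nonces so that it
is single-use. Two stores show the caveat from the reply: a volatile store
(like the default Infinispan one) forgets consumed nonces on restart, so a
still-valid token can be replayed; a persistent store rejects the replay.
Token format, claim names and the store API are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import os
import sqlite3
import tempfile
from typing import Callable, Tuple


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, parent_nonce: str, now: int,
                ttl: int = 300) -> str:
    """Return "<payload>.<sig>": HMAC-SHA256 over a compact JSON payload
    whose "nonce" claim is copied from the parent action token."""
    claims = {"sub": user_id, "nonce": parent_nonce, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


class InMemoryNonceStore:
    """Volatile store: everything is forgotten when the process restarts."""
    def __init__(self) -> None:
        self._seen = set()

    def consume(self, nonce: str, exp: int) -> bool:
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


class SqliteNonceStore:
    """Persistent store: consumed nonces survive a restart (same DB file)."""
    def __init__(self, path: str) -> None:
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS consumed "
                         "(nonce TEXT PRIMARY KEY, exp INTEGER)")
        self._db.commit()

    def consume(self, nonce: str, exp: int) -> bool:
        try:
            self._db.execute("INSERT INTO consumed VALUES (?, ?)", (nonce, exp))
            self._db.commit()
            return True
        except sqlite3.IntegrityError:  # PRIMARY KEY hit: already consumed
            return False


def redeem(token: str, secret: bytes, store, now: int) -> Tuple[bool, str]:
    """Verify signature and expiry, then consume the nonce exactly once."""
    try:
        payload_b64, sig_b64 = token.split(".")
        sig = _unb64(sig_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    claims = json.loads(_unb64(payload_b64))
    if now >= claims["exp"]:
        return False, "expired"
    if not store.consume(claims["nonce"], claims["exp"]):
        return False, "replayed"
    return True, claims["sub"]


def sqlite_factory(path: str = None) -> Callable[[], SqliteNonceStore]:
    """Factory that reopens the *same* database file on every call."""
    path = path or os.path.join(tempfile.mkdtemp(), "consumed-nonces.db")
    return lambda: SqliteNonceStore(path)


def replay_after_restart(make_store: Callable[[], object],
                         secret: bytes = b"constructed-demo-secret",
                         now: int = 1_560_000_000) -> Tuple[bool, bool]:
    """Redeem once, simulate a restart by building a fresh store, redeem again.
    Returns (first_accepted, second_accepted); a True second value means the
    token could be replayed after the restart."""
    token = issue_token(secret, "user-42", "parent-nonce-abc", now)
    first, _ = redeem(token, secret, make_store(), now)
    second, _ = redeem(token, secret, make_store(), now + 10)  # within TTL
    return first, second


if __name__ == "__main__":
    print("volatile store, replay after restart:", replay_after_restart(InMemoryNonceStore))
    print("sqlite store, replay after restart:  ", replay_after_restart(sqlite_factory()))
```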
>
> Thanks
> Manuel
>
> --
> manuel bleichenbacher | senior consultant
> m +41 79 617 90 01 | manuel.bleichenbacher at acrea.com
>
> acrea ag | konradstrasse 32 | 8005 zürich
> www.acrea.com | blog.acrea.com
>
> www.nezasa.com - incubated by Acrea

From demetrio at carretti.pro Tue Jun 18 09:23:18 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Tue, 18 Jun 2019 16:23:18 +0300
Subject: [keycloak-user] Configure Keycloak to be able to delegate authentication to other application
In-Reply-To: <86ce31059fc87320cec564f6d45eb5ca70cef2bf.camel@carretti.pro>
References: <86ce31059fc87320cec564f6d45eb5ca70cef2bf.camel@carretti.pro>
Message-ID:

Just a followup - if your IdP is able to 1) redirect back to a specific Keycloak URL upon successful login, 2) provide verifiable (e.g. signed) assertion of successful login, then you can use the approach demonstrated in this quickstart [1]. Unfortunately, you will lose the benefits of IdP brokering like first broker login flow, token storage etc., but this might be easier to implement.

[1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Fri, 2019-05-24 at 17:39 +0300, Dmitry Telegin wrote:
> Hello Cécile, answers inline,
>
> On Thu, 2019-05-09 at 16:11 +0200, Cécile Radix Saint-Martin wrote:
> > Hi,
> >
> > We wish to use Keycloak as our IDP for our application (frontend + REST
> > micro services).
> > We want to give users the possibility to authenticate using their
> > credentials of another application (login + password).
> > At the same time, our application needs to call this other application's APIs
> > and for this, needs the custom token returned by the application during
> > authentication (this application is not OIDC compliant).
> >
> > First I wanted to implement a custom identity provider for Keycloak, as it
> > enables storing the token of an external IDP. But there is very little documentation
> > about that and the only examples I found are for OIDC providers.
>
> The overall approach should depend on the semantics of the protocol used by your external IdP ("another application").
>
> If the protocol is redirect-based, like OIDC and SAML, then yes, custom identity provider is definitely the way to go. This is also beneficial because IdP infrastructure in Keycloak already provides facilities for token storage, user creation upon first login etc.
>
> As for documentation - I personally don't like the mantra "code is the best documentation", but seems like this is just the case here. Here is the hierarchy of IdPs currently implemented in Keycloak:
>
> AbstractIdentityProvider
>   AbstractOAuth2IdentityProvider
>     BitbucketIdentityProvider
>     FacebookIdentityProvider
>     GitHubIdentityProvider
>     InstagramIdentityProvider
>     LinkedInIdentityProvider
>     MicrosoftIdentityProvider
>     OIDCIdentityProvider
>       GitLabIdentityProvider
>       GoogleIdentityProvider
>       KeycloakOIDCIdentityProvider
>     OpenshiftV3IdentityProvider
>     PayPalIdentityProvider
>     StackoverflowIdentityProvider
>   SAMLIdentityProvider
>   TwitterIdentityProvider
>
> When solving a similar problem, I used SAMLIdentityProvider as a reference, since I found it to be more understandable (but that's personal of course).
>
> But if your IdP's protocol is not redirect based (like e.g. it uses REST or even TCP socket API that consumes login/password and returns a token), then the only option would be custom authenticator.
>
> > So finally I decided to implement a custom authenticator
> > (org.keycloak.authentication.Authenticator).
> >
> > I want to be sure that with a custom authenticator, I will be able to:
> > - Store custom tokens of the other application
>
> IdPs (including custom) have that out of the box, via FederatedIdentityModel::token.
>
> OTOH, custom authenticator will need to take care of it itself.
> If you're ok with transient tokens, then you can simply attach them to user sessions (using so called "user session notes").
> If you need persistent tokens, you'll also need to implement a custom JPA entity for that.
>
> > provide it to a client API
>
> In both cases (custom IdP and custom auth), you'll need a client mapper to push the external token from the user session to the target OIDC token, as a custom claim.
>
> > and refresh it if expired
>
> Is it correct that your client side will always need a valid external token, and you want to delegate the refresh process to Keycloak?
>
> If so, you will need another client mapper to handle this. Each time the client asks Keycloak to refresh the main (OIDC) token, the mapper will kick in and perform the external refresh too, if needed, thus ensuring that both tokens (OIDC and external) are valid.
>
> > - Create user in Keycloak if it does not exist (if authentication with the
> > other application succeeds)
>
> Again, if using custom IdP, this will be out of the box via First Broker Login flow.
>
> In the case of custom authenticator, you should also be able to invoke the same flow when needed. But you will also need to implement internal-to-external user mapping; that should be easy if the username could be unambiguously derived from the external token. Otherwise, you will have to implement something similar to the FederatedIdentity mechanism used by IdPs.
>
> Feel free to ask any further questions,
> Dmitry Telegin
>
> Carretti Consulting OÜ | Keycloak Consulting and Training
> Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
>
> > Anyone can confirm?
> >
> > *Cécile RADIX SAINT-MARTIN*
> > *mailto:cecile.saintmartin at gmail.com *

From ahmadzadehasl at outlook.com Tue Jun 18 09:50:25 2019
From: ahmadzadehasl at outlook.com (Ali Ahmadzadeh Asl)
Date: Tue, 18 Jun 2019 13:50:25 +0000
Subject: [keycloak-user] Allow access unauthenticated users
Message-ID:

Hi

I'm using Keycloak 6.0.0 in Spring Boot and my application properties file is like this:

keycloak.realm=my-realm
keycloak.resource=my-app
keycloak.ssl-required=external
keycloak.principal-attribute=preferred_username
keycloak.auth-server-url=http://localhost:8080/auth
keycloak.credentials.secret=f3222288-26c7-4487-83ec-67c111fa3e13
keycloak.policy-enforcer-config.on-deny-redirect-to=/access-denied
keycloak.securityConstraints

Indeed, I want to get the security constraints from the Keycloak server (by setting config 'on-deny-redirect-to'). In the Keycloak admin panel, I have only two permissions for client 'my-app': the default one (which is generated automatically by Keycloak) and a permission which only allows users having ROLE_REST to access the /rest/* URL pattern. But there is a problem: after running the project and accessing the main page (/), the browser redirects to '/access-denied'. How can I configure Keycloak from the admin panel to allow unauthenticated users to access the main page of the server?
I'm waiting for your responses,
Thanks

From manuel.bleichenbacher at acrea.com Tue Jun 18 10:02:22 2019
From: manuel.bleichenbacher at acrea.com (Manuel Bleichenbacher)
Date: Tue, 18 Jun 2019 14:02:22 +0000
Subject: [keycloak-user] Automatic one-time login
In-Reply-To: <0efe1bf8f72e934ea1ec6669a7d9f7fc855140fa.camel@carretti.pro>
References: <0efe1bf8f72e934ea1ec6669a7d9f7fc855140fa.camel@carretti.pro>
Message-ID: <8652069f81ea433b82fc023d1822c253@s0897.hosting.local>

Hi Dmitry

Thanks so much for your valuable input. It contains so much useful information.

I had studied the action-token-authenticator quickstart example before but I can't see how we could fit it into our solution. I haven't mentioned so far that an unregistered user never goes to a login or registration page. Instead the flow is similar to what you find in some web shops: a customer purchases some items and - as part of the checkout process - enters email address and mobile phone number. After the checkout is complete, the customer is asked if an account should be created for him. Up to this moment, Keycloak has not been involved and no authentication or registration flow has been initiated. And since no further entry is needed (in the future the user will log in with email address and a one-time password sent to the mobile number), the Keycloak user can be immediately created and the customer can immediately be logged in.

So given this flow: the quickstart example with a switch from the Keycloak flow to an external application and back is probably not applicable, right?

Regards
Manuel

From pavel.kokush at gmail.com Tue Jun 18 10:58:22 2019
From: pavel.kokush at gmail.com (pavel.kokush)
Date: Tue, 18 Jun 2019 17:58:22 +0300
Subject: [keycloak-user] setup expiration for temporary password
Message-ID:

Hello

Is it possible to set up expiration for a temporary password? (different from expiration for a normal password)
If not possible, then any hint on how to implement it with a keycloak extension (without forking keycloak)?
BR,
Pavel

From demetrio at carretti.pro Tue Jun 18 13:12:16 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Tue, 18 Jun 2019 20:12:16 +0300
Subject: [keycloak-user] Automatic one-time login
In-Reply-To: <8652069f81ea433b82fc023d1822c253@s0897.hosting.local>
References: <0efe1bf8f72e934ea1ec6669a7d9f7fc855140fa.camel@carretti.pro> <8652069f81ea433b82fc023d1822c253@s0897.hosting.local>
Message-ID: <965e2f9501f3c58c82993aff4cf552c92a43a72b.camel@carretti.pro>

Hi Manuel, you're welcome,

On Tue, 2019-06-18 at 14:02 +0000, Manuel Bleichenbacher wrote:
> Hi Dmitry
>
> Thanks so much for your valuable input. It contains so much useful information.
>
> I had studied the action-token-authenticator quickstart example before but I can't see how we could fit it into our solution. I haven't mentioned so far that an unregistered user never goes to a login or registration page. Instead the flow is similar to what you find in some web shops: a customer purchases some items and - as part of the checkout process - enters email address and mobile phone number. After the checkout is complete, the customer is asked if an account should be created for him. Up to this moment, Keycloak has not been involved and no authentication or registration flow has been initiated. And since no further entry is needed (in the future the user will log in with email address and a one-time password sent to the mobile number), the Keycloak user can be immediately created and the customer can immediately be logged in.
>
> So given this flow: the quickstart example with a switch from the Keycloak flow to an external application and back is probably not applicable, right?

Correct. This is exactly what I meant by "Had you been using Keycloak's registration flow, this quickstart could have been applicable entirely".
Third conditional :) In other words, you should use this quickstart just as a source of inspiration if you decide to go with action token handler + authenticator + app-specific token instead of REST + one-time code.

Cheers,
Dmitry

From l.lech at ringler.ch Wed Jun 19 03:03:39 2019
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 19 Jun 2019 07:03:39 +0000
Subject: [keycloak-user] Changed email is written to DB without verification, then the account is blocked
Message-ID: <5E48B917000C984B86B77170F441903A18A136B3@exch.ringler.ch>

Hello,

I have the following scenario. The user has changed email. Because of a typo the new email is invalid.
The email was saved to the DB without verification, which makes it impossible to log in using the valid email. The new email requires verification, which is impossible, because it is invalid. The user is effectively blocked.

I've discovered this misbehavior in 4.8.1

Is my realm configured wrongly, or is this a known misbehavior? Or maybe it was our failure that we have allowed users to change email, which should be immutable by design?

Best regards,
Lukasz Lech

From fabrice.geslin-prestataire at laposte.fr Wed Jun 19 04:00:17 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Wed, 19 Jun 2019 08:00:17 +0000
Subject: [keycloak-user] Access token customization per client
Message-ID:

Hi,

Is there a way to customize the content of the access token that is delivered to client applications?

This question is an attempt to revive this old thread: https://lists.jboss.org/pipermail/keycloak-user/2016-February/004784.html .

The idea is to deliver basic JWT access tokens to public clients. This token can be exchanged later on at the resource server level with a full-fledged JWT.

Regards,

Fabrice Geslin
Groupe La Poste

Post-scriptum La Poste
This message is confidential. Subject to any agreement concluded in writing between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised beforehand. If you are not the addressee of this message, please notify the sender immediately.

From demetrio at carretti.pro Wed Jun 19 07:24:42 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Wed, 19 Jun 2019 14:24:42 +0300
Subject: [keycloak-user] Access token customization per client
In-Reply-To:
References:
Message-ID:

Hello Fabrice,

Just wondering if you want this feature to minimize token size, or rather for security purposes? If the latter, just FYI, there's an ongoing effort to implement encrypted tokens [1]. At the moment, there are plans to do encrypted ID tokens only, but you can approach Takashi and Marek and discuss if that could be applied to access tokens too.

[1] https://github.com/keycloak/keycloak/pull/5779

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

From fabrice.geslin-prestataire at laposte.fr Wed Jun 19 07:31:24 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Wed, 19 Jun 2019 11:31:24 +0000
Subject: [keycloak-user] Access token customization per client
In-Reply-To:
References:
Message-ID:

Hi,

Thanks for the quick answer. This is mainly for security purposes. I will follow the advice and contact Takashi and Marek.

Regards,

Fabrice Geslin

From gmbnomis at gmail.com Wed Jun 19 10:33:01 2019
From: gmbnomis at gmail.com (Simon Baatz)
Date: Wed, 19 Jun 2019 16:33:01 +0200
Subject: [keycloak-user] token introspection endpoint does not accept its URL as audience during signed JWT client auth
Message-ID: <20190619143300.GA14031@gandalf>

Hi,

we think we found a problem when using the token introspection endpoint with signed JWT client auth.

In the JWT, audience is set to the URL of the token introspection endpoint (we use mod_auth_openidc). However, Keycloak throws an error in JWTClientAuthenticator which looks like this:

Error when validating client assertion: java.lang.RuntimeException: Token audience doesn't match domain. Realm issuer is 'https://.../auth/realms/master' but audience from token is '[https://.../auth/realms/master/protocol/openid-connect/token/introspect]'

We found the description of a similar problem in KEYCLOAK-3424 for the token endpoint (see [0]). Here, JWTClientAuthenticator was adapted to accept both the issuer as well as the actual token endpoint URL as audience.

Now, we are wondering whether that change missed addressing the token introspection endpoint as well or whether we are doing something wrong.
[0] https://issues.jboss.org/browse/KEYCLOAK-3424?focusedCommentId=13285402&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13285402

From nicksu at m800.com Wed Jun 19 21:39:09 2019
From: nicksu at m800.com (Nick Su)
Date: Thu, 20 Jun 2019 01:39:09 +0000
Subject: [keycloak-user] Reduce context switches
Message-ID:

Hi,

I am wondering whether there is a way to reduce context switches, as I have monitored the Keycloak environment and found that a huge number of context switches break out when the number of concurrent users increases. So is it possible to reduce the switches? Thank you

From jamesm at suitebox.com Wed Jun 19 21:58:01 2019
From: jamesm at suitebox.com (James Mitchell)
Date: Thu, 20 Jun 2019 13:58:01 +1200
Subject: [keycloak-user] Caching user details in a custom User Storage Provider
In-Reply-To:
References:
Message-ID:

I think I see the problem. Based on "examples found on the internet", I am taking the UserModel, and using "getDelegateForUpdate()" to get my UserAdapter - but the code points out this will invalidate the cache, so I am doing it to myself :(

I'll switch to storing my extra data into the cache with onCache() and extract it when I need it...

On Mon, 17 Jun 2019 at 10:19, James Mitchell wrote:
>
> Can I get a sanity check for this? I don't think my users are being retrieved from the cache.
>
> I'm using Keycloak 6.0.1 and doing a proof of concept to use it as IDP for our application. So far I have a working User Storage Provider to call the existing API for user details and to authenticate users - I'm calling the token endpoint with a password grant-type and all is good.
>
> * I can see the initial search for email address works, and the user is added to the cache (at least the OnUserCache function is called)
> * the password matches and the user is authenticated
> * then there are many calls to get the user by ID - I think these are to get attributes for the token claims. These are not getting the details from the cache, as I can see hits on the existing API.
>
> So my questions are
> * should the user be coming from the cache?
> * is there a method I can override to confirm if the cache is being used?
>
> These are some logs from the keycloak service and the database adapter (both running as Docker containers). These logs are generated from the admin console when I click for user details.
>
> > keycloak_1 | 22:42:47,516 INFO [com.suitebox.keycloak.storage.SbxUserStorageProviderFactory] (default task-2) Create PHPAuth Provider instance
> > keycloak_1 | 22:42:47,519 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> > keycloak_1 | 22:42:49,879 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Caching user f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> > keycloak_1 | 22:42:49,952 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> > keycloak_1 | 22:42:51,996 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) getUserById: f:df3bf6f5-0ae8-4d0d-8cee-8e01bdbb0649:4
> > keycloak_1 | 22:42:54,069 INFO [com.suitebox.keycloak.storage.SbxUserStorageProvider] (default task-2) Closing PHPAuth Provider
>
> and the database API
>
> > dbadapter_1 | 2019-06-13 22:42:47.609 INFO 1 --- [p-nio-80-exec-4] c.s.d.controller.backend.UserController : get user id=4
> > dbadapter_1 | 2019-06-13 22:42:50.031 INFO 1 --- [p-nio-80-exec-5] c.s.d.controller.backend.UserController : get user id=4
> > dbadapter_1 | 2019-06-13 22:42:52.094 INFO 1 --- [p-nio-80-exec-6] c.s.d.controller.backend.UserController : get user id=4
>
> Thanks,
> James

From hans.zandbelt at zmartzone.eu Thu Jun 20 00:34:35 2019
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Thu, 20 Jun 2019 06:34:35 +0200
Subject: [keycloak-user] token introspection endpoint does not accept its URL as audience during signed JWT client auth
In-Reply-To:
References:
Message-ID:

FWIW: the spec is not clear on this case, see a discussion about it here: https://mailarchive.ietf.org/arch/msg/oauth/Z2QXaIPXvP8BIA0by6ktFSoyKK8

Based on that input I agree with Simon and would suggest to accept both.

Hans.

--
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

From shivaprasadtp8 at gmail.com Thu Jun 20 03:23:15 2019
From: shivaprasadtp8 at gmail.com (Shiva Prasad Thagadur Prakash)
Date: Thu, 20 Jun 2019 10:23:15 +0300
Subject: [keycloak-user] Does Keycloak support binding to ipv6 address
In-Reply-To: <20190613135813.GA20317@abstractj.org>
References: <20190613135813.GA20317@abstractj.org>
Message-ID:

Hi Bruno/Stan,

Thank you very much for the quick reply.
I was able to bind Keycloak to listen on either an ipv4 or an ipv6 address. But I was wondering if Keycloak supports a dual ip stack, i.e. can Keycloak listen on both ipv4 and ipv6 simultaneously? Please correct me if I am missing something. Eager to hear from you.

Thanks,
Shiva

On Thu, Jun 13, 2019 at 4:58 PM Bruno Oliveira wrote:
> Long time ago we tested ipv6[1], and everything worked really well. Just a quick note that we do not support ipv6 in the URLs, as mentioned in the same Jira.
>
> [1] - https://issues.jboss.org/browse/KEYCLOAK-1587
>
> On 2019-06-13, Shiva Prasad Thagadur Prakash wrote:
> > Hi Guys,
> >
> > Can Keycloak be bound to an ipv6 address? Or can it be bound to both ipv4 and ipv6, for example, -b [[::]]. Are there any configuration changes to be done? Eagerly waiting for the reply.
> >
> > Thanks,
> > Shiva
>
> --
>
> abstractj

From j9dy1g at gmail.com Thu Jun 20 05:35:06 2019
From: j9dy1g at gmail.com (Jody H)
Date: Thu, 20 Jun 2019 11:35:06 +0200
Subject: [keycloak-user] Keycloak Gatekeeper access token encryption
Message-ID:

Hi,

I am trying to use the Keycloak Gatekeeper proxy and have found a problem I can't seem to solve.

I have a service which is hosting a webservice and an api. Keycloak gatekeeper is protecting this application. I have another webservice which is making requests to this api. I have encrypted tokens/cookies enabled in my gatekeeper config. I have looked into the source code of gatekeeper to figure out how the token is being decrypted, when it is coming inside of the Authorization header instead of a cookie. It is like this:

1) The token is read from the "Authorization: Bearer" header: https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
2) If encryption is enabled, the access token needs to be decrypted: https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
3) Before decryption, the access token from the Authorization header will be base64-decoded: https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
4) After decoding, it will be decrypted by AES-GCM: https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183

I can't seem to figure out how to make requests to the gatekeeper proxy so that the access token I pass in the Authorization header can be read by the gatekeeper. I have checked multiple times that the key I use to encrypt my access token is identical to the one I use in the gatekeeper config.

I am using this javascript code to encrypt my data: https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then after encryption, I base64 encode it and add it to the "Authorization: Bearer [base64-encoded encrypted-access-token]" header.

The error gatekeeper gives me is this: https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204

The relevant javascript code looks like this:

    const key = "MY_KEY_HERE_WITH_32_CHARACTERS"; // key is equal to the one in the gatekeeper config
    const ciphertext = await aesGcmEncrypt(keycloak.token, key);
    console.log(ciphertext);
    var req = new XMLHttpRequest();
    req.open('GET', url, true);
    req.setRequestHeader('Accept', 'application/json');
    req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));

    req.onreadystatechange = function () {
        if (req.readyState == 4) {
            if (req.status == 200) {
                document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
            } else if (req.status == 403) {
                console.log('Forbidden');
            } else if (req.status == 401) {
                console.log('Unauthorized');
            }
        }
    }

    req.send();

Can someone help me out? Sorry for the wall of text and thanks in advance!

Best regards,

From bruno at abstractj.org Thu Jun 20 16:09:59 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 20 Jun 2019 17:09:59 -0300
Subject: [keycloak-user] Keycloak Gatekeeper access token encryption
In-Reply-To:
References:
Message-ID: <20190620200959.GA9818@abstractj.org>

Hi Jody, you don't need to be sorry. The more details, the better.

Are you looking for something like this[1]?

[1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445

--
abstractj

From bruno at abstractj.org Thu Jun 20 16:18:28 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 20 Jun 2019 17:18:28 -0300
Subject: [keycloak-user] Does Keycloak support binding to ipv6 address
In-Reply-To:
References: <20190613135813.GA20317@abstractj.org>
Message-ID: <20190620201828.GB9818@abstractj.org>

I believe both can be supported, although you need to specify which one you prefer for the hostname to IP conversion. For example if you have a setup like this:

    java.net.preferIPv4Stack=false
    java.net.preferIPv6Addresses=true

The preferred choice for hostname to IP conversions will be IPv6. There are more details in the WildFly documentation about it.
I suggest giving it a try: https://docs.wildfly.org/17/Admin_Guide.html#ipv4-versus-ipv6

--
abstractj

From Ori.Doolman at cyberark.com Thu Jun 20 11:51:35 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Thu, 20 Jun 2019 15:51:35 +0000
Subject: [keycloak-user] authorizationSettings not in response
In-Reply-To:
References:
Message-ID:

Thanks for the answer Pedro.

I understand what you wrote, but I think this poses a difficulty for the API users (such as myself). I want to look for all permissions related to some resource. Now, instead of selecting all permissions and in my app iterating and filtering according to the resource, I have two bad-performance solutions:

1. Use the /settings endpoint and get too much data, including many entities I don't need.
2. Get all permissions, and then one by one call the {id}/resources. And then call the other endpoints if I also need scopes and associatedPolicies.

I don't understand why the /policies cannot return the full permission entity with the {config} object. It would be the straightforward thing to do.

Thanks,
Ori.

From: Pedro Igor Silva
Sent: Tuesday, June 18, 2019 2:23 PM
To: Ori Doolman
Cc: Rafael Tovar.; keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman wrote:

Pedro,

When I call the authz/resource-server/settings endpoint, I get the full list of all entities. That works great if I later want to update the settings using the /authz/resource-server/import endpoint.

But /settings might become too big and I only want to update my permissions (specific ones, actually). Hence, I call the /policy endpoint. But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing.

1) Is that a bug? You can see below both payloads.

The settings endpoint is exporting the settings, basically. So that you have a JSON that you can later import data back to your client. The policy endpoint only returns the policy attributes so that any other associated entity such as resources, scopes, and associated policies should be obtained from another endpoint.

{id}/associatedPolicies
{id}/resources
{id}/scopes

2) Can I filter permissions by name contains "mySubstring"? Seems that /search does not support that but only exact name match by /search?name="name"

You can use the "/" (root) endpoint. It is the one we use in the admin console.

Here is the /settings call:

    "policies": [
      {
        "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
        "name": "set-03",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
          "resources": "[\"set-01\"]",
          "scopes": "[\"read\",\"write\"]",
          "applyPolicies": "[\"userPolicy\"]"
        }
      }

Here is what I get from the /policy endpoint:

    {
      "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
      "name": "set-03",
      "type": "scope",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {}
    }

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Ori Doolman
Sent: Thursday, June 6, 2019 4:22 PM
To: Pedro Igor Silva; Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Great. I was looking for that as well. I don't think it is documented. How do you manipulate the authorization entities by REST API? For example, add a resource or a scope, modify policy etc.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva
Sent: Thursday, June 6, 2019 3:43 PM
To: Rafael Tovar.
Cc: keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

Hi,

Please, append the following path to your URI: "/authz/resource-server/settings".

Regards.
Pedro Igor

On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
> Hi everybody,
> I'm trying to get the authorization settings of a client, but it's not coming in the response of the request.
> This is the request I'm doing:
>
> http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
>
> and this is the response:
>
> {
>   "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
>   "clientId": "api",
>   "surrogateAuthRequired": false,
>   "enabled": true,
>   "clientAuthenticatorType": "client-secret",
>   "redirectUris": [
>     "*"
>   ],
>   "webOrigins": [],
>   "notBefore": 0,
>   "bearerOnly": false,
>   "consentRequired": false,
>   "standardFlowEnabled": true,
>   "implicitFlowEnabled": false,
>   "directAccessGrantsEnabled": true,
>   "serviceAccountsEnabled": true,
>   "authorizationServicesEnabled": true,
>   "publicClient": false,
>   "frontchannelLogout": false,
>   "protocol": "openid-connect",
>   "attributes": {
>     "saml.assertion.signature": "false",
>     "saml.force.post.binding": "false",
>     "saml.multivalued.roles": "false",
>     "saml.encrypt": "false",
>     "saml.server.signature": "false",
>     "saml.server.signature.keyinfo.ext": "false",
>     "exclude.session.state.from.auth.response": "false",
>     "saml_force_name_id_format": "false",
>     "saml.client.signature": "false",
>     "tls.client.certificate.bound.access.tokens": "false",
>     "saml.authnstatement": "false",
>     "display.on.consent.screen": "false",
>     "saml.onetimeuse.condition": "false"
>   },
>   "authenticationFlowBindingOverrides": {},
>   "fullScopeAllowed": true,
>   "nodeReRegistrationTimeout": -1,
>   "protocolMappers": [
>     {
>       "id": "97330e11-24df-40ce-9335-51d5126d4059",
>       "name": "Client Host",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientHost",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientHost",
>         "jsonType.label": "String"
>       }
>     },
>     {
>       "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
>       "name": "Client ID",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientId",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientId",
>         "jsonType.label": "String"
>       }
>     },
>     {
>       "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
>       "name": "Client IP Address",
>       "protocol": "openid-connect",
>       "protocolMapper": "oidc-usersessionmodel-note-mapper",
>       "consentRequired": false,
>       "config": {
>         "user.session.note": "clientAddress",
>         "id.token.claim": "true",
>         "access.token.claim": "true",
>         "claim.name": "clientAddress",
>         "jsonType.label": "String"
>       }
>     }
>   ],
>   "defaultClientScopes": [
>     "web-origins",
>     "role_list",
>     "profile",
>     "roles",
>     "email"
>   ],
>   "optionalClientScopes": [
>     "address",
>     "phone",
>     "offline_access",
>     "microprofile-jwt"
>   ],
>   "access": {
>     "view": true,
>     "configure": true,
>     "manage": true
>   }
> }
>
> Thanks,
> Rafael.

----------------------------------------------------------------------
_______________________________________________
This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.

From ah.ping.luk at gmail.com Fri Jun 21 00:23:59 2019
From: ah.ping.luk at gmail.com (Paul Luk)
Date: Fri, 21 Jun 2019 12:23:59 +0800
Subject: [keycloak-user] Can we set a custom OIDC issuer identifier?
Message-ID:

Hi all,

How can I change/customize the keycloak issuer identifier? To cater for a DNS name change, I want to set the issuer identifier to a DNS-neutral one (say http://fake_name/oidc).
Thank you. From tiago.batista at mindera.com Fri Jun 21 06:45:23 2019 From: tiago.batista at mindera.com (Tiago Batista) Date: Fri, 21 Jun 2019 11:45:23 +0100 Subject: [keycloak-user] When creating a user he is not added to the requested group (on only one of my instances) Message-ID: Hello all, I have migrated an application to keycloak a couple of months ago, however today I come to you with a problem I can not solve. The users created on the QA environment are created as they should. They are part of the "self-management" group as expected, however the users created on the staging environment are not added to the group! The thing that puzzles me is that the environments are a mirror of one another, same docker images of the api client are promoted from our QA to the client's staging. I have already checked and the keycloak helm charts are on the same version and the keycloak docker images have the same hash (6862c765d226). The user that is invoking the API has the manage-users role on the realm. I would love some insight as to where should I look next as this is puzzling me. Below is an export of the requests from the browser. The response to both is a 201 created, and there is no information on the logs or the admin events regarding any failure to add the user to the group. I have redacted the domain name and the token. 
curl 'https://auth.staging.TLD/auth/admin/realms/acme/users' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Referer: https://mc.acme.staging.TLD/app/members/list/' \
  -H 'Authorization: Bearer VALID_TOKEN' \
  -H 'content-type: application/json' \
  -H 'Origin: https://mc.acme.staging.TLD' \
  -H 'Connection: keep-alive' \
  -H 'TE: Trailers' \
  --data '{"username":"tiago.batista+acmemember1@mindera.com","email":"tiago.batista+acmemember1@mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'

curl 'https://auth.qa.TLD/auth/admin/realms/acme/users' \
  -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Referer: http://mc.acme.qa.TLD/app/members/list' \
  -H 'Authorization: Bearer VALID_TOKEN' \
  -H 'content-type: application/json' \
  -H 'Origin: http://mc.acme.qa.TLD' \
  -H 'Connection: keep-alive' \
  -H 'TE: Trailers' \
  --data '{"username":"tiago.batista+acmeqa1@mindera.com","email":"tiago.batista+acmeqa1@mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'

The token contains the following role on both environments:

  "resource_access": {
    "realm-management": {
      "roles": [
        "manage-users"
      ]
    },

The staging environment has the following groups:

[
  {
    "id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3",
    "name": "all-plinth-permissions",
    "path": "/all-plinth-permissions",
    "subGroups": []
  },
  {
    "id": "5db60d20-3259-489c-8ac2-f684c3e7dd54",
    "name": "self-management",
    "path": "/self-management",
    "subGroups": []
  }
]

Does anyone have any good idea as to where I should look next?
Regards,
Tiago

From tiago.batista at mindera.com Fri Jun 21 06:54:21 2019
From: tiago.batista at mindera.com (Tiago Batista)
Date: Fri, 21 Jun 2019 11:54:21 +0100
Subject: [keycloak-user] Realm templates - exporting once, importing many times
Message-ID: <897b6170d0fbcd715aa3ae300b8bbe583d7bd564.camel@mindera.com>

Hello all,

This is something I have seen requested here and that I needed too. As Keycloak does not supply such a tool, I did a quick hack to create one. I am sure there are plenty of bugs, as this was created for a very particular purpose and was not extensively tested.

Take a look here: https://github.com/plinth-tech/keycloak-realm-generator

This is licensed as MIT, but I am sure the copyright holder will be accommodating if you need this under any other license for some reason. Feel free to use it as much as you want, and if you find any bugs please report them!

Regards,
Tiago

From francois at medicaldynamics.nl Fri Jun 21 07:27:32 2019
From: francois at medicaldynamics.nl (Francois Verhees)
Date: Fri, 21 Jun 2019 11:27:32 +0000
Subject: [keycloak-user] forgotten password
Message-ID:

Dear,

I sent a forgotten password message. I used the known e-mail address as a login, but did not receive a mail back with recovery of the password. I used francois at medicaldynamics.nl and I used info at verdihealthcare.nl.

What am I doing wrong? Or why do I not get a reply?

Met vriendelijke groet/Best regards/Mit freundlichen Grüssen,

François Verhees
Algemeen Directeur/CEO

Verdi Healthcare
Wijde Wade 1 a
3439 NP Nieuwegein
The Netherlands
T +31(0)30 285 12 49
F +31(0)30 285 11 06
E francois at verdihealthcare.nl
I www.verdihealthcare.nl

From kyriakos.stefanidis at fokus.fraunhofer.de Fri Jun 21 09:23:31 2019
From: kyriakos.stefanidis at fokus.fraunhofer.de (Stefanidis, Kyriakos)
Date: Fri, 21 Jun 2019 13:23:31 +0000
Subject: [keycloak-user] obtaining RTP by resource name
Message-ID: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de>

Hello all,
...more specifically people that use Keycloak authorization services.

While dealing with RTPs (without permission tickets) for both user-managed and centrally-managed resources we encountered an inconsistent behavior and would like to know if it is considered a bug or works as intended (and why).

The story:

When a resource is owned by the resource provider (a client), you can get an RTP by providing either the resource id (uuid) or the resource name in the "permissions" parameter.

Ex.
"res1" is owned by "client.id" and given "update" scope permission to user "usr" via policy/permission combo $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res1.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res1.name#scope" //correct RTP with "update" for "res1" When a resource is owned by a user, you can only get a RTP by providing the resource id (uuid) in the "permission" parameter. Requesting by name returns an "Resource with id [res2.name] does not exist." Ex. "res2" is owned by "usr" and has an "update" scope $TOKEN is the access token for user "usr" curl -X POST \ https://something/auth/realms/something/protocol/openid-connect/token \ -H "Authorization: Bearer $TOKEN" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=client.id" \ --data "permission=res2.id#scope" //correct RTP with "update" for "res1" OR --data "permission=res2.name#scope" //"Resource with id [res2.name] does not exist." The interesting thing is that If you request a RTP without specific "permission" property, keycloak returns the correct RTP with "update" for both res1 and res2 as it should. Our tests also shown that this behavior does not rely on the "user managed" property but only the "owner" property Is this supposed to happen? If yes, why? If no, which one of the two is the buggy behavior? The behavior for the user owned or the client owned resource? The main reason for this email is that the fact that you can obtain RTP based on resource name is immensely helpful for us since the other clients (other than the resource provider) cannot get the resource id from keycloak but they do know what they are looking for (the resource name). 
Not being able to get an RTP based on resource name for user-owned resources forces us to use a generic RTP for all resources every time, which could become a burden if a user can access a very large number of resources.

Best regards,
Kyriakos Stefanidis

From Mark.Sargent at gallagher.com Fri Jun 21 14:27:06 2019
From: Mark.Sargent at gallagher.com (Mark Sargent)
Date: Fri, 21 Jun 2019 18:27:06 +0000
Subject: [keycloak-user] Registration process
Message-ID:

Hi there,

During an onboard game flow we would like to invite the user to register with a particular email address. Is there a way that I can send a user to the registration page with the email address filled in and possibly not editable? I am trying to skip the page where the user can either sign in or click the register button.

Many thanks
Mark

From demetrio at carretti.pro Sat Jun 22 09:43:58 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Sat, 22 Jun 2019 16:43:58 +0300
Subject: [keycloak-user] How to use identity provider broker (google and facebook) via ajax/api
In-Reply-To:
References:
Message-ID: <631422821dee910351b1677bbaf17bb2a70b54b3.camel@carretti.pro>

Hello Cosmin,

You can use Facebook Login for websites [1] and Google Sign-In [2] in combination with the Keycloak token exchange feature [3]. Once Facebook or Google login succeeds, you need to obtain a token and perform an external-to-internal token exchange [4], which will give you a standard set of OIDC tokens (access+ID+refresh).
Please pay attention to the proper setup of token exchange permissions in Keycloak. Also mind that token exchange doesn't yet support the scope param [5]; therefore you won't be able to obtain offline (long-lived) tokens from Keycloak, however there are workarounds for that.

[1] https://developers.facebook.com/docs/facebook-login
[2] https://developers.google.com/identity/sign-in/web/sign-in
[3] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
[4] https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
[5] https://issues.jboss.org/browse/KEYCLOAK-6230

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Tue, 2019-06-11 at 15:30 +0300, Cosmin Ardeleanu wrote:
> Hello,
>
> *Context*: We have a single page application made with Angular JS. We want
> to implement login via Facebook and Google, by using Keycloak.
>
> *Requirement*: We want to use an ajax/api call, similar to
> "../protocol/openid-connect/token" (this end point is using user/pass to
> login).
>
> *Problem*: The way the brokering works is with a series of html redirects:
> start -> redirects to keycloak -> redirects to facebook or google -> back
> to keycloak -> back to start
> This is not compatible with a single page application.
>
> *Question*:
> Is there any documentation (or work around) on how to achieve login with
> facebook/google by using ajax/api calls, similar to the one for
> user/password ("../protocol/openid-connect/token" endpoint)?
> We need to be able to retrieve the token from facebook and google, and send
> it to keycloak, and keycloak should respond with the authentication token.
>
> How can we do it?
>
> Thank you.
From remko at FreeBSD.org Sun Jun 23 15:37:57 2019
From: remko at FreeBSD.org (Remko Lodder)
Date: Sun, 23 Jun 2019 21:37:57 +0200
Subject: [keycloak-user] Set which user can authenticate at which client
Message-ID:

Hi,

I am new to Keycloak and first of all I would like to thank you and all contributors for all your hard work. I have little experience with Keycloak and its usage, so please put me on the correct track in case I am off :-)

So: For a customer and my own environment I am implementing Keycloak. I am consolidating our users in one Realm and have added a multitude of clients (both SAML and OIDC). I would like to be able to place selectors on users when importing them or setting it manually, so that someone has access to, for example, GitLab.

I found that Okta probably has what I am looking for, described here: https://help.okta.com/en/prod/Content/Topics/Directory/group-assign-app.htm

Now, is there something like that also in Keycloak? I would like users to be part of a group, or role, or whatever, and that way control who has access where, without needing to fiddle with the application on the back (I can do that for targeting specific roles, like admin, manager, read-write, read-only, etc.). I was not able to find something similar .. so probably I overlooked it or didn't understand the documentation :-)

Any pointers/suggestions/this is not an option right now?

Thanks & Again, thank you all,
Remko
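The three requests under discussion in the threads above, as one added example that is not code posted by anyone in them: Tiago's admin-API user creation with a "groups" list, where the memberships are read back with a second GET instead of trusting the 201 Created; Kyriakos' UMA-ticket grant that asks for a permission by resource name (the RPT, written "RTP" in that thread; Pedro's reply further down this page says a user-owned resource should also resolve by name when the bearer token's subject is the owner), where the scopes actually granted are read out of the token's "authorization" claim; and the external-to-internal token exchange that Dmitry points Cosmin to, with the parameter names from the Keycloak token-exchange documentation he links. The server URL, realm, client ids, identity-provider alias, all tokens and every response in fake_transport() are assumptions constructed so the module runs offline. Two caveats: jwt_payload() decodes without verifying the signature, which is fine for inspecting a token the issuer just returned over TLS but not for a resource server making decisions; and the optional client_secret must never ship inside a single-page app, so call the exchange from a backend or use a public client that the identity provider's token-exchange permission allows (the feature also has to be enabled in the server's feature profile).

```python
"""Added example, not the posters' code: a minimal Keycloak REST client that
(1) creates a user and checks its real group memberships, (2) asks for an RPT
by resource name and reads the granted scopes back out of it, and (3) exchanges
an external (Google/Facebook) token. URL, realm, clients, IdP alias and tokens
are assumed; the transport is injectable so it runs offline via fake_transport."""
import base64
import json
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def http_transport(method, url, headers, body=None):
    """Real transport -> (status, response headers, body). Raises on 4xx/5xx."""
    with urlopen(Request(url, data=body, method=method, headers=headers)) as r:
        return r.status, dict(r.headers), r.read()


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature: only for looking at
    a token the issuer just handed you over TLS, never for authorization."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


class Keycloak:
    def __init__(self, base_url, realm, transport=http_transport):
        self.base, self.realm, self.transport = base_url.rstrip("/"), realm, transport

    def _token_endpoint(self, bearer, fields):
        url = f"{self.base}/auth/realms/{self.realm}/protocol/openid-connect/token"
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   **({"Authorization": f"Bearer {bearer}"} if bearer else {})}
        status, _, raw = self.transport("POST", url, headers, urlencode(fields).encode())
        return status, (json.loads(raw) if raw else {})

    def create_user_in_groups(self, admin_token, username, email, group_paths):
        """POST the user, then GET its memberships: a 201 only proves the user
        exists. Returns (user_id, group paths that were NOT applied)."""
        admin = f"{self.base}/auth/admin/realms/{self.realm}"
        headers = {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}
        rep = {"username": username, "email": email, "enabled": True, "groups": group_paths}
        status, resp_headers, _ = self.transport("POST", f"{admin}/users", headers, json.dumps(rep).encode())
        if status != 201:
            raise RuntimeError(f"user creation failed: HTTP {status}")
        user_id = resp_headers["Location"].rstrip("/").rsplit("/", 1)[-1]  # new user's id
        _, _, raw = self.transport("GET", f"{admin}/users/{user_id}/groups", headers)
        return user_id, sorted(set(group_paths) - {g["path"] for g in json.loads(raw)})

    def request_rpt(self, user_token, audience, permissions):
        """UMA grant; each permission is '<resource id or name>#<scope>'."""
        fields = [("grant_type", UMA_GRANT), ("audience", audience)]
        fields += [("permission", p) for p in permissions]
        status, data = self._token_endpoint(user_token, fields)
        return data.get("access_token") if status == 200 else None

    def exchange_external_token(self, client_id, idp_alias, external_token, client_secret=None):
        """External-to-internal exchange. The secret belongs on a backend, not in the SPA."""
        fields = [("client_id", client_id), ("grant_type", EXCHANGE_GRANT),
                  ("subject_token", external_token), ("subject_issuer", idp_alias),
                  ("subject_token_type", ACCESS_TOKEN_TYPE)]
        if client_secret:
            fields.append(("client_secret", client_secret))
        status, data = self._token_endpoint(None, fields)
        return data if status == 200 else None


def granted_scopes(rpt, resource_name):
    """Scopes the RPT's authorization.permissions claim grants on one resource."""
    perms = jwt_payload(rpt).get("authorization", {}).get("permissions", [])
    return {s for p in perms if p.get("rsname") == resource_name for s in p.get("scopes", [])}


# Constructed offline stand-in for a server; none of this is real Keycloak output.
FAKE_USER_ID = "5db60d20-0000-4000-8000-000000000001"


def _fake_jwt(payload):
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"RS256"}'), b64(json.dumps(payload).encode()), "sig"])


def fake_transport(method, url, headers, body=None):
    if method == "POST" and url.endswith("/users"):
        return 201, {"Location": f"{url}/{FAKE_USER_ID}"}, b""
    if method == "GET" and url.endswith("/groups"):  # only one of the two requested groups
        return 200, {}, json.dumps([{"path": "/self-management"}]).encode()
    if url.endswith("/openid-connect/token"):
        fields = dict(parse_qsl(body.decode()))
        if fields["grant_type"] == UMA_GRANT:
            rpt = _fake_jwt({"authorization": {"permissions": [{"rsname": "res2", "scopes": ["update"]}]}})
            return 200, {}, json.dumps({"access_token": rpt}).encode()
        tok = _fake_jwt({"azp": fields["client_id"]})
        return 200, {}, json.dumps({"access_token": tok, "refresh_token": "r"}).encode()
    return 404, {}, b""


def demo():
    kc = Keycloak("https://auth.example.test", "acme", transport=fake_transport)
    user_id, missing = kc.create_user_in_groups("ADMIN_TOKEN", "member1", "member1@example.test",
                                                ["/self-management", "/all-plinth-permissions"])
    rpt = kc.request_rpt("USER_TOKEN", "client.id", ["res2#update"])
    exchanged = kc.exchange_external_token("spa-backend", "google", "GOOGLE_ACCESS_TOKEN", "s3cret")
    return {"user_id": user_id, "missing_groups": missing,
            "res2_scopes": granted_scopes(rpt, "res2"),
            "exchanged_azp": jwt_payload(exchanged["access_token"])["azp"]}
```

Against a real server, construct Keycloak(base_url, realm) without the transport argument; create_user_in_groups() then reports exactly the group paths that were silently not applied, which is the check Tiago's 201 responses were missing, and granted_scopes() shows whether the RPT obtained by name carries the scope you expected rather than a generic grant.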
From manuel.bleichenbacher at acrea.com Mon Jun 24 04:43:23 2019
From: manuel.bleichenbacher at acrea.com (Manuel Bleichenbacher)
Date: Mon, 24 Jun 2019 08:43:23 +0000
Subject: [keycloak-user] Automatic one-time login
In-Reply-To: <965e2f9501f3c58c82993aff4cf552c92a43a72b.camel@carretti.pro>
References: <0efe1bf8f72e934ea1ec6669a7d9f7fc855140fa.camel@carretti.pro> <8652069f81ea433b82fc023d1822c253@s0897.hosting.local> <965e2f9501f3c58c82993aff4cf552c92a43a72b.camel@carretti.pro>
Message-ID: <4910dc939795480bab32a9d5ce86bca6@s0897.hosting.local>

Our implementation for the automatic one-time login is making good progress. We've now got a REST service that can create an action token and an action token handler that logs the user in (see main code below). It uses an authentication flow with no steps/executions.

If we use the action token key and build a URL like http://localhost:8180/auth/realms/myrealm/login-actions/action-token?key=eyJhbGciOiJI... then the user is logged in but ends up in the account console.

Now we would like to integrate it into our Spring Boot application and would be grateful for some hints:

- How can we initiate an OIDC flow from Spring Boot with the action token URL?
- How can we ensure that the flow ends on a specific page in our application?
Regards
Manuel

import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHander;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.events.EventType;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.sessions.AuthenticationSessionModel;

// DirectLoginToken is our own action token class (not shown here).
public class DirectLoginActionTokenHandler extends AbstractActionTokenHander<DirectLoginToken> {

    public DirectLoginActionTokenHandler() {
        super(DirectLoginToken.TOKEN_TYPE, DirectLoginToken.class, "not_allowed", EventType.LOGIN, "invalidCodeMessage");
    }

    @Override
    public Response handleToken(DirectLoginToken token, ActionTokenContext<DirectLoginToken> tokenContext) {
        // Run the "direct login" flow, which has no executions and therefore succeeds immediately
        return tokenContext.processFlow(false, LoginActionsService.AUTHENTICATE_PATH,
                tokenContext.getRealm().getFlowByAlias("direct login"), null, new AuthenticationProcessor());
    }

    @Override
    public String getAuthenticationSessionIdFromToken(DirectLoginToken token,
            ActionTokenContext<DirectLoginToken> tokenContext, AuthenticationSessionModel authenticationSessionModel) {
        // No existing authentication session to resume: always start a fresh one
        return null;
    }

    @Override
    public AuthenticationSessionModel startFreshAuthenticationSession(DirectLoginToken token,
            ActionTokenContext<DirectLoginToken> tokenContext) {
        return tokenContext.createAuthenticationSessionForClient(token.getIssuedFor());
    }

    @Override
    public boolean canUseTokenRepeatedly(DirectLoginToken token, ActionTokenContext<DirectLoginToken> tokenContext) {
        // One-time token: Keycloak records it as used in the action token store
        return false;
    }
}

-----Original Message-----
From: Dmitry Telegin
Sent: Tuesday, 18 June 2019 19:12
To: Manuel Bleichenbacher ; keycloak-user at lists.jboss.org
Subject: Re: AW: [keycloak-user] Automatic one-time login

Hi Manuel,

you're welcome,

On Tue, 2019-06-18 at 14:02 +0000, Manuel Bleichenbacher wrote:
> Hi Dmitry
>
> Thanks so much for your valuable input. It contains so much useful information.
>
> I had studied the action-token-authenticator quickstart example before but I can't see how we could fit it into our solution. I haven't mentioned so far that an unregistered user never goes to a login or registration page. Instead the flow is similar to what you find in some web shops: a customer purchases some items and - as part of the checkout process - enters email address and mobile phone number. After the checkout is complete, the customer is asked if an account should be created for him.
> Up to this moment, Keycloak has not been involved and no authentication or registration flow has been initiated. And since no further entry is needed (in the future the user will log in with email address and a one-time password sent to the mobile number), the Keycloak user can be immediately created and the customer can immediately be logged in.
>
> So given this flow: the quickstart example with a switch from the Keycloak flow to an external application and back is probably not applicable, right?

Correct. This is exactly what I meant by "Had you been using Keycloak's registration flow, this quickstart could have been applicable entirely". Third conditional :)

In other words, you should use this quickstart just as a source of inspiration if you decide to go with action token handler + authenticator + app-specific token instead of REST + one-time code.

Cheers,
Dmitry

>
> Regards
> Manuel
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: Tuesday, 18 June 2019 15:14
> To: Manuel Bleichenbacher ;
> keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Automatic one-time login
>
> Hi Manuel,
>
> You might even avoid implementing one-time code logic (incl. REST endpoint, custom credential etc.) by using the approach demonstrated in the quickstart [1].
>
> Had you been using Keycloak's registration flow, this quickstart could have been applicable entirely (modulo authentication vs. registration flow), but still you can borrow the main idea from it: using an app-specific signed token (instead of a one-time code) to assert that registration succeeded.
>
> Keycloak already supports one-time action tokens (see org.keycloak.authentication.actiontoken.ActionTokenHandler::canUseTokenRepeatedly). To ensure that your app-specific token is one-time too, you could associate it with the "parent" action token using the latter's "nonce" claim.
> One thing you need to know about one-time action tokens in Keycloak - this is done via org.keycloak.models.ActionTokenStoreProvider, and the default implementation (o.k.models.sessions.infinispan.InfinispanActionTokenStoreProvider) is non-persistent, so if for some reason the whole cluster gets restarted before the action token expires, it could potentially be reused.
>
> Otherwise, both options that you described should be viable. Please find the answers below.
>
> On Tue, 2019-06-18 at 08:03 +0000, Manuel Bleichenbacher wrote:
> > Hi everybody,
> >
> > Our new application will have a lengthy user registration procedure that we would like to keep separate from Keycloak (it will mainly require application data, reuse part of the application's UI etc.). At the end of the registration procedure, we would still like to automatically log in the user so he/she doesn't need to reenter the username and password. What are our options to achieve it?
> >
> > The backend will certainly use a privileged Keycloak user (e.g. to create the new user via the REST Admin API). And the result of the login should be that the user's access token (JWT) is available in the user's session in the backend. So far we have come up with the following options:
> >
> > Option A: REST endpoint / custom authenticator
> >
> > - Add a custom REST endpoint so the backend can create a one-time
> > code and save it as a credential on the new user
> > - Add a custom authenticator to the browser flow that checks for the
> > one-time code
> > - The user would then be directed to the regular authentication flow. If the one-time code is present and correct, the username/password step and possibly all other authentication steps will be skipped and the authentication immediately succeeds.
> >
> > Option B: REST endpoint / action token
> >
> > - Add a custom REST endpoint so the backend can create a one-time
> > code and save it as a credential on the new user
> > - Implement an additional action token handler that checks the
> > one-time token to authenticate the user
> > - The user would then be directed to the action token URL. If the one-time code is correct, the user is authenticated.
> >
> > What is your recommendation:
> > - Are these feasible options?
> > - Are we missing a good option?
> >
> > For option A: How can we pass the one-time code to the authentication flow? Can we use a URL parameter, HTTP header attribute?
>
> This is possible, but not very reliable because of HTTP redirects. After a redirect, the initial parameters will be lost (as well as headers), and you'll need to parse the parameter out of the Referer header. Check out this thread [2] for details.
>
> However, there exists a hack so that you can use the "scope" parameter to pass data reliably, see this thread for details [3].
>
> > For option B: Can the action token flow initiate the OAUTH2 flow and return an authorization code? Can this flow be easily integrated with the Spring Boot adapter?
>
> Yes, see this [4]. AFAIK for the adapter it should look like an ordinary flow, it won't even know it had been initiated via an action token handler.
>
> [1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator
> [2] https://lists.jboss.org/pipermail/keycloak-user/2018-November/016230.html
> [3] https://lists.jboss.org/pipermail/keycloak-user/2019-May/018393.html
> [4] https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/java/org/keycloak/quickstart/actiontoken/token/ExternalApplicationNotificationActionTokenHandler.java#L89
>
> Good luck,
> Dmitry Telegin
>
> Carretti Consulting OÜ
> | Keycloak Consulting and Training
> Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
>
> > Any input is appreciated.
> >
> > Thanks
> > Manuel
> >
> > --
> > manuel bleichenbacher | senior consultant
> > m +41 79 617 90 01 | manuel.bleichenbacher at acrea.com
> >
> > acrea ag | konradstrasse 32 | 8005 zürich
> > www.acrea.com | blog.acrea.com
> >
> > www.nezasa.com - incubated by Acrea

From jlieskov at redhat.com Mon Jun 24 06:37:24 2019
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Mon, 24 Jun 2019 12:37:24 +0200
Subject: [keycloak-user] Need help related to SSO session idle and SSO session idle max
In-Reply-To:
References:
Message-ID:

Hello Khyati,

On Mon, Jun 17, 2019 at 11:01 PM Khyati Kataria wrote:

> Hi,
>
> I have one doubt related to these two fields: SSO session idle and SSO
> session idle max in keycloak token settings
>
> In our case it has been set to 30 minutes as session idle, so the webpage
> should get logged out within 30 minutes. But we can observe it is not
> logging out after the described time. We have also tried by setting it to 2-3
> minutes, but it's not happening.
>

Please have a look at the note in the "*13.3. Session and Token Timeouts*" section (below that table describing the meaning of those options). Per that note, when *SSO Session Idle* is set to 30 minutes, the session won't be invalidated after exactly 30 minutes, but rather after 32 minutes. That note explains why this behaviour is needed / necessary.

>
> But, when we set Session_max to 3 minutes, then the webpage is getting
> logged out after 3 minutes.
>

For *SSO Session Idle*, any client requesting authentication or a refresh token within the timeout will bump the timeout value again.
On the other hand, the *SSO Session Max* value is a hard timeout -- the session will be invalidated / expire after this period of time regardless of user (in)activity (whether there were some requests in between or not).

>
> So, basically it is taking session_max but session_idle is not working
> in our project.
>

See above.

>
> Could anyone please explain this behavior? As per my understanding
> session idle time is not working, or I am not sure whether this is expected
> behavior of keycloak or not?
>
> Thanks in advance!
>
> Regards,
> Khyati Kataria
>

HTH

Regards,
Jan

From Ondrej.Scerba at zoomint.com Mon Jun 24 07:09:24 2019
From: Ondrej.Scerba at zoomint.com (Ondrej Scerba)
Date: Mon, 24 Jun 2019 11:09:24 +0000
Subject: [keycloak-user] Group Membership Token Mapper fails with an error in stacktrace
Message-ID: <1014ae38d77d42ab8fb7f98500f28cf3@zoomint.com>

Hi,

When I configure the Group Membership Token Mapper without a token claim name, it fails with the following error:

10:50:07,315 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-24) Uncaught server error: java.lang.RuntimeException: com.fasterxml.jackson.databind.JsonMappingException: Null key for a Map not allowed in JSON (use a converting NullKeySerializer?)
(through reference chain: org.keycloak.representations.AccessToken["[anySetter]"]->java.util.HashMap["null"])
	at org.keycloak.jose.jws.JWSBuilder.jsonContent(JWSBuilder.java:65)
	at org.keycloak.jose.jws.DefaultTokenManager.encode(DefaultTokenManager.java:52)
	at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.build(TokenManager.java:796)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:585)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
	at sun.reflect.GeneratedMethodAccessor684.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
	at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
	at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Null key for a Map not allowed in JSON (use a converting NullKeySerializer?) (through reference chain: org.keycloak.representations.AccessToken["[anySetter]"]->java.util.HashMap["null"])
	at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:285)
	at com.fasterxml.jackson.databind.SerializerProvider.mappingException(SerializerProvider.java:1251)
	at com.fasterxml.jackson.databind.SerializerProvider.reportMappingProblem(SerializerProvider.java:1145)
	at com.fasterxml.jackson.databind.ser.impl.FailingSerializer.serialize(FailingSerializer.java:35)
	at com.fasterxml.jackson.databind.ser.std.MapSerializer.serializeFields(MapSerializer.java:705)
	at com.fasterxml.jackson.databind.ser.AnyGetterWriter.getAndSerialize(AnyGetterWriter.java:62)
	at com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:723)
	at com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:155)
	at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480)
	at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319)
	at com.fasterxml.jackson.databind.ObjectMapper._configAndWriteValue(ObjectMapper.java:3905)
	at com.fasterxml.jackson.databind.ObjectMapper.writeValueAsBytes(ObjectMapper.java:3243)
	at org.keycloak.util.JsonSerialization.writeValueAsBytes(JsonSerialization.java:67)
	at org.keycloak.jose.jws.JWSBuilder.jsonContent(JWSBuilder.java:63)
	... 74 more

I think that token claim name validation should be added, or this token mapper should work correctly without a token claim name as the others do.
Thanks,
Ondrej

From psilva at redhat.com  Mon Jun 24 09:11:54 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 24 Jun 2019 10:11:54 -0300
Subject: [keycloak-user] obtaining RTP by resource name
In-Reply-To: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de>
References: <2846dd01201f4d3ea6fd9d731cfc9884@fokus.fraunhofer.de>
Message-ID:

Hi,

You should be able to obtain a user-owned resource by name if the bearer token is referencing the owner as the subject. Which version of Keycloak are you using? I did not find any specific test for this, but adding one that does exactly what you described (I can be missing something though), it works as expected.

On Fri, Jun 21, 2019 at 10:32 AM Stefanidis, Kyriakos <kyriakos.stefanidis at fokus.fraunhofer.de> wrote:

> Hello all,
> ...more specifically people that use keycloak authorization services.
>
> While dealing with RTPs (without permission tickets) for both user and
> centrally managed resources we encountered an inconsistent behavior and
> would like to know if it is considered a bug or works as intended (and why).
>
> The story:
>
> When a resource is owned by the resource provider (a client), you can get
> a RTP by providing either the resource id (uuid) or the resource name in
> the "permissions" parameter.
>
> Ex.
> "res1" is owned by "client.id" and given "update" scope permission to
> user "usr" via policy/permission combo
> $TOKEN is the access token for user "usr"
>
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res1.id#scope"    //correct RTP with "update" for "res1"
> OR
>   --data "permission=res1.name#scope"  //correct RTP with "update" for "res1"
>
> When a resource is owned by a user, you can only get a RTP by providing
> the resource id (uuid) in the "permission" parameter. Requesting by name
> returns a "Resource with id [res2.name] does not exist."
>
> Ex.
> "res2" is owned by "usr" and has an "update" scope
> $TOKEN is the access token for user "usr"
>
> curl -X POST \
>   https://something/auth/realms/something/protocol/openid-connect/token \
>   -H "Authorization: Bearer $TOKEN" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "audience=client.id" \
>   --data "permission=res2.id#scope"    //correct RTP with "update" for "res1"
> OR
>   --data "permission=res2.name#scope"  //"Resource with id [res2.name] does not exist."
>
> The interesting thing is that if you request a RTP without a specific
> "permission" property, keycloak returns the correct RTP with "update" for
> both res1 and res2, as it should.
>
> Our tests also showed that this behavior does not rely on the "user
> managed" property but only on the "owner" property.
>
> Is this supposed to happen? If yes, why? If no, which one of the two is the
> buggy behavior? The behavior for the user owned or the client owned resource?
>
> The main reason for this email is that the fact that you can obtain RTP
> based on resource name is immensely helpful for us, since the other clients
> (other than the resource provider) cannot get the resource id from keycloak
> but they do know what they are looking for (the resource name). Not being
> able to get RTP based on resource name for user owned resources forces us
> to use a generic RTP for all resources every time, which could become a
> burden if a user can access a very large number of resources.
>
> Best regards,
> Kyriakos Stefanidis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com  Mon Jun 24 10:53:08 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 24 Jun 2019 11:53:08 -0300
Subject: [keycloak-user] authorizationSettings not in response
In-Reply-To:
References:
Message-ID:

On Thu, Jun 20, 2019 at 12:52 PM Ori Doolman wrote:

> Thanks for the answer Pedro.
>
> I understand what you wrote, but I think this poses a difficulty for the
> API users (such as myself ? ).
>
> I want to look for all permissions related to some resource.
>
> Now, instead of selecting all permissions and in my app iterate and filter
> according to the resource, I have two bad-performance solutions:
>
> 1. Use the /settings endpoint and get too much data, including many
>    entities I don't need.
> 2. Get all permissions, and then one by one call the {id}/resources.
>    And then call the other endpoints if I also need scopes and
>    associatedPolicies.
>
> I don't understand why the /policies cannot return the full permission
> entity with the {config} object. It would be the straightforward thing to
> do.
>

We were doing that in the beginning, returning everything when querying a policy by id. But we had performance issues in both admin console and REST API when policies were associated with a lot of resources/scopes.

I see no problem with enabling a query parameter to indicate whether or not the response should also return resources/scopes/associated policies. Wdyt ?

>
> Thanks,
>
> Ori.
>
>
> *From:* Pedro Igor Silva
> *Sent:* Tuesday, June 18, 2019 2:23 PM
> *To:* Ori Doolman
> *Cc:* Rafael Tovar.; keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>
> On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman wrote:
>
> Pedro,
>
> When I call the authz/resource-server/settings endpoint, I get the full
> list of all entities.
>
> That works great if I later want to update the settings using the
> /authz/resource-server/import endpoint.
>
> But /settings might become too big and I only want to update my
> permissions (specific ones, actually).
>
> Hence, I call the /policy endpoint.
>
> But then I get partial entity information for the scope-based permission,
> not similar to the one I get with /settings. The "config" object data is
> missing.
>
> 1) Is that a bug? You can see below both payloads.
>
> The settings endpoint is exporting the settings, basically. So that you
> have a JSON that you can later import data back to your client.
>
> The policy endpoint only returns the policy attributes, so that any other
> associated entity such as resources, scopes, and associated policies should
> be obtained from another endpoint:
>
> {id}/associatedPolicies
> {id}/resources
> {id}/scopes
>
> 2) Can I filter permissions by name contains "mySubstring"? Seems that
> /search does not support that but only exact name match by
> /search?name="name"
>
> You can use the "/" (root) endpoint. It is the one we use in the admin
> console.
>
> Here is /settings call:
>
> "policies": [
>   {
>     "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>     "name": "set-03",
>     "type": "scope",
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "config": {
>       "resources": "[\"set-01\"]",
>       "scopes": "[\"read\",\"write\"]",
>       "applyPolicies": "[\"userPolicy\"]"
>     }
>   }
>
> Here is what I get from /policy endpoint:
>
> {
>   "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>   "name": "set-03",
>   "type": "scope",
>   "logic": "POSITIVE",
>   "decisionStrategy": "UNANIMOUS",
>   "config": {}
> }
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Ori Doolman <Ori.Doolman at cyberark.com>
> *Sent:* Thursday, June 6, 2019 4:22 PM
> *To:* Pedro Igor Silva; Rafael Tovar.
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] authorizationSettings not in response
>
> Great. I was looking for that as well. I don't think it is documented.
> How do you manipulate the authorization entities by REST API?
> For example, add a resource or a scope, modify policy etc.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Pedro Igor Silva
> Sent: Thursday, June 6, 2019 3:43 PM
> To: Rafael Tovar.
> Cc: keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Hi,
>
> Please, append the following path to your URI: "/authz/resource-server/settings".
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
>
> > Hi everybody,
> > I'm trying to get the authorization settings of a client, but it's not
> > coming in the response of the request.
> > This is the request I'm doing:
> >
> > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
> >
> > and this is the response:
> >
> > {
> >   "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
> >   "clientId": "api",
> >   "surrogateAuthRequired": false,
> >   "enabled": true,
> >   "clientAuthenticatorType": "client-secret",
> >   "redirectUris": [
> >     "*"
> >   ],
> >   "webOrigins": [],
> >   "notBefore": 0,
> >   "bearerOnly": false,
> >   "consentRequired": false,
> >   "standardFlowEnabled": true,
> >   "implicitFlowEnabled": false,
> >   "directAccessGrantsEnabled": true,
> >   "serviceAccountsEnabled": true,
> >   "authorizationServicesEnabled": true,
> >   "publicClient": false,
> >   "frontchannelLogout": false,
> >   "protocol": "openid-connect",
> >   "attributes": {
> >     "saml.assertion.signature": "false",
> >     "saml.force.post.binding": "false",
> >     "saml.multivalued.roles": "false",
> >     "saml.encrypt": "false",
> >     "saml.server.signature": "false",
> >     "saml.server.signature.keyinfo.ext": "false",
> >     "exclude.session.state.from.auth.response": "false",
> >     "saml_force_name_id_format": "false",
> >     "saml.client.signature": "false",
> >     "tls.client.certificate.bound.access.tokens": "false",
> >     "saml.authnstatement": "false",
> >     "display.on.consent.screen": "false",
> >     "saml.onetimeuse.condition": "false"
> >   },
> >   "authenticationFlowBindingOverrides": {},
> >   "fullScopeAllowed": true,
> >   "nodeReRegistrationTimeout": -1,
> >   "protocolMappers": [
> >     {
> >       "id": "97330e11-24df-40ce-9335-51d5126d4059",
> >       "name": "Client Host",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientHost",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientHost",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
> >       "name": "Client ID",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientId",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientId",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
> >       "name": "Client IP Address",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientAddress",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientAddress",
> >         "jsonType.label": "String"
> >       }
> >     }
> >   ],
> >   "defaultClientScopes": [
> >     "web-origins",
> >     "role_list",
> >     "profile",
> >     "roles",
> >     "email"
> >   ],
> >   "optionalClientScopes": [
> >     "address",
> >     "phone",
> >     "offline_access",
> >     "microprofile-jwt"
> >   ],
> >   "access": {
> >     "view": true,
> >     "configure": true,
> >     "manage": true
> >   }
> > }
> >
> > Thanks,
> > Rafael.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From patrice.amiel at thalesgroup.com  Mon Jun 24 11:30:48 2019
From: patrice.amiel at thalesgroup.com (AMIEL Patrice)
Date: Mon, 24 Jun 2019 15:30:48 +0000
Subject: [keycloak-user] How to achieve "service continuity" with KeyCloak in Standalone Cluster mode ?
In-Reply-To:
References:
Message-ID:

Hi all,

I'm trying to deploy KeyCloak (v 4.8.3-final) in Standalone Cluster mode in order to answer a very specific requirement: get continuity of service
1/ in case of crash of a KeyCloak instance,
2/ during the upgrade of my solution.

However, I unfortunately don't get such results :(, despite the fact that the cluster looks to be properly configured.

First, as I'm deploying KeyCloak in Kubernetes, I configured KeyCloak in Standalone Cluster mode by using DNS_PING and a TCP transport for JGroups. Instances of the cluster can discover/see each other, and the cluster is working fine as soon as it is used a couple of seconds/minutes after starting the instances. I've created a simple script that just gets JWT tokens in a loop using the Token endpoint of a Realm, and I always get a 200 OK status code whatever the KeyCloak instance that is hit through the Kubernetes Service.

However, coming back to the 2 use cases I'm interested in, it looks like the KeyCloak instances are getting crazy as soon as the cluster is not "stable". By "cluster is not stable", I mean:
- When scaling down the number of Keycloak instances (whether it is by killing a Container or by a smart scale down of the Kubernetes Deployment)
- When performing a rolling update of the Pods

In both cases, during a particular time, most of the calls to get a JWT return an HTTP 499 status code and KeyCloak logs show the following:

08:14:56,785 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p13-t1) ISPN000136: Error executing command GetKeyValueCommand, writing keys ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

08:14:56,790 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-992) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v
    at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:259)
    at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479)
    at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472)
    at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348)
    at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659)
    at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348)
    at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672)
    at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306)
    at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187)
    at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    ... 1 more
    Suppressed: org.infinispan.util.logging.TraceException
        at org.infinispan.interceptors.impl.SimpleAsyncInvocationStage.get(SimpleAsyncInvocationStage.java:41)
        at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:250)
        at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479)
        at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472)
        at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348)
        at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659)
        at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348)
        at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672)
        at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187)
        at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
        at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
        at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
        at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
        at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
        at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) ... 1 more

It looks like the KeyCloak instance that is still alive and receiving the call for generation of the JWT is trying to contact the other instances in order to get some data from the distributed cache... In particular, it tries to contact the instance that is no longer there (because killed, shut down, rolled...), receives a timeout error, and then terminates the incoming request in error.

As I'm making the same request within a loop, I see the error happening during a couple of seconds (around 10 to 15 secs), i.e. during the time the cluster composition is not stabilized yet. When the re-discovery of the cluster has been performed, the new composition of the cluster is updated, and everything goes back to normal!
I can understand, from KeyCloak documentation on server caches (https://www.keycloak.org/docs/4.8/server_installation/index.html#_replication) that "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. You can change the number of nodes that replicate a piece of data by change the owners attribute in the distributed-cache declaration.", but unfortunately, setting the "owner" field to 2 (or more!) for all distributed caches does not remove the issue.

I even tried to change the type of cache from "distributed-cache" to "replicated-cache", but then KeyCloak is not starting. Error during startup:

15:07:13,942 ERROR [org.infinispan.topology.LocalTopologyManagerImpl] (transport-thread--p14-t10) ISPN000230: Failed to start rebalance for cache authenticationSessions: java.lang.ClassCastException: org.infinispan.distribution.ch.impl.DefaultConsistentHash cannot be cast to org.infinispan.distribution.ch.impl.ReplicatedConsistentHash
at org.infinispan.distribution.ch.impl.SyncReplicatedConsistentHashFactory.union(SyncReplicatedConsistentHashFactory.java:26)
at org.infinispan.topology.LocalTopologyManagerImpl.doHandleRebalance(LocalTopologyManagerImpl.java:512)
at org.infinispan.topology.LocalTopologyManagerImpl.lambda$handleRebalance$3(LocalTopologyManagerImpl.java:475)
at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175)
at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37)
at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47)
at java.lang.Thread.run(Thread.java:748)

Did I forget one thing? How to get a real continuity of service with KeyCloak? Is Standalone Cluster mode the good way, and how?

Thanks a lot for your help.
Patrice

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited. E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender. Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

From Ori.Doolman at cyberark.com Mon Jun 24 12:00:25 2019
From: Ori.Doolman at cyberark.com (Ori Doolman)
Date: Mon, 24 Jun 2019 16:00:25 +0000
Subject: [keycloak-user] authorizationSettings not in response
In-Reply-To:
References:
Message-ID:

Pedro,
That would be a perfect solution!
Ori.

________________________________
From: Pedro Igor Silva
Sent: Monday, June 24, 2019 5:53:08 PM
To: Ori Doolman
Cc: Rafael Tovar.; keycloak-user
Subject: Re: [keycloak-user] authorizationSettings not in response

On Thu, Jun 20, 2019 at 12:52 PM Ori Doolman wrote:
> Thanks for the answer Pedro.
>
> I understand what you wrote, but I think this poses a difficulty for the API users (such as myself).
> I want to look for all permissions related to some resource.
> Now, instead of selecting all permissions and in my app iterate and filter according to the resource, I have two bad-performance solutions:
>
> 1. Use the /settings endpoint and get too much data, including many entities I don't need.
> 2. Get all permissions, and then one by one call the {id}/resources. And then call the other endpoints if I also need scopes and associatedPolicies.
>
> I don't understand why the /policies cannot return the full permission entity with the {config} object. It would be the straightforward thing to do.

We were doing that in the beginning, returning everything when querying a policy by id. But we had performance issues in both admin console and REST API when policies were associated with a lot of resources/scopes.

I see no problem about enabling a query parameter to indicate whether or not the response should also return resources/scopes/associated policies. Wdyt?

> Thanks,
> Ori.
>
> From: Pedro Igor Silva
> Sent: Tuesday, June 18, 2019 2:23 PM
> To: Ori Doolman
> Cc: Rafael Tovar.; keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> On Sun, Jun 16, 2019 at 7:04 AM Ori Doolman wrote:
>
> Pedro,
>
> When I call the authz/resource-server/settings endpoint, I get the full list of all entities.
> That works great if I later want to update the settings using the /authz/resource-server/import endpoint.
>
> But /settings might become too big and I only want to update my permissions (specific ones, actually).
> Hence, I call the /policy endpoint.
> But then I get partial entity information for the scope-based permission, not similar to the one I get with /settings. The "config" object data is missing.
>
> 1) Is that a bug? You can see below both payloads.
>
> The settings endpoint is exporting the settings, basically. So that you have a JSON that you can later import data back to your client.
>
> The policy endpoint only returns the policy attributes so that any other associated entity such as resources, scopes, and associated policies should be obtained from another endpoint.
>
> {id}/associatedPolicies
> {id}/resources
> {id}/scopes
>
> 2) Can I filter permissions by name contains "mySubstring"? Seems that /search does not support that but only exact name match by /search?name="name"
>
> You can use the "/" (root) endpoint. It is the one we use in the admin console.
>
> Here is /settings call:
>
> "policies": [
>   {
>     "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>     "name": "set-03",
>     "type": "scope",
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "config": {
>       "resources": "[\"set-01\"]",
>       "scopes": "[\"read\",\"write\"]",
>       "applyPolicies": "[\"userPolicy\"]"
>     }
>   }
>
> Here is what I get from /policy endpoint:
>
> {
>   "id": "a10db0d8-993a-4f34-9082-350033ed8dff",
>   "name": "set-03",
>   "type": "scope",
>   "logic": "POSITIVE",
>   "decisionStrategy": "UNANIMOUS",
>   "config": {}
> }
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Ori Doolman
> Sent: Thursday, June 6, 2019 4:22 PM
> To: Pedro Igor Silva; Rafael Tovar.
> Cc: keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Great. I was looking for that as well. I don't think it is documented.
> How do you manipulate the authorization entities by REST API?
> For example, add a resource or a scope, modify policy etc.
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On Behalf Of Pedro Igor Silva
> Sent: Thursday, June 6, 2019 3:43 PM
> To: Rafael Tovar.
> Cc: keycloak-user
> Subject: Re: [keycloak-user] authorizationSettings not in response
>
> Hi,
>
> Please, append the following path to your URI: "/authz/resource-server/settings".
>
> Regards.
> Pedro Igor
>
> On Thu, Jun 6, 2019 at 8:41 AM Rafael Tovar. wrote:
>
> > Hi everybody,
> > I'm trying to get the authorization settings of a client, but it's not coming in the response of the request.
> > This is the request I'm doing:
> >
> > http://localhost:8080/auth/admin/realms/master/clients/c8e32bbc-72e6-4c30-827f-41ee51980433/
> >
> > and this is the response:
> >
> > {
> >   "id": "c8e32bbc-72e6-4c30-827f-41ee51980433",
> >   "clientId": "api",
> >   "surrogateAuthRequired": false,
> >   "enabled": true,
> >   "clientAuthenticatorType": "client-secret",
> >   "redirectUris": [
> >     "*"
> >   ],
> >   "webOrigins": [],
> >   "notBefore": 0,
> >   "bearerOnly": false,
> >   "consentRequired": false,
> >   "standardFlowEnabled": true,
> >   "implicitFlowEnabled": false,
> >   "directAccessGrantsEnabled": true,
> >   "serviceAccountsEnabled": true,
> >   "authorizationServicesEnabled": true,
> >   "publicClient": false,
> >   "frontchannelLogout": false,
> >   "protocol": "openid-connect",
> >   "attributes": {
> >     "saml.assertion.signature": "false",
> >     "saml.force.post.binding": "false",
> >     "saml.multivalued.roles": "false",
> >     "saml.encrypt": "false",
> >     "saml.server.signature": "false",
> >     "saml.server.signature.keyinfo.ext": "false",
> >     "exclude.session.state.from.auth.response": "false",
> >     "saml_force_name_id_format": "false",
> >     "saml.client.signature": "false",
> >     "tls.client.certificate.bound.access.tokens": "false",
> >     "saml.authnstatement": "false",
> >     "display.on.consent.screen": "false",
> >     "saml.onetimeuse.condition": "false"
> >   },
> >   "authenticationFlowBindingOverrides": {},
> >   "fullScopeAllowed": true,
> >   "nodeReRegistrationTimeout": -1,
> >   "protocolMappers": [
> >     {
> >       "id": "97330e11-24df-40ce-9335-51d5126d4059",
> >       "name": "Client Host",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientHost",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientHost",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "9e45c71d-63f9-4d15-a3b2-e8064a569041",
> >       "name": "Client ID",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientId",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientId",
> >         "jsonType.label": "String"
> >       }
> >     },
> >     {
> >       "id": "1e3f6604-a22e-4b0b-b5d8-ffaa501c142f",
> >       "name": "Client IP Address",
> >       "protocol": "openid-connect",
> >       "protocolMapper": "oidc-usersessionmodel-note-mapper",
> >       "consentRequired": false,
> >       "config": {
> >         "user.session.note": "clientAddress",
> >         "id.token.claim": "true",
> >         "access.token.claim": "true",
> >         "claim.name": "clientAddress",
> >         "jsonType.label": "String"
> >       }
> >     }
> >   ],
> >   "defaultClientScopes": [
> >     "web-origins",
> >     "role_list",
> >     "profile",
> >     "roles",
> >     "email"
> >   ],
> >   "optionalClientScopes": [
> >     "address",
> >     "phone",
> >     "offline_access",
> >     "microprofile-jwt"
> >   ],
> >   "access": {
> >     "view": true,
> >     "configure": true,
> >     "manage": true
> >   }
> > }
> >
> > Thanks,
> > Rafael.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ----------------------------------------------------------------------
> _______________________________________________
> This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error.

From psilva at redhat.com Mon Jun 24 12:13:25 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 24 Jun 2019 13:13:25 -0300
Subject: [keycloak-user] authorizationSettings not in response
In-Reply-To:
References:
Message-ID:

Created https://issues.jboss.org/browse/KEYCLOAK-10705.

On Mon, Jun 24, 2019 at 1:00 PM Ori Doolman wrote:
> Pedro,
> That would be a perfect solution!
> Ori.
From demetrio at carretti.pro Mon Jun 24 13:18:45 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Mon, 24 Jun 2019 20:18:45 +0300
Subject: [keycloak-user] How to achieve "service continuity" with KeyCloak in Standalone Cluster mode ?
In-Reply-To:
References:
Message-ID:

Hello Patrice,

Do you experience this even if the node is properly shut down, i.e. via SIGTERM rather than SIGKILL? Keycloak does seem to properly shut down caches [1], which, according to Infinispan doc [2], should result in a graceful leave. Do you see messages like this in the log after shutdown has been triggered?

20:14:26,598 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0003: Stopped XXX cache from keycloak container

As for replicated caches, the issue might be triggered by mixing caches with different synchronization modes. Could you try to explicitly specify mode="SYNC", like here [3]?

[1] https://github.com/keycloak/keycloak/blob/4.8.3.Final/model/infinispan/src/main/java/org/keycloak/connections/infinispan/DefaultInfinispanConnectionProviderFactory.java#L72
[2] https://infinispan.org/docs/stable/user_guide/user_guide.html#cache_manager
[3] https://infinispan.org/docs/stable/user_guide/user_guide.html#cache_configuration_declarative

Regards,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Mon, 2019-06-24 at 15:30 +0000, AMIEL Patrice wrote:
> Hi all,
>
> I'm trying to deploy KeyCloak (v 4.8.3-final) in Standalone Cluster mode in order to answer a very specific requirement: get continuity of service 1/ in case of crash of a KeyCloak instance, 2/ during the upgrade of my solution.
> However, I unfortunately don't get such results :(, despite the fact the cluster looks to be properly configured.
>
> First, as I'm deploying KeyCloak in Kubernetes, I configured KeyCloak in Standalone Cluster by using the DNS_PING and a TCP transport for JGroups. Instances of the cluster can discover/see each other and the cluster is working fine as soon as it is used a couple of seconds/minutes after starting the instances.
> I've created a simple script that just gets in a loop the JWT tokens using the Token endpoint of a Realm, and I always have a 200 OK status code whatever the KeyCloak instance that is hit through the Kubernetes Service.
>
> However, coming back to the 2 use cases I'm interested in, it looks like the KeyCloak instances are getting crazy as soon as the cluster is not "stable". By "cluster is not stable", I mean:
>
> - When scaling down the number of Keycloak instances (whatever it is by killing a Container or by a smart scale down of the Kubernetes Deployment)
>
> - When performing a rolling update of the Pods
>
> In both cases, during a particular time, most of the calls to get a JWT return an HTTP 499 status code and KeyCloak logs show the following:
> 08:14:56,785 ERROR [org.infinispan.interceptors.impl.InvocationContextInterceptor] (timeout-thread--p13-t1) ISPN000136: Error executing command GetKeyValueCommand, writing keys ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v
> at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
> at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
> at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
> 08:14:56,790 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default
task-992) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v > at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:259) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672) > at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306) > at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148) > at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at
java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at 
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.lang.Thread.run(Thread.java:748) > Caused by: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1883 from id-provider-5c55bbd99d-kqr8v > at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167) > at org.infinispan.remoting.transport.jgroups.StaggeredRequest.onTimeout(StaggeredRequest.java:64) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87) > at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at 
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > ... 1 more > Suppressed: org.infinispan.util.logging.TraceException > at org.infinispan.interceptors.impl.SimpleAsyncInvocationStage.get(SimpleAsyncInvocationStage.java:41) > at org.infinispan.interceptors.impl.AsyncInterceptorChainImpl.invoke(AsyncInterceptorChainImpl.java:250) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:479) > at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:472) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:659) > at org.infinispan.cache.impl.AbstractDelegatingCache.get(AbstractDelegatingCache.java:348) > at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:120) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getLoginFailureEntity(InfinispanUserSessionProvider.java:678) > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:672) > at org.keycloak.services.managers.DefaultBruteForceProtector.isTemporarilyDisabled(DefaultBruteForceProtector.java:306) > at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:85) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221) > at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:148) > at 
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:910) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.resourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:554) > at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:187) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > at 
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at 
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > ... 
1 more
>
> It looks like the KeyCloak instance that is still alive and receiving the call for generation of the JWT is trying to contact the other instances in order to get some data from the distributed cache... In particular, it tries to contact the instance that is no longer there (because killed, shut down, rolled...), receives a Timeout error, and then terminates the incoming request in error.
> As I'm making the same request within a loop, I see the error happening for a couple of seconds (around 10 to 15 secs), i.e. during the time the cluster composition is not stabilized yet. When the re-discovery of the cluster has been performed, the new composition of the cluster is updated, and everything goes back to normal!
>
> I can understand, from the KeyCloak documentation on server caches (https://www.keycloak.org/docs/4.8/server_installation/index.html#_replication) that "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. You can change the number of nodes that replicate a piece of data by change the owners attribute in the distributed-cache declaration.", but unfortunately, setting the "owner" field to 2 (or more!) for all distributed caches does not remove the issue.
> I even tried to change the type of cache from "distributed-cache" to "replicated-cache", but then KeyCloak is not starting:
> > > > > > > > > > > >
> Error during startup:
> 15:07:13,942 ERROR [org.infinispan.topology.LocalTopologyManagerImpl] (transport-thread--p14-t10) ISPN000230: Failed to start rebalance for cache authenticationSessions: java.lang.ClassCastException: org.infinispan.distribution.ch.impl.DefaultConsistentHash cannot be cast to org.infinispan.distribution.ch.impl.ReplicatedConsistentHash > at org.infinispan.distribution.ch.impl.SyncReplicatedConsistentHashFactory.union(SyncReplicatedConsistentHashFactory.java:26) > at org.infinispan.topology.LocalTopologyManagerImpl.doHandleRebalance(LocalTopologyManagerImpl.java:512) > at org.infinispan.topology.LocalTopologyManagerImpl.lambda$handleRebalance$3(LocalTopologyManagerImpl.java:475) > at org.infinispan.executors.LimitedExecutor.runTasks(LimitedExecutor.java:175) > at org.infinispan.executors.LimitedExecutor.access$100(LimitedExecutor.java:37) > at org.infinispan.executors.LimitedExecutor$Runner.run(LimitedExecutor.java:227) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at org.wildfly.clustering.service.concurrent.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:47) > at java.lang.Thread.run(Thread.java:748)
>
> Did I forget one thing? How to get real continuity of service with KeyCloak? Is Standalone Cluster mode the right way, and how?
>
> Thanks a lot for your help.
> Patrice
>
> ________________________________
> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified.
If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Mark.Sargent at gallagher.com Mon Jun 24 21:45:52 2019
From: Mark.Sargent at gallagher.com (Mark Sargent)
Date: Tue, 25 Jun 2019 01:45:52 +0000
Subject: [keycloak-user] Registrations URL
Message-ID:

Hi all,

I solved my previous challenge of direct linking to the Keycloak registration page. I was wondering whether I should expect the login_hint to populate, i.e. to work? We are using the email-as-username option.

/auth/realms/gallagher/protocol/openid-connect/registrations?client_id=account&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2F&state=71825558-a803-4393-8b2c-4cce951b4fe9&response_mode=fragment&response_type=code&scope=openid&nonce=4f1c3181-255f-4781-83d6-1849ed2321a3&login_hint=username

I have used:
username
username at example.com
username%40example.com

Thoughts?

Cheers
Mark

________________________________
This email is confidential and may contain information subject to legal privilege. If you are not the intended recipient please advise us of our error by return e-mail then delete this email and any attached files. You may not copy, disclose or use the contents in any way. The views expressed in this email may not be those of Gallagher Group Ltd or subsidiary companies thereof.
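Patrice's quoted mail earlier in this thread asks about raising the number of owners of the distributed caches so that a killed or rolled pod does not take the only copy of a session or login-failure entry with it. As an added illustration for this page (not configuration taken from Patrice's mail or from the Keycloak project's own files), this is how that change reads in the infinispan subsystem of standalone-ha.xml, with the shipped default of a single owner noted beside the hardened value. The cache names and the other elements are assumed to be those of the default Keycloak 4.x clustered profile; the JGroups stack and the rest of the file are assumed unchanged.

```xml
<!-- standalone/configuration/standalone-ha.xml, subsystem urn:jboss:domain:infinispan -->
<!-- Added illustration for this page; cache names assumed from the default Keycloak 4.x clustered profile. -->
<cache-container name="keycloak">
    <transport lock-timeout="60000"/>

    <!-- Realm, user, key and authorization metadata is cached per node and re-read from the
         database on a miss, so these stay local caches and need no owners attribute. -->
    <local-cache name="realms">
        <object-memory size="10000"/>
    </local-cache>
    <local-cache name="users">
        <object-memory size="10000"/>
    </local-cache>
    <local-cache name="authorization">
        <object-memory size="10000"/>
    </local-cache>
    <local-cache name="keys">
        <object-memory size="1000"/>
        <expiration max-idle="3600000"/>
    </local-cache>

    <!-- Shipped default for all of these is owners="1": exactly one node holds each entry, so the
         entry is gone (and the user logged out, or a brute-force counter reset) when that node stops.
         owners="2" keeps a second copy on another node, which survives the loss of any single pod. -->
    <distributed-cache name="sessions" owners="2"/>
    <distributed-cache name="authenticationSessions" owners="2"/>
    <distributed-cache name="offlineSessions" owners="2"/>
    <distributed-cache name="clientSessions" owners="2"/>
    <distributed-cache name="offlineClientSessions" owners="2"/>
    <!-- loginFailures is the cache the DefaultBruteForceProtector reads in the stack trace above. -->
    <distributed-cache name="loginFailures" owners="2"/>

    <!-- actionTokens already ships with two owners. -->
    <distributed-cache name="actionTokens" owners="2">
        <object-memory size="-1"/>
        <expiration max-idle="-1" interval="300000"/>
    </distributed-cache>

    <!-- work carries cluster-wide invalidation messages and is replicated to every node by default;
         it is the only cache in this container that should be a replicated-cache. -->
    <replicated-cache name="work"/>
</cache-container>
```

Two caveats when applying this. Infinispan expects every node to define a given cache in the same mode, so the edited file has to go to all nodes of the cluster at once rather than to one pod at a time. And a second owner only helps if the joining pod has become a member and received its share of the entries before the next old pod is stopped; on Kubernetes that is governed by the pod's readiness check and the rolling update's maxUnavailable setting, not by the cache configuration itself.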
From tiago.batista at mindera.com Tue Jun 25 05:29:12 2019
From: tiago.batista at mindera.com (Tiago Batista)
Date: Tue, 25 Jun 2019 10:29:12 +0100
Subject: [keycloak-user] When creating a user he is not added to the requested group (on only one of my instances)
In-Reply-To:
References:
Message-ID: <51edee41a4213947b313d6e9e152580ab65c5247.camel@mindera.com>

Please disregard this, it was a simple misconfiguration on one of the realms. One of the realms had that group as a default group for new accounts, so it appeared to work as I expected.

I ended up making a second invocation of the API to assign the user to the correct group when creating a new account.

Regards,
Tiago

On Fri, 2019-06-21 at 11:45 +0100, Tiago Batista wrote:
> Hello all,
>
> I migrated an application to keycloak a couple of months ago, however today I come to you with a problem I cannot solve. The users created on the QA environment are created as they should. They are part of the "self-management" group as expected, however the users created on the staging environment are not added to the group!
>
> The thing that puzzles me is that the environments are a mirror of one another: the same docker images of the api client are promoted from our QA to the client's staging. I have already checked and the keycloak helm charts are on the same version and the keycloak docker images have the same hash (6862c765d226).
>
> The user that is invoking the API has the manage-users role on the realm.
>
> I would love some insight as to where I should look next as this is puzzling me.
>
> Below is an export of the requests from the browser. The response to both is a 201 Created, and there is no information in the logs or the admin events regarding any failure to add the user to the group. I have redacted the domain name and the token.
>
> curl 'https://auth.staging.TLD/auth/admin/realms/acme/users' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
>   -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>   -H 'Referer: https://mc.acme.staging.TLD/app/members/list/' \
>   -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
>   -H 'Origin: https://mc.acme.staging.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
>   --data '{"username":"tiago.batista+acmemember1 at mindera.com","email":"tiago.batista+acmemember1 at mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
>
> curl 'https://auth.qa.TLD/auth/admin/realms/acme/users' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0' \
>   -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed \
>   -H 'Referer: http://mc.acme.qa.TLD/app/members/list' \
>   -H 'Authorization: Bearer VALID_TOKEN' -H 'content-type: application/json' \
>   -H 'Origin: http://mc.acme.qa.TLD' -H 'Connection: keep-alive' -H 'TE: Trailers' \
>   --data '{"username":"tiago.batista+acmeqa1 at mindera.com","email":"tiago.batista+acmeqa1 at mindera.com","firstName":"tiago","lastName":"member","enabled":true,"groups":["self-management"]}'
>
> the token contains the following role on both environments:
>
> "resource_access": {
>   "realm-management": {
>     "roles": [
>       "manage-users"
>     ]
>   },
>
> the staging environment has the following groups:
>
> [
>   {
>     "id": "9fa577be-cf52-4f21-aa7f-770e7c1b81f3",
>     "name": "all-plinth-permissions",
>     "path": "/all-plinth-permissions",
>     "subGroups": []
>   },
>   {
>     "id": "5db60d20-3259-489c-8ac2-f684c3e7dd54",
>     "name": "self-management",
>     "path": "/self-management",
>     "subGroups": []
>   }
> ]
>
> Does anyone have any good idea as to where I should look next?
>
> Regards,
>
> Tiago
>

From j9dy1g at gmail.com Tue Jun 25 09:06:49 2019
From: j9dy1g at gmail.com (Jody H)
Date: Tue, 25 Jun 2019 15:06:49 +0200
Subject: [keycloak-user] Keycloak Gatekeeper access token encryption
In-Reply-To: <20190620200959.GA9818@abstractj.org>
References: <20190620200959.GA9818@abstractj.org>
Message-ID:

Hi Bruno,

this was exactly what we were looking for, thank you. Would be great if this also gets merged sometime soon.

Best regards,

On Thu, 20 Jun 2019 at 17:10, Bruno Oliveira <bruno at abstractj.org> wrote:
> Hi Jody, no need to be sorry. The more details, the better. Are you looking for something like this[1]?
>
> [1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
>
> On 2019-06-20, Jody H wrote:
> > Hi,
> >
> > I am trying to use the Keycloak Gatekeeper proxy and have found a problem I can't seem to solve.
> >
> > I have a service which is hosting a webservice and an api.
> > Keycloak gatekeeper is protecting this application.
> > I have another webservice which is making requests to this api.
> > I have encrypted tokens/cookies enabled in my gatekeeper config.
> > I have looked into the source code of gatekeeper to figure out how the token is being decrypted when it is coming inside of the Authorization header instead of a cookie. It is like this:
> >
> > 1) The token is read from the "Authorization: Bearer" header:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> > 2) If encryption is enabled, the access token needs to be decrypted:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
> > 3) Before decryption, the access token from the Authorization header will be base64-decoded:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> > 4) After decoding, it will be decrypted by AES-GCM:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183
> >
> > I can't seem to figure out how to make requests to the gatekeeper proxy so that the access token I pass in the Authorization header can be read by the gatekeeper. I have checked multiple times that the key I use to encrypt my access token is identical to the one I use in the gatekeeper config.
> > I am using this javascript code to encrypt my data:
> > https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then after encryption, I base64 encode it and add it to the "Authorization: Bearer [base64-encoded encrypted-access-token]" header. The error gatekeeper gives me is this:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
> >
> > The relevant javascript code looks like this:
> > const key = "MY_KEY_HERE_WITH_32_CHARACTERS"; // key is equal to the one in the gatekeeper config
> > const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> > console.log(ciphertext);
> > var req = new XMLHttpRequest();
> > req.open('GET', url, true);
> > req.setRequestHeader('Accept', 'application/json');
> > req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
> >
> > req.onreadystatechange = function () {
> >   if (req.readyState == 4) {
> >     if (req.status == 200) {
> >       document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
> >     } else if (req.status == 403) {
> >       console.log('Forbidden');
> >     } else if (req.status == 401) {
> >       console.log('Unauthorized');
> >     }
> >   }
> > }
> >
> > req.send();
> >
> > Can someone help me out? Sorry for the wall of text and thanks in advance!
> >
> > Best regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> abstractj
>

From Rob.Resendez at cpsi.com Tue Jun 25 10:32:07 2019
From: Rob.Resendez at cpsi.com (Rob Resendez)
Date: Tue, 25 Jun 2019 14:32:07 +0000
Subject: [keycloak-user] rfc7523 - section 2.1 - jwt-bearer
Message-ID: <45e0ed88b84947c3b72d124a88ea65d6@cpsi.com>

I would like to use rfc7523 in keycloak. In particular, section 2.1.
https://tools.ietf.org/html/rfc7523#section-2.1

There have been some prior requests on the mailing list that are mostly unanswered. I found one that has a response, "create an issue". I couldn't find any related issues in jira. Any info on plans to implement this specification? Is it okay to open an issue - I worry about getting some of the fields (component, etc) wrong.
Rob Resendez

From psilva at redhat.com Tue Jun 25 10:50:07 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 25 Jun 2019 11:50:07 -0300
Subject: [keycloak-user] rfc7523 - section 2.1 - jwt-bearer
In-Reply-To: <45e0ed88b84947c3b72d124a88ea65d6@cpsi.com>
References: <45e0ed88b84947c3b72d124a88ea65d6@cpsi.com>
Message-ID:

We only support JWTs for client authentication. For the authorization grant "jwt-bearer", we need an RFE. Try creating a JIRA with more details about your requirements/use case. If anything is missing we will help you :)

Regards.
Pedro Igor

On Tue, Jun 25, 2019 at 11:34 AM Rob Resendez wrote:
> I would like to use rfc7523 in keycloak. In particular, section 2.1.
> https://tools.ietf.org/html/rfc7523#section-2.1
>
> There have been some prior requests on the mailing list that are mostly
> unanswered. I found one that has a response, "create an issue". I couldn't
> find any related issues in jira. Any info on plans to implement this
> specification? Is it okay to open an issue - I worry about getting some of
> the fields (component, etc) wrong.
>
> Rob Resendez

From nanzepanze at gmail.com Tue Jun 25 11:04:35 2019
From: nanzepanze at gmail.com (Nanze Panze)
Date: Tue, 25 Jun 2019 17:04:35 +0200
Subject: [keycloak-user] Is Keycloak 2.5.4 EOL or unsupported?
Message-ID:

I'm not finding an easy way to tell if Keycloak 2.5.4 is EOL or unsupported. Looking at the Github releases this version was released in Feb 2017. That in itself doesn't tell me if the version is unsupported or contains security vulnerabilities.

Can someone from Redhat please provide some information regarding the status of this version.

Thanks in advance.

From msakho at redhat.com Tue Jun 25 12:20:47 2019
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 25 Jun 2019 18:20:47 +0200
Subject: [keycloak-user] Is Keycloak 2.5.4 EOL or unsupported?
In-Reply-To:
References:
Message-ID:

Hello Nanze,
Keycloak is a community edition of Red Hat SSO.
Only RedHat SSO is supported.
You can take any keycloak version you want. You will not have support from Red Hat with the community edition.

--
Meissa Sakho, RHCA Architect
Red Hat EMEA
msakho at redhat.com
M: +33-6-9559-7778

On Tue, 25 Jun 2019 at 17:33, Nanze Panze wrote:
> I'm not finding an easy way to tell if Keycloak 2.5.4 is EOL or
> unsupported. Looking at the Github releases this version was released in
> Feb 2017. That in itself doesn't tell me if the version is unsupported or
> contains security vulnerabilities.
>
> Can someone from Redhat please provide some information regarding the
> status of this version.
>
> Thanks in advance.

From psilva at redhat.com Tue Jun 25 14:14:25 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 25 Jun 2019 15:14:25 -0300
Subject: [keycloak-user] Spring Security and KeycloakRole (GrantedAuthority) Implementation
Message-ID:

Hello All,

I would like to know from those using the Spring Security Adapter if we can do a very simple change to the KeycloakRole type which is used to represent roles granted by Keycloak. The change [1] is all about changing the equals method to support any instance of GrantedAuthority (parent) instead of KeycloakRole instances only.

The reason I'm asking is that in the GrantedAuthority docs there is a comment [2] that made me wonder if we could potentially break any existing deployment relying on the current implementation of equals, where an exact match of a KeycloakRole instance is expected.

Please, let me know your feedback. I'm OK with the proposed changes but I would like to hear more feedback before we accept the changes.
[1] https://github.com/keycloak/keycloak/pull/6113
[2] https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/core/GrantedAuthority.java#L42

Regards.
Pedro Igor

From lasse.jahn at student.hpi.de Tue Jun 25 16:49:39 2019
From: lasse.jahn at student.hpi.de (Lasse Jahn)
Date: Tue, 25 Jun 2019 22:49:39 +0200
Subject: [keycloak-user] ClientRole Import/Export , Get all ClientRoles of an User, Sharing Authorization
Message-ID: <9f26aca4-49bc-211e-c379-e9117651bff7@student.hpi.de>

Hello,

I have 3 questions.

1. How can I export and import client roles?
(Background: I have a client and created some roles, policies, permissions... Now when I export the client the authorization data was not included, but I could export them separately. For client roles I could not find a way of exporting them separately. Some of the client roles are normal roles, others are composite roles.)

2. How do I get all client roles of a user?
(Background: When I look at the OIDC access token of a user, obviously somehow all client roles can be fetched for a specific user. I need to walk through all client roles of a user. For realm roles there exists an endpoint in the Admin REST API, but for client roles only one to receive the client roles of one specific client regarding the user. Is there some efficient way of getting an array of client roles or something similar?)

3. Can I restrict the role-mapping rights of a user to some of the client roles?
(Background: I want to enable a user to map existing client roles to other users. Giving a user the right to share roles with others can be done this way [1]. But how can I restrict this right to only sharing particular roles? Is this possible? For instance we have 5 roles: admin, share_resource1, access_resource1, share_resource2, access_resource2.
A user with the role admin shall be able to map each of these roles to other users; a user with share_resource1 shall only be able to map the role access_resource1 but none else, analogously for resource2.)

Thanks in advance for any response.

Regards
Lasse

[1] https://lists.jboss.org/pipermail/keycloak-user/2017-November/012192.html

From Lasse.Jahn at student.hpi.uni-potsdam.de Wed Jun 26 03:06:06 2019
From: Lasse.Jahn at student.hpi.uni-potsdam.de (Jahn, Lasse)
Date: Wed, 26 Jun 2019 07:06:06 +0000
Subject: [keycloak-user] ClientRole Import/Export , Get all ClientRoles of an User, Sharing Authorization
In-Reply-To: <9f26aca4-49bc-211e-c379-e9117651bff7@student.hpi.de>
References: <9f26aca4-49bc-211e-c379-e9117651bff7@student.hpi.de>
Message-ID:

From mark.banierink at nedap.com Wed Jun 26 03:12:33 2019
From: mark.banierink at nedap.com (Mark Banierink)
Date: Wed, 26 Jun 2019 07:12:33 +0000
Subject: [keycloak-user] Alternative SP login
Message-ID:

Hi all,

For our application it is important that there is an alternative login mechanism for KEYCLOAK-SAML. Wildfly/Undertow already support this mechanism for SPNEGO (SPNEGO,FORM with FORM as fallback for instance). For SAML this could be achieved by allowing an excluded URL, which is not redirecting to the IDP, showing a form for FORM authentication.

What are your thoughts on this feature? Or is there an existing thread on this subject?

Thanks in advance.

Kind regards,
Mark

From i.subasi at medyatakip.com Wed Jun 26 08:19:58 2019
From: i.subasi at medyatakip.com (İlhan Subaşı)
Date: Wed, 26 Jun 2019 15:19:58 +0300
Subject: [keycloak-user] Redirecting page after e-mail verification
Message-ID:

Is there any built-in configuration that makes it possible to redirect the user after successful e-mail verification?

From vramik at redhat.com Wed Jun 26 08:34:55 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 26 Jun 2019 14:34:55 +0200
Subject: [keycloak-user] Is Keycloak 2.5.4 EOL or unsupported?
In-Reply-To:
References:
Message-ID:

Recommended is always the latest released version, it's 6.0.1 atm.

On 6/25/19 6:20 PM, Meissa M'baye Sakho wrote:
> Hello Nanze,
> Keycloak is a community edition of Red Hat SSO.
> Only RedHat SSO is supported.
> You can take any keycloak version you want. You will not have support from
> Red Hat with the community edition.
>
> -- Meissa Sakho, RHCA Architect Red Hat EMEA
> msakho at redhat.com M: +33-6-9559-7778
>
> On Tue, 25 Jun 2019 at 17:33, Nanze Panze wrote:
>> I'm not finding an easy way to tell if Keycloak 2.5.4 is EOL or
>> unsupported. Looking at the Github releases this version was released in
>> Feb 2017. That in itself doesn't tell me if the version is unsupported or
>> contains security vulnerabilities.
>>
>> Can someone from Redhat please provide some information regarding the
>> status of this version.
>>
>> Thanks in advance.

From tiago.batista at mindera.com Wed Jun 26 08:48:30 2019
From: tiago.batista at mindera.com (Tiago Batista)
Date: Wed, 26 Jun 2019 13:48:30 +0100
Subject: [keycloak-user] Redirecting page after e-mail verification
In-Reply-To:
References:
Message-ID:

I do not think you can do it if you request the verification via the admin console. However if you do it via the admin api, you can specify a client_id and a valid redirect_uri to be followed after the procedure is done.

Tiago

On Wed, 2019-06-26 at 15:19 +0300, İlhan Subaşı wrote:
> Is there any built-in configuration that makes it possible to
> redirect
> the user after successful e-mail verification?
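The Admin REST call Tiago's reply refers to, written out as an editor-added example; this script is not part of the thread and not Keycloak's own tooling. Assumed rather than stated in the thread: Keycloak answers at $KEYCLOAK_URL under the /auth context path, the realm is $REALM, an admin bearer token is already in $ADMIN_TOKEN, and the client's registered redirect URIs are passed on the command line (in practice read the "redirectUris" field from GET /admin/realms/{realm}/clients?clientId=...). Keycloak only accepts a redirect_uri that is registered for the client named in client_id and answers 400 otherwise, so the script applies the same rule locally before sending: exact match, or prefix match when the registered entry ends in `*`.

```shell
#!/bin/sh
# Editor-added example, not code from the thread: trigger Keycloak's e-mail
# verification for a user through the Admin REST API, passing client_id and
# redirect_uri so the link in the mail returns the user to your own page.
# Assumed, not taken from the thread: Keycloak at $KEYCLOAK_URL with the /auth
# context path, realm $REALM, and an admin bearer token already in $ADMIN_TOKEN
# (obtained separately, e.g. through the admin-cli client).

KEYCLOAK_URL=${KEYCLOAK_URL:-http://localhost:8080/auth}
REALM=${REALM:-myrealm}

# Keycloak honours a redirect_uri only if it is registered for the client it is
# sent with (HTTP 400 otherwise). This mirrors that rule so the script fails
# early: a registered entry is either an exact URI or a prefix ending in "*",
# Keycloak's wildcard form (e.g. https://app.example.com/*).
# Usage: redirect_uri_allowed <uri> <registered-uri>...  (exit 0 = allowed)
redirect_uri_allowed() {
  uri=$1
  shift
  for pattern in "$@"; do
    case $pattern in
      *\*)
        prefix=${pattern%\*}
        case $uri in
          "$prefix"*) return 0 ;;
        esac
        ;;
      *)
        [ "$uri" = "$pattern" ] && return 0
        ;;
    esac
  done
  return 1
}

# Admin REST path of the action: PUT /admin/realms/{realm}/users/{id}/send-verify-email
# client_id and redirect_uri travel as query parameters (appended by curl below).
verify_email_url() {
  printf '%s/admin/realms/%s/users/%s/send-verify-email\n' "$KEYCLOAK_URL" "$REALM" "$1"
}

# send_verify_email <user-id> <client-id> <redirect-uri> <registered-uri>...
# The registered URIs are supplied by the caller here (constructed input for
# the example); production code reads them from the client representation.
send_verify_email() {
  user_id=$1 client_id=$2 redirect_uri=$3
  shift 3
  if ! redirect_uri_allowed "$redirect_uri" "$@"; then
    echo "redirect_uri $redirect_uri is not registered for client $client_id" >&2
    return 1
  fi
  # -G appends the --data-urlencode pairs to the URL as a query string while
  # -X PUT keeps the HTTP method this endpoint expects; -f fails on non-2xx.
  curl -sS -f -G -X PUT "$(verify_email_url "$user_id")" \
    -H "Authorization: Bearer $ADMIN_TOKEN" \
    --data-urlencode "client_id=$client_id" \
    --data-urlencode "redirect_uri=$redirect_uri"
}

# Usage: ADMIN_TOKEN=... ./send_verify.sh <user-id> <client-id> <redirect-uri> [registered-uri ...]
if [ -n "${ADMIN_TOKEN:-}" ]; then
  send_verify_email "$@"
fi
```

The redirect check matters beyond saving a round trip: a verification link that bounces to an attacker-controlled page is a phishing primitive, which is exactly why Keycloak ties redirect_uri to the client's registered list rather than trusting the caller.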
From bruno at abstractj.org Wed Jun 26 09:51:08 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 26 Jun 2019 10:51:08 -0300
Subject: [keycloak-user] Keycloak Gatekeeper access token encryption
In-Reply-To:
References: <20190620200959.GA9818@abstractj.org>
Message-ID: <20190626135108.GA15177@abstractj.org>

Hi Jody, I'm glad that worked for you. I just returned from travel and will try to do a proper review/merge of it.

On 2019-06-25, Jody H wrote:
> Hi Bruno,
>
> this was exactly what we were looking for, thank you.
> Would be great if this also gets merged sometime soon.
>
> Best regards,
>
> On Thu, 20 Jun 2019 at 17:10, Bruno Oliveira <bruno at abstractj.org> wrote:
>
> > Hi Jody, don't need to be sorry. The more details, the better. Are you
> > looking for something like this[1] ?
> >
> > [1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
> >
> > On 2019-06-20, Jody H wrote:
> > > Hi,
> > >
> > > I am trying to use the Keycloak Gatekeeper proxy and have found a problem I
> > > can't seem to solve.
> > >
> > > I have a service which is hosting a webservice and an api.
> > > Keycloak gatekeeper is protecting this application.
> > > I have another webservice which is making requests to this api.
> > > I have encrypted tokens/cookies enabled in my gatekeeper config.
> > > I have looked into the source code of gatekeeper to figure out how the
> > > token is being decrypted, when it is coming inside of the Authorization
> > > header instead of a cookie.
> > > It is like this:
> > > [...]
> >
> > --
> > abstractj

--
abstractj

From i.subasi at medyatakip.com Wed Jun 26 09:59:46 2019
From: i.subasi at medyatakip.com (İlhan Subaşı)
Date: Wed, 26 Jun 2019 16:59:46 +0300
Subject: [keycloak-user] Redirecting page after e-mail verification
In-Reply-To:
References:
Message-ID:

Thanks. I just did it from the user interface. Under the Configure menu → Clients → account → Settings → Base URL. There I have entered http://example.com. Then the user registers via the registration page, then the user verifies their email address, and finally the web browser redirects to http://example.com.
I didn't know what "Base URL" was used for but apparently it is the redirect url.

On 26.06.2019 15:48, Tiago Batista wrote:
> I do not think you can do it if you request the verification via the
> admin console. However if you do it via the admin api, you can specify
> a client_id and a valid redirect_uri to be followed after the procedure
> is done.
>
> Tiago
>
> On Wed, 2019-06-26 at 15:19 +0300, İlhan Subaşı wrote:
>> Is there any built-in configuration that makes it possible to
>> redirect
>> the user after successful e-mail verification?

From reese.garth at indexexchange.com Wed Jun 26 10:01:55 2019
From: reese.garth at indexexchange.com (Reese Garth)
Date: Wed, 26 Jun 2019 14:01:55 +0000
Subject: [keycloak-user] OIDC Client Secret Encryption
Message-ID: <5A6A5CE6-7C9D-4629-93FE-E4FBB13454F8@indexexchange.com>

Hi,

I have APIs that I'd like to give programmatic access to partners and I have some questions on how best to use Keycloak to facilitate this. From the research I've done, it seems that the best method is to use the client credentials grant where each partner can create a new client in Keycloak and have their app authenticate as that client to access the APIs. My largest hesitation with using this method is that the client secret is stored in plaintext and is visible in the admin UI.

1. Is there a particular reason the generated client secret is stored in plaintext? I'm assuming there is, but I can't figure out what it would be.
2. Is there any possibility to add encrypted client secrets as a feature in the future?
3. Are there any alternatives/best practices for programmatic access that make use of Keycloak?

Thanks for your time,
Reese

From ronaldo.yamada at serpro.gov.br Wed Jun 26 15:41:36 2019
From: ronaldo.yamada at serpro.gov.br (Ronaldo Hideki Yamada)
Date: Wed, 26 Jun 2019 16:41:36 -0300 (BRT)
Subject: [keycloak-user] Only bearer client and Authorization
Message-ID: <1351098037.9622089.1561578096460.JavaMail.zimbra@serpro.gov.br>

Hi,

I have the following use case:

One client A1 (web) makes an authentication code flow and gets an access_token.

I want to use this access token as Bearer token T1[azp=A1] in backend client B1 (api) with authorization enabled.

And validate permissions on Resources#Scopes in client B1 mapped by client B1 RolePolicy.

I already got it to work only if I add the builtin protocol mapper "User Client Role" to the first client A1 and insert the client roles of B1 on token T1.

But this largely increases the size of access_token T1 and I have a limit of 4k.
How do I make Keycloak evaluate authz permissions [RolePolicy] against the User client role in the internal Database, instead of the information in the first token T1?

Ronaldo Hideki Yamada

From psilva at redhat.com Wed Jun 26 15:56:53 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 26 Jun 2019 16:56:53 -0300
Subject: [keycloak-user] Only bearer client and Authorization
In-Reply-To: <1351098037.9622089.1561578096460.JavaMail.zimbra@serpro.gov.br>
References: <1351098037.9622089.1561578096460.JavaMail.zimbra@serpro.gov.br>
Message-ID:

Hi Ronaldo,

That is a good point and probably something we can improve. Currently, the roles are always obtained from the bearer token or subject_token you are using to make the authorization request. I think we could also fall back to checking roles by querying our identity stores internally.

One thing you could do for now though is writing a JS policy to perform RBAC [1].

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context

On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote:
> Hi,
>
> I have the following use case:
>
> One client A1 (web) makes an authentication code flow and gets an
> access_token.
>
> I want to use this access token as Bearer token T1[azp=A1] in backend client
> B1 (api) with authorization enabled.
>
> And validate permissions on Resources#Scopes in client B1 mapped by client
> B1 RolePolicy.
>
> I already got it to work only if I add the builtin protocol mapper "User Client
> Role" to the first client A1 and insert the client roles of B1 on token T1.
>
> But this largely increases the size of access_token T1 and I have a limit of 4k.
>
> How do I make Keycloak evaluate authz permissions [RolePolicy] against the User
> client role in the internal Database, instead of the information in the first token T1?
>
> Ronaldo Hideki Yamada

From hossein.doutaghy at gmail.com Wed Jun 26 16:26:46 2019
From: hossein.doutaghy at gmail.com (Hossein Doutaghy)
Date: Wed, 26 Jun 2019 16:26:46 -0400
Subject: [keycloak-user] The "Lost data because of abrupt leavers" message in the server logs
Message-ID:

Hi,

We are seeing the following FATAL log message in server.log whenever a node leaves the HA cluster.

15:39:21,605 FATAL [org.infinispan.CLUSTER] (transport-thread--p14-t6) [Context=clientSessions] ISPN000313: Lost data because of abrupt leavers [ckey-ckey-1]

I do not see any session lost when a node is leaving a cluster. Could you please confirm why this message is generated and whether there is actually any data loss at the time a node leaves the cluster?

Can we prevent this FATAL message from showing in the logs? If so, how is it possible?

--
Moe Doutaghy

From luis.villaca at petrobras.com.br Wed Jun 26 17:03:43 2019
From: luis.villaca at petrobras.com.br (luis.villaca at petrobras.com.br)
Date: Wed, 26 Jun 2019 18:03:43 -0300
Subject: [keycloak-user] Missing custom attributes from migrated users
Message-ID:

Greetings,

I do not see the custom attributes from users created in Realm A, migrated to Realm B.

I have configured in Realm A, using it for SSO, a user federation that validates the credentials and fetches user data from a service (via a custom UserStorageProvider), and populates a Keycloak user with name, e-mail, and some corporate attributes like division (setting singleAttributes from UserModel).

Then in realm B I have an Identity Provider that points to a Broker in Realm A. In "first login flow" I have a custom Authentication flow, with two execution steps:
- Create User If Unique
- Automatically Link Brokered Account

This allows me to automatically migrate this user to my realm.
So login from realm B ends in authentication in realm A, which pulls a user according to our service. Then the process migrates the user data to realm B - but as I inspect this user I see e-mail, name (first & last) but I cannot see my custom attributes.

Any hints?

Thanks,
Luis

From sthorger at redhat.com Thu Jun 27 02:17:26 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Jun 2019 08:17:26 +0200
Subject: [keycloak-user] Review update to Turkish translation
Message-ID:

Can someone from the community please review a short update to the Turkish translation? The PR is: https://github.com/keycloak/keycloak/pull/6124

From wolfgang.weber at bearingpoint.com Thu Jun 27 02:58:33 2019
From: wolfgang.weber at bearingpoint.com (Weber, Wolfgang)
Date: Thu, 27 Jun 2019 06:58:33 +0000
Subject: [keycloak-user] Upgrade to 6.0.1 - Oracle driver failing to load
Message-ID:

Hi!

Regarding the question: Has something changed between these versions requiring driver install changes?

Check https://issues.jboss.org/browse/WFLY-10640, resolved with WildFly 14. Configured datasources are now checked as to whether the specified datasource-class or xa-datasource-class is a valid implementation of javax.sql.DataSource or javax.sql.XADataSource when adding a new jdbc driver or adding a new (xa-)datasource.

Regards,
Wolfgang

On Wed, 2019-06-05 at 13:35 +0000, David Paul wrote:
> Hi all,
>
> I was able to determine that it is 4.5.0 to 4.6.0 that breaks the oracle driver load. Was something changed between those versions that breaks the upgrade process I used (shown in email content below)? I used that same process from:
> 3.2.1 to 3.4
> 3.4 to 4.0
> 4.0 to 4.1
> 4.1 to 4.2.1
> 4.2.1 to 4.5
>
> 4.5 to 4.6 causes the error I listed in the below email content.
> My (oracle) linux 7 OS is up to date and I have tried java 7, 8 and openJava 10. Also I used ojdbc7.jar and ojdbc8.jar drivers
>
> Has something changed between these versions requiring driver install changes?
>
> Dave

________________________________
BearingPoint Technology GmbH
Sitz: Premstätten bei Graz
Firmenbuchgericht: Landesgericht für ZRS Graz
Firmenbuchnummer: FN 44354b
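A driver registration that satisfies the check Wolfgang points to, as an editor-added example that is not part of the thread and not Keycloak's or WildFly's own tooling. Assumed, not stated in the thread: the failing setup had named the plain java.sql.Driver class (oracle.jdbc.OracleDriver) where a DataSource class belongs, ojdbc8.jar lives at $OJDBC_JAR, Keycloak is installed at $KEYCLOAK_HOME, and the server is stopped while the CLI script runs in embedded mode. The class names for the two roles, oracle.jdbc.pool.OracleDataSource (javax.sql.DataSource) and oracle.jdbc.xa.client.OracleXADataSource (javax.sql.XADataSource), are the ones Oracle's driver ships; the script first confirms they are really inside the jar, so a mistake surfaces locally instead of as a failed service at boot.

```shell
#!/bin/sh
# Editor-added example, not code from the thread: register the Oracle JDBC
# driver so it passes the class check WFLY-10640 describes (WildFly 14 and
# later, i.e. the Keycloak 4.6.0 upgrade step): the datasource-class and
# xa-datasource-class recorded for a driver must implement
# javax.sql.DataSource and javax.sql.XADataSource respectively.
# Assumed, not stated in the thread: ojdbc8.jar at $OJDBC_JAR, Keycloak at
# $KEYCLOAK_HOME, server stopped while the CLI runs (embedded mode), and that
# the rejected setup named the java.sql.Driver class where a DataSource belongs.

OJDBC_JAR=${OJDBC_JAR:-/opt/oracle/ojdbc8.jar}
KEYCLOAK_HOME=${KEYCLOAK_HOME:-/opt/keycloak}
MODULE_NAME=com.oracle.ojdbc8

# Classes Oracle's driver ships for each role.
ORACLE_DRIVER_CLASS=oracle.jdbc.OracleDriver                  # java.sql.Driver only
ORACLE_DS_CLASS=oracle.jdbc.pool.OracleDataSource             # javax.sql.DataSource
ORACLE_XA_DS_CLASS=oracle.jdbc.xa.client.OracleXADataSource   # javax.sql.XADataSource

# jar_has_class <jar> <fully.qualified.Class>: exit 0 if the jar carries the
# class file, 1 otherwise (also 1 when the jar is missing or unreadable).
jar_has_class() {
  jar=$1 cls=$2
  unzip -l "$jar" 2>/dev/null | grep -q " $(printf '%s' "$cls" | tr . /)\\.class\$"
}

# Emits the jboss-cli script. The registration WildFly 14+ rejects is kept as
# a CLI comment beside the accepted one for comparison.
driver_cli_script() {
  cat <<EOF
embed-server --server-config=standalone-ha.xml
module add --name=$MODULE_NAME --resources=$OJDBC_JAR --dependencies=javax.api,javax.transaction.api
# Rejected since WFLY-10640: $ORACLE_DRIVER_CLASS is a java.sql.Driver, not a javax.sql.DataSource
# /subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle,driver-module-name=$MODULE_NAME,driver-datasource-class-name=$ORACLE_DRIVER_CLASS)
/subsystem=datasources/jdbc-driver=oracle:add(driver-name=oracle,driver-module-name=$MODULE_NAME,driver-class-name=$ORACLE_DRIVER_CLASS,driver-datasource-class-name=$ORACLE_DS_CLASS,driver-xa-datasource-class-name=$ORACLE_XA_DS_CLASS)
stop-embedded-server
EOF
}

# Verify the jar before touching the server configuration, then apply the CLI.
install_oracle_driver() {
  for cls in $ORACLE_DS_CLASS $ORACLE_XA_DS_CLASS; do
    if ! jar_has_class "$OJDBC_JAR" "$cls"; then
      echo "$cls is not in $OJDBC_JAR; jdbc-driver:add would be rejected" >&2
      return 1
    fi
  done
  driver_cli_script > "$KEYCLOAK_HOME/oracle-driver.cli"
  "$KEYCLOAK_HOME/bin/jboss-cli.sh" --file="$KEYCLOAK_HOME/oracle-driver.cli"
}

# Usage: OJDBC_JAR=/path/ojdbc8.jar KEYCLOAK_HOME=/opt/keycloak ./oracle-driver.sh install
if [ "${1:-}" = install ]; then
  install_oracle_driver
fi
```

The same validation applies when the data-source or xa-data-source itself names a datasource-class, so a datasource copied forward from an older standalone.xml needs the same review as the driver entry.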
From mihai.g at adoreme.com Thu Jun 27 03:08:39 2019 From: mihai.g at adoreme.com (Mihai Gogu) Date: Thu, 27 Jun 2019 10:08:39 +0300 Subject: [keycloak-user] Session persistence in MySQL Message-ID: <265C44DD-F188-4A1B-ACFD-3E88DF727CE9@adoreme.com> Hello, We have a keycloak 6.0.1 setup in kubernetes and we want to configure the infinispan persistence for sessions through MySQL since we can expect the containers to be restarted at any time and setting up more infinispan owners does not offer enough guarantees for our needs. The config that we have now is like this: false true ? When we try to start Keycloak with this config we get the following error: ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.keycloak.sessions" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.persistence.manager.PreloadManager.start() on object of type PreloadManager Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.persistence.manager.PreloadManager.start() on object of type PreloadManager Caused by: java.lang.RuntimeException: org.h2.jdbc.JdbcSQLException: Invalid value \"-2147483648\" for parameter \"rows\" [90008-193] Caused by: org.h2.jdbc.JdbcSQLException: Invalid value \"-2147483648\" for parameter \"rows\" [90008-193]?}} Can you please point us to an example config for this use case or help us with some advices on how we can achieve session persistence with MySQL? We are also using MySQL as the database for Keycloak (users, clients, configs etc?) Thank you! 
From corentin.dupont at gmail.com Thu Jun 27 04:26:36 2019
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 27 Jun 2019 10:26:36 +0200
Subject: [keycloak-user] resource ids
Message-ID:

Hi guys,
I discovered that you can provide your own id when creating resources:

curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{"_id": "123-456", "type": "test", "name":"test", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}'

This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique

Is that correct? The resource type is not used in the unicity.
In my application database, resources with different types are stored in different collections, so two resources with different types *can* have the same ID.
How do you suggest to solve this in Keycloak? Providing a keycloak ID of the form - for example? e.g. sensor-123 and project-123 would not collide.

Cheers

From celine at libertymedical.fr Thu Jun 27 07:34:06 2019
From: celine at libertymedical.fr (Céline Leduc)
Date: Thu, 27 Jun 2019 13:34:06 +0200
Subject: [keycloak-user] Implementing keycloak User Storage SPI in Scala using Akka
Message-ID:

Hello there,

I'm currently implementing a User Storage SPI in Scala using Akka which is the main protocol used within our back services.
I first encountered some troubles regarding sbt assembly and the configuration files, leading to the creation of this ticket here on lightbend forum https://discuss.lightbend.com/t/configuration-error-when-deploying-akka-application-in-fat-jar-on-jboss/4470
I finally managed to retrieve correctly my configuration file adding it manually and reading it via ConfigFactory.parseFile(filename)

However, now I'm facing a new exception: I get a ClassNotFoundException for the class akka.event.DefaultLoggingFilter at startup.
A message with the same issue has already been published two years ago on the mailing list but doesn't have any precise answer.
Does anyone know what may be causing this error and how to solve it? Or maybe have a sample of working integration of a Scala User Storage SPI using Akka?

Here is the complete stack trace I'm getting:

09:19:32,530 WARN [org.keycloak.services] (default task-466) KC-SERVICES0013: Failed authentication: java.lang.ClassNotFoundException: akka.event.DefaultLoggingFilter from [Module "deployment.keycloak-server.war" from Service Module Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at akka.actor.ReflectiveDynamicAccess.$anonfun$getClassFor$1(ReflectiveDynamicAccess.scala:22) at scala.util.Try$.apply(Try.scala:213) at akka.actor.ReflectiveDynamicAccess.getClassFor(ReflectiveDynamicAccess.scala:21) at akka.actor.ReflectiveDynamicAccess.createInstanceFor(ReflectiveDynamicAccess.scala:39) at akka.actor.ActorSystemImpl.(ActorSystem.scala:780) at akka.actor.ActorSystem$.apply(ActorSystem.scala:246) at
akka.actor.ActorSystem$.apply(ActorSystem.scala:289) at akka.actor.ActorSystem$.apply(ActorSystem.scala:264) at med.lib.service.client.MicroServiceClient.$init$(MicroServiceClient.scala:27) at med.lib.service.client.KeycloakDataServicesClient.(KeycloakDataServicesClient.scala:18) at med.lib.service.keycloak.DSInterface.(DSInterface.scala:22) at med.lib.service.keycloak.DSUserStorageProvider.(DSUserStorageProvider.scala:19) at med.lib.service.keycloak.DSUserStorageProviderFactory.create(DSUserStorageProviderFactory.scala:43) at med.lib.service.keycloak.DSUserStorageProviderFactory.create(DSUserStorageProviderFactory.scala:19) at org.keycloak.storage.UserStorageManager.getStorageProviderInstance(UserStorageManager.java:92) at org.keycloak.storage.UserStorageManager.getEnabledStorageProviders(UserStorageManager.java:130) at org.keycloak.storage.UserStorageManager.getUserByEmail(UserStorageManager.java:407) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByEmail(UserCacheSession.java:380) at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:207) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:148) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at 
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) at sun.reflect.GeneratedMethodAccessor701.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748) Thanks for your help! 
Céline Leduc
Software engineer
www.libmed.fr
Supported by:
- Le Ministère de l'Enseignement supérieur, de la Recherche et de l'Innovation
- BPI France

From Ondrej.Scerba at zoomint.com Thu Jun 27 07:41:51 2019
From: Ondrej.Scerba at zoomint.com (Ondrej Scerba)
Date: Thu, 27 Jun 2019 11:41:51 +0000
Subject: [keycloak-user] Is it possible to invalidate token in Spring Security Adapter
Message-ID: <71b6316ae93141b9ae7cde41d8e19f7f@zoomint.com>

Hi,

Is it possible to invalidate token in "offline validator" in Spring Security Adapter?

Thanks,
Ondrej

From Dustin.Teel at leidos.com Thu Jun 27 07:45:34 2019
From: Dustin.Teel at leidos.com (Teel, Dustin L.)
Date: Thu, 27 Jun 2019 11:45:34 +0000
Subject: [keycloak-user] Undeclared namespace "ec" while deserializing SAML Response
Message-ID:

Hi all,

My team is having a deserialization issue with a certain SAML Response document that we are getting from one of our clients. I have submitted a bug ticket (https://issues.jboss.org/browse/KEYCLOAK-10729), but I also wanted to start a discussion here to see if anyone has run into this issue/it is fixed in a later version already/knows of a workaround. We are currently on version 4.1.0.Final.

The stack trace and relevant parts of the SAML Response document are part of the ticket description, but I will summarize the issue we are seeing here. Our setup includes a SAML Client which has the properties for IDP-Initiated SSO set. We then have a SAML IDP setup with the metadata from our client. Our client posts a SAML Response to the IDP-Initiated SSO for the client and IDP and we are getting the following exception when Keycloak attempts to deserialize the SAML Response:

org.keycloak.saml.common.exceptions.ParsingException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ec"

(Full stack trace and SAML Response document are in the ticket linked above)

The issue here seems to be the location in which the "ec" namespace is declared.
The namespace is declared in the root element. The "ec" namespace is actually used in a element that is a descendant of the element. It seems that during deserialization Keycloak does not apply namespaces declared in the root element to descendant elements. I say this because if we move the "ec" namespace declaration down to the element then everything works as expected.

If you have any questions or need clarification, please let me know. Thank you in advance for your help!

Thank you,
Dustin Teel

From psilva at redhat.com Thu Jun 27 08:43:17 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 27 Jun 2019 09:43:17 -0300
Subject: [keycloak-user] Is it possible to invalidate token in Spring Security Adapter
In-Reply-To: <71b6316ae93141b9ae7cde41d8e19f7f@zoomint.com>
References: <71b6316ae93141b9ae7cde41d8e19f7f@zoomint.com>
Message-ID:

Hi,

If you are using bearer tokens, the adapter only performs local validation based on a specific set of claims and signature. If you need to revoke tokens and propagate the revocation to your resource servers, you should consider introspecting the token using the token introspection endpoint. However, our adapters don't provide the support for choosing between local/remote introspection.

Local introspection and validation are enough for most people but depending on your requirements/constraints you may want to use the introspection endpoint.

Regards.
Pedro Igor

On Thu, Jun 27, 2019 at 8:51 AM Ondrej Scerba wrote:
> Hi,
>
> Is it possible to invalidate token in "offline validator" in Spring
> Security Adapter?
>
> Thanks,
> Ondrej
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Thu Jun 27 08:53:26 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 27 Jun 2019 09:53:26 -0300
Subject: [keycloak-user] resource ids
In-Reply-To:
References:
Message-ID:

Hi Corentin,

One of the main reasons to allow setting the ID is to make it easier to map resources managed by Keycloak to those you are protecting in your app.

The IDs must be unique.

It is not clear to me why the type is not enough?

On Thu, Jun 27, 2019 at 5:28 AM Corentin Dupont wrote:
> Hi guys,
> I discovered that you can provide your own id when creating resources:
>
> curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H "Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d '{"_id": "123-456", "type": "test", "name":"test", "scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont", "ownerManagedAccess": true}'
>
> This is very practical for synchronizing the resources with my own
> database.
> After some investigation, I found:
> - the ID should be unique
> - the name should be unique
>
> Is that correct? The resource type is not used in the unicity.
> In my application database, resources with different types are stored in
> different collections, so two resources with different types *can* have the
> same ID.
> How do you suggest to solve this in Keycloak? Providing a keycloak ID of
> the form - for example? e.g. sensor-123 and project-123 would not
> collide.
>
> Cheers

From mareklindner at neomailbox.ch Thu Jun 27 09:24:50 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Thu, 27 Jun 2019 21:24:50 +0800
Subject: [keycloak-user] resource ids
In-Reply-To:
References:
Message-ID: <4364012.2UoHNFKnBZ@rousseau>

Hi Pedro,

> One of the main reasons to allow setting the ID is to make it easier to map
> resources managed by Keycloak to those you are protecting in your app.
>
> The IDs must be unique.

apologies for jumping in here - if the IDs must be unique why is the name also required to be unique? The APIs appear to be referencing the IDs only and the name is just an attribute to the resource?

Thanks,
Marek

From chris.smith at cmfirstgroup.com Thu Jun 27 09:50:57 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Thu, 27 Jun 2019 13:50:57 +0000
Subject: [keycloak-user] Where might I find a list of recommended Keycloak PHP clients?
Message-ID:

There are several OpenID Connect clients and I have no idea about their quality.

From psilva at redhat.com Thu Jun 27 10:05:00 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 27 Jun 2019 11:05:00 -0300
Subject: [keycloak-user] resource ids
In-Reply-To: <4364012.2UoHNFKnBZ@rousseau>
References: <4364012.2UoHNFKnBZ@rousseau>
Message-ID:

Not at all. Feel free to participate in any discussion :)

The name attribute is unique on a client+owner basis.

The unicity of ids is important as we have optimizations around it.
In the future, we are planning to make two main enhancements to resource mgmt:

* Resource-less Evaluation, so that you don't actually need to manage resources in Keycloak in order to evaluate policies. This can be done today using a single resource and a JS policy though, but we can provide something better.
* Resource SPI, so that you can plug your resource store instead of using Keycloak internal database

On Thu, Jun 27, 2019 at 10:47 AM Marek Lindner wrote:
> Hi Pedro,
>
> > One of the main reasons to allow setting the ID is to make it easier to map
> > resources managed by Keycloak to those you are protecting in your app.
> >
> > The IDs must be unique.
>
> apologies for jumping in here - if the IDs must be unique why is the name
> also
> required to be unique? The APIs appear to be referencing the IDs only and
> the
> name is just an attribute to the resource?
>
> Thanks,
> Marek

From jonesy at sydow.org Thu Jun 27 14:00:11 2019
From: jonesy at sydow.org (JTK)
Date: Thu, 27 Jun 2019 13:00:11 -0500
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
Message-ID:

I've read through all the documentation I can find online both with the official documents and everything else I could find and I believe I have everything setup, with additional logging turned on, but I'm not getting any type of prompt for an x509 certificate when logging in.

Here are the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.

......

......

I've setup the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding settings.
The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm.

Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard.

Thanks,
J

From pnalyvayko at agi.com Thu Jun 27 19:41:03 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 27 Jun 2019 23:41:03 +0000
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

I've read through all the documentation I can find online both with the official documents and everything else I could find and I believe I have everything setup, with additional logging turned on, but I'm not getting any type of prompt for an x509 certificate when logging in.

Here are the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.

......

......
I've setup the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required.
Everything is setup per the KeyCloak documentation to include the binding settings.

The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm.

Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard.

Thanks,
J

From mareklindner at neomailbox.ch Thu Jun 27 22:01:54 2019
From: mareklindner at neomailbox.ch (Marek Lindner)
Date: Fri, 28 Jun 2019 10:01:54 +0800
Subject: [keycloak-user] resource ids
In-Reply-To:
References: <4364012.2UoHNFKnBZ@rousseau>
Message-ID: <6043715.S9K7MI4llo@rousseau>

On Thursday, 27 June 2019 22:05:00 HKT Pedro Igor Silva wrote:
> The name attribute is unique on a client+owner basis.
>
> The unicity of ids is important as we have optimizations around it.

I fully understand why an ID has to be unique. My question was about the name being unique per client+owner. What makes the name attribute special to require it to be unique per client+owner?

> In the future, we are planning to make two main enhancements to resource
> mgmt:
>
> * Resource-less Evaluation, so that you don't actually need to manage
> resources in Keycloak in order to evaluate policies. This can be done today
> using a single resource and a JS policy though, but we can provide
> something better.
> * Resource SPI, so that you can plug your resource store instead of using
> Keycloak internal database

Great plan!
Cheers,
Marek

From sean at fixedpointcode.com Fri Jun 28 04:18:19 2019
From: sean at fixedpointcode.com (Seán Kelleher)
Date: Fri, 28 Jun 2019 09:18:19 +0100
Subject: [keycloak-user] Getting grant from access token
Message-ID:

Hi everyone,

This is my first time using this service, so apologies if I've overlooked a precondition for posting.

Is there a way to retrieve or derive the grant that was used to obtain a particular access token, from the access token itself?

My use case is that I have an `/accept_tos` endpoint that takes an IP address, which is logged as having accepted our terms of service. This is under the assumption that the endpoint is being called by a client application that authenticated the user using an authorization code grant. However, we now also support logins using the implicit flow, so the acceptance request is no longer being relayed by a third party client, but is instead being made by the client itself. In this case I want the app to use `/accept_tos_direct`, which will use the IP address of the request itself (accounting for reverse proxies) instead of taking it from the body of the request. Of course, a client could try and determine its own IP address and supply that using `/accept_tos`, but I feel like this is a slightly hacky workaround and may lend itself to error.

I want to be able to prevent clients from using the wrong endpoint, based on the grant they used to retrieve their access token. At the moment, I don't see any fields in the access token that can be used to get this information, or how I could enable such a field.
I thought the "aud" field could fit the purpose, assuming that it was something like "" in the case of an authorization code grant and something like "resource_server" in the case of an implicit grant, but when I tested this assumption, access tokens from both grants gave a value of `["", "account"]`.

Does anyone have any suggestions as to how I could get this behaviour?

Kind regards,
Seán.

From jonesy at sydow.org Fri Jun 28 09:17:26 2019
From: jonesy at sydow.org (JTK)
Date: Fri, 28 Jun 2019 08:17:26 -0500
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"

I am seeing no errors in the logs related to certificates. I do see the root CA I'm trying to use along with the intermediate.

I am using a client certificate, but I'm providing it via a card reader on my computer. So I'm presenting a token on a smart card per se and not a soft cert loaded on my system. Would this make a difference?

Should I be seeing any sort of error output in the logs if the certs were loaded wrong or any other JAVA related issue? I can post the debug output, but it's quite long.

- Note, we currently use a commercial based IdP which accepts our smart card with tokens on them, so I assumed Keycloak by default would see a certificate loaded locally or via the smart card reader.

On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter wrote:
> One possible reason you are not getting prompted is that the intermediate
> or root certs in your trust store do not match the intermediate or root
> certs used to sign the client certificates registered on your client
> machine.
> To troubleshoot the SSL handshake you can use -Djavax.net.debug,
> see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [
> keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Not being prompted for x509 User Certs on
> KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for an x509 certificate when logging in.
>
> Here are the excerpts from the standalone.xml file where ssl-realm was
> added to the management security-realms and under the subsystem.
>
> ......
>
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>
> ......
>
> default-server="default-server" default-virtual-host="default-host"
> default-servlet-container="default" default-security-domain="other">
>
> redirect-socket="https" enable-http2="true"/>
> security-realm="ssl-realm" verify-client="REQUESTED"/>
>
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>
> I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and truststore.jks
> files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything in
> the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist?
> We are looking to most likely purchase this as a product
> through RedHat SSO if it works well to get the support we need, but I've
> been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J

From pnalyvayko at agi.com Fri Jun 28 09:32:47 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Fri, 28 Jun 2019 13:32:47 +0000
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References: ,
Message-ID:

We have successfully tested and deployed the CAC card & X509 auth without any issues.

One suggestion is: in the SSL debug output, search for a list of CA authorities the KC server sends back to the client as a part of the mutual SSL handshake. For the mutual SSL to kick in, the client certificates registered on the client machine must be signed by one of the CAs from that list.

For example, say your trusted store has a CA cert with the Subject: CN=cert_auth

Then you should be prompted to select a cert only if your client cert's issuer (the cert used to sign the client cert) matches the subject above.
You may also try troubleshooting using "openssl s_client" to avoid digging through thousands of lines of SSL debug output.

I hope it makes sense and helps :)

Cheers
--Peter

________________________________________
From: JTK [jonesy at sydow.org]
Sent: Friday, June 28, 2019 9:17 AM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"
fi

I am seeing no errors in the logs related to certificates. I do see the root CA I'm trying to use along with the intermediate.
I am using a client certificate, but I'm providing it via a card reader on my computer. So I'm presenting a token on a smart card, per se, and not a soft cert loaded on my system.
Would this make a difference? Should I be seeing any sort of error output in the logs if the certs were loaded wrong or any other JAVA related issue?
I can post the debug output, but it's quite long.
-
Note, we currently use a commercial based IdP which accepts our smart card with tokens on them, so I assumed Keycloak by default would see a certificate loaded locally or via the smart card reader.

On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter wrote:

One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
Sent: Thursday, June 27, 2019 2:00 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

I've read through all the documentation I can find online, both the official documents and everything else I could find, and I believe I have everything set up, with additional logging turned on, but I'm not getting any type of prompt for an x509 certificate when logging in.

Here are the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.

......
......

I've set up the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required.
Everything is set up per the KeyCloak documentation, including the binding settings.

The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue.
I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm.

Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard.

Thanks,
J
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jonesy at sydow.org Fri Jun 28 10:13:28 2019
From: jonesy at sydow.org (JTK)
Date: Fri, 28 Jun 2019 09:13:28 -0500
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

I'll look into it. I'm sure it's something simple, but it's just not clicking.
As of now I'm only testing my CAC and so there is a Root CA along with an intermediate CA which I have loaded into Keycloak.
These are the steps I used:

keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file Email-CA-1.cer
...

Just for clarity and a sanity check, with our current IdP, we only need to load the public certs (Root/Intermediate) and as long as they are loaded, any user certificate that is presented would be trusted if the chain is loaded for that user certificate. We do not have access to the private keys for the certificates loaded to the keystore.jks - I just want to make sure that's not the issue.

At this point in time, I'd love to see ERROR in the server.log file, but I just get INFO.

tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"

The above command has no output.

This is some of the output:

2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake state: finished[20]
2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1 hashes: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION: len = 16
2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Handshake, length = 40
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 6
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01 01 ......
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 45
2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3 C5 FA A5 05 54 $...3.......T

etc

Here is the output of keystore.jks

keytool -list -v -keystore keycloak.jks | grep DoD
Enter keystore password: password
Owner: CN=Root CA, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US
Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
Issuer: CN=Root CA, OU=PKI, O=Company, C=US

Shows the Root CA and the Intermediate CA (CA-1)

On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter wrote:

> We have successfully tested and deployed the CAC card & X509 auth without any issues. One suggestion is: in the SSL debug output, search for the list of CA authorities the KC server sends back to the client as part of the mutual SSL handshake. For mutual SSL to kick in, the client certificates registered on the client machine must be signed by one of the CAs from that list.
>
> For example, say your trusted store has a CA cert with the Subject: CN=cert_auth
>
> Then you should be prompted to select a cert only if your client cert's issuer (the cert used to sign the client cert) matches the subject above.
>
> You may also try troubleshooting using "openssl s_client" to avoid digging through thousands of lines of SSL debug output.
>
> I hope it makes sense and helps :)
>
> Cheers
>
> --Peter
>
> ________________________________________
> From: JTK [jonesy at sydow.org]
> Sent: Friday, June 28, 2019 9:17 AM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
>
> Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
>
> if [ "x$JAVA_OPTS" = "x" ]; then
>    JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>    JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"
> fi
>
> I am seeing no errors in the logs related to certificates. I do see the root CA I'm trying to use along with the intermediate.
> I am using a client certificate, but I'm providing it via a card reader on my computer. So I'm presenting a token on a smart card, per se, and not a soft cert loaded on my system.
> Would this make a difference? Should I be seeing any sort of error output in the logs if the certs were loaded wrong or any other JAVA related issue?
> I can post the debug output, but it's quite long.
> -
> Note, we currently use a commercial based IdP which accepts our smart card with tokens on them, so I assumed Keycloak by default would see a certificate loaded locally or via the smart card reader.
>
>
> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter wrote:
>
> One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
> Sent: Thursday, June 27, 2019 2:00 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
>
> I've read through all the documentation I can find online, both the official documents and everything else I could find, and I believe I have everything set up, with additional logging turned on, but I'm not getting any type of prompt for an x509 certificate when logging in.
>
> Here are the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.
>
> ......
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> ......
> default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
> redirect-socket="https" enable-http2="true"/>
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>
> I've set up the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required.
> Everything is set up per the KeyCloak documentation, including the binding settings.
>
> The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard.
>
> Thanks,
> J
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Jun 28 10:50:54 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Jun 2019 11:50:54 -0300
Subject: [keycloak-user] resource ids
In-Reply-To: <6043715.S9K7MI4llo@rousseau>
References: <4364012.2UoHNFKnBZ@rousseau> <6043715.S9K7MI4llo@rousseau>
Message-ID:

On Thu, Jun 27, 2019 at 11:04 PM Marek Lindner wrote:

> On Thursday, 27 June 2019 22:05:00 HKT Pedro Igor Silva wrote:
> > The name attribute is unique for a client+owner basis.
> >
> > The unicity of ids is important as we have optimizations around it.
>
> I fully understand why an ID has to be unique. My question was about the name being unique per client+owner. What makes the name attribute special to require it to be unique per client+owner?

You may have resources with the same name belonging to different owners. I also forgot to mention that we also have lookups by name on a per owner basis.

> > In the future, we are planning to make two main enhancements to resource mgmt:
> >
> > * Resource-less Evaluation, so that you don't actually need to manage resources in Keycloak in order to evaluate policies. This can be done today using a single resource and a JS policy though, but we can provide something better.
> > * Resource SPI, so that you can plug your resource store instead of using Keycloak internal database
>
> Great plan!
>
> Cheers,
> Marek
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ronaldo.yamada at serpro.gov.br Fri Jun 28 11:01:13 2019
From: ronaldo.yamada at serpro.gov.br (Ronaldo Hideki Yamada)
Date: Fri, 28 Jun 2019 12:01:13 -0300 (BRT)
Subject: [keycloak-user] Only bearer client and Authorization
In-Reply-To:
References: <1351098037.9622089.1561578096460.JavaMail.zimbra@serpro.gov.br>
Message-ID: <56720168.1219972.1561734073796.JavaMail.zimbra@serpro.gov.br>

Pedro,

Using a JS policy also does not work, as shown in https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context

but: context.getIdentity() also gets its data from the token, not the internal identity store.

How do I get a UserModel (or any internal user) from a context?

I found a KeycloakIdentity::getUserFromSessionState but the method is private.

/**
 * JSPolicy: eh_gestor
 */
var context = $evaluation.getContext();
var identity = context.getIdentity();
var Logger = Java.type("org.jboss.logging.Logger");
var LOG = Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"));
LOG.info(identity.getAttributes().toMap().toString());

if (identity.hasClientRole('suite-sc', 'gestor')) {
    $evaluation.grant();
}
/* EOF */

# Log output when client roles aren't mapped to the token:
2019-06-28 11:35:58,823 INFO [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-102) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer], exp=[1561734358], session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369], iat=[1561732558], jti=[0873781a-b595-4a50-a4e2-33730cede059]}

# Log output when client roles are mapped to the token:
2019-06-28 11:51:42,295 INFO [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-107) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], kc.client.suite-sc.roles=[cadastrador, gestor], typ=[Bearer], exp=[1561735302], session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1], iat=[1561733502], jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}

Ronaldo Hideki Yamada
SUPES/ESDEA/ESCSP

----- Original message -----
From: "Pedro Igor Silva"
To: "ronaldo.yamada serpro"
Cc: "keycloak-user"
Sent: Wednesday, 26 June 2019 16:56:53
Subject: Re: [keycloak-user] Only bearer client and Authorization

Hi Ronaldo,

That is a good point and probably something we can improve.

Currently, the roles are always obtained from the bearer token or subject_token you are using to make the authorization request. I think we could also fall back to checking roles by querying our identity stores internally.

One thing you could do for now though is writing a JS policy to perform RBAC [1].

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context

On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote:

Hi,

I have the following use case:

One client A1 (web) makes an authentication code flow and gets an access_token.

I want to use this access token as Bearer token T1[azp=A1] in backend client B1 (api) with authorization enabled.

And validate permissions on Resources#Scopes in client B1 mapped by client B1 RolePolicy.

I already got it to work only if I add the builtin protocol mapper "User Client Role" to the first client A1 and insert client roles of B1 on token T1.

But this largely increases the size of access_token T1 and I have a limit of 4k.

How to make Keycloak evaluate authz permissions [RolePolicy] against the User client role on the internal Database, instead of the information on the first token T1?

Ronaldo Hideki Yamada

-

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Jun 28 11:16:13 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 28 Jun 2019 12:16:13 -0300
Subject: [keycloak-user] Only bearer client and Authorization
In-Reply-To: <56720168.1219972.1561734073796.JavaMail.zimbra@serpro.gov.br>
References: <1351098037.9622089.1561578096460.JavaMail.zimbra@serpro.gov.br> <56720168.1219972.1561734073796.JavaMail.zimbra@serpro.gov.br>
Message-ID:

For realm roles you can use:

    var realm = $evaluation.getRealm();

    if (realm.isUserInRealmRole('marta', 'role-a')) {
        $evaluation.grant();
    }

For client roles:

    var realm = $evaluation.getRealm();

    if (realm.isUserInClientRole('marta', 'my-client', 'some-client-role')) {
        $evaluation.grant();
    }

For roles granted to a group:

    var realm = $evaluation.getRealm();

    if (realm.isGroupInRole('/Group A/Group D', 'role-a')) {
        $evaluation.grant();
    }

Where you can change "marta" in those examples to "identity.getId()".

On Fri, Jun 28, 2019 at 12:02 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote:

> Pedro,
>
> Using a JS policy also does not work, as shown in
> https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context
>
> but: context.getIdentity() also gets its data from the token, not the internal identity store.
>
> How do I get a UserModel (or any internal user) from a context?
>
> I found a KeycloakIdentity::getUserFromSessionState but the method is private.
>
> /**
>  * JSPolicy: eh_gestor
>  */
> var context = $evaluation.getContext();
> var identity = context.getIdentity();
> var Logger = Java.type("org.jboss.logging.Logger");
> var LOG = Logger.getLogger(Java.type("org.keycloak.authorization.policy.provider.js.JSPolicyProvider"));
> LOG.info(identity.getAttributes().toMap().toString());
>
> if (identity.hasClientRole('suite-sc', 'gestor')) {
>     $evaluation.grant();
> }
> /* EOF */
>
> # Log output when client roles aren't mapped to the token:
> 2019-06-28 11:35:58,823 INFO [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-102) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], typ=[Bearer], exp=[1561734358], session_state=[c73b7532-55d6-4d49-a1d1-662fe9fac369], iat=[1561732558], jti=[0873781a-b595-4a50-a4e2-33730cede059]}
>
> # Log output when client roles are mapped to the token:
> 2019-06-28 11:51:42,295 INFO [[JavaClass org.keycloak.authorization.policy.provider.js.JSPolicyProvider]] (default task-107) {sub=[d52ee480-a081-4cee-ba0c-c3fcd31cc19c], acr=[1], nbf=[0], azp=[suite-sc], auth_time=[0], name=[Ronaldo Hideki Yamada], kc.client.suite-sc.roles=[cadastrador, gestor], typ=[Bearer], exp=[1561735302], session_state=[af72aa12-3e94-4ebe-9bc7-a47bffeecef1], iat=[1561733502], jti=[f8ef05a1-44ab-4c99-863c-1875a82cdd8f]}
>
> Ronaldo Hideki Yamada
> SUPES/ESDEA/ESCSP
>
> ----- Original message -----
> From: "Pedro Igor Silva"
> To: "ronaldo.yamada serpro"
> Cc: "keycloak-user"
> Sent: Wednesday, 26 June 2019 16:56:53
> Subject: Re: [keycloak-user] Only bearer client and Authorization
>
> Hi Ronaldo,
> That is a good point and probably something we can improve.
>
> Currently, the roles are always obtained from the bearer token or subject_token you are using to make the authorization request. I think we could also fall back to checking roles by querying our identity stores internally.
>
> One thing you could do for now though is writing a JS policy to perform RBAC [1].
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#checking-for-attributes-from-the-evaluation-context
>
> On Wed, Jun 26, 2019 at 4:44 PM Ronaldo Hideki Yamada <ronaldo.yamada at serpro.gov.br> wrote:
>
> Hi,
>
> I have the following use case:
>
> One client A1 (web) makes an authentication code flow and gets an access_token.
>
> I want to use this access token as Bearer token T1[azp=A1] in backend client B1 (api) with authorization enabled.
>
> And validate permissions on Resources#Scopes in client B1 mapped by client B1 RolePolicy.
>
> I already got it to work only if I add the builtin protocol mapper "User Client Role" to the first client A1 and insert client roles of B1 on token T1.
>
> But this largely increases the size of access_token T1 and I have a limit of 4k.
>
> How to make Keycloak evaluate authz permissions [RolePolicy] against the User client role on the internal Database, instead of the information on the first token T1?
>
> Ronaldo Hideki Yamada
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jonesy at sydow.org Fri Jun 28 11:27:50 2019
From: jonesy at sydow.org (JTK)
Date: Fri, 28 Jun 2019 10:27:50 -0500
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

Here is the standalone.xml file if anyone can spot or locate any obvious errors associated with it.
https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw=

Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)

On Fri, Jun 28, 2019 at 9:13 AM JTK wrote:

> I'll look into it. I'm sure it's something simple, but it's just not clicking. As of now I'm only testing my CAC and so there is a Root CA along with an intermediate CA which I have loaded into Keycloak.
> These are the steps I used:
>
> keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer
>
> keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file Email-CA-1.cer
>
> ...
>
> Just for clarity and a sanity check, with our current IdP, we only need to load the public certs (Root/Intermediate) and as long as they are loaded, any user certificate that is presented would be trusted if the chain is loaded for that user certificate. We do not have access to the private keys for the certificates loaded to the keystore.jks - I just want to make sure that's not the issue.
>
>
> At this point in time, I'd love to see ERROR in the server.log file, but I just get INFO.
>
> tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"
>
> The above command has no output.
>
>
> This is some of the output:
>
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) *** Finished
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) verify_data: { 99, 40, 129, 188, 202, 118, 214, 208, 192, 179, 230, 8 }
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) ***
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) update handshake state: finished[20]
> 2019-06-28 13:55:07,507 INFO [stdout] (default I/O-3) [write] MD5 and SHA1 hashes: len = 16
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION: len = 16
> 2019-06-28 13:55:07,508 INFO [stdout] (default I/O-3) 0000: 14 00 00 0C 63 28 81 BC CA 76 D6 D0 C0 B3 E6 08 ....c(...v......
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Handshake, length = 40
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) %% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_GCM_SHA384]
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 6
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 14 03 03 00 01 01 ......
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) [Raw write]: length = 45
> 2019-06-28 13:55:07,509 INFO [stdout] (default I/O-3) 0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 73 16 4F ....(........s.O
> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0010: C2 AA 1E 08 25 E9 36 15 77 D5 D4 18 E0 F8 BE BE ....%.6.w.......
> 2019-06-28 13:55:07,510 INFO [stdout] (default I/O-3) 0020: 24 8A F4 7F 33 D2 CA D3 C5 FA A5 05 54 $...3.......T
>
> etc
>
>
> Here is the output of keystore.jks
>
> keytool -list -v -keystore keycloak.jks | grep DoD
> Enter keystore password: password
> Owner: CN=Root CA, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
> Owner: CN=EMAIL CA-1, OU=PKI, O=Company, C=US
> Issuer: CN=Root CA, OU=PKI, O=Company, C=US
>
>
> Shows the Root CA and the Intermediate CA (CA-1)
>
>
> On Fri, Jun 28, 2019 at 8:33 AM Nalyvayko, Peter wrote:
>
>> We have successfully tested and deployed the CAC card & X509 auth without any issues. One suggestion is: in the SSL debug output, search for the list of CA authorities the KC server sends back to the client as part of the mutual SSL handshake. For mutual SSL to kick in, the client certificates registered on the client machine must be signed by one of the CAs from that list.
>>
>> For example, say your trusted store has a CA cert with the Subject: CN=cert_auth
>>
>> Then you should be prompted to select a cert only if your client cert's issuer (the cert used to sign the client cert) matches the subject above.
>>
>> You may also try troubleshooting using "openssl s_client" to avoid digging through thousands of lines of SSL debug output.
>>
>> I hope it makes sense and helps :)
>>
>> Cheers
>>
>> --Peter
>>
>> ________________________________________
>> From: JTK [jonesy at sydow.org]
>> Sent: Friday, June 28, 2019 9:17 AM
>> To: Nalyvayko, Peter
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
>>
>> Thanks, I enabled the debug option for ssl in ../keycloak/bin/standalone.conf
>>
>> if [ "x$JAVA_OPTS" = "x" ]; then
>>    JAVA_OPTS="-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>>    JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true -Djavax.net.debug=ssl"
>> fi
>>
>> I am seeing no errors in the logs related to certificates. I do see the root CA I'm trying to use along with the intermediate.
>> I am using a client certificate, but I'm providing it via a card reader on my computer. So I'm presenting a token on a smart card, per se, and not a soft cert loaded on my system.
>> Would this make a difference? Should I be seeing any sort of error output in the logs if the certs were loaded wrong or any other JAVA related issue?
>> I can post the debug output, but it's quite long.
>> -
>> Note, we currently use a commercial based IdP which accepts our smart card with tokens on them, so I assumed Keycloak by default would see a certificate loaded locally or via the smart card reader.
>>
>>
>> On Thu, Jun 27, 2019 at 6:41 PM Nalyvayko, Peter wrote:
>>
>> One possible reason you are not getting prompted is that the intermediate or root certs in your trust store do not match the intermediate or root certs used to sign the client certificates registered on your client machine. To troubleshoot the SSL handshake you can use -Djavax.net.debug, see https://access.redhat.com/solutions/973783 for more info.
>>
>> ________________________________________
>> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of JTK [jonesy at sydow.org]
>> Sent: Thursday, June 27, 2019 2:00 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
>>
>> I've read through all the documentation I can find online, both the official documents and everything else I could find, and I believe I have everything set up, with additional logging turned on, but I'm not getting any type of prompt for an x509 certificate when logging in.
>>
>> Here are the excerpts from the standalone.xml file where ssl-realm was added to the management security-realms and under the subsystem.
>>
>> ......
>> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
>> ......
>> default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
>> redirect-socket="https" enable-http2="true"/>
>> security-realm="ssl-realm" verify-client="REQUESTED"/>
>> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
>>
>> I've set up the Authentication Flows for the Browser to have x509/Validate Username Form above the new Browser flow and it's required.
>> Everything is set up per the KeyCloak documentation, including the binding settings.
>>
>> The only thing I'm not sure about is if the keycloak.jks and truststore.jks files are the issue.
>> I have enabled extra logging as best I know, but I'm not seeing anything in the logs of any relevance when trying to authenticate into the Keycloak Realm.
>>
>> Can anyone assist? We are looking to most likely purchase this as a product through RedHat SSO if it works well to get the support we need, but I've been hung up on this for a few weeks and I know it shouldn't be this hard.
>>
>> Thanks,
>> J
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From pnalyvayko at agi.com Fri Jun 28 11:57:14 2019
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Fri, 28 Jun 2019 15:57:14 +0000
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

Run the command "openssl s_client -connect <host>:<port>" where host and port are the Keycloak's host and the port number (e.g.
login.mycompany.com:443) and verify that the list of certificates listed under "Acceptable CA client certificate names" is not empty and that the CA names match the client cert's issuer

________________________________________
From: JTK [jonesy at sydow.org]
Sent: Friday, June 28, 2019 11:27 AM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final

Here is the standalone.xml file if anyone can spot or locate any obvious errors associated with it.

https://zerobin.net/?740f9250fdc1a6f1#9FqhPJx0iNfQshWY8hA2aYdWPhWUEVHW5peZuGfU8cw=

Authentication flow:
https://imgur.com/tZYj9N9 (Bindings)
https://imgur.com/3v2HYtW (Flows)

On Fri, Jun 28, 2019 at 9:13 AM JTK wrote:
I'll look into it. I'm sure it's something simple, but it's just not clicking. As of now I'm only testing my CAC and so there is a Root CA along with an intermediate CA which I have loaded into Keycloak.
These are the steps I used:

keytool -import -alias ROOT-CA -keystore keystore.jks -file Root-CA.cer

keytool -import -alias EMAIL-CA-INTERMEDIATE-1 -keystore keystore.jks -file Email-CA-1.cer

...

Just for clarity and sanity check, with our current IdP, we only need to load the public certs (Root/Intermediate) and as long as they are loaded, any user certificate that is presented would be trusted if the chain is loaded for that user certificate. We do not have access to the private keys for the certificates loaded to the keystore.jks - I just want to make sure that's not the issue.

At this point in time, I'd love to see ERROR in the server.log file, but I just get INFO.

tail -f /opt/keycloak/standalone/log/server.log | grep -E "WARN|ERROR"

The output of the above command has no output.
From jonesy at sydow.org Fri Jun 28 12:41:39 2019
From: jonesy at sydow.org (JTK)
Date: Fri, 28 Jun 2019 11:41:39 -0500
Subject: [keycloak-user] Not being prompted for x509 User Certs on KeyCloak version 4.8.3.Final
In-Reply-To:
References:
Message-ID:

Obviously the certs are not loaded on the ELB as I need them.

openssl s_client -servername keycloak.domainhere.net -connect keycloak.domainhere.net:8443 2>/dev/null | egrep "subject=|issuer=|notAfter="
subject=CN = keycloak.domainhere.net
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon

I'm waiting on feedback from our internal team to find out when they can load the Root CA/Intermediate certs on the proxy. It might not be until next week, but I will update when I get a chance.

Thanks!
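The check Peter recommends, and the finding JTK reports above, as an added example that is not part of the thread or of Keycloak. Two details matter in practice. First, the exact label openssl prints is "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the server never asks), and the names in it come from the trust manager of the Undertow listener, i.e. the subjects of the certificates in the truststore the `ssl-realm` points at, so a CA imported only into the key store that holds the server key never appears there. Second, when a load balancer terminates TLS in front of Keycloak, as the Amazon-issued server certificate in JTK's output shows, the browser only ever sees the balancer's handshake, which contains no CertificateRequest, so nothing Keycloak is configured with can trigger a prompt. The script below parses captured `openssl s_client` output (the sample outputs are constructed to match what the thread quotes), normalises distinguished names so that keytool's `CN=..., C=US` form and openssl's `C = US, ..., CN = ...` form compare equal, and reports which of those situations applies. The function and constant names are mine.

```python
"""Diagnose why a browser is not prompted for a client certificate.

Added example; not code from the thread or from Keycloak. It takes the text
of `openssl s_client -connect <host>:<port> -servername <host> </dev/null`
and the issuer of the client certificate (`openssl x509 -in client.pem
-noout -issuer`) and checks the two things the thread turns on: whether the
endpoint sends a CertificateRequest at all, and whether the CA names in it
include the client certificate's issuer. No network access is needed; the
sample outputs below are constructed.
"""
import re

# ", " followed by something that looks like "ATTR=" starts a new RDN.
# Escaped commas inside values ("O=Foo\, Inc") are not followed by "ATTR="
# and so are left alone.
_RDN_SPLIT = re.compile(r"\s*,\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def normalize_dn(dn: str) -> tuple:
    """Canonical, order-insensitive form of a printed distinguished name.

    keytool prints  CN=Root CA, OU=PKI, O=Company, C=US
    openssl prints  C = US, O = Company, OU = PKI, CN = Root CA
    Both become (('C','US'), ('CN','Root CA'), ('O','Company'), ('OU','PKI')).
    Good enough for a diagnostic; the TLS stack makes the real comparison.
    """
    pairs = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(pairs))


def acceptable_ca_names(s_client_output: str) -> list:
    """CA names from the server's CertificateRequest, as s_client prints them.

    The header is "Acceptable client certificate CA names"; when the server
    never asked for a certificate s_client prints
    "No client certificate CA names sent" instead and this returns [].
    """
    names, in_block = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
            continue
        if in_block:
            if "=" not in line:        # next section header ends the list
                break
            names.append(normalize_dn(line))
    return names


def server_cert_issuer(s_client_output: str):
    """The issuer= line s_client prints for the server's own certificate."""
    m = re.search(r"^issuer=(.+)$", s_client_output, re.MULTILINE)
    return normalize_dn(m.group(1)) if m else None


def diagnose(s_client_output: str, client_cert_issuer: str,
             trust_store_subjects: list) -> str:
    """Return one of:
    ok                      issuer is in the advertised CA list; prompt expected
    issuer-not-in-ca-list   server asks for a cert, but not from this CA
    no-certificate-request  server never asked (verify-client off, wrong port)
    tls-terminated-upstream no request AND the server cert was issued by
                            something outside our trust store: a strong hint
                            that a proxy or load balancer terminates TLS
                            before the connection reaches Keycloak
    """
    cas = acceptable_ca_names(s_client_output)
    trusted = {normalize_dn(s) for s in trust_store_subjects}
    if not cas:
        issuer = server_cert_issuer(s_client_output)
        if issuer is not None and issuer not in trusted:
            return "tls-terminated-upstream"
        return "no-certificate-request"
    if normalize_dn(client_cert_issuer) in cas:
        return "ok"
    return "issuer-not-in-ca-list"


# --- constructed sample data, shaped like the outputs quoted in the thread ---
TRUST_STORE_SUBJECTS = [            # as `keytool -list -v` prints them
    "CN=Root CA, OU=PKI, O=Company, C=US",
    "CN=EMAIL CA-1, OU=PKI, O=Company, C=US",
]
CLIENT_CERT_ISSUER = "C = US, O = Company, OU = PKI, CN = EMAIL CA-1"

S_CLIENT_VIA_ELB = """\
---
subject=CN = keycloak.domainhere.net
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
---
No client certificate CA names sent
Peer signing digest: SHA256
---
"""

S_CLIENT_DIRECT = """\
---
subject=CN = keycloak.domainhere.net
issuer=C = US, O = Company, OU = PKI, CN = EMAIL CA-1
---
Acceptable client certificate CA names
C = US, O = Company, OU = PKI, CN = Root CA
C = US, O = Company, OU = PKI, CN = EMAIL CA-1
Client Certificate Types: RSA sign, ECDSA sign
---
"""

if __name__ == "__main__":
    for label, out in (("via ELB", S_CLIENT_VIA_ELB), ("direct", S_CLIENT_DIRECT)):
        print(label, "->", diagnose(out, CLIENT_CERT_ISSUER, TRUST_STORE_SUBJECTS))
```

Run it against real captures by reading the s_client output from a file and passing the `issuer=` line of `openssl x509 -noout -issuer` as `client_cert_issuer`; if the result is `tls-terminated-upstream`, fixing Keycloak's keystores will not help until the proxy either passes TLS through or performs the client-certificate check itself.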
From chris.smith at cmfirstgroup.com Fri Jun 28 14:41:56 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Fri, 28 Jun 2019 18:41:56 +0000
Subject: [keycloak-user] Using Active Directory as LDAP/Kerberos provider but all management from Keycloak
Message-ID:

I have a client implementing SSO. The plan is to setup a standalone Active Directory forest as the LDAP/Kerberos federation provider. Active directory was chosen because of limited Linux expertise. User self service and registration is strongly desired.

I followed the setup and for existing users, authentication works and I can get a Kerberos ticket as a claim. A new user registration always fails. Has anyone done this?

LDAP provider is Active Directory
Edit Mode is WRITEABLE.
Sync Registrations is ON
Bind DN is an Active Directory domain administrator
Kerberos integration is ON
The Kerberos Principal and keytab are for the same user as the Bind DN.
11:33:49,799 WARN [org.keycloak.services] (default task-1) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Error creating subcontext [cn=\ ,CN=Users,DC=xxx-sso,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:625) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:102) at org.keycloak.storage.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:72) at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProvider.java:269) at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.java:147) at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCacheSession.java:768) at org.keycloak.authentication.forms.RegistrationUserCreation.success(RegistrationUserCreation.java:133) at org.keycloak.authentication.FormAuthenticationFlow.processAction(FormAuthenticationFlow.java:251) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:627) at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:681) at org.keycloak.services.resources.LoginActionsService.processRegister(LoginActionsService.java:661) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at 
org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00002071: UpdErr: DSID-030503CF, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'cn=\ ,CN=Users,DC=xxx-sso,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:607) at 
org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager$8.execute(LDAPOperationManager.java:604)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:759)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:737)
        at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:604)
        ... 82 more

11:33:49,946 WARN [org.keycloak.events] (default task-1) type=REGISTER_ERROR, realmId=XXX-SSO, clientId=xxx-sso, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, register_method=form, redirect_uri=http://localhost:9080/xxx-sso/kc, code_id=223fbcfb-4946-43c2-b483-5bd104e4f239, email=newUser at something.com, username=a.new.user

From chris.smith at cmfirstgroup.com Fri Jun 28 16:01:50 2019
From: chris.smith at cmfirstgroup.com (Chris Smith)
Date: Fri, 28 Jun 2019 20:01:50 +0000
Subject: [keycloak-user] Fine Grain Admin Permissions is Technology Preview
Message-ID: <6234CFEC-6FD8-44E3-B056-C5F5E409429A@cmfirstgroup.com>

Fine grained Admin permissions is exactly something I need for my project. Is there any guidance on when it may be stable?

From demetrio at carretti.pro Fri Jun 28 16:55:59 2019
From: demetrio at carretti.pro (Dmitry Telegin)
Date: Fri, 28 Jun 2019 23:55:59 +0300
Subject: [keycloak-user] Getting grant from access token
In-Reply-To:
References:
Message-ID: <3675d161cdc066a9122c2c0f3be7e27d89d10f6a.camel@carretti.pro>

Hello Seán, welcome on board :)

Yes, what you want is doable, however with a few customizations. The "theory" here is that different flows (authorization code / implicit / hybrid) are triggered by different incoming response_type param values [2], and this param is exposed to Keycloak authentication layer. However, token generation happens at a different layer, and you'll need to bridge them together.
- run Keycloak with -Dkeycloak.profile=preview or -Dkeycloak.profile.feature.script=enabled [1];
- in your browser flow, create a script authenticator. Its authenticate() method body should consist only of a couple of lines:

    var response_type = authenticationSession.clientNotes.response_type;
    authenticationSession.setUserSessionNote("response_type", response_type);
    context.success();

- go to client settings -> Mappers, create a User Session Note mapper and map "response_type" note into a claim. Your application will need to analyze this claim and make an allow/deny decision;
- alternatively, you can craft a more sophisticated JS mapper that would look into response_type and infer flow type from it, putting it into a custom claim.

Let me know if you have any further questions.

[1] https://www.keycloak.org/docs/latest/server_installation/index.html#profiles
[2] https://openid.net/specs/openid-connect-core-1_0.html#Authentication

Good luck,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Fri, 2019-06-28 at 09:18 +0100, Seán Kelleher wrote:
> Hi everyone,
>
> This is my first time using this service, so apologies if I've overlooked a
> precondition for posting.
>
> Is there a way to retrieve or derive the grant that was used to obtain a
> particular access token, from the access token itself?
>
> My use case is that I have an `/accept_tos` endpoint that takes an IP
> address, which is logged as having accepted our terms of service. This is
> under the assumption that the endpoint is being called by a client
> application that authenticated the user using an authorization code grant.
> However, we now also support logins using the implicit flow, so the
> acceptance request is no longer being relayed by a third party client, but
> is instead being made by the client itself.
> In this case I want the app to
> use `/accept_tos_direct`, which will use the IP address of the request
> itself (accounting for reverse proxies) instead of taking it from the body
> of the request. Of course, a client could try and determine its own IP
> address and supply that using `/accept_tos`, but I feel like this is a
> slightly hacky workaround and may lend itself to error.
>
> I want to be able to prevent clients from using the wrong endpoint, based
> on the grant they used to retrieve their access token. At the moment, I
> don't see any fields in the access token that can be used to get this
> information, or how I could enable such a field. I thought the "aud" field
> could fit the purpose, assuming that it was something like "" in
> the case of an authorization code grant and something like
> "resource_server" in the case of an implicit grant, but when I tested this
> assumption, access tokens from both grants gave a value of `["",
> "account"]`. Does anyone have any suggestions as to how I could get this
> behaviour?
>
> Kind regards,
>
> Seán.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From davidkarlsen at gmail.com  Sun Jun 30 14:25:01 2019
From: davidkarlsen at gmail.com (David Karlsen)
Date: Sun, 30 Jun 2019 20:25:01 +0200
Subject: [keycloak-user] Wrong redirect url from KK
Message-ID: 

I do IDP logon with request to redirect to https://myhost.mydomain/somecontext/#/login but the redirect received is: https://myhost.mydomain/somecontext/?code=somecode&state=somestate#/login

notice how the fragment comes at the end, and the parameters in-between. Is this a known issue? I would guess it is quite common for angular-apps to want to be redirected back into a well known route.

--
--
David J. M. Karlsen - http://www.linkedin.com/in/davidkarlsen
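The following is an added example illustrating the last bullet of Dmitry Telegin's reply to Seán Kelleher above (inferring the flow from response_type rather than exposing the raw value); it is not code from the thread or from Keycloak. It assumes the script-authenticator bindings named in that reply (authenticationSession with clientNotes and setUserSessionNote, and context.success()), which are passed in as parameters here so the logic can run and be tested outside Keycloak; the flow classification follows the response_type table in OpenID Connect Core 1.0 section 3 (reference [2]).

```javascript
// Added example, not from the thread. Classifies the OIDC response_type a
// client sent into the flow it selects, then records it as a session note so
// a User Session Note mapper can expose it as a claim (e.g. "oidc_flow").

// Split a raw response_type value ("code id_token") into its tokens.
// Tolerates Java strings handed over by Nashorn, null, and extra whitespace.
function parseResponseType(raw) {
  if (raw == null) return [];
  return String(raw).trim().split(/\s+/).filter(Boolean);
}

// Returns "authorization_code", "implicit", "hybrid" or "unknown".
// Per OIDC Core 1.0 sec. 3: "code" alone is the authorization code flow;
// any combination that includes "code" plus id_token/token is hybrid;
// id_token, token, or both without code is implicit.
function inferFlowType(raw) {
  var parts = parseResponseType(raw);
  if (parts.length === 0) return 'unknown';
  var allowed = { code: true, id_token: true, token: true };
  for (var i = 0; i < parts.length; i++) {
    if (!allowed[parts[i]]) return 'unknown'; // e.g. "none" or a typo
  }
  var hasCode = parts.indexOf('code') !== -1;
  if (hasCode && parts.length === 1) return 'authorization_code';
  if (hasCode) return 'hybrid';
  return 'implicit';
}

// What a script authenticator's authenticate() body would do with the two
// bindings from the reply; `session` and `ctx` stand in for Keycloak's
// authenticationSession and context (assumed names, passed explicitly here).
function recordFlowType(session, ctx) {
  var responseType = session.clientNotes.response_type;
  var flow = inferFlowType(responseType);
  session.setUserSessionNote('response_type', responseType || '');
  session.setUserSessionNote('oidc_flow', flow);
  ctx.success();
  return flow;
}

// Constructed stand-in for the Keycloak session binding, for offline runs.
function fakeSession(responseType) {
  var notes = {};
  return {
    clientNotes: { response_type: responseType },
    setUserSessionNote: function (key, value) { notes[key] = value; },
    notes: notes
  };
}
```

The application receiving the token can then compare the `oidc_flow` claim against the endpoint being called (`/accept_tos` for authorization_code, `/accept_tos_direct` for implicit) instead of inspecting `aud`.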
